Analysis
-
max time kernel
47s -
max time network
311s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64 arch:x86 image:win10-20240404-en locale:en-us os:windows10-1703-x64 system -
submitted
30/06/2024, 18:14
Behavioral task
behavioral1
Sample
Discord rat.exe
Resource
win7-20240611-en
Behavioral task
behavioral2
Sample
Discord rat.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
Discord rat.exe
Resource
win10v2004-20240611-en
Behavioral task
behavioral4
Sample
Discord rat.exe
Resource
win11-20240508-en
General
-
Target
Discord rat.exe
-
Size
79KB
-
MD5
4a825505953f3f758e1da9bab73df39e
-
SHA1
ee7226735ea2d358d8628e037f35d38fc799ef50
-
SHA256
5436af4185d5c05d8ec07213f940cb8a3506fa9a0621b45ebf38583e37165977
-
SHA512
43120fc749ee67d7b8371aa921ee9a7b3769cbc63db06c0dd5cadfa7a83aeeb51e3a54ac4e8c0738cc58b22bcef0d8c5198b753626955371823d11a54d0d12a9
-
SSDEEP
1536:UeycDpiiSoH8ovTpPFl+ktd2+6CHpHKcGiNPAeN+cvy1kml4KSYHbC/EuYDbbqik:rycDpiiSoH8ovTpFl+ktd2+6CHpHKcGw
Malware Config
Extracted
discordrat
-
discord_token
MTI1Njk1OTk3MzkyMjA1MDA0OA.GGLfYW.bDrMZAIyeTVgyJMSqQFO2gDeB0CtQKGKri6ACU
-
server_id
1256666099580403734
Signatures
-
Discord RAT
A RAT written in C# using Discord as a C2.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 21 IoCs
description pid Process procid_target
PID 2024 created 576 2024 Discord rat.exe 5
-
Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 64 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77Discord rat.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Discord rat.exe" Discord rat.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
flow ioc 4 raw.githubusercontent.com 5 raw.githubusercontent.com 19 discord.com 29 discord.com 31 discord.com 7 discord.com 8 discord.com 12 discord.com 14 discord.com 20 discord.com 21 discord.com -
Suspicious use of SetThreadContext 21 IoCs
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 63 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh NetSh.exe
-
Modifies data under HKEY_USERS 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\1a\52C64B7E svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache svchost.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3308 Explorer.EXE -
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:576
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:996
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{cd83e5ff-0339-4731-98f3-a07ca30f2650}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1908
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{8c8bc1ed-228a-40a3-97df-d7c1cee42846}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{3001719d-0bfb-44fa-9dac-1bf2eaccac73}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{8652e0e6-1752-4725-a863-6867d24705cb}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2328
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{04618d90-9743-4828-83ef-ef9289920c51}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1324
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{cae0decf-0fde-4cf4-8fde-a55b4367c77a}2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5148
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{9bd03a52-5ba4-46bd-bfa0-5afefbe24223}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5116
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{21fb2265-b7c9-4505-99ca-0db331d1c239}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2076
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{3a07d460-054e-4985-a616-5744ef800da5}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3456
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{b2b1adf5-8d14-4641-bb1d-cc696d05feb3}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6004
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{d95a3264-2014-4939-b1e5-d71a2d7d8e9b}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5416
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{d5723f53-b300-4644-94f6-8a71deab401b}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3932
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{32ecea06-f6e6-41fd-9dcf-8a2acf34b9f0}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4224
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{eac1c300-2754-4b25-bc16-e8a880566eca}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5580
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{7824639c-7340-4f18-8637-0e62b5304338}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1956
-
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{338ff857-98eb-4a06-abc3-1142f2fb9c52}2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5804
-
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
PID:636
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay1⤵PID:732
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k dcomlaunch -s LSM1⤵PID:904
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s gpsvc1⤵PID:352
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts1⤵PID:384
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService1⤵PID:856
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Schedule1⤵PID:1084
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:3060
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog1⤵PID:1120
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ProfSvc1⤵PID:1160
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s EventSystem1⤵PID:1240
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Themes1⤵PID:1256
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s nsi1⤵PID:1276
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s UserManager1⤵PID:1356
-
c:\windows\system32\sihost.exesihost.exe2⤵PID:2960
-
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp1⤵PID:1412
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s SENS1⤵PID:1444
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s NlaSvc1⤵PID:1512
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s Dnscache1⤵PID:1548
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder1⤵PID:1576
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:1680
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localservice -s netprofm1⤵PID:1688
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:1760
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted1⤵PID:1768
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection1⤵PID:1876
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s StateRepository1⤵PID:1884
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵PID:1996
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation1⤵PID:1836
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s IKEEXT1⤵PID:2292
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent1⤵
- Modifies data under HKEY_USERS
PID:2304
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s LanmanServer1⤵PID:2320
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Browser1⤵PID:2428
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k networkservice -s CryptSvc1⤵PID:2448
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2484
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc1⤵PID:2504
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks1⤵PID:2524
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s Winmgmt1⤵PID:2540
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s WpnService1⤵PID:2552
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵PID:2968
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵PID:3020
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s TokenBroker1⤵PID:2932
-
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3308
-
C:\Users\Admin\AppData\Local\Temp\Discord rat.exe
"C:\Users\Admin\AppData\Local\Temp\Discord rat.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1392
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:804
-
C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:2908
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4628
-
C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2100
-
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3716
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4920 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1068
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:4952
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:192
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:504 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:512
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:924
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:3940
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5068
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4308 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:980
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4372 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:900
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:3860
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2044
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4176 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5012
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2848 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5472
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:1052
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5236
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5124 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5336
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5356 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5576
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:5368
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1428
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5392 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4620
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6016
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:6028
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:6132
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:6044 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:6056
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:2516
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:5260
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4232
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:348 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4452
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6040 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3340
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:2564
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5152
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2820 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4912
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5480 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5420
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:4920
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5072
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5892 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5664
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5128 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5428
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:4624
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:924
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5732 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4556
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:360 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1372
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:5932
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5848
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2492 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5832
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:800 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5960
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:2752
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3820
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4672 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5340
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:3796 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4704
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:6016
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5652
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2332 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:348
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:4496 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4500
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:5308
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5688
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2912 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3096
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:5648 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:644
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:5980
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5020
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1504 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4032
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:3096 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:3340
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:2912
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5528
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3796
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:5152 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5684
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:3296
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5976
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:1792
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:1424 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2180
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:5304
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:2900
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Event Triggered Execution: Netsh Helper DLL
PID:2176 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4576
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵PID:6056
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4500
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:2820
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5744
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5392 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1172
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:4372
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:2044
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1708
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1300
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:5164
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:5188
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:216
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:4596
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:5764
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:5960
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:6120
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:2224
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:5760 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1300
-
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:5648
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:4600
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:3860
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:5076
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:2348
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:68
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:5348
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:5052
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:4020
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:5676
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:5896
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:5280
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:1940
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:4660
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:6124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:2656
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:2792
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5644
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:1068
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:4876
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:3488
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:4908
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:4152
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:2848
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:5856
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:1316
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:2656
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:5500
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:2808
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:804
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:2456
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:5536
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:5660
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:3236
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:5852
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:3824
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:4176
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:6740
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:6756
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:6764
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:3344
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:4160
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵PID:5604
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:6568
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:6592
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:6520
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:6164
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:7056
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:6040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:6392
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:6248
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:5320
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:7096
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:6856
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5224
-
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:6512
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:6864
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:5720
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:6612
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"3⤵
- Command and Scripting Interpreter: PowerShell
PID:6572
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f3⤵PID:2316
-
-
C:\Windows\SYSTEM32\NetSh.exe"NetSh.exe" Advfirewall set allprofiles state off3⤵
- Modifies Windows Firewall
PID:6344
-
-
-
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3828
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4040
-
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4680
-
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4512
-
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3580
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2580
-
c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4204
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4548
-
C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:2860
-
C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:3740
-
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:2824
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8548
-
C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6368
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
- Create or Modify System Process (1)
  - Windows Service (1)
- Event Triggered Execution (1)
  - Netsh Helper DLL (1)
Downloads
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize
338B