discordrat | 5436af4185d5c05d8ec07213f940cb8a3506fa9a0621b45ebf38583e37165977

Resubmissions

30-06-2024 18:16

240630-wwqeaavfnq 10

30-06-2024 18:10

240630-wr1pfs1hpa 10

Analysis

max time kernel
9s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 18:16

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Discord rat.exe
Size

79KB
MD5

4a825505953f3f758e1da9bab73df39e
SHA1

ee7226735ea2d358d8628e037f35d38fc799ef50
SHA256

5436af4185d5c05d8ec07213f940cb8a3506fa9a0621b45ebf38583e37165977
SHA512

43120fc749ee67d7b8371aa921ee9a7b3769cbc63db06c0dd5cadfa7a83aeeb51e3a54ac4e8c0738cc58b22bcef0d8c5198b753626955371823d11a54d0d12a9
SSDEEP

1536:UeycDpiiSoH8ovTpPFl+ktd2+6CHpHKcGiNPAeN+cvy1kml4KSYHbC/EuYDbbqik:rycDpiiSoH8ovTpFl+ktd2+6CHpHKcGw

Score

10^/10

discordrat evasion execution persistence privilege_escalation rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1Njk1OTk3MzkyMjA1MDA0OA.GGLfYW.bDrMZAIyeTVgyJMSqQFO2gDeB0CtQKGKri6ACU
server_id
1256666099580403734

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs

Processes:

Discord rat.exe

description	pid	process	target process
PID 1840 created 616	1840	Discord rat.exe	winlogon.exe
PID 1840 created 616	1840	Discord rat.exe	winlogon.exe
PID 1840 created 616	1840	Discord rat.exe	winlogon.exe
PID 1840 created 616	1840	Discord rat.exe	winlogon.exe
PID 1840 created 616	1840	Discord rat.exe	winlogon.exe
PID 1840 created 616	1840	Discord rat.exe	winlogon.exe
PID 1840 created 616	1840	Discord rat.exe	winlogon.exe
PID 1840 created 616	1840	Discord rat.exe	winlogon.exe
PID 1840 created 616	1840	Discord rat.exe	winlogon.exe
PID 1840 created 616	1840	Discord rat.exe	winlogon.exe
PID 1840 created 616	1840	Discord rat.exe	winlogon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 29 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
6100	powershell.exe
6232	powershell.exe
884	powershell.exe
5516	powershell.exe
8088	powershell.exe
5932	powershell.exe
6148	powershell.exe
6076	powershell.exe
1968	powershell.exe
6624	powershell.exe
6880	powershell.exe
1408	powershell.exe
5124	powershell.exe
2568	powershell.exe
1172	powershell.exe
6404	powershell.exe
4440	powershell.exe
5520	powershell.exe
392	powershell.exe
4816	powershell.exe
4300	powershell.exe
1536	powershell.exe
3960	powershell.exe
6436	powershell.exe
1048	powershell.exe
1900	powershell.exe
1744	powershell.exe
1644	powershell.exe
3008	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 29 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

NetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exe

pid	process
5156	NetSh.exe
6952	NetSh.exe
8092	NetSh.exe
3588	NetSh.exe
3972	NetSh.exe
3788	NetSh.exe
4560	NetSh.exe
6184	NetSh.exe
6804	NetSh.exe
6984	NetSh.exe
6400	NetSh.exe
1072	NetSh.exe
3456	NetSh.exe
6068	NetSh.exe
5260	NetSh.exe
6712	NetSh.exe
6676	NetSh.exe
1468	NetSh.exe
3468	NetSh.exe
1624	NetSh.exe
4300	NetSh.exe
2800	NetSh.exe
4056	NetSh.exe
1776	NetSh.exe
2336	NetSh.exe
3116	NetSh.exe
5244	NetSh.exe
2288	NetSh.exe
5056	NetSh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Discord rat.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77Discord rat.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Discord rat.exe"	Discord rat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

Processes:

flow	ioc
10	raw.githubusercontent.com
14	raw.githubusercontent.com
26	discord.com
43	discord.com
86	discord.com
20	discord.com
21	discord.com
44	discord.com
84	discord.com

Drops file in System32 directory 5 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx	svchost.exe
File opened for modification	C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx	svchost.exe

Suspicious use of SetThreadContext 11 IoCs

Processes:

Discord rat.exe

description	pid	process	target process
PID 1840 set thread context of 4320	1840	Discord rat.exe	dllhost.exe
PID 1840 set thread context of 3800	1840	Discord rat.exe	dllhost.exe
PID 1840 set thread context of 3368	1840	Discord rat.exe	dllhost.exe
PID 1840 set thread context of 4008	1840	Discord rat.exe	dllhost.exe
PID 1840 set thread context of 5008	1840	Discord rat.exe	dllhost.exe
PID 1840 set thread context of 4188	1840	Discord rat.exe	dllhost.exe
PID 1840 set thread context of 820	1840	Discord rat.exe	dllhost.exe
PID 1840 set thread context of 1492	1840	Discord rat.exe	dllhost.exe
PID 1840 set thread context of 6036	1840	Discord rat.exe	dllhost.exe
PID 1840 set thread context of 3564	1840	Discord rat.exe	dllhost.exe
PID 1840 set thread context of 3464	1840	Discord rat.exe	dllhost.exe

Drops file in Windows directory 4 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 33 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

NetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

Explorer.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\IESettingSync	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	Explorer.EXE

Modifies data under HKEY_USERS 41 IoCs

Processes:

WaaSMedicAgent.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe

Modifies registry class 1 IoCs

Processes:

Explorer.EXE

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings Explorer.EXE
Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

5848 NOTEPAD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000_Classes\Local Settings	Explorer.EXE

pid	process
5848	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
1840	Discord rat.exe
4320	dllhost.exe
4320	dllhost.exe
4300	powershell.exe
1840	Discord rat.exe
3800	dllhost.exe
3800	dllhost.exe
1840	Discord rat.exe
1840	Discord rat.exe
3368	dllhost.exe
3368	dllhost.exe
4300	powershell.exe
4300	powershell.exe
884	powershell.exe
884	powershell.exe
884	powershell.exe
2568	powershell.exe
2568	powershell.exe
1840	Discord rat.exe
4008	dllhost.exe
4008	dllhost.exe
1840	Discord rat.exe
5008	dllhost.exe
5008	dllhost.exe
1536	powershell.exe
1536	powershell.exe
2568	powershell.exe
1536	powershell.exe
1840	Discord rat.exe
1840	Discord rat.exe
4188	dllhost.exe
4188	dllhost.exe
1172	powershell.exe
1172	powershell.exe
1840	Discord rat.exe
820	dllhost.exe
820	dllhost.exe
1048	powershell.exe
1048	powershell.exe
1048	powershell.exe
1172	powershell.exe
1644	powershell.exe
1644	powershell.exe
1840	Discord rat.exe
1492	dllhost.exe
1492	dllhost.exe
4440	powershell.exe
4440	powershell.exe
1644	powershell.exe
4440	powershell.exe
4008	dllhost.exe
4008	dllhost.exe
820	dllhost.exe
820	dllhost.exe
820	dllhost.exe
820	dllhost.exe
1492	dllhost.exe
1492	dllhost.exe
1492	dllhost.exe
1492	dllhost.exe
1492	dllhost.exe
1492	dllhost.exe
1492	dllhost.exe
1492	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Discord rat.exedllhost.exepowershell.exedllhost.exedllhost.exepowershell.exepowershell.exedllhost.exedllhost.exepowershell.exedllhost.exepowershell.exedllhost.exepowershell.exepowershell.exedllhost.exepowershell.exedllhost.exepowershell.exedllhost.exeExplorer.EXEpowershell.exedllhost.exepowershell.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	4320	dllhost.exe
Token: SeDebugPrivilege	4300	powershell.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	3800	dllhost.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	3368	dllhost.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	4008	dllhost.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	5008	dllhost.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	4188	dllhost.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	820	dllhost.exe
Token: SeDebugPrivilege	1048	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	1492	dllhost.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	6036	dllhost.exe
Token: SeDebugPrivilege	6076	powershell.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	3564	dllhost.exe
Token: SeShutdownPrivilege	3424	Explorer.EXE
Token: SeCreatePagefilePrivilege	3424	Explorer.EXE
Token: SeShutdownPrivilege	3424	Explorer.EXE
Token: SeCreatePagefilePrivilege	3424	Explorer.EXE
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	1840	Discord rat.exe
Token: SeDebugPrivilege	3464	dllhost.exe
Token: SeDebugPrivilege	5516	powershell.exe
Token: SeShutdownPrivilege	2784	svchost.exe
Token: SeCreatePagefilePrivilege	2784	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2088	svchost.exe
Token: SeIncreaseQuotaPrivilege	2088	svchost.exe
Token: SeSecurityPrivilege	2088	svchost.exe
Token: SeTakeOwnershipPrivilege	2088	svchost.exe
Token: SeLoadDriverPrivilege	2088	svchost.exe
Token: SeBackupPrivilege	2088	svchost.exe
Token: SeRestorePrivilege	2088	svchost.exe
Token: SeShutdownPrivilege	2088	svchost.exe
Token: SeSystemEnvironmentPrivilege	2088	svchost.exe
Token: SeManageVolumePrivilege	2088	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	2088	svchost.exe
Token: SeIncreaseQuotaPrivilege	2088	svchost.exe
Token: SeSecurityPrivilege	2088	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Discord rat.exe

description	pid	process	target process
PID 1840 wrote to memory of 4320	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4320	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4320	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4320	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4320	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4320	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4320	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4320	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4320	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4320	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4320	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4300	1840	Discord rat.exe	powershell.exe
PID 1840 wrote to memory of 4300	1840	Discord rat.exe	powershell.exe
PID 1840 wrote to memory of 1988	1840	Discord rat.exe	cmd.exe
PID 1840 wrote to memory of 1988	1840	Discord rat.exe	cmd.exe
PID 1840 wrote to memory of 1776	1840	Discord rat.exe	NetSh.exe
PID 1840 wrote to memory of 1776	1840	Discord rat.exe	NetSh.exe
PID 1840 wrote to memory of 3800	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3800	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3800	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3800	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3800	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3800	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3800	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3800	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3800	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3800	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3800	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 884	1840	Discord rat.exe	powershell.exe
PID 1840 wrote to memory of 884	1840	Discord rat.exe	powershell.exe
PID 1840 wrote to memory of 4632	1840	Discord rat.exe	cmd.exe
PID 1840 wrote to memory of 4632	1840	Discord rat.exe	cmd.exe
PID 1840 wrote to memory of 2288	1840	Discord rat.exe	NetSh.exe
PID 1840 wrote to memory of 2288	1840	Discord rat.exe	NetSh.exe
PID 1840 wrote to memory of 3368	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3368	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3368	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3368	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3368	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3368	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3368	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3368	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3368	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3368	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 3368	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 2568	1840	Discord rat.exe	powershell.exe
PID 1840 wrote to memory of 2568	1840	Discord rat.exe	powershell.exe
PID 1840 wrote to memory of 368	1840	Discord rat.exe	cmd.exe
PID 1840 wrote to memory of 368	1840	Discord rat.exe	cmd.exe
PID 1840 wrote to memory of 2336	1840	Discord rat.exe	NetSh.exe
PID 1840 wrote to memory of 2336	1840	Discord rat.exe	NetSh.exe
PID 1840 wrote to memory of 4008	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4008	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4008	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4008	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4008	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4008	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4008	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4008	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4008	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4008	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 4008	1840	Discord rat.exe	dllhost.exe
PID 1840 wrote to memory of 1536	1840	Discord rat.exe	powershell.exe
PID 1840 wrote to memory of 1536	1840	Discord rat.exe	powershell.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:376

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{52940a2f-ad80-4aef-9c4c-3ca9629457c1}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4320

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{6d3e2d6c-a75b-44aa-b5b1-e5fda0b51469}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3800

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{bbcb366c-8240-4bd6-ba93-77d63176498f}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3368

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{179bf18b-bf2a-4c6b-8bc3-0196c7ab2076}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{849c9057-09f8-4119-bb46-34f3aebd4144}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5008

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{6eae9b5d-d22e-4d4f-93c9-4d5fece88541}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f7ec42fe-01c6-4f9f-b389-da11f0d6b340}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{6abdba20-440f-485a-a8bc-54f1b6c26b99}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{1aa23f33-e54c-4ebd-beea-385dbee181ed}
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:6036

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{37fc79b4-77fc-4a48-8ede-5f76903f8ccc}
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3564

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{4ad87a93-b128-4405-85f9-da9c3a6c9f7e}
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3464

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e6e1a0f4-f7c2-4cad-995d-f57b38c5d138}
2⤵
PID:3580

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c38f1c5d-d2ab-47c0-87ef-54297da70128}
2⤵
PID:5256

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{5f9bf16a-da77-4fe9-a21c-43da15eff67e}
2⤵
PID:6056

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{00948760-63c0-4d64-9e80-dd8581d13470}
2⤵
PID:5208

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{81498e3e-66b1-45c3-a3db-8b7b5f546115}
2⤵
PID:3648

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{0401f8a5-8665-4bd8-b295-c44e48ea59fc}
2⤵
PID:3124

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{5d195ce1-7b1b-463c-b5b3-bc7754a6f005}
2⤵
PID:6012

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{b01daf34-46ed-471e-8b49-3b8de7ccf284}
2⤵
PID:1996

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{bced9c53-1742-427d-9708-274ab703efc7}
2⤵
PID:6612

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ea31640e-b4b0-4e06-8c69-27411431b846}
2⤵
PID:6824

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c37684f4-f25d-45b9-8952-613faca5520b}
2⤵
PID:5928

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f5a9cbe4-ad2b-4f17-b129-52cfd6042a30}
2⤵
PID:7036

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{115997a0-3a3f-4117-9852-9968f8e1db2f}
2⤵
PID:6424

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f48e6c19-8bc4-4170-970c-c256e1adc156}
2⤵
PID:6372

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{51d6ebf9-b89f-47cc-9a12-3746a35d75b0}
2⤵
PID:6940

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{fcbdf152-1169-4675-99fd-05a4e6919441}
2⤵
PID:6492

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{9219d81e-73d6-43da-ac4d-18b67c557f09}
2⤵
PID:6324

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{8da421f8-ddd0-4730-8b3e-dd466e6e32f8}
2⤵
PID:7880

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:760

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1212

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
- Drops file in System32 directory
PID:1224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1396

C:\Windows\system32\sihost.exe
sihost.exe
2⤵
PID:2992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1496

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1664

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1712

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1824

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1832

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:2012

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:2020

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2180

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2272

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2344

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2548

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2676

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2700

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2728

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:3000

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:3020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3344

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3424

C:\Users\Admin\AppData\Local\Temp\Discord rat.exe
"C:\Users\Admin\AppData\Local\Temp\Discord rat.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4300

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:1988

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:4632

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1208

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:368

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4912

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:2336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:4480

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3588

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1172

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:4128

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:2376

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:4248

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2544

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4400

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3628

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3788

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:6076

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5696

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:3472

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5784

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1072

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5824

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:1900

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5124

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:4460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:1992

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4560

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:4088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of AdjustPrivilegeToken
PID:5516

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5236

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:5168

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:3440

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:3468

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:3008

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:6096

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:5244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:5520

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:5252

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:3456

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:6100

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:384

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:6068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:3960

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:2100

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:1624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1968

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:5324

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:2800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pornhub.com/
3⤵
PID:1644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd852446f8,0x7ffd85244708,0x7ffd85244718
4⤵
PID:3480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,16422689123540765136,9798174746535976898,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
4⤵
PID:5700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,16422689123540765136,9798174746535976898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3
4⤵
PID:5176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,16422689123540765136,9798174746535976898,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
4⤵
PID:5548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16422689123540765136,9798174746535976898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
4⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16422689123540765136,9798174746535976898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
4⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16422689123540765136,9798174746535976898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
4⤵
PID:5916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16422689123540765136,9798174746535976898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
4⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,16422689123540765136,9798174746535976898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 /prefetch:8
4⤵
PID:6192

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,16422689123540765136,9798174746535976898,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 /prefetch:8
4⤵
PID:6844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16422689123540765136,9798174746535976898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
4⤵
PID:7280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16422689123540765136,9798174746535976898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
4⤵
PID:7236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16422689123540765136,9798174746535976898,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
4⤵
PID:6540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,16422689123540765136,9798174746535976898,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
4⤵
PID:6184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1744

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:5336

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:5260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:5932

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:5516

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:2280

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:4056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:392

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:4964

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:4300

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:6624

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:6668

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:6676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:6880

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:6940

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:6952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:6148

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:6236

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:6184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:4816

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:6280

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:5056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:6232

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:6276

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:6804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:8088

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:8080

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:8092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:1408

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:3972

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:6984

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:5124

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:6124

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:6400

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:6436

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:6860

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:6712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
3⤵
- Command and Scripting Interpreter: PowerShell
PID:6404

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
3⤵
PID:7696

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
3⤵
- Modifies Windows Firewall
PID:5156

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\cool.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:5848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3552

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3736

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3924

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3664

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4520

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4252

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1076

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:1436

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:1648

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:1676

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4232

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3084

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4876

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2004

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:2380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:5036

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 224e3a3a2ad5f5fc0d0a420d7eca66e4 Yu+mKjvT7kGEixetXYfAPw.0.1.0.0.0
1⤵
- Modifies data under HKEY_USERS
PID:5732

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
2⤵
PID:5744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4080

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5748

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WERB4B9.tmp.csv
Filesize
66KB

MD5
b064342e3bea4d8421aa1a581629aa01

SHA1
d61acc7c5a53960af6a0605a7429676f6a42c3a7

SHA256
f743c0931a2bc1952f7f4465a02c0d94a841081ea0ce9e41eacf09899aef0aff

SHA512
9f0f82063fb2af86aeb8d63be14c3001ad6801761a9a44812a35363254d2520d552546ca4a55f88114c54522595f8150eb020777627d1786eb3604dedb4e1a1d

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WERB537.tmp.txt
Filesize
13KB

MD5
0c2635f238f4e94fa2e49247ce4c7b75

SHA1
773ed7d9a09289421fa83531a32dee0aa46218f3

SHA256
f37588b64d9d65a46502489900ce2ae040173bfa8e25864b828bd00664b19c4c

SHA512
27a222275f564d0851b04964126445eca57cf71ba047e3cf97b8a47331ea546300f0007e2a2e06b9a4bfca9f8c5c182998ded59e0ceae94127bf5c92683f7389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b4a74bc775caf3de7fc9cde3c30ce482

SHA1
c6ed3161390e5493f71182a6cb98d51c9063775d

SHA256
dfad4e020a946f85523604816a0a9781091ee4669c870db2cabab027f8b6f280

SHA512
55578e254444a645f455ea38480c9e02599ebf9522c32aca50ff37aad33976db30e663d35ebe31ff0ecafb4007362261716f756b3a0d67ac3937ca62ff10e25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c5abc082d9d9307e797b7e89a2f755f4

SHA1
54c442690a8727f1d3453b6452198d3ec4ec13df

SHA256
a055d69c6aba59e97e632d118b7960a5fdfbe35cfdfaa0de14f194fc6f874716

SHA512
ad765cddbf89472988de5356db5e0ee254ca3475491c6034fba1897c373702ab7cfa4bd21662ab862eebb48a757c3eb86b1f8ed58629751f71863822a59cd26c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
816B

MD5
5863e3be415af16e1443a35341174cdd

SHA1
cc2897ed6f571257528ac84fd49d99d06d93149a

SHA256
8d975eefb1ff73a52550db5da545fef59eb8f659fff347601c7da2a3ebaed018

SHA512
e40d295bd9250e731f7afc04e3bb06c2d879e33285da694f4a001f858c7bac6cb7aa5f2586cc414d02db59e696542072d635b006232a527b160a583d043d5c11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
18027d56de4ea1e76beb308a49ca2df2

SHA1
a7c9f691177a629fcd8b30b65f29cb10a4c470a8

SHA256
8d3febc83b23d6fd1f18690e653c5d461d94c6da17735daa73e268c507cebe5d

SHA512
5e46d4d3a015473ed252d0956005f5c7317a1f0954964f2cf5251a8ee86a254763728011a47c5646689753e279af5605d3d13132463c70b74cd55732256888a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
074ef9a739b49cff28e3161c9176bbf2

SHA1
24febe1b87467c26a3e7b430f0e3bb327e310ee7

SHA256
10cd67796c8a682fe3c4fd18f3e29b9390ec2cfc1b69ace73d9cc5c676bdd76f

SHA512
0d4ad5b3bffdd64bdae5bf3456ed455da90018a7abd92f8ac90257f2bbe45a381e6e48242ba60fbc355d628214cdeba3558b98b274affb971a09971d49c227e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
2f47a5c6356996f226f3318f78e53636

SHA1
0b81efbb501003af455bc96ed554ae1dcd5903c6

SHA256
ae96254be4647c03366beedae716a7aeaf3ddcb3d55622d12cbeb80cdd345ea3

SHA512
eda0ba59b5c2f863e827b0e0834e9749de3353cafecaa2cc0513c3e3f938f178913cc97385c87baf96d6856d8191f97d8f48fa035311e2cf5467ff9d952be15c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e2efbfd23e33d8d07d019bdd9ca20649

SHA1
68d3b285c423d311bdf8dc53354f5f4000caf386

SHA256
f4386e3a103dafd6e85bebc2ad649069d168b4da8a0ded51b3ec96fa1408a828

SHA512
b7a961002557ff2efb785f756c9347e250392eab3dcb5168c67e89238e85368a41d0a5bdc94bfbbc192ba427c83e982234b3cf8824b166a69973f3f9df177443

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
8b0c538d5abf34a820cb7f9db8f7f8d5

SHA1
6b3f6950b1786fcd55fabbdc7b22b06e50be7046

SHA256
7f914b156618a3d38ee14d6adf4f0ff50796582bf06150771a938051178e61a4

SHA512
120f2b568582719ae2dea5b42b4bd679071269ccc9106d51446a595a70b9b6cf75c08fe53666f6d8bea469288945f278d6990ded02a8d29c2d500681364aee36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2369bbb2c26bb259a7cb3d872be81aaf

SHA1
31f19466344ad63e22da94aa37c9f2d6866fd653

SHA256
59bf4e18373186725669d90c11001949b0d639b1cb35b41593d986de75d7998f

SHA512
c6a68d947dd81797567b1a4e09e0b135352e6282e6e3328114aaa508282defe4b63b1527ae219db931321ae18bcc1755cf9adaec51ed633cf4441cee59ec340b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
87710d90c6f6fd01fd6c58ed33b40b08

SHA1
16f74fba4891c24d5dde0c2911d39bbee5a059e3

SHA256
9da5fe088f7f3da66368c88020cd77b42dc817c97631c0dabce87a39d706eef6

SHA512
b0afd32e7eb777f16f27b15820d93ec811a095b8a67827c4ae4e81018cae5d5dca84f21b58bb0f79eeaa8d9fde3f6fe816aa2a92b6603ba2e66960b60943faef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
1db603eb97fe7f53cec494c6bda708fa

SHA1
62eae65be71e756be720c83d846a0ec6cc4a7da6

SHA256
b1381bb40f4d49928f025366439d38f18a0683ee0e100a5fc38ad22639bfdf4c

SHA512
13d8cfc5eacc9e7ad5761614472dc7d1d1108be3dd2e1a036ec2d64be35b44480365a040c506bbf5a3b93cfdb3a25a7b9376f6771dd79d0d8eeea8abe98a98b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
fb1fbb8252c33d25c03eec10a34da80a

SHA1
48ab9995c432b77e1dff35fd4146be75f5e5bdaf

SHA256
82b5fe563b356199e8b36b9e4939a1a70109f47c8876819217ab7ed757bf77d8

SHA512
3b70a72bab968657d5cc6eae40676ccdaf78e4995f3ed5e72b5e5d7e2224f3a9b48d5f52df0ca44079d2c3c57ea9f16c8612487ea36e21414a4622739a8d3cf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e6717ba4a6f3158a7c937a2ff0900097

SHA1
e52aca0214f1e7a99ffe0c49d3cee9151ec3c9db

SHA256
2709593371e03f0b4c46036b9200b7cdd0b12fe18162d767c8542df019c2bf54

SHA512
9e115fd0adec8b0bfb50f105eb09e669a1636ecad4ea1ab99dacaf69f9975bb2f4d07458f6b5bd7f938cb6352d91ee26f727061410d0af0bd239392f3deed651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
1dd8648df1581687db3c443025ee7399

SHA1
f28080fdbaf8533003d8a512ce7bf639759cfd08

SHA256
895eb57409991d9c805c91cc89dbfae5828e8355fe02628c390b2fbe1a75cf6c

SHA512
15bf22009876753580dc12fbbf5f8a8cd5c4d99fecad016f67b817b9d4b10f4fd2c2473483dd94490c26b8c4962397d1c134bfc00a7a88a7b246cd2f4d66c9e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9ed50c0721b3a3ed4c6269522631568d

SHA1
7aec35522a022448e967b91536d7eddcc09eff66

SHA256
50035ef4f5c552ba6a42519de63047916764c029e7690db8367efb5efff57a75

SHA512
a1010ea9e5857270c90af1b50855cb0bdffcc5c260c2d58acb5dc25fd94ced8999d907aedf296ee1f68c07b4929f7305baf36360a27976f17a6712b17ab4ab2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
7d9ecfe610b58440e18d2bffe5167d71

SHA1
7afeed064042ef5e614228f678a0c595699c3d84

SHA256
2c42082be2718281fe2a2bf0136bf417ff214ce7c36bc22a40d23adb1d026632

SHA512
017a63c4b81cd256adec796b9258fbae464d32af59cb654a81dd157e02896f50a252c25b6eac07fc6cb44a493b477e7debfaf9999c854dbd3fb34e24ef443c29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c08aea9c78561a5f00398a723fdf2925

SHA1
2c880cbb5d02169a86bb9517ce2a0184cb177c6e

SHA256
63d2688b92da4d1bb69980b7998b9be1595dd9e53951434a9414d019c4f825a7

SHA512
d30db2f55bbda7102ffe90520d233355633313dcc77cdb69a26fdbb56e59dd41793def23d69dc5dc3f94c5bd41d3c26b3628886fd2edbed2df0b332e9a21f95c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
f31e01f2c0e458c7be9f6286e3c9a082

SHA1
97c7519c186fee0eeb94b3e8beda064c0ffd763a

SHA256
b953e3702f77e38c32d149a47ca2f8e3325a4f141eff9ede67f695a5d058ed4c

SHA512
99e88d97cd3fc1e8baa1e1315d4c7ed0af76696f78c964994e588b6d781bd771f2441769511773f09966d8cb1b64645ac0a527917ec36d4541c52da5968809ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
e60eb305a7b2d9907488068b7065abd3

SHA1
1643dd7f915ac50c75bc01c53d68c5dafb9ce28d

SHA256
ad07460e061642c0dd4e7dfa7b821aacce873e290389e72f708e9f3504f9d135

SHA512
95c45afec6fa4e0b2a21edd10a6b2dc30568810c67bc9bc34d98ab111c48261f377a370583adb27e08616b0108026c119493b1b093b52ce931117e646b46cb7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
eb1ad317bd25b55b2bbdce8a28a74a94

SHA1
98a3978be4d10d62e7411946474579ee5bdc5ea6

SHA256
9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

SHA512
d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9c740b7699e2363ac4ecdf496520ca35

SHA1
aa8691a8c56500d82c5fc8c35209bc6fe50ab1d9

SHA256
be96c91b62ba9ba7072ab89e66543328c9e4395150f9dbe8067332d94a3ecc61

SHA512
8885683f96353582eb871209e766e7eba1a72a2837ce27ea298b7b5b169621d1fa3fce25346b6bfd258b52642644234da9559d4e765a2023a5a5fc1f544cc7af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sst1r3pl.ylj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98B6.tmp.png
Filesize
22.5MB

MD5
3ca0d0466f82ce5d217bc6f35d03404e

SHA1
e338046a2b79c017f533bed1d4b570b1e1501d06

SHA256
1a1081df45b5eec233dd8b066913ff52c23a55f2859a7c6275ae5b44f6c67022

SHA512
5a2462e212071a7b8a94729d8e139407d27427cb1dfc62628f15cac8fb4699f8f960387469dd09ea01c8d10548272fbbf85767e14eb41d8f0230fa61f1a7b23d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\5f7b5f1e01b83767.automaticDestinations-ms
Filesize
9KB

MD5
453b83a1f9896899975b57203c0eca51

SHA1
38d3a09495d6fe0c2e9421eba606e91274318df4

SHA256
24c982a840d0a1ee5f262fe91d5acc48052040faf92057e08a60c6a770da13d6

SHA512
7c22f31a445c5f9a2068a19594b34f1a00b5458d99ba6c814f3d6a8c39b295227cc799dac4b34e3f409723aa437c15bea7930ee801d13365ce90b2c9c0649ab8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\9b9cdc69c1c24e2b.automaticDestinations-ms
Filesize
3KB

MD5
3a8c5475a79477b4e726bc0c06ce726a

SHA1
bc1e577738533bb84f4c9fb2f5932e62627a7fc5

SHA256
79e1b6347b6f10b05df23c514c51521fa2b4972f046e6543b75b3969191db5ab

SHA512
16c1fa5e79b6a1b41bebbcd946323959943bc9c2b44d6e18d9cfd4e256a855eb0f6849a30385e57d370d29c0d0e2c335650d2ac8d34db30b601906ad7058b1fe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms
Filesize
7KB

MD5
b64c2132df3793fc83df1924f61f7304

SHA1
0eb1e2045d057d93486da30600575ae07a5b7b77

SHA256
524010fcf8b2746e79c674b9fc3eab485177ba0f9177d3a178b9736150012363

SHA512
c597de96bdf26f7b300d12896febebe387f82289f37c5565fdb857474b1a77343cb11fb7cf230b09951effe935e6e0cd625a3fb8e47ee9cce8f750ebd525064c

Download Submit
C:\Windows\Logs\CBS\CBS.log
Filesize
1KB

MD5
30fb9f77ef8e825d6b8ae8ef677f6027

SHA1
dc6da9a5a71f10f830ccbe8115e1927872a7e4e1

SHA256
27e5b53866a3ea91a180820cc9ded6b503392fb1f720d7bbab742825a85fbe31

SHA512
cde914077b87c018766cfe126cf00f2fb0ae09f4c642fe74cea971bf476be7e29cc6ff2ee57c482159a4aad0adadd73872efb045f4f157bbcb0afb8ae7e81ef2

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work
Filesize
2KB

MD5
f313c5b4f95605026428425586317353

SHA1
06be66fa06e1cffc54459c38d3d258f46669d01a

SHA256
129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b

SHA512
b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work
Filesize
2KB

MD5
7d612892b20e70250dbd00d0cdd4f09b

SHA1
63251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5

SHA256
727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02

SHA512
f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1

Download Submit
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work
Filesize
2KB

MD5
0b990e24f1e839462c0ac35fef1d119e

SHA1
9e17905f8f68f9ce0a2024d57b537aa8b39c6708

SHA256
a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a

SHA512
c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4

Download Submit
\??\pipe\LOCAL\crashpad_1644_PABFSLIESTJWOTEA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/376-158-0x000002A714890000-0x000002A7148BA000-memory.dmp

Filesize
168KB

Download
memory/376-159-0x00007FFD6BDD0000-0x00007FFD6BDE0000-memory.dmp

Filesize
64KB

Download
memory/616-148-0x000002F77C1D0000-0x000002F77C1F3000-memory.dmp

Filesize
140KB

Download
memory/616-149-0x000002F77C5F0000-0x000002F77C61A000-memory.dmp

Filesize
168KB

Download
memory/616-150-0x00007FFD6BDD0000-0x00007FFD6BDE0000-memory.dmp

Filesize
64KB

Download
memory/680-153-0x000001B632560000-0x000001B63258A000-memory.dmp

Filesize
168KB

Download
memory/680-154-0x00007FFD6BDD0000-0x00007FFD6BDE0000-memory.dmp

Filesize
64KB

Download
memory/820-102-0x00007FFDAA010000-0x00007FFDAA0CE000-memory.dmp

Filesize
760KB

Download
memory/820-100-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/820-101-0x00007FFDABD50000-0x00007FFDABF45000-memory.dmp

Filesize
2.0MB

Download
memory/1492-129-0x00007FFDAA010000-0x00007FFDAA0CE000-memory.dmp

Filesize
760KB

Download
memory/1492-128-0x00007FFDABD50000-0x00007FFDABF45000-memory.dmp

Filesize
2.0MB

Download
memory/1492-127-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1840-56-0x00007FFDABD50000-0x00007FFDABF45000-memory.dmp

Filesize
2.0MB

Download
memory/1840-82-0x00007FFDABD50000-0x00007FFDABF45000-memory.dmp

Filesize
2.0MB

Download
memory/1840-124-0x00007FFDABD50000-0x00007FFDABF45000-memory.dmp

Filesize
2.0MB

Download
memory/1840-6-0x00007FFDABD50000-0x00007FFDABF45000-memory.dmp

Filesize
2.0MB

Download
memory/1840-7-0x00007FFDAA010000-0x00007FFDAA0CE000-memory.dmp

Filesize
760KB

Download
memory/1840-5-0x0000025232DB0000-0x0000025232DEE000-memory.dmp

Filesize
248KB

Download
memory/1840-88-0x00007FFDABD50000-0x00007FFDABF45000-memory.dmp

Filesize
2.0MB

Download
memory/1840-4-0x0000025233740000-0x0000025233C68000-memory.dmp

Filesize
5.2MB

Download
memory/1840-1-0x0000025218840000-0x0000025218858000-memory.dmp

Filesize
96KB

Download
memory/1840-24-0x00007FFDABD50000-0x00007FFDABF45000-memory.dmp

Filesize
2.0MB

Download
memory/1840-3-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmp

Filesize
10.8MB

Download
memory/1840-4130-0x00007FFD8DD63000-0x00007FFD8DD65000-memory.dmp

Filesize
8KB

Download
memory/1840-62-0x00007FFDABD50000-0x00007FFDABF45000-memory.dmp

Filesize
2.0MB

Download
memory/1840-4138-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmp

Filesize
10.8MB

Download
memory/1840-25-0x00007FFDAA010000-0x00007FFDAA0CE000-memory.dmp

Filesize
760KB

Download
memory/1840-2-0x0000025232E40000-0x0000025233002000-memory.dmp

Filesize
1.8MB

Download
memory/1840-0-0x00007FFD8DD63000-0x00007FFD8DD65000-memory.dmp

Filesize
8KB

Download
memory/3368-37-0x00007FFDAA010000-0x00007FFDAA0CE000-memory.dmp

Filesize
760KB

Download
memory/3368-35-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3368-36-0x00007FFDABD50000-0x00007FFDABF45000-memory.dmp

Filesize
2.0MB

Download
memory/3800-30-0x00007FFDABD50000-0x00007FFDABF45000-memory.dmp

Filesize
2.0MB

Download
memory/3800-29-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/3800-31-0x00007FFDAA010000-0x00007FFDAA0CE000-memory.dmp

Filesize
760KB

Download
memory/4008-60-0x00007FFDABD50000-0x00007FFDABF45000-memory.dmp

Filesize
2.0MB

Download
memory/4008-59-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4008-146-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4008-61-0x00007FFDAA010000-0x00007FFDAA0CE000-memory.dmp

Filesize
760KB

Download
memory/4188-85-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4188-86-0x00007FFDABD50000-0x00007FFDABF45000-memory.dmp

Filesize
2.0MB

Download
memory/4188-87-0x00007FFDAA010000-0x00007FFDAA0CE000-memory.dmp

Filesize
760KB

Download
memory/4300-15-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmp

Filesize
10.8MB

Download
memory/4300-66-0x00007FFD8DD60000-0x00007FFD8E821000-memory.dmp

Filesize
10.8MB

Download
memory/4300-21-0x00000231EAD50000-0x00000231EAD72000-memory.dmp

Filesize
136KB

Download
memory/4300-14-0x00007FFD8DD63000-0x00007FFD8DD65000-memory.dmp

Filesize
8KB

Download
memory/4320-13-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4320-8-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4320-11-0x00007FFDABD50000-0x00007FFDABF45000-memory.dmp

Filesize
2.0MB

Download
memory/4320-12-0x00007FFDAA010000-0x00007FFDAA0CE000-memory.dmp

Filesize
760KB

Download
memory/4320-10-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4320-9-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5008-71-0x00007FFDAA010000-0x00007FFDAA0CE000-memory.dmp

Filesize
760KB

Download
memory/5008-70-0x00007FFDABD50000-0x00007FFDABF45000-memory.dmp

Filesize
2.0MB

Download
memory/5008-69-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads