Malware Analysis Report

2025-04-03 08:56

Sample ID 230123-vyevwsfh9t
Target 8862106294.zip
SHA256 b21293d38f5b89444a9e4e4bed355346398e21b2654640496ed07077d55d60ea
Tags
aurora persistence stealer
score
10/10


Analysis Overview

score
10/10

SHA256

b21293d38f5b89444a9e4e4bed355346398e21b2654640496ed07077d55d60ea

Threat Level: Known bad

The file 8862106294.zip was found to be: Known bad.

Malicious Activity Summary

aurora persistence stealer

Aurora: family match for the Aurora stealer.

Executes dropped EXE: Python_Launcher.exe extracts yeahprogov.exe into ...\Temp\IXP000.TMP and runs it. The IXP000.TMP directory and the wextract_cleanup0 RunOnce value recorded below are the fingerprints of a wextract / IExpress self-extracting package, so the so-called Python installer is a wrapper around the stealer.

Loads dropped DLL

Checks computer location settings: yeahprogov.exe reads Control Panel\International\Geo\Nation (behavioral2 only), a common geofencing check.

Adds Run key to start application: the only value written is RunOnce\wextract_cleanup0, whose command is rundll32.exe advpack.dll,DelNodeRunDLL32 "...\IXP000.TMP\". That entry deletes the extraction directory at the next logon and does not relaunch anything; it is the self-extractor's standard cleanup, not persistence for the stealer. No other Run/RunOnce value, service or scheduled task appears in either detonation, so the "persistence" tag is not supported by what was recorded.

Suspicious use of SetThreadContext: yeahprogov.exe (PID 696 in behavioral1, 1248 in behavioral2) starts a second copy of itself (PID 1924 / 4220), writes into it repeatedly and then sets its thread context; the sandbox dumps the child's image region 0x00400000-0x00876000. This is the process hollowing / self-injection pattern: the unpacked stealer runs in the child, and that dump is the one to analyse.

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses: both PowerShell children (behavioral1).

Suspicious use of AdjustPrivilegeToken: SeDebugPrivilege is requested by yeahprogov.exe and by both PowerShell children in both detonations.

Suspicious use of WriteProcessMemory: the writes along Python_Launcher.exe -> yeahprogov.exe -> cmd.exe -> powershell.exe are three or four per spawn and consistent with process creation; the twelve (behavioral1) / eleven (behavioral2) writes from yeahprogov.exe into its own child are the injection.

Not raised as a signature, but visible in the Processes sections of both detonations: the two PowerShell invocations use -ENC. Decoded (base64 over UTF-16LE) they are:

start-sleep -seconds 37

set-mppreference -exclusionpath C:\

That is a 37-second delay (a sandbox and EDR evasion tactic) followed, via cmd.exe /c powershell, by a Windows Defender exclusion for the whole system drive. Set-MpPreference needs administrative rights; the report does not show whether the call succeeded, but on a host where it does, nothing under C:\ is scanned by Defender afterwards. The encoded form hides both commands from naive command-line matching, so detection logic should decode -ENC / -EncodedCommand arguments before matching on them.

Network: 79.137.206.138:8081 (tcp) is contacted in both detonations (3 and 23 connections) and is the only destination common to both, which makes it the C2 candidate. The remaining behavioral2 destinations are port 80/443 connections absent from the Windows 7 run and look like background traffic of the Windows 10 image; check them against a clean baseline of the same sandbox image before adding them to an indicator set.

Files: behavioral1 records three different SHA256 values for the path ...\IXP000.TMP\yeahprogov.exe (62ee6a526bf001a9..., a5f4786186fd47ac..., 418a26c31966d3a0...); only the first reappears in behavioral2. All three belong in the indicator set.

Analysis: static1

Detonation Overview

Reported

2023-01-23 17:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-23 17:23

Reported

2023-01-23 17:28

Platform

win7-20220812-en

Max time kernel

117s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe"

Signatures

Aurora

stealer aurora

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 696 set thread context of 1924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the last column gives how many times the row was recorded.

Description Indicator Process Target Count
PID 1460 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe 4
PID 696 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
PID 696 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe C:\Windows\SysWOW64\cmd.exe 4
PID 468 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 4
PID 696 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe 12
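Reading the SetThreadContext and WriteProcessMemory tables together is what turns these rows into a verdict: a parent writing a few times into a child it has just created is what CreateProcess looks like to the sandbox, whereas a run of writes into a child running the same image, followed by SetThreadContext on that child, is the process hollowing pattern. The Python below is an added example and not part of the sandbox report: it parses rows in the format of the tables above (copied from this page, with the number of times each identical row appears), aggregates them per source/target PID pair and rates each pair. The four-writes-per-spawn threshold and the verdict labels are assumptions of this example, not sandbox signatures.

```python
import re
from collections import defaultdict

# Rows copied from the behavioral1 SetThreadContext and WriteProcessMemory tables of this
# report, as (row, number of times the identical row appears).
REPORT_ROWS = [
    (r"PID 696 set thread context of 1924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe", 1),
    (r"PID 1460 wrote to memory of 696 N/A C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe", 4),
    (r"PID 696 wrote to memory of 964 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", 4),
    (r"PID 696 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe C:\Windows\SysWOW64\cmd.exe", 4),
    (r"PID 468 wrote to memory of 1184 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", 4),
    (r"PID 696 wrote to memory of 1924 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe", 12),
]

# Row layout is "Description Indicator Process Target" with Indicator always N/A.
# The paths in this report contain no spaces, which the \S+ groups rely on.
_ROW_RE = re.compile(
    r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (\S+) (\S+)$"
)

# Assumption of this example, not a sandbox threshold: a parent writing up to this many
# times into a child with a different image is what process creation looks like here.
SPAWN_WRITE_LIMIT = 4


def parse_row(row):
    """Split one signature row into (src_pid, action, dst_pid, src_image, dst_image)."""
    m = _ROW_RE.match(row)
    if m is None:
        raise ValueError("unrecognised row: " + row)
    src, action, dst, src_img, dst_img = m.groups()
    return int(src), action, int(dst), src_img, dst_img


def correlate(rows):
    """Aggregate the rows per (source PID, target PID) and rate each pair."""
    pairs = defaultdict(lambda: {"writes": 0, "set_ctx": 0, "src_img": None, "dst_img": None})
    for row, count in rows:
        src, action, dst, src_img, dst_img = parse_row(row)
        pair = pairs[(src, dst)]
        pair["src_img"], pair["dst_img"] = src_img, dst_img
        if action == "wrote to memory of":
            pair["writes"] += count
        else:
            pair["set_ctx"] += count

    findings = []
    for (src, dst), pair in sorted(pairs.items()):
        if pair["set_ctx"] and pair["src_img"] == pair["dst_img"]:
            verdict = "self-injection"   # same image, writes, then SetThreadContext: hollowing
        elif pair["set_ctx"]:
            verdict = "cross-injection"  # SetThreadContext into a process with another image
        elif pair["writes"] > SPAWN_WRITE_LIMIT:
            verdict = "bulk-writes"      # too many for process creation; look for other primitives
        else:
            verdict = "spawn-writes"     # consistent with CreateProcess, low signal on its own
        findings.append({"src": src, "dst": dst, "writes": pair["writes"],
                         "set_ctx": pair["set_ctx"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in correlate(REPORT_ROWS):
        print(f"{f['src']} -> {f['dst']}: {f['writes']} writes, "
              f"{f['set_ctx']} SetThreadContext -> {f['verdict']}")
```

Run against the rows above, only the 696 -> 1924 pair is rated self-injection; the four parent-to-child pairs along the launcher, cmd.exe and powershell.exe chain fall under the spawn threshold and are rated as process-creation noise.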

Processes

C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA3AA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe
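The -ENC arguments in the process list above are base64 over the UTF-16LE bytes of the script text, which is what powershell.exe -EncodedCommand expects. The following Python is an added example, not part of the sandbox report: it pulls the encoded argument out of each command line (powershell.exe accepts any prefix of -EncodedCommand such as -e or -enc, plus the alias -ec, case-insensitively; other -e switches like -ExecutionPolicy are ignored), decodes it, and labels what the decoded command does. The command lines are copied from this report; the classification labels are this example's own and not sandbox signatures.

```python
import base64
import re

# Command lines copied from the behavioral1 Processes section of this report.
REPORT_COMMAND_LINES = [
    r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA3AA==',
    r'"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==',
    r'powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==',
]

# A switch starting with -e followed by a base64 token. Which -e switches actually mean
# EncodedCommand is decided in extract_encoded_command, not by the regex.
_SWITCH_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]+)")


def extract_encoded_command(cmdline):
    """Return the base64 token given to -EncodedCommand, or None if there is none."""
    for m in _SWITCH_RE.finditer(cmdline):
        switch = m.group(1).lower()
        # powershell.exe accepts any prefix of "encodedcommand" and the alias "ec";
        # "executionpolicy" is neither, so -ExecutionPolicy Bypass is skipped.
        if switch == "ec" or "encodedcommand".startswith(switch):
            return m.group(2)
    return None


def decode_encoded_command(token):
    """-EncodedCommand is base64 over the UTF-16LE bytes of the script text."""
    raw = base64.b64decode(token, validate=True)
    if len(raw) % 2:
        raise ValueError("not UTF-16LE: odd byte count")
    return raw.decode("utf-16-le")


def classify(decoded):
    """Labels used by this example (not sandbox signatures) for what the command does."""
    text = " ".join(decoded.lower().split())
    if "set-mppreference" in text:
        # Any Set-MpPreference from a dropped binary is Defender tampering; an
        # -Exclusion* parameter is the specific case seen in this report.
        return "defender-exclusion" if "exclusion" in text else "defender-tamper"
    if "start-sleep" in text:
        return "sleep-delay"
    return "other"


def triage(command_lines):
    """Decode every encoded PowerShell command line and label it."""
    findings = []
    for cmdline in command_lines:
        token = extract_encoded_command(cmdline)
        if token is None:
            continue
        decoded = decode_encoded_command(token)
        findings.append((decoded, classify(decoded)))
    return findings


if __name__ == "__main__":
    for decoded, label in triage(REPORT_COMMAND_LINES):
        print(f"[{label}] {decoded}")
```

The decoded results for this report are start-sleep -seconds 37 (sleep-delay) and, twice, set-mppreference -exclusionpath C:\ (defender-exclusion): the cmd.exe /c line and the powershell child it spawns carry the same token. The same decode step is what a command-line detection rule needs to do before matching, since neither Set-MpPreference nor Start-Sleep appears in the raw command line.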

Network

No domain was recorded for any connection; identical rows are collapsed with a count.

Country Destination Proto Connections
N/A 79.137.206.138:8081 tcp 3

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe

MD5 b8f4d297ca8d6fd0c502d13477a0c02a
SHA1 08ac6d6451698354f9204a2ac80751e7572f0e0e
SHA256 62ee6a526bf001a942c8af9c4afb3b4ec243b1d566fd0b83c950dcdf02ff836d
SHA512 497633af662c117eadb373ce055a72b91412ee861355321a63ea14712b34c56752c4ecfd423ee3705d02288f14f9fcfb11243876dd5335852d8ea4009ffef1b1

memory/696-54-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe

MD5 b8f4d297ca8d6fd0c502d13477a0c02a
SHA1 08ac6d6451698354f9204a2ac80751e7572f0e0e
SHA256 62ee6a526bf001a942c8af9c4afb3b4ec243b1d566fd0b83c950dcdf02ff836d
SHA512 497633af662c117eadb373ce055a72b91412ee861355321a63ea14712b34c56752c4ecfd423ee3705d02288f14f9fcfb11243876dd5335852d8ea4009ffef1b1

memory/696-57-0x0000000001320000-0x00000000015A8000-memory.dmp

memory/696-58-0x00000000768A1000-0x00000000768A3000-memory.dmp

memory/696-59-0x0000000005D60000-0x0000000005FDA000-memory.dmp

memory/696-60-0x0000000007EF0000-0x00000000080E0000-memory.dmp

memory/696-61-0x0000000005190000-0x0000000005222000-memory.dmp

memory/964-62-0x0000000000000000-mapping.dmp

memory/964-64-0x000000006EEF0000-0x000000006F49B000-memory.dmp

memory/964-65-0x000000006EEF0000-0x000000006F49B000-memory.dmp

memory/964-66-0x000000006EEF0000-0x000000006F49B000-memory.dmp

memory/468-67-0x0000000000000000-mapping.dmp

memory/1184-68-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 fe090f8245267da02b2b1d5af4b7ec1f
SHA1 d36d9f594491353f2e476aa00b56aa89089145e9
SHA256 cbfd1a1a9ec718fc6c18e629c13a59c106ecfee2c9b3d8b42a239c39540be821
SHA512 b464a670fa1357e73e3f2e549ef08d9c5c8475c2fc8254ea476e019518844563f4c15e4c62dd8c18e5421da75939bb5ad046c333e91eb30e2f9c11ff50bc18f2

\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe

MD5 878eaac3fb76b3685c0a798881eed6ff
SHA1 96697d97ec7e8a40c12b824aeb43fa66647d2915
SHA256 a5f4786186fd47ac552d99aa6acc34996313cc45f4f09514953aadab4aa4f5a8
SHA512 ffab6cd5bc820df2d46d69110952475f705ed206408e784d74b97f55a4f9abe38e8928de1d7172a1d6f93acd327002df409e8b8bbeb1b261b2710cf672bc22b3

memory/1924-72-0x0000000000400000-0x0000000000876000-memory.dmp

memory/1924-73-0x0000000000400000-0x0000000000876000-memory.dmp

memory/1924-75-0x0000000000400000-0x0000000000876000-memory.dmp

memory/1924-77-0x0000000000400000-0x0000000000876000-memory.dmp

memory/1924-79-0x0000000000400000-0x0000000000876000-memory.dmp

memory/1924-80-0x0000000000400000-0x0000000000876000-memory.dmp

memory/1924-82-0x0000000000400000-0x0000000000876000-memory.dmp

memory/1924-83-0x0000000000400000-0x0000000000876000-memory.dmp

memory/1924-84-0x0000000000466710-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe

MD5 fdf84889ede11790b8346860b64c9f3c
SHA1 e569c3f9df2fcdd8c6cdc51fa026f580056fc81b
SHA256 418a26c31966d3a0b09ecf226bc26ad99932b088be7473c8003e828770c02611
SHA512 b29ff020a441c98381036e51e57f7665dd97b9969c4305ae0d9bff1555c1776143295ebb8c5f28a583d90cdbcf0151bb801ac71f2f1e6e6dbf15dbbe3a8e1401

memory/1184-87-0x000000006EC30000-0x000000006F1DB000-memory.dmp

memory/1924-88-0x0000000000400000-0x0000000000876000-memory.dmp

memory/1924-89-0x0000000000400000-0x0000000000876000-memory.dmp

memory/1924-90-0x0000000000400000-0x0000000000876000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-23 17:23

Reported

2023-01-23 17:35

Platform

win10v2004-20220812-en

Max time kernel

599s

Max time network

607s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe"

Signatures

Aurora

stealer aurora

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1248 set thread context of 4220 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Identical rows are collapsed; the last column gives how many times the row was recorded.

Description Indicator Process Target Count
PID 952 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe 3
PID 1248 wrote to memory of 3964 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1248 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2200 wrote to memory of 4808 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 3
PID 1248 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe 11

Processes

C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe

"C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA3AA==

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe

Network

No domain was recorded for any connection. Destinations are listed in order of first appearance with the number of connections recorded (33 in total).

Country Destination Proto Connections
N/A 162.159.134.233:443 tcp 1
N/A 162.159.129.233:443 tcp 1
N/A 20.42.72.131:443 tcp 1
N/A 8.253.135.241:80 tcp 2
N/A 209.197.3.8:80 tcp 2
N/A 79.137.206.138:8081 tcp 23
N/A 142.250.179.170:443 tcp 1
N/A 34.104.35.123:80 tcp 2

Files

memory/1248-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe

MD5 b8f4d297ca8d6fd0c502d13477a0c02a
SHA1 08ac6d6451698354f9204a2ac80751e7572f0e0e
SHA256 62ee6a526bf001a942c8af9c4afb3b4ec243b1d566fd0b83c950dcdf02ff836d
SHA512 497633af662c117eadb373ce055a72b91412ee861355321a63ea14712b34c56752c4ecfd423ee3705d02288f14f9fcfb11243876dd5335852d8ea4009ffef1b1

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe

MD5 b8f4d297ca8d6fd0c502d13477a0c02a
SHA1 08ac6d6451698354f9204a2ac80751e7572f0e0e
SHA256 62ee6a526bf001a942c8af9c4afb3b4ec243b1d566fd0b83c950dcdf02ff836d
SHA512 497633af662c117eadb373ce055a72b91412ee861355321a63ea14712b34c56752c4ecfd423ee3705d02288f14f9fcfb11243876dd5335852d8ea4009ffef1b1

memory/1248-135-0x0000000000C40000-0x0000000000EC8000-memory.dmp

memory/1248-136-0x0000000005ED0000-0x0000000006474000-memory.dmp

memory/1248-137-0x0000000005860000-0x00000000058F2000-memory.dmp

memory/1248-138-0x0000000005930000-0x000000000593A000-memory.dmp

memory/1248-139-0x0000000008690000-0x00000000086B2000-memory.dmp

memory/3964-140-0x0000000000000000-mapping.dmp

memory/3964-141-0x0000000004F90000-0x0000000004FC6000-memory.dmp

memory/3964-142-0x0000000005620000-0x0000000005C48000-memory.dmp

memory/3964-143-0x0000000005EB0000-0x0000000005F16000-memory.dmp

memory/3964-144-0x0000000005F90000-0x0000000005FF6000-memory.dmp

memory/3964-145-0x0000000006590000-0x00000000065AE000-memory.dmp

memory/3964-146-0x0000000007BE0000-0x000000000825A000-memory.dmp

memory/3964-147-0x0000000006A60000-0x0000000006A7A000-memory.dmp

memory/2200-148-0x0000000000000000-mapping.dmp

memory/4808-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 6195a91754effb4df74dbc72cdf4f7a6
SHA1 aba262f5726c6d77659fe0d3195e36a85046b427
SHA256 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512 ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

memory/4220-151-0x0000000000000000-mapping.dmp

memory/4220-152-0x0000000000400000-0x0000000000876000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe

MD5 b8f4d297ca8d6fd0c502d13477a0c02a
SHA1 08ac6d6451698354f9204a2ac80751e7572f0e0e
SHA256 62ee6a526bf001a942c8af9c4afb3b4ec243b1d566fd0b83c950dcdf02ff836d
SHA512 497633af662c117eadb373ce055a72b91412ee861355321a63ea14712b34c56752c4ecfd423ee3705d02288f14f9fcfb11243876dd5335852d8ea4009ffef1b1

memory/4220-155-0x0000000000400000-0x0000000000876000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ac3ad4ad47f85e3a95919ee24659a31a
SHA1 f30d6d945a5367419abea40bc9c2f79279b26234
SHA256 49c6d777967bb3424a6302ce176534cb7e6091ac42108e615a0ae1e69def2bfa
SHA512 5b32bc4f35c0abd913551bfbc96fa08d69e067826530fc902b624accb88af3c0efa752364ecb813a5cbf9e06c0e77f38bfa17e3407305bfafac83d3344d98512

memory/4220-157-0x0000000000400000-0x0000000000876000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

memory/4808-159-0x0000000007000000-0x0000000007032000-memory.dmp

memory/4808-160-0x0000000070DD0000-0x0000000070E1C000-memory.dmp

memory/4808-161-0x0000000006FC0000-0x0000000006FDE000-memory.dmp

memory/4808-162-0x0000000007400000-0x000000000740A000-memory.dmp

memory/4808-163-0x00000000075F0000-0x0000000007686000-memory.dmp

memory/4220-164-0x0000000000400000-0x0000000000876000-memory.dmp

memory/4808-165-0x0000000005E90000-0x0000000005E9E000-memory.dmp

memory/4808-166-0x00000000075B0000-0x00000000075CA000-memory.dmp

memory/4808-167-0x0000000007590000-0x0000000007598000-memory.dmp