aurora | c0b6a90bb020f1795ae0c9eacf27dd940a69ca694670c1eb6afdcb65edb9e59b

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2023 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

libreoffice_out.exe
Size

391KB
MD5

d69cc73dfdba7cecce5ec8ba5302991a
SHA1

1a31b98b3a15aa30c9142b2bd6f1fc803219f490
SHA256

c0b6a90bb020f1795ae0c9eacf27dd940a69ca694670c1eb6afdcb65edb9e59b
SHA512

74ebd532c0e79f5b6a72af8dc13cade0909204d3e9af2d89bc89588a0cb45e3909eeaf053d0cb55910a0fbedebda4c8c6485aa81b87034f5e6c5defac37c65d1
SSDEEP

12288:WbCG7F1wjOLak1PCgqaapo2RvxC1WyOPwQOhGwYyY9ZGyooo3RZNzBjlww43vmOC:mzww4fmOa6IglK

Score

10^/10

aurora redline redline discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

redline

Botnet

redline

79.137.133.225:25999

Attributes

auth_value
38284dbf15da9b4a9eaee0ef0d2b343f

Extracted

Family

aurora

79.137.133.225:8081

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tmp98BA.tmp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tmp98BA.tmp.exe

Executes dropped EXE 9 IoCs

Processes:

tmp98BA.tmp.exetmp98CB.tmp.exetmp98EB.tmp.exetmp98EB.tmp.exetmp98CB.tmp.exetmp98CB.tmp.exetmp98BA.tmp.exetmp98CB.tmp.exetmp98BA.tmp.exe

pid	process
4160	tmp98BA.tmp.exe
4648	tmp98CB.tmp.exe
1224	tmp98EB.tmp.exe
452	tmp98EB.tmp.exe
2052	tmp98CB.tmp.exe
2536	tmp98CB.tmp.exe
4028	tmp98BA.tmp.exe
2196	tmp98CB.tmp.exe
3120	tmp98BA.tmp.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp98BA.tmp.exetmp98CB.tmp.exelibreoffice_out.exetmp98EB.tmp.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp98BA.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp98CB.tmp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	libreoffice_out.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp98EB.tmp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

tmp98BA.tmp.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eupdgebosk = "\"C:\\Users\\Admin\\AppData\\Roaming\\Gzjkqcsse\\Eupdgebosk.exe\""	tmp98BA.tmp.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

108 eth0.me

flow	ioc
108	eth0.me

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp98EB.tmp.exetmp98CB.tmp.exetmp98BA.tmp.exe

description	pid	process	target process
PID 1224 set thread context of 452	1224	tmp98EB.tmp.exe	tmp98EB.tmp.exe
PID 4648 set thread context of 2196	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4160 set thread context of 3120	4160	tmp98BA.tmp.exe	tmp98BA.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4112 taskkill.exe

pid	process
4112	taskkill.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

powershell.exepowershell.exepowershell.exetmp98CB.tmp.exetmp98BA.tmp.exetmp98EB.tmp.exetmp98BA.tmp.exe

pid	process
4488	powershell.exe
4168	powershell.exe
4192	powershell.exe
4192	powershell.exe
4168	powershell.exe
4488	powershell.exe
4648	tmp98CB.tmp.exe
4648	tmp98CB.tmp.exe
4648	tmp98CB.tmp.exe
4648	tmp98CB.tmp.exe
4160	tmp98BA.tmp.exe
4160	tmp98BA.tmp.exe
452	tmp98EB.tmp.exe
452	tmp98EB.tmp.exe
3120	tmp98BA.tmp.exe
3120	tmp98BA.tmp.exe
3120	tmp98BA.tmp.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

libreoffice_out.exepowershell.exepowershell.exepowershell.exetmp98CB.tmp.exetmp98BA.tmp.exetmp98EB.tmp.exetmp98BA.tmp.exewmic.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3092	libreoffice_out.exe
Token: SeDebugPrivilege	4192	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	4168	powershell.exe
Token: SeDebugPrivilege	4648	tmp98CB.tmp.exe
Token: SeDebugPrivilege	4160	tmp98BA.tmp.exe
Token: SeDebugPrivilege	1224	tmp98EB.tmp.exe
Token: SeDebugPrivilege	3120	tmp98BA.tmp.exe
Token: SeIncreaseQuotaPrivilege	4008	wmic.exe
Token: SeSecurityPrivilege	4008	wmic.exe
Token: SeTakeOwnershipPrivilege	4008	wmic.exe
Token: SeLoadDriverPrivilege	4008	wmic.exe
Token: SeSystemProfilePrivilege	4008	wmic.exe
Token: SeSystemtimePrivilege	4008	wmic.exe
Token: SeProfSingleProcessPrivilege	4008	wmic.exe
Token: SeIncBasePriorityPrivilege	4008	wmic.exe
Token: SeCreatePagefilePrivilege	4008	wmic.exe
Token: SeBackupPrivilege	4008	wmic.exe
Token: SeRestorePrivilege	4008	wmic.exe
Token: SeShutdownPrivilege	4008	wmic.exe
Token: SeDebugPrivilege	4008	wmic.exe
Token: SeSystemEnvironmentPrivilege	4008	wmic.exe
Token: SeRemoteShutdownPrivilege	4008	wmic.exe
Token: SeUndockPrivilege	4008	wmic.exe
Token: SeManageVolumePrivilege	4008	wmic.exe
Token: 33	4008	wmic.exe
Token: 34	4008	wmic.exe
Token: 35	4008	wmic.exe
Token: 36	4008	wmic.exe
Token: SeIncreaseQuotaPrivilege	4008	wmic.exe
Token: SeSecurityPrivilege	4008	wmic.exe
Token: SeTakeOwnershipPrivilege	4008	wmic.exe
Token: SeLoadDriverPrivilege	4008	wmic.exe
Token: SeSystemProfilePrivilege	4008	wmic.exe
Token: SeSystemtimePrivilege	4008	wmic.exe
Token: SeProfSingleProcessPrivilege	4008	wmic.exe
Token: SeIncBasePriorityPrivilege	4008	wmic.exe
Token: SeCreatePagefilePrivilege	4008	wmic.exe
Token: SeBackupPrivilege	4008	wmic.exe
Token: SeRestorePrivilege	4008	wmic.exe
Token: SeShutdownPrivilege	4008	wmic.exe
Token: SeDebugPrivilege	4008	wmic.exe
Token: SeSystemEnvironmentPrivilege	4008	wmic.exe
Token: SeRemoteShutdownPrivilege	4008	wmic.exe
Token: SeUndockPrivilege	4008	wmic.exe
Token: SeManageVolumePrivilege	4008	wmic.exe
Token: 33	4008	wmic.exe
Token: 34	4008	wmic.exe
Token: 35	4008	wmic.exe
Token: 36	4008	wmic.exe
Token: SeIncreaseQuotaPrivilege	4880	WMIC.exe
Token: SeSecurityPrivilege	4880	WMIC.exe
Token: SeTakeOwnershipPrivilege	4880	WMIC.exe
Token: SeLoadDriverPrivilege	4880	WMIC.exe
Token: SeSystemProfilePrivilege	4880	WMIC.exe
Token: SeSystemtimePrivilege	4880	WMIC.exe
Token: SeProfSingleProcessPrivilege	4880	WMIC.exe
Token: SeIncBasePriorityPrivilege	4880	WMIC.exe
Token: SeCreatePagefilePrivilege	4880	WMIC.exe
Token: SeBackupPrivilege	4880	WMIC.exe
Token: SeRestorePrivilege	4880	WMIC.exe
Token: SeShutdownPrivilege	4880	WMIC.exe
Token: SeDebugPrivilege	4880	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4880	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

libreoffice_out.exetmp98BA.tmp.exetmp98EB.tmp.exetmp98CB.tmp.exetmp98CB.tmp.execmd.exe

description	pid	process	target process
PID 3092 wrote to memory of 4160	3092	libreoffice_out.exe	tmp98BA.tmp.exe
PID 3092 wrote to memory of 4160	3092	libreoffice_out.exe	tmp98BA.tmp.exe
PID 3092 wrote to memory of 4160	3092	libreoffice_out.exe	tmp98BA.tmp.exe
PID 3092 wrote to memory of 4648	3092	libreoffice_out.exe	tmp98CB.tmp.exe
PID 3092 wrote to memory of 4648	3092	libreoffice_out.exe	tmp98CB.tmp.exe
PID 3092 wrote to memory of 4648	3092	libreoffice_out.exe	tmp98CB.tmp.exe
PID 3092 wrote to memory of 1224	3092	libreoffice_out.exe	tmp98EB.tmp.exe
PID 3092 wrote to memory of 1224	3092	libreoffice_out.exe	tmp98EB.tmp.exe
PID 3092 wrote to memory of 1224	3092	libreoffice_out.exe	tmp98EB.tmp.exe
PID 4160 wrote to memory of 4168	4160	tmp98BA.tmp.exe	powershell.exe
PID 4160 wrote to memory of 4168	4160	tmp98BA.tmp.exe	powershell.exe
PID 4160 wrote to memory of 4168	4160	tmp98BA.tmp.exe	powershell.exe
PID 1224 wrote to memory of 4488	1224	tmp98EB.tmp.exe	powershell.exe
PID 1224 wrote to memory of 4488	1224	tmp98EB.tmp.exe	powershell.exe
PID 1224 wrote to memory of 4488	1224	tmp98EB.tmp.exe	powershell.exe
PID 4648 wrote to memory of 4192	4648	tmp98CB.tmp.exe	powershell.exe
PID 4648 wrote to memory of 4192	4648	tmp98CB.tmp.exe	powershell.exe
PID 4648 wrote to memory of 4192	4648	tmp98CB.tmp.exe	powershell.exe
PID 1224 wrote to memory of 452	1224	tmp98EB.tmp.exe	tmp98EB.tmp.exe
PID 1224 wrote to memory of 452	1224	tmp98EB.tmp.exe	tmp98EB.tmp.exe
PID 1224 wrote to memory of 452	1224	tmp98EB.tmp.exe	tmp98EB.tmp.exe
PID 1224 wrote to memory of 452	1224	tmp98EB.tmp.exe	tmp98EB.tmp.exe
PID 1224 wrote to memory of 452	1224	tmp98EB.tmp.exe	tmp98EB.tmp.exe
PID 1224 wrote to memory of 452	1224	tmp98EB.tmp.exe	tmp98EB.tmp.exe
PID 1224 wrote to memory of 452	1224	tmp98EB.tmp.exe	tmp98EB.tmp.exe
PID 1224 wrote to memory of 452	1224	tmp98EB.tmp.exe	tmp98EB.tmp.exe
PID 4648 wrote to memory of 2052	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4648 wrote to memory of 2052	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4648 wrote to memory of 2052	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4648 wrote to memory of 2536	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4648 wrote to memory of 2536	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4648 wrote to memory of 2536	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4160 wrote to memory of 4028	4160	tmp98BA.tmp.exe	tmp98BA.tmp.exe
PID 4160 wrote to memory of 4028	4160	tmp98BA.tmp.exe	tmp98BA.tmp.exe
PID 4160 wrote to memory of 4028	4160	tmp98BA.tmp.exe	tmp98BA.tmp.exe
PID 4648 wrote to memory of 2196	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4648 wrote to memory of 2196	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4648 wrote to memory of 2196	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4648 wrote to memory of 2196	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4648 wrote to memory of 2196	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4648 wrote to memory of 2196	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4648 wrote to memory of 2196	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4648 wrote to memory of 2196	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4648 wrote to memory of 2196	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4648 wrote to memory of 2196	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4648 wrote to memory of 2196	4648	tmp98CB.tmp.exe	tmp98CB.tmp.exe
PID 4160 wrote to memory of 3120	4160	tmp98BA.tmp.exe	tmp98BA.tmp.exe
PID 4160 wrote to memory of 3120	4160	tmp98BA.tmp.exe	tmp98BA.tmp.exe
PID 4160 wrote to memory of 3120	4160	tmp98BA.tmp.exe	tmp98BA.tmp.exe
PID 4160 wrote to memory of 3120	4160	tmp98BA.tmp.exe	tmp98BA.tmp.exe
PID 4160 wrote to memory of 3120	4160	tmp98BA.tmp.exe	tmp98BA.tmp.exe
PID 4160 wrote to memory of 3120	4160	tmp98BA.tmp.exe	tmp98BA.tmp.exe
PID 4160 wrote to memory of 3120	4160	tmp98BA.tmp.exe	tmp98BA.tmp.exe
PID 4160 wrote to memory of 3120	4160	tmp98BA.tmp.exe	tmp98BA.tmp.exe
PID 2196 wrote to memory of 4008	2196	tmp98CB.tmp.exe	wmic.exe
PID 2196 wrote to memory of 4008	2196	tmp98CB.tmp.exe	wmic.exe
PID 2196 wrote to memory of 4008	2196	tmp98CB.tmp.exe	wmic.exe
PID 2196 wrote to memory of 1132	2196	tmp98CB.tmp.exe	cmd.exe
PID 2196 wrote to memory of 1132	2196	tmp98CB.tmp.exe	cmd.exe
PID 2196 wrote to memory of 1132	2196	tmp98CB.tmp.exe	cmd.exe
PID 1132 wrote to memory of 4880	1132	cmd.exe	WMIC.exe
PID 1132 wrote to memory of 4880	1132	cmd.exe	WMIC.exe
PID 1132 wrote to memory of 4880	1132	cmd.exe	WMIC.exe
PID 2196 wrote to memory of 2388	2196	tmp98CB.tmp.exe	cmd.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

tmp98BA.tmp.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tmp98BA.tmp.exe

C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe
"C:\Users\Admin\AppData\Local\Temp\libreoffice_out.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092

C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe
3⤵
- Executes dropped EXE
PID:4028

C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe
3⤵
- UAC bypass
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- System policy modification
PID:3120

C:\Windows\SysWOW64\taskkill.exe
"taskkill.exe" /im chrome.exe /f
4⤵
- Kills process with taskkill
PID:4112

C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:452

C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe"
2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4192

C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
3⤵
- Executes dropped EXE
PID:2052

C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
3⤵
- Executes dropped EXE
PID:2536

C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic os get Caption
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4008

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic path win32_VideoController get name"
4⤵
- Suspicious use of WriteProcessMemory
PID:1132

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic path win32_VideoController get name
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4880

C:\Windows\SysWOW64\cmd.exe
cmd /C "wmic cpu get name"
4⤵
PID:2388

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get name
5⤵
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3092 -ip 3092
1⤵
PID:3916

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
6195a91754effb4df74dbc72cdf4f7a6

SHA1
aba262f5726c6d77659fe0d3195e36a85046b427

SHA256
3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5

SHA512
ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp98EB.tmp.exe.log
Filesize
1KB

MD5
7200fb09b34d23375c2cff85323af4a4

SHA1
0994a0ab70a6f6c8c45b4664bed926779fbd5c2e

SHA256
e065d81294bae8c8404e57ce5d9d4db68472cefac1469e49f2e73671a4315e15

SHA512
417451e2279b9f1861d317edd8a517a7bb6d1e505c23fb89a16662059d23fbd789223b061ea73217d2042a2221f998c093928a28fd6d8054f53fa174f5dd02de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
53KB

MD5
06ad34f9739c5159b4d92d702545bd49

SHA1
9152a0d4f153f3f40f7e606be75f81b582ee0c17

SHA256
474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

SHA512
c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
e90539d1482041623063aa488ea1ae61

SHA1
73412d7fc7df29c5cec8387f13409295eba3f8cd

SHA256
c13f1d551bb5a8133603cf647dc48b20dc11304c0ea56bf07f2c2005a53afdb3

SHA512
88e57fc43af2c4c9efe40e070a85ea112e55c032a8317e59ec7044692de6203f27717e992de2f2d0670ff5aaef3db3f1666d818e91222ebb06ce891c568ab5ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
16KB

MD5
d866971e455fbc76649622f0208db697

SHA1
321a902192f7006784a9559ce2133f5c7b26a4ff

SHA256
3d4f81b55b5bfd0505988a3a47118c2b023a3b5c475471dbbe4c304d2afc04bd

SHA512
b0c65f31eeb032f96e078e087427edadb02c23a1bf9f6fad3c8b81c4cd9cdddf38ded3b2e90965bcef18072ee88362fe88eaa66e6fbc1f6a90747d38392c92b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe
Filesize
1.7MB

MD5
797de7a7866e24d84c92c16337a18a04

SHA1
3d6511a658bcc2604a1da05e89d78021fd070d29

SHA256
50b4f4fff0b709c50551f73533f10b73b22318a83ad6e8fdfffa326a55295421

SHA512
c28fd98d945c8d5f7b379715bf2ea5c4cd869b75ca51d45f1e7fdfd2b02d7d96bf29f3f6187b67f19f1f41ca7465006df0d9f538394d2e0cb13880874ace484c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe
Filesize
1.7MB

MD5
797de7a7866e24d84c92c16337a18a04

SHA1
3d6511a658bcc2604a1da05e89d78021fd070d29

SHA256
50b4f4fff0b709c50551f73533f10b73b22318a83ad6e8fdfffa326a55295421

SHA512
c28fd98d945c8d5f7b379715bf2ea5c4cd869b75ca51d45f1e7fdfd2b02d7d96bf29f3f6187b67f19f1f41ca7465006df0d9f538394d2e0cb13880874ace484c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe
Filesize
1.7MB

MD5
797de7a7866e24d84c92c16337a18a04

SHA1
3d6511a658bcc2604a1da05e89d78021fd070d29

SHA256
50b4f4fff0b709c50551f73533f10b73b22318a83ad6e8fdfffa326a55295421

SHA512
c28fd98d945c8d5f7b379715bf2ea5c4cd869b75ca51d45f1e7fdfd2b02d7d96bf29f3f6187b67f19f1f41ca7465006df0d9f538394d2e0cb13880874ace484c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98BA.tmp.exe
Filesize
1.7MB

MD5
797de7a7866e24d84c92c16337a18a04

SHA1
3d6511a658bcc2604a1da05e89d78021fd070d29

SHA256
50b4f4fff0b709c50551f73533f10b73b22318a83ad6e8fdfffa326a55295421

SHA512
c28fd98d945c8d5f7b379715bf2ea5c4cd869b75ca51d45f1e7fdfd2b02d7d96bf29f3f6187b67f19f1f41ca7465006df0d9f538394d2e0cb13880874ace484c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
Filesize
3.0MB

MD5
9805cbb5c6c6b590b22efa323b8334b5

SHA1
64bc5664c277cbe047d994c77007dd94a2376a46

SHA256
fbfb9a51c89267d2c3728fb4b81774bf5e9e276bdde5186fa85f1955f9369a94

SHA512
69a0af37066ab7887f36882c7ba0649ceb4ef61132f68ff3a634c60ed7d6165578939bdc09db239dc2552faf7627c083c80fe8dce779ffbe6b3dbaa2aec3e242

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
Filesize
3.0MB

MD5
9805cbb5c6c6b590b22efa323b8334b5

SHA1
64bc5664c277cbe047d994c77007dd94a2376a46

SHA256
fbfb9a51c89267d2c3728fb4b81774bf5e9e276bdde5186fa85f1955f9369a94

SHA512
69a0af37066ab7887f36882c7ba0649ceb4ef61132f68ff3a634c60ed7d6165578939bdc09db239dc2552faf7627c083c80fe8dce779ffbe6b3dbaa2aec3e242

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
Filesize
3.0MB

MD5
9805cbb5c6c6b590b22efa323b8334b5

SHA1
64bc5664c277cbe047d994c77007dd94a2376a46

SHA256
fbfb9a51c89267d2c3728fb4b81774bf5e9e276bdde5186fa85f1955f9369a94

SHA512
69a0af37066ab7887f36882c7ba0649ceb4ef61132f68ff3a634c60ed7d6165578939bdc09db239dc2552faf7627c083c80fe8dce779ffbe6b3dbaa2aec3e242

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
Filesize
3.0MB

MD5
9805cbb5c6c6b590b22efa323b8334b5

SHA1
64bc5664c277cbe047d994c77007dd94a2376a46

SHA256
fbfb9a51c89267d2c3728fb4b81774bf5e9e276bdde5186fa85f1955f9369a94

SHA512
69a0af37066ab7887f36882c7ba0649ceb4ef61132f68ff3a634c60ed7d6165578939bdc09db239dc2552faf7627c083c80fe8dce779ffbe6b3dbaa2aec3e242

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98CB.tmp.exe
Filesize
3.0MB

MD5
9805cbb5c6c6b590b22efa323b8334b5

SHA1
64bc5664c277cbe047d994c77007dd94a2376a46

SHA256
fbfb9a51c89267d2c3728fb4b81774bf5e9e276bdde5186fa85f1955f9369a94

SHA512
69a0af37066ab7887f36882c7ba0649ceb4ef61132f68ff3a634c60ed7d6165578939bdc09db239dc2552faf7627c083c80fe8dce779ffbe6b3dbaa2aec3e242

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
Filesize
1.4MB

MD5
da2eeffeaafc33c43e23d4225cdc959c

SHA1
6673a54930e9e9f476f329d77987e95432f57d9e

SHA256
d1ca008a84ac68846ff6ed211238910ac40d499ebef8efec0b77b3ed9a3d5166

SHA512
8436c28d009c650e137179162ed96f2582f28757d37a5d05a93a6898190d59eac563e2b22ff763d0cfd5ec73f53c2137047e43c2c542d9d721065984aa2f4c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
Filesize
1.4MB

MD5
da2eeffeaafc33c43e23d4225cdc959c

SHA1
6673a54930e9e9f476f329d77987e95432f57d9e

SHA256
d1ca008a84ac68846ff6ed211238910ac40d499ebef8efec0b77b3ed9a3d5166

SHA512
8436c28d009c650e137179162ed96f2582f28757d37a5d05a93a6898190d59eac563e2b22ff763d0cfd5ec73f53c2137047e43c2c542d9d721065984aa2f4c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98EB.tmp.exe
Filesize
1.4MB

MD5
da2eeffeaafc33c43e23d4225cdc959c

SHA1
6673a54930e9e9f476f329d77987e95432f57d9e

SHA256
d1ca008a84ac68846ff6ed211238910ac40d499ebef8efec0b77b3ed9a3d5166

SHA512
8436c28d009c650e137179162ed96f2582f28757d37a5d05a93a6898190d59eac563e2b22ff763d0cfd5ec73f53c2137047e43c2c542d9d721065984aa2f4c56

Download Submit
memory/452-181-0x00000000057C0000-0x00000000058CA000-memory.dmp

Filesize
1.0MB

Download
memory/452-183-0x00000000056F0000-0x0000000005702000-memory.dmp

Filesize
72KB

Download
memory/452-177-0x0000000005C40000-0x0000000006258000-memory.dmp

Filesize
6.1MB

Download
memory/452-185-0x0000000005750000-0x000000000578C000-memory.dmp

Filesize
240KB

Download
memory/452-194-0x0000000007360000-0x00000000073B0000-memory.dmp

Filesize
320KB

Download
memory/452-193-0x0000000007110000-0x0000000007186000-memory.dmp

Filesize
472KB

Download
memory/452-192-0x00000000080A0000-0x00000000085CC000-memory.dmp

Filesize
5.2MB

Download
memory/452-191-0x0000000007190000-0x0000000007352000-memory.dmp

Filesize
1.8MB

Download
memory/452-164-0x0000000000000000-mapping.dmp

Download
memory/452-165-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/972-190-0x0000000000000000-mapping.dmp

Download
memory/1132-187-0x0000000000000000-mapping.dmp

Download
memory/1224-144-0x0000000000000000-mapping.dmp

Download
memory/1224-148-0x0000000000A80000-0x0000000000BE8000-memory.dmp

Filesize
1.4MB

Download
memory/2052-166-0x0000000000000000-mapping.dmp

Download
memory/2196-184-0x0000000000400000-0x0000000000876000-memory.dmp

Filesize
4.5MB

Download
memory/2196-174-0x0000000000400000-0x0000000000876000-memory.dmp

Filesize
4.5MB

Download
memory/2196-179-0x0000000000400000-0x0000000000876000-memory.dmp

Filesize
4.5MB

Download
memory/2196-195-0x0000000000400000-0x0000000000876000-memory.dmp

Filesize
4.5MB

Download
memory/2196-173-0x0000000000000000-mapping.dmp

Download
memory/2388-189-0x0000000000000000-mapping.dmp

Download
memory/2536-169-0x0000000000000000-mapping.dmp

Download
memory/3092-132-0x0000000000B40000-0x0000000000BA8000-memory.dmp

Filesize
416KB

Download
memory/3092-136-0x0000000008EF0000-0x0000000008F56000-memory.dmp

Filesize
408KB

Download
memory/3092-133-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/3092-134-0x00000000055E0000-0x0000000005672000-memory.dmp

Filesize
584KB

Download
memory/3092-135-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/3120-178-0x0000000000000000-mapping.dmp

Download
memory/3120-180-0x0000000000400000-0x00000000004A6000-memory.dmp

Filesize
664KB

Download
memory/3120-197-0x0000000006D80000-0x0000000006D9E000-memory.dmp

Filesize
120KB

Download
memory/4008-186-0x0000000000000000-mapping.dmp

Download
memory/4028-171-0x0000000000000000-mapping.dmp

Download
memory/4112-198-0x0000000000000000-mapping.dmp

Download
memory/4160-149-0x0000000005730000-0x0000000005752000-memory.dmp

Filesize
136KB

Download
memory/4160-137-0x0000000000000000-mapping.dmp

Download
memory/4160-140-0x00000000008F0000-0x0000000000AA2000-memory.dmp

Filesize
1.7MB

Download
memory/4168-150-0x0000000000000000-mapping.dmp

Download
memory/4168-155-0x0000000006040000-0x00000000060A6000-memory.dmp

Filesize
408KB

Download
memory/4168-153-0x0000000003120000-0x0000000003156000-memory.dmp

Filesize
216KB

Download
memory/4192-157-0x0000000007F30000-0x00000000085AA000-memory.dmp

Filesize
6.5MB

Download
memory/4192-156-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/4192-152-0x0000000000000000-mapping.dmp

Download
memory/4488-151-0x0000000000000000-mapping.dmp

Download
memory/4488-158-0x0000000005FD0000-0x0000000005FEA000-memory.dmp

Filesize
104KB

Download
memory/4488-154-0x0000000004EE0000-0x0000000005508000-memory.dmp

Filesize
6.2MB

Download
memory/4648-147-0x0000000000760000-0x0000000000A6E000-memory.dmp

Filesize
3.1MB

Download
memory/4648-141-0x0000000000000000-mapping.dmp

Download
memory/4880-188-0x0000000000000000-mapping.dmp

Download