aurora | 7e284862240837599b6916df7747947d45d8fa44979ff4bcf57703971e75c14b

Analysis

max time kernel
70s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2023 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

aurora.exe
Size

5.6MB
MD5

2072ab80f4f0b576590d6e2f66bc12a3
SHA1

92b9c99e858cd242983fad131e25028c9197a10f
SHA256

7e284862240837599b6916df7747947d45d8fa44979ff4bcf57703971e75c14b
SHA512

1f2fcf07f41af804aa94cdb3bd97cb7af35d12ba10f9e795052d1d68720f96933bb3a64c9397f1142c26ba392b6f988ac569ebfcddb5b5da85d82339a80bdeec
SSDEEP

49152:8ugM5SSiHPRpy67X9g31TGsev6imuMmS5cNDw7wBVAAp5ESxRlMmCaCfAm5K6Q0+:DMTlK1+gcEiMeCom5Kaw

Score

10^/10

aurora persistence stealer

Malware Config

Extracted

Family

aurora

94.142.138.71:456

Signatures

Aurora
Aurora is a crypto wallet stealer written in Golang.
stealer aurora

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

aurora.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_2 = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\config\\runtime.exe"	aurora.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_3 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\config\\runtime.exe"	aurora.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime_1 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\config\\runtime.exe"	aurora.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

2720 schtasks.exe
1276 schtasks.exe
3972 schtasks.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

4520 powershell.exe
4520 powershell.exe
1872 powershell.exe
1872 powershell.exe
2020 powershell.exe
2020 powershell.exe

pid	process
2720	schtasks.exe
1276	schtasks.exe
3972	schtasks.exe

pid	process
4520	powershell.exe
4520	powershell.exe
1872	powershell.exe
1872	powershell.exe
2020	powershell.exe
2020	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	4520	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeIncreaseQuotaPrivilege	1400	WMIC.exe
Token: SeSecurityPrivilege	1400	WMIC.exe
Token: SeTakeOwnershipPrivilege	1400	WMIC.exe
Token: SeLoadDriverPrivilege	1400	WMIC.exe
Token: SeSystemProfilePrivilege	1400	WMIC.exe
Token: SeSystemtimePrivilege	1400	WMIC.exe
Token: SeProfSingleProcessPrivilege	1400	WMIC.exe
Token: SeIncBasePriorityPrivilege	1400	WMIC.exe
Token: SeCreatePagefilePrivilege	1400	WMIC.exe
Token: SeBackupPrivilege	1400	WMIC.exe
Token: SeRestorePrivilege	1400	WMIC.exe
Token: SeShutdownPrivilege	1400	WMIC.exe
Token: SeDebugPrivilege	1400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1400	WMIC.exe
Token: SeRemoteShutdownPrivilege	1400	WMIC.exe
Token: SeUndockPrivilege	1400	WMIC.exe
Token: SeManageVolumePrivilege	1400	WMIC.exe
Token: 33	1400	WMIC.exe
Token: 34	1400	WMIC.exe
Token: 35	1400	WMIC.exe
Token: 36	1400	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1400	WMIC.exe
Token: SeSecurityPrivilege	1400	WMIC.exe
Token: SeTakeOwnershipPrivilege	1400	WMIC.exe
Token: SeLoadDriverPrivilege	1400	WMIC.exe
Token: SeSystemProfilePrivilege	1400	WMIC.exe
Token: SeSystemtimePrivilege	1400	WMIC.exe
Token: SeProfSingleProcessPrivilege	1400	WMIC.exe
Token: SeIncBasePriorityPrivilege	1400	WMIC.exe
Token: SeCreatePagefilePrivilege	1400	WMIC.exe
Token: SeBackupPrivilege	1400	WMIC.exe
Token: SeRestorePrivilege	1400	WMIC.exe
Token: SeShutdownPrivilege	1400	WMIC.exe
Token: SeDebugPrivilege	1400	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1400	WMIC.exe
Token: SeRemoteShutdownPrivilege	1400	WMIC.exe
Token: SeUndockPrivilege	1400	WMIC.exe
Token: SeManageVolumePrivilege	1400	WMIC.exe
Token: 33	1400	WMIC.exe
Token: 34	1400	WMIC.exe
Token: 35	1400	WMIC.exe
Token: 36	1400	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4524	WMIC.exe
Token: SeSecurityPrivilege	4524	WMIC.exe
Token: SeTakeOwnershipPrivilege	4524	WMIC.exe
Token: SeLoadDriverPrivilege	4524	WMIC.exe
Token: SeSystemProfilePrivilege	4524	WMIC.exe
Token: SeSystemtimePrivilege	4524	WMIC.exe
Token: SeProfSingleProcessPrivilege	4524	WMIC.exe
Token: SeIncBasePriorityPrivilege	4524	WMIC.exe
Token: SeCreatePagefilePrivilege	4524	WMIC.exe
Token: SeBackupPrivilege	4524	WMIC.exe
Token: SeRestorePrivilege	4524	WMIC.exe
Token: SeShutdownPrivilege	4524	WMIC.exe
Token: SeDebugPrivilege	4524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4524	WMIC.exe
Token: SeRemoteShutdownPrivilege	4524	WMIC.exe
Token: SeUndockPrivilege	4524	WMIC.exe
Token: SeManageVolumePrivilege	4524	WMIC.exe
Token: 33	4524	WMIC.exe
Token: 34	4524	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

aurora.exepowershell.exepowershell.exepowershell.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4924 wrote to memory of 4520	4924	aurora.exe	powershell.exe
PID 4924 wrote to memory of 4520	4924	aurora.exe	powershell.exe
PID 4520 wrote to memory of 1276	4520	powershell.exe	schtasks.exe
PID 4520 wrote to memory of 1276	4520	powershell.exe	schtasks.exe
PID 4924 wrote to memory of 1872	4924	aurora.exe	powershell.exe
PID 4924 wrote to memory of 1872	4924	aurora.exe	powershell.exe
PID 1872 wrote to memory of 3972	1872	powershell.exe	schtasks.exe
PID 1872 wrote to memory of 3972	1872	powershell.exe	schtasks.exe
PID 4924 wrote to memory of 2020	4924	aurora.exe	powershell.exe
PID 4924 wrote to memory of 2020	4924	aurora.exe	powershell.exe
PID 2020 wrote to memory of 2720	2020	powershell.exe	schtasks.exe
PID 2020 wrote to memory of 2720	2020	powershell.exe	schtasks.exe
PID 4924 wrote to memory of 1396	4924	aurora.exe	cmd.exe
PID 4924 wrote to memory of 1396	4924	aurora.exe	cmd.exe
PID 1396 wrote to memory of 1400	1396	cmd.exe	WMIC.exe
PID 1396 wrote to memory of 1400	1396	cmd.exe	WMIC.exe
PID 4924 wrote to memory of 4108	4924	aurora.exe	cmd.exe
PID 4924 wrote to memory of 4108	4924	aurora.exe	cmd.exe
PID 4108 wrote to memory of 4524	4108	cmd.exe	WMIC.exe
PID 4108 wrote to memory of 4524	4108	cmd.exe	WMIC.exe
PID 4924 wrote to memory of 2240	4924	aurora.exe	cmd.exe
PID 4924 wrote to memory of 2240	4924	aurora.exe	cmd.exe
PID 2240 wrote to memory of 1568	2240	cmd.exe	WMIC.exe
PID 2240 wrote to memory of 1568	2240	cmd.exe	WMIC.exe
PID 4924 wrote to memory of 3528	4924	aurora.exe	cmd.exe
PID 4924 wrote to memory of 3528	4924	aurora.exe	cmd.exe
PID 3528 wrote to memory of 808	3528	cmd.exe	WMIC.exe
PID 3528 wrote to memory of 808	3528	cmd.exe	WMIC.exe
PID 4924 wrote to memory of 4556	4924	aurora.exe	cmd.exe
PID 4924 wrote to memory of 4556	4924	aurora.exe	cmd.exe
PID 4556 wrote to memory of 5064	4556	cmd.exe	WMIC.exe
PID 4556 wrote to memory of 5064	4556	cmd.exe	WMIC.exe
PID 4924 wrote to memory of 4992	4924	aurora.exe	cmd.exe
PID 4924 wrote to memory of 4992	4924	aurora.exe	cmd.exe
PID 4992 wrote to memory of 4216	4992	cmd.exe	WMIC.exe
PID 4992 wrote to memory of 4216	4992	cmd.exe	WMIC.exe
PID 4924 wrote to memory of 2356	4924	aurora.exe	cmd.exe
PID 4924 wrote to memory of 2356	4924	aurora.exe	cmd.exe
PID 2356 wrote to memory of 444	2356	cmd.exe	WMIC.exe
PID 2356 wrote to memory of 444	2356	cmd.exe	WMIC.exe
PID 4924 wrote to memory of 1452	4924	aurora.exe	cmd.exe
PID 4924 wrote to memory of 1452	4924	aurora.exe	cmd.exe
PID 1452 wrote to memory of 1168	1452	cmd.exe	WMIC.exe
PID 1452 wrote to memory of 1168	1452	cmd.exe	WMIC.exe
PID 4924 wrote to memory of 3144	4924	aurora.exe	cmd.exe
PID 4924 wrote to memory of 3144	4924	aurora.exe	cmd.exe
PID 3144 wrote to memory of 2224	3144	cmd.exe	WMIC.exe
PID 3144 wrote to memory of 2224	3144	cmd.exe	WMIC.exe
PID 4924 wrote to memory of 316	4924	aurora.exe	cmd.exe
PID 4924 wrote to memory of 316	4924	aurora.exe	cmd.exe
PID 316 wrote to memory of 4264	316	cmd.exe	WMIC.exe
PID 316 wrote to memory of 4264	316	cmd.exe	WMIC.exe
PID 4924 wrote to memory of 4320	4924	aurora.exe	cmd.exe
PID 4924 wrote to memory of 4320	4924	aurora.exe	cmd.exe
PID 4320 wrote to memory of 3560	4320	cmd.exe	WMIC.exe
PID 4320 wrote to memory of 3560	4320	cmd.exe	WMIC.exe
PID 4924 wrote to memory of 4860	4924	aurora.exe	cmd.exe
PID 4924 wrote to memory of 4860	4924	aurora.exe	cmd.exe
PID 4860 wrote to memory of 3008	4860	cmd.exe	WMIC.exe
PID 4860 wrote to memory of 3008	4860	cmd.exe	WMIC.exe
PID 4924 wrote to memory of 2720	4924	aurora.exe	cmd.exe
PID 4924 wrote to memory of 2720	4924	aurora.exe	cmd.exe
PID 2720 wrote to memory of 704	2720	cmd.exe	WMIC.exe
PID 2720 wrote to memory of 704	2720	cmd.exe	WMIC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aurora.exe
"C:\Users\Admin\AppData\Local\Temp\aurora.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4520

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_1 /TR C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:1276

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_2 /TR C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:3972

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "" "SCHTASKS.exe /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /SC MINUTE /ED 12/12/2030 /TN runtime_3 /TR C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
3⤵
- Creates scheduled task(s)
PID:2720

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1400

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:4108

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:1568

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:808

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:4556

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:5064

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:4992

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:4216

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:2356

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:444

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:1452

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:1168

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:3144

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:2224

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:316

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:4264

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:3560

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:3008

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
- Suspicious use of WriteProcessMemory
PID:2720

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:704

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:3468

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:4868

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:1308

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:1888

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:3616

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:2756

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:1440

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:1552

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:3400

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:1568

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:1520

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:724

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:2328

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:4916

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:4832

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:1456

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:400

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:4560

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:968

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:2696

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:832

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:4596

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:1420

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:3964

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:2728

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:2384

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:664

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:848

C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
1⤵
PID:1268

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:4468

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:1128

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:4796

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
1⤵
PID:1592

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:972

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:3988

C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
1⤵
PID:1628

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:2996

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:4048

C:\Windows\system32\cmd.exe
cmd.exe /c "wmic csproduct get uuid"
2⤵
PID:940

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
PID:2040

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
137.0MB

MD5
152bebd4a31c13ad84833423471eb098

SHA1
5da8b93a7add5b3b042dd9e46f91b077ed00db23

SHA256
dd1a1774475cd59e2d6a73efd72b09b584f960828e40952e540b810be22c4ddb

SHA512
0a22d0ed71979b2c6f66120e475896cabee925b69810d40dcaff367622eb6f1291d01e15a1aef70b5fe18fc133a70ad6a8a118f28ad719ebe8fa534b02596c8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\config\runtime.exe
Filesize
143.8MB

MD5
6f1594c9d54f650dd1b2a60ee69d527f

SHA1
2204f7194c1110e8bc2a2d03bb145293fee545f0

SHA256
c5fa0c7bd27c4b7a5253637d2052c5108ee437a605542c05c0ef64272459f283

SHA512
711328ec072af38e39efcd933535f2244cddd883f2093358c907aac10df139ac69354d731556c69e533d3ec947fd1e45c67f2caa58c73fd5bdeb56d47101053c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
881.0MB

MD5
8c65ae7c8777acd4b9444aa7ffa28862

SHA1
f1ef3c2e8680441a966a5b9a545281fdc0d9aa2e

SHA256
60ece56b95330629fce13ab720165fb6e04158112c1c642210288d80325fa277

SHA512
952f28ecd88b72b19c95b7e1336c31331accbcd22fa0b9b35aa8feead39136819ecfc5c919b86fd56aec14a03d6cc92485057459dd9d95420c060f84e104e013

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
159.8MB

MD5
97e573fd2230f88e2c4c11d41143036c

SHA1
4ae360fa58bdcacaf6692296cae01c47fbe925a7

SHA256
03f74c7f37252181ef5c0d854cb99c2db7577ea01ec444a07f6fe86a716c5660

SHA512
c86024a7c52b8b3af571b59fe35ee185de25d3013e75e7ed3fe1428ed3f1233fce1d99b85ec494690728d1cbf0b2b71f257d5279c0d486a38d75a77d3802d9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft\config\runtime.exe
Filesize
151.8MB

MD5
66458982558c7ec2df22f992183907d1

SHA1
978833f0fe91ac3bc0a43adb15fd71e7241036f3

SHA256
1afcc297674d831e9837fd929007b7e7d75d3a84563f026cc98130e10548d076

SHA512
0d13f7732e08800b948429d8e818bfe34294b0389d2afff832e5515cdec2a05d9be61986e62be2ade414860baa05e1ec811564409adbbb37f24df5d303c62fc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jki5gfy0.y4f.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
94.2MB

MD5
f5c3a82cef2801be593b4ed99b6a2c4c

SHA1
7cde3980f183f092035a7144b572d67845d047cb

SHA256
ad4d8822414097b41d58548106fc490b3a1852a6efc3491c1eac04e3f2068645

SHA512
9287af218069bb9a5d8ce5a1754e6ac34d2e81b83ef8ebda9e2be146d78f6c428bccb8f6dc92ea19a7a8dab9c38a61379a76a479b1f0fd6e6776fad1f4739fce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\config\runtime.exe
Filesize
136.6MB

MD5
f3a1e391d08fa23739245add1f225b55

SHA1
5cfe8559416d7ed7145fa466c204a9fed1efeeef

SHA256
93a4a883904f6a3ced5b9b5f340ade65def8490314c1f6682c6fadeeed523b43

SHA512
533fd21c83d4b3082b43d043d501d03d1132af098381335d7e3bc9d3e2be8c8524a862bc353fd531fe761d89eb6d99d0a7c148a7e8ec5905303803a6f8b2c5c9

Download Submit
\??\PIPE\wkssvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1872-164-0x00000214CABF0000-0x00000214CAC00000-memory.dmp

Filesize
64KB

Download
memory/1872-152-0x00000214CABF0000-0x00000214CAC00000-memory.dmp

Filesize
64KB

Download
memory/1872-163-0x00000214CABF0000-0x00000214CAC00000-memory.dmp

Filesize
64KB

Download
memory/2020-179-0x000002A9B8F70000-0x000002A9B8F80000-memory.dmp

Filesize
64KB

Download
memory/2020-178-0x000002A9B8F70000-0x000002A9B8F80000-memory.dmp

Filesize
64KB

Download
memory/4520-136-0x000001EC21630000-0x000001EC21640000-memory.dmp

Filesize
64KB

Download
memory/4520-135-0x000001EC23720000-0x000001EC23742000-memory.dmp

Filesize
136KB

Download
memory/4520-137-0x000001EC21630000-0x000001EC21640000-memory.dmp

Filesize
64KB

Download