asyncrat | 97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3

Analysis

max time kernel
150s
max time network
178s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 16:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Size

878KB
MD5

72d1a18668b9c354bec0c1f4bb282503
SHA1

940cb647752ed13c34ea021f7617312960a61e35
SHA256

97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3
SHA512

91f1dfccb4b12ac2a46876da7422ec20865fd00c91ca06a2288cfe85787794b3b81bdd6bfc0f6a78ef70dfe1e2cf8112c94efc4f7b78d4318f99762d3f6a49a1
SSDEEP

768:UfQf38+WbFafW237K6DpM38IDq+R6qc1CUMXfptSX5ItFaOT8MOrhI:Ub8MOy

Score

10^/10

asyncrat default evasion persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

asdfdsg.duckdns.org:8050

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\Temp\\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe\""	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Modify Existing Service

T1031

Disabling Security Tools

T1089

Processes:

97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

Turns off Windows Defender SpyNet reporting 2 TTPs
evasion

Disabling Security Tools
T1089

Modify Registry
T1112

Windows security bypass 2 TTPs 3 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe = "0"	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe = "0"	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/800-174-0x0000000000400000-0x0000000000412000-memory.dmp	asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

Drops startup file 2 IoCs

Processes:

97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

Windows security modification 2 TTPs 11 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe = "0"	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe = "0"	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SpyNetReporting = "0"	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Spynet\SubmitSamplesConsent = "0"	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\<Unknown> = "C:\\Users\\Admin\\AppData\\Local\\Temp\\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe"	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe"	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Suspicious use of NtSetInformationThreadHideFromDebugger 12 IoCs

Processes:

97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

pid	process
1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

description	pid	process	target process
PID 1140 set thread context of 800	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4632 1140 WerFault.exe 97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3012 timeout.exe

pid	pid_target	process	target process
4632	1140	WerFault.exe	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

pid	process
3012	timeout.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

pid	process
1888	powershell.exe
1692	powershell.exe
2948	powershell.exe
320	powershell.exe
320	powershell.exe
1692	powershell.exe
2948	powershell.exe
1888	powershell.exe
1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	320	powershell.exe
Token: SeDebugPrivilege	1888	powershell.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.execmd.exe

description	pid	process	target process
PID 1140 wrote to memory of 320	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	powershell.exe
PID 1140 wrote to memory of 320	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	powershell.exe
PID 1140 wrote to memory of 320	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	powershell.exe
PID 1140 wrote to memory of 1692	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	powershell.exe
PID 1140 wrote to memory of 1692	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	powershell.exe
PID 1140 wrote to memory of 1692	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	powershell.exe
PID 1140 wrote to memory of 2948	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	powershell.exe
PID 1140 wrote to memory of 2948	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	powershell.exe
PID 1140 wrote to memory of 2948	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	powershell.exe
PID 1140 wrote to memory of 1888	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	powershell.exe
PID 1140 wrote to memory of 1888	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	powershell.exe
PID 1140 wrote to memory of 1888	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	powershell.exe
PID 1140 wrote to memory of 756	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	cmd.exe
PID 1140 wrote to memory of 756	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	cmd.exe
PID 1140 wrote to memory of 756	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	cmd.exe
PID 756 wrote to memory of 3012	756	cmd.exe	timeout.exe
PID 756 wrote to memory of 3012	756	cmd.exe	timeout.exe
PID 756 wrote to memory of 3012	756	cmd.exe	timeout.exe
PID 1140 wrote to memory of 800	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
PID 1140 wrote to memory of 800	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
PID 1140 wrote to memory of 800	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
PID 1140 wrote to memory of 800	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
PID 1140 wrote to memory of 800	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
PID 1140 wrote to memory of 800	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
PID 1140 wrote to memory of 800	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
PID 1140 wrote to memory of 800	1140	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe	97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe

C:\Users\Admin\AppData\Local\Temp\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
"C:\Users\Admin\AppData\Local\Temp\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe"
1⤵
- Modifies WinLogon for persistence
- Modifies Windows Defender Real-time Protection settings
- Windows security bypass
- Checks computer location settings
- Drops startup file
- Windows security modification
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1140

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2948

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe" -Force
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout 1
2⤵
- Suspicious use of WriteProcessMemory
PID:756

C:\Windows\SysWOW64\timeout.exe
timeout 1
3⤵
- Delays execution with timeout.exe
PID:3012

C:\Users\Admin\AppData\Local\Temp\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe
"C:\Users\Admin\AppData\Local\Temp\97de910f99c0d563605040f89beb13ca559618e7a3572d57ec430cdc861761c3.exe"
2⤵
PID:800

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 1828
2⤵
- Program crash
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1140 -ip 1140
1⤵
PID:516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
55KB

MD5
b091afea30c53e852ff87760493a4e25

SHA1
89d09951d8be200471398980e767066e68d0f11c

SHA256
eb95c19fd71ac984b6283043868a23b56f423242fb2d01d7a786c2b589bdc714

SHA512
0a4874a3629b594afee75996168f1b1f0f11de9c75ac29aed00d29d697daf59fdab5c734e60264a5081072017ad18093bbfa565e93a4823b2a8df0ef18e8ff1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
55KB

MD5
b091afea30c53e852ff87760493a4e25

SHA1
89d09951d8be200471398980e767066e68d0f11c

SHA256
eb95c19fd71ac984b6283043868a23b56f423242fb2d01d7a786c2b589bdc714

SHA512
0a4874a3629b594afee75996168f1b1f0f11de9c75ac29aed00d29d697daf59fdab5c734e60264a5081072017ad18093bbfa565e93a4823b2a8df0ef18e8ff1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
55KB

MD5
b091afea30c53e852ff87760493a4e25

SHA1
89d09951d8be200471398980e767066e68d0f11c

SHA256
eb95c19fd71ac984b6283043868a23b56f423242fb2d01d7a786c2b589bdc714

SHA512
0a4874a3629b594afee75996168f1b1f0f11de9c75ac29aed00d29d697daf59fdab5c734e60264a5081072017ad18093bbfa565e93a4823b2a8df0ef18e8ff1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
56KB

MD5
f5e4bbf5666453b2500626c8cf2e0e12

SHA1
80446911835e6cf5a1d0a759bde6c600650f6f6d

SHA256
39fe655265ab6cb2f0599a1be22fa44d30a3f3001186c40fcf8c071e02bfb6f5

SHA512
172d7374d27ec5185dcaff1ef56bae2301163fa6484c66bfa9a7dfc906d541435da37a230c9bd7799e168856fb7829f64eaea69d3111b63b7c65ce2cbc24a290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
56KB

MD5
8dcbfab1ad15e0ed76dd9728f0b19be8

SHA1
91d7a24df8688e5d62b0deda90f0ae9015e882e3

SHA256
888b3079b7a672aa5823dbac2b7678fc537ee61097d5cc8516b2ccfa50d9ba91

SHA512
57aba59f6287071a00d5bed0e92f6e32b70150fe02b55c504351a05f39676b065af33f2c1785c808aea5135a024123cd1bcaa3fc7acf1c366e38dfc4a77438d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
56KB

MD5
e0174b270b12f0ffbecc49ab8a1450c8

SHA1
62a242db905e5488959120f037ee21fc642256c2

SHA256
9e0cc430a34f130ea94fe2d6183541c2d07b7f6e6ca54b369d338b9f488573d8

SHA512
e89b6ee330fc30c6fad0425fec0ae5e634d61bbf9b67725af1719dd7609b6f1988757d85d5ece6c507b7480e34091660090c183ff11123d27a5aebec895a0c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
Filesize
56KB

MD5
e0174b270b12f0ffbecc49ab8a1450c8

SHA1
62a242db905e5488959120f037ee21fc642256c2

SHA256
9e0cc430a34f130ea94fe2d6183541c2d07b7f6e6ca54b369d338b9f488573d8

SHA512
e89b6ee330fc30c6fad0425fec0ae5e634d61bbf9b67725af1719dd7609b6f1988757d85d5ece6c507b7480e34091660090c183ff11123d27a5aebec895a0c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
471b1867280d5a1f3a483c479834a6a8

SHA1
41d88a1cf6070f2f567f92c16cbd35ad235d58f8

SHA256
53c5b4508ffd09463d1568063ca947cf4dc5fcaccd361294abf8826392ea9736

SHA512
3e677331f1a8c9791bbbf9ba67a8b3776078004646c6cb1efebbbdd81f5e83570ab94dda8c8ef6a9b993db58872affbc35595c6bebe74d43a9f01d05fe2a0a5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
8686462042d5aeb2b2f766cbb13e86bc

SHA1
d896fbe5f87f6bc03dae74d0db090dca57814540

SHA256
27dec8395db164b247936f386cc328b152dc4fe8ec72c2c8537d9420ec988864

SHA512
9bcc895b1504490290579c3034cc70a60df5a734b567b7a2fa733b1ab73113add8fdf2f7f9b8c22fa57c87e54f57da722615b310cefb185a4bb255c9adee9e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
35f9758b1f738bbb7798b8bb8b3d4ba3

SHA1
9b1252a47666207ba05e0076d823d3731b0da4a0

SHA256
23d5fef96ed1dc349956b6f613d3621338287be27121599a9d10e67fdaa2593e

SHA512
e73243b56189c362b6e3d12b5f100c5ab3a1958759061af6ab1f949d6dc2e62211972bac07da64d04747fde6a7484737b46eff73b6561ac8c3965a803800aeec

Download Submit
memory/320-162-0x0000000007D20000-0x0000000007D3A000-memory.dmp

Filesize
104KB

Download
memory/320-135-0x0000000000000000-mapping.dmp

Download
memory/320-161-0x0000000007C30000-0x0000000007C3E000-memory.dmp

Filesize
56KB

Download
memory/320-149-0x0000000070250000-0x000000007029C000-memory.dmp

Filesize
304KB

Download
memory/320-142-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/320-152-0x00000000056D0000-0x00000000056EE000-memory.dmp

Filesize
120KB

Download
memory/320-154-0x0000000008030000-0x00000000086AA000-memory.dmp

Filesize
6.5MB

Download
memory/756-171-0x0000000000000000-mapping.dmp

Download
memory/800-173-0x0000000000000000-mapping.dmp

Download
memory/800-174-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/1140-133-0x0000000004CE0000-0x0000000004D7C000-memory.dmp

Filesize
624KB

Download
memory/1140-134-0x0000000005470000-0x0000000005A14000-memory.dmp

Filesize
5.6MB

Download
memory/1140-132-0x0000000000030000-0x0000000000110000-memory.dmp

Filesize
896KB

Download
memory/1692-155-0x0000000006F60000-0x0000000006F7A000-memory.dmp

Filesize
104KB

Download
memory/1692-150-0x0000000070250000-0x000000007029C000-memory.dmp

Filesize
304KB

Download
memory/1692-136-0x0000000000000000-mapping.dmp

Download
memory/1692-139-0x00000000022C0000-0x00000000022F6000-memory.dmp

Filesize
216KB

Download
memory/1888-148-0x00000000050B0000-0x00000000050E2000-memory.dmp

Filesize
200KB

Download
memory/1888-160-0x00000000076C0000-0x0000000007756000-memory.dmp

Filesize
600KB

Download
memory/1888-138-0x0000000000000000-mapping.dmp

Download
memory/1888-140-0x00000000051F0000-0x0000000005818000-memory.dmp

Filesize
6.2MB

Download
memory/1888-153-0x0000000070250000-0x000000007029C000-memory.dmp

Filesize
304KB

Download
memory/1888-143-0x0000000005AE0000-0x0000000005B46000-memory.dmp

Filesize
408KB

Download
memory/2948-163-0x0000000007CC0000-0x0000000007CC8000-memory.dmp

Filesize
32KB

Download
memory/2948-137-0x0000000000000000-mapping.dmp

Download
memory/2948-159-0x0000000007AA0000-0x0000000007AAA000-memory.dmp

Filesize
40KB

Download
memory/2948-141-0x0000000006020000-0x0000000006042000-memory.dmp

Filesize
136KB

Download
memory/2948-144-0x00000000067A0000-0x00000000067BE000-memory.dmp

Filesize
120KB

Download
memory/2948-151-0x0000000070250000-0x000000007029C000-memory.dmp

Filesize
304KB

Download
memory/3012-172-0x0000000000000000-mapping.dmp

Download