asyncrat | 2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d

Analysis

max time kernel
142s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17-02-2024 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
Size

679KB
MD5

170ed51ddb22cd75bf0fa4fa2a1bb6c4
SHA1

2e74fd6be27a77a883208db0d09524f15dfa7d00
SHA256

2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d
SHA512

ac43b87484e0158b24c5c2a65ca6ab394b0b1bae62b03fb28588749066f04520ac10c6307bb45bf334d18a81c3a2b6ae68107b330e134a273f60e12d1c612865
SSDEEP

12288:ijWQ4W3K9jGCN0TPsnAH7UA51BlkOUCIV/VKMSiyyjK:7AK96jXQA51BCObIVNKMd8

Score

10^/10

asyncrat 2024 rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

2024

rat.loseyourip.com:6606

rat.loseyourip.com:7707

rat.loseyourip.com:8808

Mutex

Async_2024

Attributes

delay
3
install
true
install_file
csrss.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4544-27-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects executables packed with SmartAssembly 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4056-6-0x0000000005C60000-0x0000000005C7C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Detects file containing reversed ASEP Autorun registry keys 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4544-27-0x0000000000400000-0x0000000000416000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_ASEP_REG_Reverse

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.execsrss.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 2 IoCs

Processes:

csrss.execsrss.exe

pid process

2164 csrss.exe
1464 csrss.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2164	csrss.exe
1464	csrss.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.execsrss.exe

description	pid	process	target process
PID 4056 set thread context of 4544	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 2164 set thread context of 1464	2164	csrss.exe	csrss.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

4316 schtasks.exe
3092 schtasks.exe
1456 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

4856 timeout.exe

pid	process
4316	schtasks.exe
3092	schtasks.exe
1456	schtasks.exe

pid	process
4856	timeout.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exepowershell.exepowershell.exe2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.execsrss.exepowershell.exepowershell.execsrss.exe

pid	process
4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
1436	powershell.exe
3108	powershell.exe
4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
3108	powershell.exe
1436	powershell.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
2164	csrss.exe
2164	csrss.exe
2164	csrss.exe
2164	csrss.exe
2164	csrss.exe
2164	csrss.exe
2164	csrss.exe
2164	csrss.exe
2164	csrss.exe
4092	powershell.exe
2760	powershell.exe
2164	csrss.exe
4092	powershell.exe
2164	csrss.exe
2760	powershell.exe
1464	csrss.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
Token: SeDebugPrivilege	3108	powershell.exe
Token: SeDebugPrivilege	1436	powershell.exe
Token: SeDebugPrivilege	4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
Token: SeDebugPrivilege	2164	csrss.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	1464	csrss.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

csrss.exe

pid process

1464 csrss.exe

pid	process
1464	csrss.exe

Suspicious use of WriteProcessMemory 49 IoCs

Processes:

2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.execmd.execmd.execsrss.exe

description	pid	process	target process
PID 4056 wrote to memory of 3108	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	powershell.exe
PID 4056 wrote to memory of 3108	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	powershell.exe
PID 4056 wrote to memory of 3108	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	powershell.exe
PID 4056 wrote to memory of 1436	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	powershell.exe
PID 4056 wrote to memory of 1436	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	powershell.exe
PID 4056 wrote to memory of 1436	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	powershell.exe
PID 4056 wrote to memory of 1456	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	schtasks.exe
PID 4056 wrote to memory of 1456	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	schtasks.exe
PID 4056 wrote to memory of 1456	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	schtasks.exe
PID 4056 wrote to memory of 4544	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 4056 wrote to memory of 4544	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 4056 wrote to memory of 4544	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 4056 wrote to memory of 4544	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 4056 wrote to memory of 4544	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 4056 wrote to memory of 4544	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 4056 wrote to memory of 4544	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 4056 wrote to memory of 4544	4056	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
PID 4544 wrote to memory of 3832	4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	cmd.exe
PID 4544 wrote to memory of 3832	4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	cmd.exe
PID 4544 wrote to memory of 3832	4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	cmd.exe
PID 4544 wrote to memory of 4756	4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	cmd.exe
PID 4544 wrote to memory of 4756	4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	cmd.exe
PID 4544 wrote to memory of 4756	4544	2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe	cmd.exe
PID 3832 wrote to memory of 4316	3832	cmd.exe	schtasks.exe
PID 3832 wrote to memory of 4316	3832	cmd.exe	schtasks.exe
PID 3832 wrote to memory of 4316	3832	cmd.exe	schtasks.exe
PID 4756 wrote to memory of 4856	4756	cmd.exe	timeout.exe
PID 4756 wrote to memory of 4856	4756	cmd.exe	timeout.exe
PID 4756 wrote to memory of 4856	4756	cmd.exe	timeout.exe
PID 4756 wrote to memory of 2164	4756	cmd.exe	csrss.exe
PID 4756 wrote to memory of 2164	4756	cmd.exe	csrss.exe
PID 4756 wrote to memory of 2164	4756	cmd.exe	csrss.exe
PID 2164 wrote to memory of 4092	2164	csrss.exe	powershell.exe
PID 2164 wrote to memory of 4092	2164	csrss.exe	powershell.exe
PID 2164 wrote to memory of 4092	2164	csrss.exe	powershell.exe
PID 2164 wrote to memory of 2760	2164	csrss.exe	powershell.exe
PID 2164 wrote to memory of 2760	2164	csrss.exe	powershell.exe
PID 2164 wrote to memory of 2760	2164	csrss.exe	powershell.exe
PID 2164 wrote to memory of 3092	2164	csrss.exe	schtasks.exe
PID 2164 wrote to memory of 3092	2164	csrss.exe	schtasks.exe
PID 2164 wrote to memory of 3092	2164	csrss.exe	schtasks.exe
PID 2164 wrote to memory of 1464	2164	csrss.exe	csrss.exe
PID 2164 wrote to memory of 1464	2164	csrss.exe	csrss.exe
PID 2164 wrote to memory of 1464	2164	csrss.exe	csrss.exe
PID 2164 wrote to memory of 1464	2164	csrss.exe	csrss.exe
PID 2164 wrote to memory of 1464	2164	csrss.exe	csrss.exe
PID 2164 wrote to memory of 1464	2164	csrss.exe	csrss.exe
PID 2164 wrote to memory of 1464	2164	csrss.exe	csrss.exe
PID 2164 wrote to memory of 1464	2164	csrss.exe	csrss.exe

C:\Users\Admin\AppData\Local\Temp\2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
"C:\Users\Admin\AppData\Local\Temp\2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4056

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eOmdWxIgIyhoBN.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1436

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eOmdWxIgIyhoBN" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE956.tmp"
2⤵
- Creates scheduled task(s)
PID:1456

C:\Users\Admin\AppData\Local\Temp\2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe
"C:\Users\Admin\AppData\Local\Temp\2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe"
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Local\Temp\csrss.exe"' & exit
3⤵
- Suspicious use of WriteProcessMemory
PID:3832

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "csrss" /tr '"C:\Users\Admin\AppData\Local\Temp\csrss.exe"'
4⤵
- Creates scheduled task(s)
PID:4316

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpFF11.tmp.bat""
3⤵
- Suspicious use of WriteProcessMemory
PID:4756

C:\Windows\SysWOW64\timeout.exe
timeout 3
4⤵
- Delays execution with timeout.exe
PID:4856

C:\Users\Admin\AppData\Local\Temp\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\csrss.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\csrss.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4092

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\eOmdWxIgIyhoBN.exe"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2760

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eOmdWxIgIyhoBN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7D0B.tmp"
5⤵
- Creates scheduled task(s)
PID:3092

C:\Users\Admin\AppData\Local\Temp\csrss.exe
"C:\Users\Admin\AppData\Local\Temp\csrss.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1464

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d.exe.log
Filesize
1KB

MD5
8ec831f3e3a3f77e4a7b9cd32b48384c

SHA1
d83f09fd87c5bd86e045873c231c14836e76a05c

SHA256
7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

SHA512
26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
71ea97d6ec183da820a5f99bd250b2b1

SHA1
538c08920b6ca8ea9dbef0ff1d576c7844a177be

SHA256
b18ac223413ccb8a8c6b7e3750635bf14e7395cbf2f94a22160b08b524cadf0e

SHA512
2a727bb084d9f663d5d4b958a7d457a9174e611058076192d680abb3dbd9202f8bc5b7bd28a3da8e65c2e175908712fce2e500ad3d34448d05da828c1295918e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
78adc74c511f18ef0ec36906826f4380

SHA1
2fcbb50aedc90b54f4b606e510dac0b921ba6dc8

SHA256
2222d2d184e752d23a2a53242f408420177d80270245ebee7b9e12a419c146ec

SHA512
23cd10da26ceca4dd712794a4939de368545c1d02c4673c01a7b44e3205cdaaa5e7f7e76b369dc03a5c9014e2dcdde54f1c2be83e0d5d058f78be3eb91fdbc71

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lq0ebzxa.5kg.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\csrss.exe
Filesize
679KB

MD5
170ed51ddb22cd75bf0fa4fa2a1bb6c4

SHA1
2e74fd6be27a77a883208db0d09524f15dfa7d00

SHA256
2de5faa16c405e6a3bc14b9d31a82cc389290066b36ed8f0d99d7cd53b1b1d1d

SHA512
ac43b87484e0158b24c5c2a65ca6ab394b0b1bae62b03fb28588749066f04520ac10c6307bb45bf334d18a81c3a2b6ae68107b330e134a273f60e12d1c612865

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE956.tmp
Filesize
1KB

MD5
5003b67ef970ef6209267a95fe210e68

SHA1
4bdd736728b436b9f2972213bdb13ca462bd50ea

SHA256
3395759440c2e125576d8598e8139e84d0eb8652732d0537ff5c530e157102b1

SHA512
0b2f569bfc2c8d38a80fd013fe7bdf55636ee1e33711b625b29b696f45242731cea356a32f385282f3d672bc816c520fe7e04c1ac5b82f8ef8232c57d271e0f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF11.tmp.bat
Filesize
152B

MD5
94bd30468c2138e6fbd0b18364aa140c

SHA1
f3506bac3b03f5ca0a8b30a0cbf1131d908c4cba

SHA256
1c549d6016b821faf1498c075a25bf30fd3944ad2dd0d06a5b9ba196773e9667

SHA512
2ef068cce8869505f2486818adf1f8107bdd853b0d08e10a85cb04cdf7f8881b41753ef4516ee7c218324f7b365b220cf9d2dd281989276db773ef94850f60ee

Download Submit
memory/1436-100-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/1436-79-0x0000000008210000-0x000000000888A000-memory.dmp

Filesize
6.5MB

Download
memory/1436-53-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/1436-69-0x000000007F4E0000-0x000000007F4F0000-memory.dmp

Filesize
64KB

Download
memory/1436-47-0x00000000063F0000-0x0000000006744000-memory.dmp

Filesize
3.3MB

Download
memory/1436-67-0x0000000075C50000-0x0000000075C9C000-memory.dmp

Filesize
304KB

Download
memory/1436-51-0x0000000006910000-0x000000000695C000-memory.dmp

Filesize
304KB

Download
memory/1436-24-0x00000000058D0000-0x00000000058F2000-memory.dmp

Filesize
136KB

Download
memory/1436-20-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/1436-90-0x0000000007E00000-0x0000000007E0E000-memory.dmp

Filesize
56KB

Download
memory/1436-81-0x0000000007C40000-0x0000000007C4A000-memory.dmp

Filesize
40KB

Download
memory/1436-23-0x0000000005530000-0x0000000005540000-memory.dmp

Filesize
64KB

Download
memory/1464-138-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/2164-104-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/2164-105-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/2164-139-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/2760-116-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/2760-121-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2760-122-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2760-141-0x0000000004C60000-0x0000000004C70000-memory.dmp

Filesize
64KB

Download
memory/2760-152-0x000000007F5C0000-0x000000007F5D0000-memory.dmp

Filesize
64KB

Download
memory/3108-17-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/3108-93-0x00000000075E0000-0x00000000075E8000-memory.dmp

Filesize
32KB

Download
memory/3108-50-0x0000000005FB0000-0x0000000005FCE000-memory.dmp

Filesize
120KB

Download
memory/3108-54-0x0000000006590000-0x00000000065C2000-memory.dmp

Filesize
200KB

Download
memory/3108-82-0x0000000007540000-0x00000000075D6000-memory.dmp

Filesize
600KB

Download
memory/3108-55-0x000000007FB80000-0x000000007FB90000-memory.dmp

Filesize
64KB

Download
memory/3108-66-0x0000000006570000-0x000000000658E000-memory.dmp

Filesize
120KB

Download
memory/3108-16-0x00000000049E0000-0x0000000004A16000-memory.dmp

Filesize
216KB

Download
memory/3108-68-0x00000000071D0000-0x0000000007273000-memory.dmp

Filesize
652KB

Download
memory/3108-80-0x00000000072C0000-0x00000000072DA000-memory.dmp

Filesize
104KB

Download
memory/3108-19-0x00000000051D0000-0x00000000057F8000-memory.dmp

Filesize
6.2MB

Download
memory/3108-52-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3108-18-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3108-56-0x0000000075C50000-0x0000000075C9C000-memory.dmp

Filesize
304KB

Download
memory/3108-83-0x00000000074C0000-0x00000000074D1000-memory.dmp

Filesize
68KB

Download
memory/3108-21-0x0000000004B90000-0x0000000004BA0000-memory.dmp

Filesize
64KB

Download
memory/3108-25-0x0000000005050000-0x00000000050B6000-memory.dmp

Filesize
408KB

Download
memory/3108-99-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/3108-26-0x0000000005130000-0x0000000005196000-memory.dmp

Filesize
408KB

Download
memory/3108-91-0x0000000007500000-0x0000000007514000-memory.dmp

Filesize
80KB

Download
memory/3108-92-0x0000000007600000-0x000000000761A000-memory.dmp

Filesize
104KB

Download
memory/4056-9-0x0000000009750000-0x00000000097EC000-memory.dmp

Filesize
624KB

Download
memory/4056-1-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/4056-3-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/4056-5-0x00000000058E0000-0x00000000058EA000-memory.dmp

Filesize
40KB

Download
memory/4056-0-0x0000000000DB0000-0x0000000000E60000-memory.dmp

Filesize
704KB

Download
memory/4056-2-0x0000000005CE0000-0x0000000006284000-memory.dmp

Filesize
5.6MB

Download
memory/4056-4-0x00000000059C0000-0x00000000059D0000-memory.dmp

Filesize
64KB

Download
memory/4056-6-0x0000000005C60000-0x0000000005C7C000-memory.dmp

Filesize
112KB

Download
memory/4056-11-0x00000000059C0000-0x00000000059D0000-memory.dmp

Filesize
64KB

Download
memory/4056-49-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/4056-10-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/4056-7-0x0000000005C90000-0x0000000005CA2000-memory.dmp

Filesize
72KB

Download
memory/4056-8-0x0000000006FF0000-0x0000000007048000-memory.dmp

Filesize
352KB

Download
memory/4092-142-0x00000000703C0000-0x000000007040C000-memory.dmp

Filesize
304KB

Download
memory/4092-115-0x0000000005E90000-0x00000000061E4000-memory.dmp

Filesize
3.3MB

Download
memory/4092-136-0x0000000006AE0000-0x0000000006B2C000-memory.dmp

Filesize
304KB

Download
memory/4092-109-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/4092-108-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/4092-140-0x0000000002BD0000-0x0000000002BE0000-memory.dmp

Filesize
64KB

Download
memory/4092-107-0x0000000075360000-0x0000000075B10000-memory.dmp

Filesize
7.7MB

Download
memory/4544-88-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/4544-46-0x00000000753A0000-0x0000000075B50000-memory.dmp

Filesize
7.7MB

Download
memory/4544-27-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download