asyncrat | 82d21f05aa27eb85e5244cd11a3e60b39093942d19ac86e20b96a280e9579544

Analysis

max time kernel
134s
max time network
153s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
23-04-2024 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lMG_MlaKhlfa1111HD_14546.vbs
Size

255KB
MD5

b921e66031316c979fac97b7012990ce
SHA1

01c4d314a23b6bd8b571b302c3483b7be904309f
SHA256

82d21f05aa27eb85e5244cd11a3e60b39093942d19ac86e20b96a280e9579544
SHA512

c0085dd5bc5595ff00a091361def95d92c3260a66e2c84c2aa2d54d2a48b3c5249d071e1db240d1ba2a5c26fc7b9d79122d9b0df55a1a4008025813d0839986f
SSDEEP

3072:Q03pA03pp03pmAk79DqcPKrB5jzeTMJNHEPenFkCum03pvfpp03pp03pp03pA:wk79DqcyrBJeQJhEPeQr5

Score

10^/10

asyncrat adflyyyy persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

ADFLYYYY

139.99.133.66:6666

Mutex

acwwcawwacwvasasa

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Loads dropped DLL 5 IoCs

pid	Process
2704	regsvr32.exe
848	WSCRIPT.EXE
372	regsvr32.exe
3240	regsvr32.exe
4032	regsvr32.exe

Registers COM server for autorun 1 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 848 set thread context of 4980	848	WSCRIPT.EXE	75
PID 848 set thread context of 3244	848	WSCRIPT.EXE	79
PID 848 set thread context of 4676	848	WSCRIPT.EXE	81
PID 848 set thread context of 3040	848	WSCRIPT.EXE	84

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2400	4980	WerFault.exe	75
480	4676	WerFault.exe	81

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\DynamicWrapperX	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3244	RegAsm.exe
3244	RegAsm.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3244	RegAsm.exe
Token: SeShutdownPrivilege	3020	unregmp2.exe
Token: SeCreatePagefilePrivilege	3020	unregmp2.exe
Token: SeShutdownPrivilege	2904	wmplayer.exe
Token: SeCreatePagefilePrivilege	2904	wmplayer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2904	wmplayer.exe
2904	wmplayer.exe

Suspicious use of WriteProcessMemory 62 IoCs

description	pid	Process	procid_target
PID 4988 wrote to memory of 848	4988	WScript.exe	73
PID 4988 wrote to memory of 848	4988	WScript.exe	73
PID 4988 wrote to memory of 848	4988	WScript.exe	73
PID 848 wrote to memory of 2704	848	WSCRIPT.EXE	74
PID 848 wrote to memory of 2704	848	WSCRIPT.EXE	74
PID 848 wrote to memory of 2704	848	WSCRIPT.EXE	74
PID 848 wrote to memory of 4980	848	WSCRIPT.EXE	75
PID 848 wrote to memory of 4980	848	WSCRIPT.EXE	75
PID 848 wrote to memory of 4980	848	WSCRIPT.EXE	75
PID 848 wrote to memory of 4980	848	WSCRIPT.EXE	75
PID 848 wrote to memory of 372	848	WSCRIPT.EXE	77
PID 848 wrote to memory of 372	848	WSCRIPT.EXE	77
PID 848 wrote to memory of 372	848	WSCRIPT.EXE	77
PID 848 wrote to memory of 3244	848	WSCRIPT.EXE	79
PID 848 wrote to memory of 3244	848	WSCRIPT.EXE	79
PID 848 wrote to memory of 3244	848	WSCRIPT.EXE	79
PID 848 wrote to memory of 3244	848	WSCRIPT.EXE	79
PID 848 wrote to memory of 3244	848	WSCRIPT.EXE	79
PID 848 wrote to memory of 3244	848	WSCRIPT.EXE	79
PID 848 wrote to memory of 3244	848	WSCRIPT.EXE	79
PID 848 wrote to memory of 3244	848	WSCRIPT.EXE	79
PID 848 wrote to memory of 3240	848	WSCRIPT.EXE	80
PID 848 wrote to memory of 3240	848	WSCRIPT.EXE	80
PID 848 wrote to memory of 3240	848	WSCRIPT.EXE	80
PID 848 wrote to memory of 4676	848	WSCRIPT.EXE	81
PID 848 wrote to memory of 4676	848	WSCRIPT.EXE	81
PID 848 wrote to memory of 4676	848	WSCRIPT.EXE	81
PID 848 wrote to memory of 4676	848	WSCRIPT.EXE	81
PID 848 wrote to memory of 4032	848	WSCRIPT.EXE	83
PID 848 wrote to memory of 4032	848	WSCRIPT.EXE	83
PID 848 wrote to memory of 4032	848	WSCRIPT.EXE	83
PID 848 wrote to memory of 3040	848	WSCRIPT.EXE	84
PID 848 wrote to memory of 3040	848	WSCRIPT.EXE	84
PID 848 wrote to memory of 3040	848	WSCRIPT.EXE	84
PID 848 wrote to memory of 3040	848	WSCRIPT.EXE	84
PID 848 wrote to memory of 3040	848	WSCRIPT.EXE	84
PID 848 wrote to memory of 3040	848	WSCRIPT.EXE	84
PID 848 wrote to memory of 3040	848	WSCRIPT.EXE	84
PID 848 wrote to memory of 3040	848	WSCRIPT.EXE	84
PID 3244 wrote to memory of 4652	3244	RegAsm.exe	85
PID 3244 wrote to memory of 4652	3244	RegAsm.exe	85
PID 3244 wrote to memory of 4652	3244	RegAsm.exe	85
PID 4652 wrote to memory of 2396	4652	cmd.exe	87
PID 4652 wrote to memory of 2396	4652	cmd.exe	87
PID 4652 wrote to memory of 2396	4652	cmd.exe	87
PID 3244 wrote to memory of 2000	3244	RegAsm.exe	88
PID 3244 wrote to memory of 2000	3244	RegAsm.exe	88
PID 3244 wrote to memory of 2000	3244	RegAsm.exe	88
PID 2000 wrote to memory of 816	2000	cmd.exe	90
PID 2000 wrote to memory of 816	2000	cmd.exe	90
PID 2000 wrote to memory of 816	2000	cmd.exe	90
PID 4572 wrote to memory of 1116	4572	wmplayer.exe	92
PID 4572 wrote to memory of 1116	4572	wmplayer.exe	92
PID 4572 wrote to memory of 1116	4572	wmplayer.exe	92
PID 4572 wrote to memory of 4368	4572	wmplayer.exe	93
PID 4572 wrote to memory of 4368	4572	wmplayer.exe	93
PID 4572 wrote to memory of 4368	4572	wmplayer.exe	93
PID 4368 wrote to memory of 3020	4368	unregmp2.exe	94
PID 4368 wrote to memory of 3020	4368	unregmp2.exe	94
PID 1116 wrote to memory of 2904	1116	setup_wm.exe	95
PID 1116 wrote to memory of 2904	1116	setup_wm.exe	95
PID 1116 wrote to memory of 2904	1116	setup_wm.exe	95

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lMG_MlaKhlfa1111HD_14546.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:4988
- C:\Windows\SYSWOW64\WSCRIPT.EXE
  "C:\Windows\SYSWOW64\WSCRIPT.EXE" //b //e:vbscript "C:\Users\Admin\AppData\Local\Temp\lMG_MlaKhlfa1111HD_14546.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:848
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:2704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4980
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 96
      4⤵
      Program crash
      PID:2400
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\remc1.vbs"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4652
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\remc1.vbs"'
        5⤵
        
        PID:2396
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\xeno.vbs"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\xeno.vbs"'
        5⤵
        
        PID:816
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:3240
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:4676
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 88
      4⤵
      Program crash
      PID:480
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - Registers COM server for autorun
    - Modifies registry class
    PID:4032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:3040

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4572
- C:\Program Files (x86)\Windows Media Player\setup_wm.exe
  "C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\CheckpointProtect.mpeg
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2904
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\System32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:3020

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localserviceandnoimpersonation -s upnphost
1⤵
- Drops file in Windows directory
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
8154c6892401971fb3c37002144bb033

SHA1
8b4b9b8635adbe143d36c2e5d713b605b68d8139

SHA256
e31f6fad305d02878a3617c4b11f14a72a1f600755b63d814eb53f609cc64cfe

SHA512
049d9cc23e6be99ba04fc65f4708ac067102562593711f658d22ab468f87262e6dbe3becfaabcb24efe9797fb8691598dba4284dab89f7b70764115102091180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
64KB

MD5
0e807656bd86f2aef7ccf207f963973b

SHA1
27052af8d103d134369e356b793eb88ba873df55

SHA256
c509c498682bec50142782a51785655020bea27652f46e104e07a530c2ff5162

SHA512
e6c7d5e001e8322ccb1abd101d47e7f1401597518f45dd8da1d757728147262bcb3b1f96128f291e0e367c5b34026b401468e4219b27cf3c37a8d434180cd8f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll

Filesize
13KB

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp41109.WMC\allservices.xml

Filesize
546B

MD5
df03e65b8e082f24dab09c57bc9c6241

SHA1
6b0dacbf38744c9a381830e6a5dc4c71bd7cedbf

SHA256
155b9c588061c71832af329fafa5678835d9153b8fbb7592195ae953d0c455ba

SHA512
ef1cc8d27fbc5da5daab854c933d3914b84ee539d4d2f0126dc1a04a830c5599e39a923c80257653638b1b99b0073a7174cc164be5887181730883c752ba2f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp42421.WMC\serviceinfo.xml

Filesize
523B

MD5
d58da90d6dc51f97cb84dfbffe2b2300

SHA1
5f86b06b992a3146cb698a99932ead57a5ec4666

SHA256
93acdb79543d9248ca3fca661f3ac287e6004e4b3dafd79d4c4070794ffbf2ad

SHA512
7f1e95e5aa4c8a0e4c967135c78f22f4505f2a48bbc619924d0096bf4a94d469389b9e8488c12edacfba819517b8376546687d1145660ad1f49d8c20a744e636

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
29e5d85670fc3fd0789215ce336b51a7

SHA1
21c6623e24d5f47ffaa4910a5d6d9328b8b0f361

SHA256
43212b41a6aec46a2a7844842fbbf83176bd2356a13f44d900caf63913076de9

SHA512
b70a988143a3b451a09122e47adac8a815994c1397d2ca0c7d184499df07f94a576b422ffc57e917b0339dfbb1fb529b0d548c1e67fe3fe57a571c1db98ec28c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
519e4b1edf8ecaf26cfa352c05f74a03

SHA1
e89427447e58422ef12445a66932b537755efd6d

SHA256
c66cbcec127f779c71879eca1a1e7bdd8f666e43765de814144d43620e1fb198

SHA512
42019c251ab7fa151b16c54a4ad7a01e5eac953ee57402ee2acfafa7e6d02b5561374d6dd9a37dbd4e5dc83951cb102eba1a6181960cc957349a41dfdba32e6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
802aecb0f2e6132f8c9840a79a662ee5

SHA1
0c898f0f491affd49dcece8094efcb7363d79e18

SHA256
ed55a736e89a3fe2e7d69053afa9979f743e664492c56d36aa09c27412d95ff1

SHA512
0623dd6a6ffa52ab6c87555c46a6a4263753de37845b03018cf790cbabadf05f0ff61d13adc02e8d8eee71fe9e142463822544a00b516ae4499719f4a57a40bf

Download Submit
memory/848-8-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/848-15-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

Filesize
4KB

Download
memory/848-12-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download
memory/848-4-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/2904-98-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-103-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-123-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/2904-128-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/2904-129-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-127-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-126-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/2904-124-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-82-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2904-83-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2904-84-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2904-85-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2904-88-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2904-89-0x00000000072A0000-0x00000000072B0000-memory.dmp

Filesize
64KB

Download
memory/2904-90-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/2904-91-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/2904-92-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/2904-93-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/2904-94-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/2904-95-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/2904-96-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/2904-122-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/2904-99-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/2904-97-0x0000000007910000-0x0000000007920000-memory.dmp

Filesize
64KB

Download
memory/2904-100-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-102-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-101-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-121-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-106-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-105-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-104-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-107-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-108-0x000000000A040000-0x000000000A050000-memory.dmp

Filesize
64KB

Download
memory/2904-109-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-110-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-115-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-114-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-113-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-112-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-111-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-116-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-117-0x000000000A440000-0x000000000A450000-memory.dmp

Filesize
64KB

Download
memory/2904-118-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-119-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/2904-120-0x0000000007D30000-0x0000000007D40000-memory.dmp

Filesize
64KB

Download
memory/3040-18-0x00000000721A0000-0x000000007288E000-memory.dmp

Filesize
6.9MB

Download
memory/3040-16-0x00000000721A0000-0x000000007288E000-memory.dmp

Filesize
6.9MB

Download
memory/3244-26-0x0000000006800000-0x000000000681E000-memory.dmp

Filesize
120KB

Download
memory/3244-21-0x0000000005520000-0x00000000055BC000-memory.dmp

Filesize
624KB

Download
memory/3244-22-0x0000000005AC0000-0x0000000005FBE000-memory.dmp

Filesize
5.0MB

Download
memory/3244-23-0x0000000005630000-0x0000000005696000-memory.dmp

Filesize
408KB

Download
memory/3244-24-0x0000000006840000-0x00000000068B6000-memory.dmp

Filesize
472KB

Download
memory/3244-25-0x0000000005620000-0x000000000562C000-memory.dmp

Filesize
48KB

Download
memory/3244-28-0x00000000721A0000-0x000000007288E000-memory.dmp

Filesize
6.9MB

Download
memory/3244-10-0x00000000721A0000-0x000000007288E000-memory.dmp

Filesize
6.9MB

Download
memory/3244-7-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download