asyncrat | 0a05f8788ca28d5f4e2ad838a36f83107326d3021fc5bc9824fe2c47dfd07712

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c701b9904603479c8e01a692383e396_JaffaCakes118.exe
Size

7.0MB
MD5

2c701b9904603479c8e01a692383e396
SHA1

c9662c1ee3ed00ea0f70d12a6e5ecfa50d1d9c77
SHA256

0a05f8788ca28d5f4e2ad838a36f83107326d3021fc5bc9824fe2c47dfd07712
SHA512

60e2e350e44c5676f283842d2af354b55b559c46eb3e1c8236c2abf87654845f7a6727da1aea824395b0d102a643790fb9eed55f729085dfee595aab259cf650
SSDEEP

196608:WHPdZwCsXDjDyf4L2WliXYrHW1LzbpbWg:eP4CEDHL2ciIrHWRzbB

Score

10^/10

asyncrat njrat ase_2 discovery execution persistence pyinstaller rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

ASE_2

Mutex

AsyncMutex_6SI8OkPnk

Attributes

c2_url_file
https://aa.larinax999.repl.co
delay
3
install
true
install_file
MsMpEng.exe
install_folder
%AppData%

aes.plain

Extracted

Family

njrat

Version

v4.0

Botnet

ASE_2

103.91.207.190:4985

Mutex

Windows

Attributes

reg_key
Windows
splitter
|-F-|

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000c000000023b6e-1392.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5640	powershell.exe
5448	powershell.exe
5272	powershell.exe
6064	powershell.exe
4896	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	temp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	ASE_2.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	MSMPENG_ASE.EXE
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	2c701b9904603479c8e01a692383e396_JaffaCakes118.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	MSMPENG_ASE.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	MsMpEng_ASE.exe.exe

Executes dropped EXE 7 IoCs

pid	Process
3692	cmd.exe
1948	cmd.exe
4212	temp.exe
4980	ASE_2.EXE
3448	MSMPENG_ASE.EXE
4936	MsMpEng.exe
764	MsMpEng_ASE.exe.exe

Loads dropped DLL 7 IoCs

pid	Process
1948	cmd.exe
1948	cmd.exe
1948	cmd.exe
1948	cmd.exe
1948	cmd.exe
1948	cmd.exe
1948	cmd.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	MsMpEng_ASE.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	MsMpEng_ASE.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	MsMpEng_ASE.exe.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\Windows.URL"	MsMpEng_ASE.exe.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Roaming\\MsMpEng_ASE.exe.exe"	MSMPENG_ASE.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	discord.com
21	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1948	cmd.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000c000000023b14-6.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSMPENG_ASE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASE_2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsMpEng.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsMpEng_ASE.exe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	temp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3964	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
4896	powershell.exe
4896	powershell.exe
6064	powershell.exe
6064	powershell.exe
5640	powershell.exe
5640	powershell.exe
5448	powershell.exe
5448	powershell.exe
5272	powershell.exe
5272	powershell.exe
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE
4980	ASE_2.EXE

Suspicious use of AdjustPrivilegeToken 38 IoCs

description	pid	Process
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	6064	powershell.exe
Token: SeDebugPrivilege	5640	powershell.exe
Token: SeDebugPrivilege	5448	powershell.exe
Token: SeDebugPrivilege	5272	powershell.exe
Token: SeDebugPrivilege	4980	ASE_2.EXE
Token: SeDebugPrivilege	4936	MsMpEng.exe
Token: SeDebugPrivilege	764	MsMpEng_ASE.exe.exe
Token: 33	764	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	764	MsMpEng_ASE.exe.exe
Token: 33	764	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	764	MsMpEng_ASE.exe.exe
Token: 33	764	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	764	MsMpEng_ASE.exe.exe
Token: 33	764	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	764	MsMpEng_ASE.exe.exe
Token: 33	764	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	764	MsMpEng_ASE.exe.exe
Token: 33	764	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	764	MsMpEng_ASE.exe.exe
Token: 33	764	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	764	MsMpEng_ASE.exe.exe
Token: 33	764	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	764	MsMpEng_ASE.exe.exe
Token: 33	764	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	764	MsMpEng_ASE.exe.exe
Token: 33	764	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	764	MsMpEng_ASE.exe.exe
Token: 33	764	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	764	MsMpEng_ASE.exe.exe
Token: 33	764	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	764	MsMpEng_ASE.exe.exe
Token: 33	764	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	764	MsMpEng_ASE.exe.exe
Token: 33	764	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	764	MsMpEng_ASE.exe.exe
Token: 33	764	MsMpEng_ASE.exe.exe
Token: SeIncBasePriorityPrivilege	764	MsMpEng_ASE.exe.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 3692	4964	2c701b9904603479c8e01a692383e396_JaffaCakes118.exe	85
PID 4964 wrote to memory of 3692	4964	2c701b9904603479c8e01a692383e396_JaffaCakes118.exe	85
PID 3692 wrote to memory of 1948	3692	cmd.exe	87
PID 3692 wrote to memory of 1948	3692	cmd.exe	87
PID 1948 wrote to memory of 4872	1948	cmd.exe	88
PID 1948 wrote to memory of 4872	1948	cmd.exe	88
PID 4872 wrote to memory of 4896	4872	cmd.exe	90
PID 4872 wrote to memory of 4896	4872	cmd.exe	90
PID 1948 wrote to memory of 6128	1948	cmd.exe	91
PID 1948 wrote to memory of 6128	1948	cmd.exe	91
PID 6128 wrote to memory of 6064	6128	cmd.exe	93
PID 6128 wrote to memory of 6064	6128	cmd.exe	93
PID 1948 wrote to memory of 5692	1948	cmd.exe	94
PID 1948 wrote to memory of 5692	1948	cmd.exe	94
PID 5692 wrote to memory of 5640	5692	cmd.exe	96
PID 5692 wrote to memory of 5640	5692	cmd.exe	96
PID 1948 wrote to memory of 5492	1948	cmd.exe	97
PID 1948 wrote to memory of 5492	1948	cmd.exe	97
PID 5492 wrote to memory of 5448	5492	cmd.exe	99
PID 5492 wrote to memory of 5448	5492	cmd.exe	99
PID 1948 wrote to memory of 5320	1948	cmd.exe	100
PID 1948 wrote to memory of 5320	1948	cmd.exe	100
PID 5320 wrote to memory of 5272	5320	cmd.exe	102
PID 5320 wrote to memory of 5272	5320	cmd.exe	102
PID 4964 wrote to memory of 4212	4964	2c701b9904603479c8e01a692383e396_JaffaCakes118.exe	103
PID 4964 wrote to memory of 4212	4964	2c701b9904603479c8e01a692383e396_JaffaCakes118.exe	103
PID 4964 wrote to memory of 4212	4964	2c701b9904603479c8e01a692383e396_JaffaCakes118.exe	103
PID 4212 wrote to memory of 4980	4212	temp.exe	104
PID 4212 wrote to memory of 4980	4212	temp.exe	104
PID 4212 wrote to memory of 4980	4212	temp.exe	104
PID 4212 wrote to memory of 3448	4212	temp.exe	105
PID 4212 wrote to memory of 3448	4212	temp.exe	105
PID 4212 wrote to memory of 3448	4212	temp.exe	105
PID 4980 wrote to memory of 60	4980	ASE_2.EXE	106
PID 4980 wrote to memory of 60	4980	ASE_2.EXE	106
PID 4980 wrote to memory of 60	4980	ASE_2.EXE	106
PID 4980 wrote to memory of 2704	4980	ASE_2.EXE	108
PID 4980 wrote to memory of 2704	4980	ASE_2.EXE	108
PID 4980 wrote to memory of 2704	4980	ASE_2.EXE	108
PID 2704 wrote to memory of 3964	2704	cmd.exe	110
PID 2704 wrote to memory of 3964	2704	cmd.exe	110
PID 2704 wrote to memory of 3964	2704	cmd.exe	110
PID 60 wrote to memory of 4320	60	cmd.exe	111
PID 60 wrote to memory of 4320	60	cmd.exe	111
PID 60 wrote to memory of 4320	60	cmd.exe	111
PID 2704 wrote to memory of 4936	2704	cmd.exe	112
PID 2704 wrote to memory of 4936	2704	cmd.exe	112
PID 2704 wrote to memory of 4936	2704	cmd.exe	112
PID 3448 wrote to memory of 764	3448	MSMPENG_ASE.EXE	113
PID 3448 wrote to memory of 764	3448	MSMPENG_ASE.EXE	113
PID 3448 wrote to memory of 764	3448	MSMPENG_ASE.EXE	113
PID 3448 wrote to memory of 1220	3448	MSMPENG_ASE.EXE	114
PID 3448 wrote to memory of 1220	3448	MSMPENG_ASE.EXE	114
PID 3448 wrote to memory of 1220	3448	MSMPENG_ASE.EXE	114
PID 764 wrote to memory of 3704	764	MsMpEng_ASE.exe.exe	117
PID 764 wrote to memory of 3704	764	MsMpEng_ASE.exe.exe	117
PID 764 wrote to memory of 3704	764	MsMpEng_ASE.exe.exe	117
PID 764 wrote to memory of 1472	764	MsMpEng_ASE.exe.exe	118
PID 764 wrote to memory of 1472	764	MsMpEng_ASE.exe.exe	118
PID 764 wrote to memory of 1472	764	MsMpEng_ASE.exe.exe	118

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1220	attrib.exe
3704	attrib.exe
1472	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2c701b9904603479c8e01a692383e396_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2c701b9904603479c8e01a692383e396_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Users\Admin\AppData\Local\Temp\cmd.exe
  "C:\Users\Admin\AppData\Local\Temp\cmd.exe" GoZgc6IpGuOXQ36dVdtx
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe" GoZgc6IpGuOXQ36dVdtx
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -PUAProtection disabled"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -PUAProtection disabled
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -command Set-MpPreference -MAPSReporting 0"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:6128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Set-MpPreference -MAPSReporting 0
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Roaming
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Add-MpPreference -ExclusionPath C:\Users\Admin\AppData\Local\Temp
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe -command Add-MpPreference -ExclusionExtension exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command Add-MpPreference -ExclusionExtension exe
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5272
- C:\Users\Admin\AppData\Local\Temp\temp.exe
  "C:\Users\Admin\AppData\Local\Temp\temp.exe" oGzlirr1EQPdBmb6YVZq
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Users\Admin\AppData\Local\Temp\ASE_2.EXE
    "C:\Users\Admin\AppData\Local\Temp\ASE_2.EXE"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4980
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "MsMpEng" /tr '"C:\Users\Admin\AppData\Roaming\MsMpEng.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:60
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "MsMpEng" /tr '"C:\Users\Admin\AppData\Roaming\MsMpEng.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9DE6.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3964
    - - C:\Users\Admin\AppData\Roaming\MsMpEng.exe
        
        "C:\Users\Admin\AppData\Roaming\MsMpEng.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
- - C:\Users\Admin\AppData\Local\Temp\MSMPENG_ASE.EXE
    "C:\Users\Admin\AppData\Local\Temp\MSMPENG_ASE.EXE"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Users\Admin\AppData\Roaming\MsMpEng_ASE.exe.exe
      "C:\Users\Admin\AppData\Roaming\MsMpEng_ASE.exe.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:764
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3704
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1472
  - - C:\Windows\SysWOW64\attrib.exe
      attrib +h +r +s "C:\Users\Admin\AppData\Roaming\MsMpEng_ASE.exe.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
948B

MD5
c9b6705519e1eef08f86c4ba5f4286f3

SHA1
6c6b179e452ecee2673a1d4fe128f1c06f70577f

SHA256
0f9cad44a79126871580e19b01dc3f880c5173b1faaf8b9018d5d1f829714705

SHA512
6d8f85a7a8b0b124530f36a157cd0441b5c1eacdc35e274af9fbf0569d03d1d5e468651a5b2425f0215c282ecfa7b1ffeaeeaf18612822f00bd14306d30640c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a7cc007980e419d553568a106210549a

SHA1
c03099706b75071f36c3962fcc60a22f197711e0

SHA256
a5735921fc72189c8bf577f3911486cf031708dc8d6bc764fe3e593c0a053165

SHA512
b9aaf29403c467daef80a1ae87478afc33b78f4e1ca16189557011bb83cf9b3e29a0f85c69fa209c45201fb28baca47d31756eee07b79c6312c506e8370f7666

Download Submit
C:\Users\Admin\AppData\Local\Temp\ASE_2.EXE

Filesize
48KB

MD5
322973fcfa6811db872e6d3942bd7a8e

SHA1
4c9f630e248c4fdddba2b9095c427a34ac51042a

SHA256
d06417e9d191f55788b7a25e3e79bea3fdc981e8d8ab0b6eec89cb0a05b84932

SHA512
11c45414a09f10822c37d24f557bd619cb3a89559f644d0ee55919f5cfecce3ba174329b9088144872daebc0b94752d63edfdfbdfdfc5b2462551fd72cc9e75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSMPENG_ASE.EXE

Filesize
27KB

MD5
8ca3aa218d25ea5a0b172b17415bb003

SHA1
f39fb0aea10075935403c5c23f780fe64345e248

SHA256
0c7ac7076b94ae6d619a6d3ada388f823b7a13d8927810a36a0dd92b8d4b08cb

SHA512
254ef34b38bcc52244c676fff9d6ca7adeeea4259f2d55748ce57dca6ee4a0769b75eade8a1fa7d4b8c8676bba1e2e83aa9e5e8a74c90b0ac2a67bb153e6dc09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\VCRUNTIME140.dll

Filesize
94KB

MD5
18049f6811fc0f94547189a9e104f5d2

SHA1
dc127fa1ff0aab71abd76b89fc4b849ad3cf43a6

SHA256
c865c3366a98431ec3a5959cb5ac3966081a43b82dfcd8bfefafe0146b1508db

SHA512
38fa01debdb8c5369b3be45b1384434acb09a6afe75a50a31b3f0babb7bc0550261a5376dd7e5beac74234ec1722967a33fc55335b1809c0b64db42f7e56cdf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_ctypes.pyd

Filesize
124KB

MD5
7322f8245b5c8551d67c337c0dc247c9

SHA1
5f4cb918133daa86631211ae7fa65f26c23fcc98

SHA256
4fcf4c9c98b75a07a7779c52e1f7dff715ae8a2f8a34574e9dac66243fb86763

SHA512
52748b59ce5d488d2a4438548963eb0f2808447c563916e2917d08e5f4aab275e4769c02b63012b3d2606fdb5a8baa9eb5942ba5c5e11b7678f5f4187b82b0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_pytransform.dll

Filesize
1.1MB

MD5
a79506279945c623c275a0ed3c4d044a

SHA1
0dfde455d64fbef93c071cc54fc1cc4114d941d6

SHA256
cffb9f659c0cfc4cbde4485d322010c073f586051522c0ead51d7e22d077a5cb

SHA512
769b95c3d3d55a99373585a528b59faa7ccd3ae7e0d7dd748985adaae86fd6a2995538c9a225ae2843c6d10d5a74e28f9dee0e717bfeffee453de45b14147724

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\_socket.pyd

Filesize
78KB

MD5
478abd499eefeba3e50cfc4ff50ec49d

SHA1
fe1aae16b411a9c349b0ac1e490236d4d55b95b2

SHA256
fdb14859efee35e105f21a64f7afdf50c399ffa0fa8b7fcc76dae4b345d946cb

SHA512
475b8d533599991b4b8bfd27464b379d78e51c41f497e81698b4e7e871f82b5f6b2bfec70ec2c0a1a8842611c8c2591133eaef3f7fc4bc7625e18fc4189c914e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\base_library.zip

Filesize
763KB

MD5
c6b38adf85add9f9a7ea0b67eea508b4

SHA1
23a398ffdae6047d9777919f7b6200dd2a132887

SHA256
77479f65578cf9710981255a3ad5495d45f8367b2f43c2f0680fce0fed0e90fb

SHA512
d6abc793a7b6cc6138b50305a8c1cad10fa1628ca01a2284d82222db9bd1569959b05bdf4581d433ff227438131e43eec98bf265e746b17e76b1c9e9e21d447d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\python39.dll

Filesize
4.3MB

MD5
1d5e4c20a20740f38f061bdf48aaca4f

SHA1
de1b64ab5219aa6fef95cd2b0ccead1c925fd0d0

SHA256
f8172151d11bcf934f2a7518cd0d834e3f079bd980391e9da147ce4cff72c366

SHA512
9df64c97e4e993e815fdaf7e8ecbc3ce32aa8d979f8f4f7a732b2efa636cfeb9a145fe2c2dcdf2e5e9247ee376625e1fdc62f9657e8007bb504336ac8d05a397

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36922\select.pyd

Filesize
28KB

MD5
fed3dae56f7c9ea35d2e896fede29581

SHA1
ae5b2ef114138c4d8a6479d6441967c170c5aa23

SHA256
d56542143775d02c70ad713ac36f295d473329ef3ad7a2999811d12151512931

SHA512
3128c57724b0609cfcaca430568d79b0e6abd13e5bba25295493191532dba24af062d4e0340d0ed68a885c24fbbf36b7a3d650add2f47f7c2364eab6a0b5faff

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfig2te5.ofb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
6.9MB

MD5
4621621eba5ceabfbfa7aa607a9d6a3d

SHA1
e86fbf0e414e60bbfd130007811844c11aaff1fd

SHA256
6b19078dd387b51fe3fb55a80d0fa36dbc30008b7bd4052297b3c9ab7fadd636

SHA512
93b25e9da281111e4cf8d542dd0847ae07f100d6f470097e11dad2bf8ead64b83acafcfc0a20c46058ecda2d8c02b3d28c68abc7951c833ac46af3921a6f4b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\temp.exe

Filesize
128KB

MD5
1345c9556ce21d1a147ddd1ed6712a90

SHA1
0d74f412a719226802d1d8713037e62a3c9cb465

SHA256
ed991ad801b907dc8d39c87bdc3ec75ad50d076172b7e701009341aca9367842

SHA512
a705e351c234969579273e259477c876e2a9a1de7da91dbd4e9fe1d8c3c72ba274b48020d1bce9124c7542d4f050d3efb18b1c128eaff5efaa124fb719afa583

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9DE6.tmp.bat

Filesize
151B

MD5
d9b8119ad793dc6c3ecfb608006c0fde

SHA1
c106ec8fd0d99ec062b9154e4e79d2c265e8dddb

SHA256
f2b049cc1c398cb817c00b936357fd5d133b068b811744fd8bc36d6ff738f327

SHA512
910cd4227a81c3cf1cc5aa84917fe1e9fd6f19ee829fe7846624cdecf4ad0c97acacd4f9ed2e189f435e11e70c9e2dccd095b98730a4fcb6bdb0765cc9f69930

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
81e424321f8d2bc04b4fd579be1f0130

SHA1
250cea684320202a21aa76815ddd02aeb3e11b69

SHA256
64efa1cd57c52ebd7a222bf2df189cb9824197ec75d25969b15c670d62b5ebfa

SHA512
a6d3827d6a7e1d8ace98bdac3df98b39a0faad11097d58689c145dba736bf187500ba25fa1acf4318b3ad48bcd87af54cd70ac5e3d287007fe7086061f4a1f47

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
fc920f73bb2c089ce7e3dc71d1909e06

SHA1
aee67a852600600c4fa2dc157a3151d51aba137b

SHA256
f7bd0c5d733c4cbd4686bb01cdd5ea35f068a5132bb175ab9f3448a52b879e28

SHA512
0b9d3cbbeba6c19d3bf4e41ed07bf68f9bc1b8be40cbbae4f21f3355cee9b5cfb9b7b6f9c9e36357c06761c3001963ae2c9c7ea1176e305bcf7cade1f327e98f

Download Submit
memory/764-1435-0x0000000005F60000-0x0000000005FC6000-memory.dmp

Filesize
408KB

Download
memory/764-1436-0x0000000006DE0000-0x0000000006E72000-memory.dmp

Filesize
584KB

Download
memory/764-1437-0x0000000006DA0000-0x0000000006DAA000-memory.dmp

Filesize
40KB

Download
memory/1948-103-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-49-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-83-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-81-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-79-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-77-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-75-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-73-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-71-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-69-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-67-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-65-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-63-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-61-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-59-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-57-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-55-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-53-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-51-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-85-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-87-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-48-0x0000023E7C0A0000-0x0000023E7C0A1000-memory.dmp

Filesize
4KB

Download
memory/1948-89-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-91-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-93-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-95-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-97-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-99-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-101-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-111-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-109-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-107-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/1948-105-0x0000023E7C0B0000-0x0000023E7C0B1000-memory.dmp

Filesize
4KB

Download
memory/3448-1413-0x0000000006460000-0x0000000006A04000-memory.dmp

Filesize
5.6MB

Download
memory/3448-1410-0x0000000005570000-0x000000000560C000-memory.dmp

Filesize
624KB

Download
memory/3448-1408-0x0000000000BE0000-0x0000000000BEE000-memory.dmp

Filesize
56KB

Download
memory/4896-1313-0x0000013A7B9E0000-0x0000013A7BA02000-memory.dmp

Filesize
136KB

Download
memory/4964-0-0x00007FFF59D23000-0x00007FFF59D25000-memory.dmp

Filesize
8KB

Download
memory/4964-1-0x0000000000950000-0x000000000105E000-memory.dmp

Filesize
7.1MB

Download
memory/4980-1409-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

Filesize
72KB

Download