asyncrat | 4c4a0d9390fff1001cacdb197801dbe33f3cc788a12b77a65161bf8a98b3072a

Analysis

max time kernel
63s
max time network
68s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
17-11-2024 15:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SMTP-CRACKED.7z
Size

66KB
MD5

dc7f190edab0cf0aae00f3aa79b972b5
SHA1

b38effbdeb851cba3b9350368c3bebebec58d76d
SHA256

4c4a0d9390fff1001cacdb197801dbe33f3cc788a12b77a65161bf8a98b3072a
SHA512

f28503cafb1b480a0662611d9a5b10817c367337170b8a96ae5b13e7b49f6e365fdcaca14c8db635a477773dfa579142e819776212d17107100264b5e29ac911
SSDEEP

1536:vnXYn22OGlD9XGx8sGpynKrLZ1qBubsApAceh4rL:I/OqdAGIKHhbsApAcBP

Score

10^/10

asyncrat stormkitty default discovery persistence phishing privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot8016347116:AAHPjxhpFq18J-TCYqzulezvSTm8u40JjSY/sendMessage?chat_id=5147192355

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002aadb-6.dat	family_stormkitty
behavioral1/memory/2116-9-0x0000000000E20000-0x0000000000E52000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001900000002aadb-6.dat	family_asyncrat

A potential corporate email address has been identified in the URL: WorldWindProResultsDate2024111731024PMSystemWindows11Pro64BitUsernameAdminCompNameOKUUPVQNLanguageenUSAntivirusNotinstalledHardwareCPU12thGenIntelRCoreTMi512400GPUMicrosoftBasicDisplayAdapterRAM16154MBHWIDUnknownPowerNoSystemBattery1Screen1280x720NetworkGatewayIP10.127.0.1InternalIP10.127.0.168ExternalIP181.215.176.83BSSID7aac0b2eeb57DomainsinfoBankLogsNodataCryptoLogsNodataFreakyLogsNodataLogsBookmarks5SoftwareDeviceWindowsproductkeyDesktopscreenshotFileGrabberSourcecodefiles1Databasefiles7Documents1TelegramChannel@XSplinter
phishing

Executes dropped EXE 2 IoCs

pid	Process
2116	stmp activator.exe
3216	stmp activator.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 18 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\287c4f6d8dec891a500e77756fc8e6ee\Admin@OKUUPVQN_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	stmp activator.exe
File created	C:\Users\Admin\AppData\Local\7f7e5b7b6ca91d5696510f1a5b80a29e\Admin@OKUUPVQN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	stmp activator.exe
File created	C:\Users\Admin\AppData\Local\7f7e5b7b6ca91d5696510f1a5b80a29e\Admin@OKUUPVQN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	stmp activator.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zE0F88C7E7\SMTP-CRACKED\desktop.ini	7zFM.exe
File created	C:\Users\Admin\AppData\Local\287c4f6d8dec891a500e77756fc8e6ee\Admin@OKUUPVQN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	stmp activator.exe
File created	C:\Users\Admin\AppData\Local\287c4f6d8dec891a500e77756fc8e6ee\Admin@OKUUPVQN_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	stmp activator.exe
File created	C:\Users\Admin\AppData\Local\287c4f6d8dec891a500e77756fc8e6ee\Admin@OKUUPVQN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	stmp activator.exe
File created	C:\Users\Admin\AppData\Local\7f7e5b7b6ca91d5696510f1a5b80a29e\Admin@OKUUPVQN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	stmp activator.exe
File opened for modification	C:\Users\Admin\AppData\Local\287c4f6d8dec891a500e77756fc8e6ee\Admin@OKUUPVQN_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	stmp activator.exe
File created	C:\Users\Admin\AppData\Local\7f7e5b7b6ca91d5696510f1a5b80a29e\Admin@OKUUPVQN_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	stmp activator.exe
File created	C:\Users\Admin\AppData\Local\7f7e5b7b6ca91d5696510f1a5b80a29e\Admin@OKUUPVQN_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	stmp activator.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\7zE0F88C7E7\SMTP-CRACKED\desktop.ini	7zFM.exe
File created	C:\Users\Admin\AppData\Local\287c4f6d8dec891a500e77756fc8e6ee\Admin@OKUUPVQN_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	stmp activator.exe
File created	C:\Users\Admin\AppData\Local\287c4f6d8dec891a500e77756fc8e6ee\Admin@OKUUPVQN_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\SMTP-CRACKED\desktop.ini	stmp activator.exe
File created	C:\Users\Admin\AppData\Local\287c4f6d8dec891a500e77756fc8e6ee\Admin@OKUUPVQN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	stmp activator.exe
File opened for modification	C:\Users\Admin\AppData\Local\7f7e5b7b6ca91d5696510f1a5b80a29e\Admin@OKUUPVQN_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	stmp activator.exe
File created	C:\Users\Admin\AppData\Local\7f7e5b7b6ca91d5696510f1a5b80a29e\Admin@OKUUPVQN_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	stmp activator.exe
File created	C:\Users\Admin\AppData\Local\7f7e5b7b6ca91d5696510f1a5b80a29e\Admin@OKUUPVQN_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\SMTP-CRACKED\desktop.ini	stmp activator.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	pastebin.com
8	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stmp activator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	stmp activator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5812	netsh.exe
5460	cmd.exe
2132	netsh.exe
5192	cmd.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	stmp activator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	stmp activator.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	stmp activator.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	stmp activator.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3973800497-2716210218-310192997-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
2116	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe
3216	stmp activator.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	2288	7zFM.exe
Token: 35	2288	7zFM.exe
Token: SeSecurityPrivilege	2288	7zFM.exe
Token: SeDebugPrivilege	2116	stmp activator.exe
Token: SeDebugPrivilege	3216	stmp activator.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2288	7zFM.exe
2288	7zFM.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe
3228	OpenWith.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 5460	2116	stmp activator.exe	87
PID 2116 wrote to memory of 5460	2116	stmp activator.exe	87
PID 2116 wrote to memory of 5460	2116	stmp activator.exe	87
PID 5460 wrote to memory of 1964	5460	cmd.exe	89
PID 5460 wrote to memory of 1964	5460	cmd.exe	89
PID 5460 wrote to memory of 1964	5460	cmd.exe	89
PID 5460 wrote to memory of 2132	5460	cmd.exe	90
PID 5460 wrote to memory of 2132	5460	cmd.exe	90
PID 5460 wrote to memory of 2132	5460	cmd.exe	90
PID 5460 wrote to memory of 5616	5460	cmd.exe	91
PID 5460 wrote to memory of 5616	5460	cmd.exe	91
PID 5460 wrote to memory of 5616	5460	cmd.exe	91
PID 2116 wrote to memory of 5080	2116	stmp activator.exe	92
PID 2116 wrote to memory of 5080	2116	stmp activator.exe	92
PID 2116 wrote to memory of 5080	2116	stmp activator.exe	92
PID 5080 wrote to memory of 4948	5080	cmd.exe	94
PID 5080 wrote to memory of 4948	5080	cmd.exe	94
PID 5080 wrote to memory of 4948	5080	cmd.exe	94
PID 5080 wrote to memory of 3892	5080	cmd.exe	95
PID 5080 wrote to memory of 3892	5080	cmd.exe	95
PID 5080 wrote to memory of 3892	5080	cmd.exe	95
PID 3216 wrote to memory of 5192	3216	stmp activator.exe	98
PID 3216 wrote to memory of 5192	3216	stmp activator.exe	98
PID 3216 wrote to memory of 5192	3216	stmp activator.exe	98
PID 5192 wrote to memory of 3520	5192	cmd.exe	100
PID 5192 wrote to memory of 3520	5192	cmd.exe	100
PID 5192 wrote to memory of 3520	5192	cmd.exe	100
PID 5192 wrote to memory of 5812	5192	cmd.exe	101
PID 5192 wrote to memory of 5812	5192	cmd.exe	101
PID 5192 wrote to memory of 5812	5192	cmd.exe	101
PID 5192 wrote to memory of 496	5192	cmd.exe	102
PID 5192 wrote to memory of 496	5192	cmd.exe	102
PID 5192 wrote to memory of 496	5192	cmd.exe	102
PID 3216 wrote to memory of 3908	3216	stmp activator.exe	103
PID 3216 wrote to memory of 3908	3216	stmp activator.exe	103
PID 3216 wrote to memory of 3908	3216	stmp activator.exe	103
PID 3908 wrote to memory of 3692	3908	cmd.exe	105
PID 3908 wrote to memory of 3692	3908	cmd.exe	105
PID 3908 wrote to memory of 3692	3908	cmd.exe	105
PID 3908 wrote to memory of 5252	3908	cmd.exe	106
PID 3908 wrote to memory of 5252	3908	cmd.exe	106
PID 3908 wrote to memory of 5252	3908	cmd.exe	106

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\SMTP-CRACKED.7z"
1⤵
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2288

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4808

C:\Users\Admin\Desktop\SMTP-CRACKED\stmp activator.exe
"C:\Users\Admin\Desktop\SMTP-CRACKED\stmp activator.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:5460
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1964
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2132
- - C:\Windows\SysWOW64\findstr.exe
    findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5616
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5080
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4948
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3892

C:\Users\Admin\Desktop\SMTP-CRACKED\stmp activator.exe
"C:\Users\Admin\Desktop\SMTP-CRACKED\stmp activator.exe"
1⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:5192
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3520
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5812
- - C:\Windows\SysWOW64\findstr.exe
    findstr All
    3⤵
    - System Location Discovery: System Language Discovery
    PID:496
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3908
- - C:\Windows\SysWOW64\chcp.com
    chcp 65001
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3692
- - C:\Windows\SysWOW64\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:5252

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\287c4f6d8dec891a500e77756fc8e6ee\Admin@OKUUPVQN_en-US\System\Process.txt

Filesize
4KB

MD5
ecf96189e0bbf5ca65cac26287675174

SHA1
1f774a16824e4e181d5809f988072948e43b9482

SHA256
72bbc687faeff6ff9408e73b66287a24a573babd54ae6719bac68bd8eef03842

SHA512
1ed1a958fab25de3aad8d479c31539a899b9a0e0b3c553cd83219d4b24a77fe0f66ac335a49348e97665505df945c489ad0073b9bea12bef80ecde4276240caf

Download Submit
C:\Users\Admin\AppData\Local\7f7e5b7b6ca91d5696510f1a5b80a29e\Admin@OKUUPVQN_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\7f7e5b7b6ca91d5696510f1a5b80a29e\Admin@OKUUPVQN_en-US\System\Process.txt

Filesize
4KB

MD5
9fa6e38265c0169bb5105635a75ca722

SHA1
6ce242c4613d35294dd70207580d04fbb52ce895

SHA256
a271b322ddc66a9650f8205c56477cfdda7e1ad94f6a4100411dd580b6acd448

SHA512
a2cc51503427cf247e4c9976310ee00fa8431fa1b1947618621e887c98a77f09843fee138094cacf09dfa82f503f923e1fbe77b3382d5251c76a296c71158647

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw

Filesize
5.0MB

MD5
75edf782895193635b6515d6f6f579e0

SHA1
1fc7569a8b733a08db514e61064ad71bf4b9aad6

SHA256
0644607d3bc0bfc60de68988ea8b8b94e54d6fcd807d6f33418139b1ab985a64

SHA512
47c8373cd72716c668f33242c66ed149abea716416321a85853f1a867725246a005554496ab76eedd3fa456dc7100294ca59682c08b92616fdbdb91cb3639aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp58C9.tmp.dat

Filesize
114KB

MD5
3b0a6dd730b567b616146f69c87b5e6d

SHA1
789d479d4d84dbd823ca1ffb0cf1aca7cb6f092e

SHA256
d3b9c8dedd107425328c05d5f00edcb27c9a226de5a696b7fff13eb68f4dde93

SHA512
6308ebad20b326cedd351ff386af11d5319e48193a13cbda7df5c6a16b637b3d79aa82c6c494a01149395b2af7f2a393d96be1d9242166272ed457b8ee2ef428

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp58CB.tmp.dat

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp58EE.tmp.dat

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\d850db8f09bff89e4f4064e17b196bd2\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\Desktop\SMTP-CRACKED\desktop.ini

Filesize
114B

MD5
5dd243d0a3f82885dcb3da32ebe9087f

SHA1
7bdfa1d9c97980e27107eb32f821032cd00c4510

SHA256
290408d1009f799c0e0c388fff87d0f4433008e1b5a37c78d399916f3bbd091f

SHA512
798b31bc8a1e01414f697c2daab9d4a0c54ec762db6f97ce845ddf06793d97091cbcca77f6c5cbcd61c3eaa722f34b6b834d8f222d43d7c1acf4880df0c5fb37

Download Submit
C:\Users\Admin\Desktop\SMTP-CRACKED\smtpcracker.py

Filesize
3KB

MD5
0a092c2569652eb1f111e7f6fd6a3267

SHA1
a0a25094f271e358b28fa8ab45d412f58cc5a846

SHA256
1d526b1ce4453ae43d7fc9bf1b8b9e8e63bdd945e59bca20e5a734d9be683be5

SHA512
bb16fec5bafbd95c774e5285f61c471507912403a78b6d0d132bfa50f3298d492efa7314e7b666dcfe8bedd1d6882d11d0bf25650246c394c31e214739a6e52a

Download Submit
C:\Users\Admin\Desktop\SMTP-CRACKED\stmp activator.exe

Filesize
175KB

MD5
1a45aeff7aa95726e16438391117a613

SHA1
81297558200d2eaa8b1a15a72b34c820feae8468

SHA256
e3db90427a0f3bb0af632b38a69ad5a2bfe5107795a7e69d2c5ea7ee1c485796

SHA512
6a97e295c81bbe5cc2c9ddb294262d6c93a336badba205a00ac61c3d88391e55ee3b7a8d293c0ffcb498c350dcfe092d3dd60daad9f586c981326bebe46ef0d0

Download Submit
memory/2116-170-0x0000000007320000-0x0000000007332000-memory.dmp

Filesize
72KB

Download
memory/2116-158-0x0000000006A90000-0x0000000007036000-memory.dmp

Filesize
5.6MB

Download
memory/2116-162-0x0000000006670000-0x000000000667A000-memory.dmp

Filesize
40KB

Download
memory/2116-163-0x00000000749E0000-0x0000000075191000-memory.dmp

Filesize
7.7MB

Download
memory/2116-113-0x00000000749E0000-0x0000000075191000-memory.dmp

Filesize
7.7MB

Download
memory/2116-156-0x0000000006440000-0x00000000064D2000-memory.dmp

Filesize
584KB

Download
memory/2116-97-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download
memory/2116-157-0x00000000749E0000-0x0000000075191000-memory.dmp

Filesize
7.7MB

Download
memory/2116-11-0x0000000005910000-0x0000000005976000-memory.dmp

Filesize
408KB

Download
memory/2116-10-0x00000000749E0000-0x0000000075191000-memory.dmp

Filesize
7.7MB

Download
memory/2116-9-0x0000000000E20000-0x0000000000E52000-memory.dmp

Filesize
200KB

Download
memory/2116-8-0x00000000749EE000-0x00000000749EF000-memory.dmp

Filesize
4KB

Download