Overview

overview

10

Static

static

3

Loader.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    865s
  • max time network
    872s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 17:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loader.exe

  • Size

    64KB

  • MD5

    7ca5852a9d6d8c6d86ed1d0c0814a9f6

  • SHA1

    692ef8e9600163e66508dd27cbbded5be2f9dda5

  • SHA256

    92ec5fd1a2c0aa1c565b93b5c2f8d9e472346014a0927182865b7c830aa3c7cd

  • SHA512

    3fb5c4a95b6c1fb4db20810d824192aa8b4dc35535151eaad02a60e0a24df38e452d52a8912fb8d114d7d0d58456763cf3eb739086fdb72f838f235e88f877b8

  • SSDEEP

    1536:YzUmkjlbRxKrE99uExdTlM28i5pzDwl2qay:e50lb7KrE93Mw7wl2S

Score
10/10
asyncratdefaultdiscoveryevasionexecutionrattrojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

66.66.146.74:9511

Mutex

nwJFeGdDXcL2

Attributes
  • delay

    3

  • install

    true

  • install_file

    System32.exe

  • install_folder

    %AppData%

aes.plain

Extracted

Family

asyncrat

Botnet

Default

C2

one-accordance.gl.at.ply.gg:9590

Attributes
  • delay

    1

  • install

    true

  • install_file

    Windows Defender.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Asyncrat family
    asyncrat
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs
    evasiontrojan
  • Async RAT payload 2 IoCs
    rat
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Start PowerShell.

    execution
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 4 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3684
    • C:\Users\Admin\AppData\Local\Temp\Loader.exe
      "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
      2⤵
        PID:4128
      • C:\Users\Admin\AppData\Local\Temp\Start.exe
        "C:\Users\Admin\AppData\Local\Temp\Start.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:212
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3264
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
            4⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:1284
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7772.tmp.bat""
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5096
          • C:\Windows\SysWOW64\timeout.exe
            timeout 3
            4⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:428
          • C:\Users\Admin\AppData\Roaming\System32.exe
            "C:\Users\Admin\AppData\Roaming\System32.exe"
            4⤵
            • Checks computer location settings
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1112
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ifwknl.bat"' & exit
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3360
              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\ifwknl.bat"'
                6⤵
                • Command and Scripting Interpreter: PowerShell
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2860
                • C:\Users\Admin\AppData\Local\Temp\ifwknl.bat
                  "C:\Users\Admin\AppData\Local\Temp\ifwknl.bat"
                  7⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  PID:2784
                  • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                    "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
                    8⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:4536
                    • C:\Windows\System32\cmd.exe
                      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"' & exit
                      9⤵
                        PID:2440
                        • C:\Windows\system32\schtasks.exe
                          schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"'
                          10⤵
                          • Scheduled Task/Job: Scheduled Task
                          PID:388
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE9DE.tmp.bat""
                        9⤵
                          PID:184
                          • C:\Windows\system32\timeout.exe
                            timeout 3
                            10⤵
                            • Delays execution with timeout.exe
                            PID:2164
                          • C:\Users\Admin\AppData\Roaming\Windows Defender.exe
                            "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
                            10⤵
                            • Modifies Windows Defender Real-time Protection settings
                            • Checks computer location settings
                            • Executes dropped EXE
                            • Windows security modification
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            PID:3360
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "powershell" Get-MpPreference -verbose
                              11⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:180
                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add - MpPreference - ExclusionExtension ".exe"
                              11⤵
                              • Suspicious use of AdjustPrivilegeToken
                              PID:1424
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Defender"
                              11⤵
                                PID:2380
                                • C:\Windows\system32\schtasks.exe
                                  schtasks /delete /f /tn "Windows Defender"
                                  12⤵
                                    PID:4584
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEB88.tmp.bat""
                                  11⤵
                                    PID:1968
                                    • C:\Windows\system32\timeout.exe
                                      timeout 3
                                      12⤵
                                      • Delays execution with timeout.exe
                                      PID:4952
                            • C:\Users\Admin\AppData\Local\Temp\Start.exe
                              "C:\Users\Admin\AppData\Local\Temp\Start.exe"
                              8⤵
                              • Executes dropped EXE
                              • System Location Discovery: System Language Discovery
                              PID:4812
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "System32"
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:3608
                        • C:\Windows\SysWOW64\schtasks.exe
                          schtasks /delete /f /tn "System32"
                          6⤵
                          • System Location Discovery: System Language Discovery
                          PID:1840
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp857B.tmp.bat""
                        5⤵
                        • System Location Discovery: System Language Discovery
                        PID:3916
                        • C:\Windows\SysWOW64\timeout.exe
                          timeout 3
                          6⤵
                          • System Location Discovery: System Language Discovery
                          • Delays execution with timeout.exe
                          PID:2860
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
                1⤵
                • Enumerates system info in registry
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:2032
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff4bd546f8,0x7fff4bd54708,0x7fff4bd54718
                  2⤵
                    PID:2356
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,16113614958304754145,15542675513585891449,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
                    2⤵
                      PID:3436
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,16113614958304754145,15542675513585891449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1156
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,16113614958304754145,15542675513585891449,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
                      2⤵
                        PID:4608
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16113614958304754145,15542675513585891449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
                        2⤵
                          PID:1920
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16113614958304754145,15542675513585891449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
                          2⤵
                            PID:2076
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16113614958304754145,15542675513585891449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
                            2⤵
                              PID:4548
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16113614958304754145,15542675513585891449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
                              2⤵
                                PID:3404
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16113614958304754145,15542675513585891449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
                                2⤵
                                  PID:2860
                                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,16113614958304754145,15542675513585891449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
                                  2⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:756
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16113614958304754145,15542675513585891449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
                                  2⤵
                                    PID:3708
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16113614958304754145,15542675513585891449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
                                    2⤵
                                      PID:3376
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16113614958304754145,15542675513585891449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
                                      2⤵
                                        PID:4212
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16113614958304754145,15542675513585891449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
                                        2⤵
                                          PID:2036
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16113614958304754145,15542675513585891449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:1
                                          2⤵
                                            PID:4812
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,16113614958304754145,15542675513585891449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
                                            2⤵
                                              PID:4436
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,16113614958304754145,15542675513585891449,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4472 /prefetch:2
                                              2⤵
                                                PID:1408
                                            • C:\Windows\System32\CompPkgSrv.exe
                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                              1⤵
                                                PID:840
                                              • C:\Windows\System32\CompPkgSrv.exe
                                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                1⤵
                                                  PID:3376

                                                Network

                                                MITRE ATT&CK Enterprise v15

                                                Reconnaissance

                                                Resource Development

                                                Initial Access

                                                Execution

                                                Command and Scripting Interpreter

                                                1
                                                T1059

                                                PowerShell

                                                1
                                                T1059.001

                                                Scheduled Task/Job

                                                1
                                                T1053

                                                Scheduled Task

                                                1
                                                T1053.005

                                                Persistence

                                                Create or Modify System Process

                                                1
                                                T1543

                                                Windows Service

                                                1
                                                T1543.003

                                                Scheduled Task/Job

                                                1
                                                T1053

                                                Scheduled Task

                                                1
                                                T1053.005

                                                Privilege Escalation

                                                Create or Modify System Process

                                                1
                                                T1543

                                                Windows Service

                                                1
                                                T1543.003

                                                Scheduled Task/Job

                                                1
                                                T1053

                                                Scheduled Task

                                                1
                                                T1053.005

                                                Defense Evasion

                                                Impair Defenses

                                                2
                                                T1562

                                                Disable or Modify Tools

                                                2
                                                T1562.001

                                                Modify Registry

                                                2
                                                T1112

                                                Credential Access

                                                Discovery

                                                Browser Information Discovery

                                                1
                                                T1217

                                                Query Registry

                                                3
                                                T1012

                                                System Information Discovery

                                                3
                                                T1082

                                                System Location Discovery

                                                1
                                                T1614

                                                System Language Discovery

                                                1
                                                T1614.001

                                                Lateral Movement

                                                Collection

                                                Command and Control

                                                Exfiltration

                                                Impact

                                                Replay Monitor

                                                Loading Replay Monitor...

                                                Downloads

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Loader.exe.log
                                                  Filesize

                                                  654B

                                                  MD5

                                                  2ff39f6c7249774be85fd60a8f9a245e

                                                  SHA1

                                                  684ff36b31aedc1e587c8496c02722c6698c1c4e

                                                  SHA256

                                                  e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                                  SHA512

                                                  1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                  Filesize

                                                  2KB

                                                  MD5

                                                  d85ba6ff808d9e5444a4b369f5bc2730

                                                  SHA1

                                                  31aa9d96590fff6981b315e0b391b575e4c0804a

                                                  SHA256

                                                  84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                  SHA512

                                                  8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Start.exe.log
                                                  Filesize

                                                  522B

                                                  MD5

                                                  acc9090417037dfa2a55b46ed86e32b8

                                                  SHA1

                                                  53fa6fb25fb3e88c24d2027aca6ae492b2800a4d

                                                  SHA256

                                                  2412679218bb0a7d05ceee32869bbb223619bde9966c4c460a68304a3367724b

                                                  SHA512

                                                  d51f7085ec147c708f446b9fb6923cd2fb64596d354ed929e125b30ace57c8cb3217589447a36960e5d3aea87a4e48aaa82c7509eced6d6c2cecd71fcfe3697b

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                  Filesize

                                                  152B

                                                  MD5

                                                  34d2c4f40f47672ecdf6f66fea242f4a

                                                  SHA1

                                                  4bcad62542aeb44cae38a907d8b5a8604115ada2

                                                  SHA256

                                                  b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

                                                  SHA512

                                                  50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                  Filesize

                                                  1KB

                                                  MD5

                                                  fb07e3dd88b4cc6f5f40d0479b0e92e4

                                                  SHA1

                                                  54ff5d77086aee784a8f1d24dceeef235acc7c0c

                                                  SHA256

                                                  560f67adc26826581c54cac753172f05cb56cff8e8391fd45e1ed237e604d313

                                                  SHA512

                                                  aaf1afd25aa4b0991527eaad527e1f614f52f2070f9bd18f8fcf3f3eb396c86affe1e6a914a1e6ea19405a2d56173e21d1ef0bca3ed9c7916971b8ca1055c8ab

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                  Filesize

                                                  839B

                                                  MD5

                                                  bfa426451c5c6f31b0ab0def6581b5f9

                                                  SHA1

                                                  c1f43c716595e84d0096f48af7733af79ba4379f

                                                  SHA256

                                                  29200821e3538bc932b29aed3906c22630d3ec6bdfc4d3e506cb2230d01a26ce

                                                  SHA512

                                                  f257148c483a1b0ebd4a05c6a558883b7996ae88bb75d6363b52350a228cb41f82df1c5a9119618aeb341130cbbe8b084a90e7ff45878834aca3c8632e9f3599

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                  Filesize

                                                  837B

                                                  MD5

                                                  10a6691121ca2be4cb280c773fddbde5

                                                  SHA1

                                                  bd2b13cf889f4d1cc59b35ca351021f4d456b835

                                                  SHA256

                                                  a7550b90b86143730217a9663dd2946fb8c8c444d6d48ca81e594c0321fda5bf

                                                  SHA512

                                                  e2071b245245d0cee158a419ac8a90f5fa953ca2750d7cadab419b79878f2ae7797c565f524d8c5d680fcdc3322cc0a3e5c51155532891092619cb2da7d93fae

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                  Filesize

                                                  471B

                                                  MD5

                                                  800abd285601de95a983fbae5075fb7e

                                                  SHA1

                                                  5e262023c6a95042c5ecdd5da821e04afc8db777

                                                  SHA256

                                                  9b904e61a3beccaec82c0937237be9ba981d9a97b8ee4602da5bca4d852f81fa

                                                  SHA512

                                                  544c3560e08e2b52a563b7d7dad5add052cf9c9cc65e97e182349d86b1b05a82aac883a542cdba40a1ec1f425a7855eddeb74e5a62e084df2cd5dafe76848c8c

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                  Filesize

                                                  747B

                                                  MD5

                                                  807497128ba0b7fe3201c2de23401106

                                                  SHA1

                                                  b1c4066f3f4c43ff6ec2f63923495035231d5957

                                                  SHA256

                                                  fc4eab4dbb2ea08a3dde567008ba59e31522c39e74c93840e3ccf5a701b20495

                                                  SHA512

                                                  bb1995c80ac648a6aa9141d35b1643961c43c0b425215858d62aa94dc6c7c190d4f99534275f4007527ef2ffae9127d9f949078b91874424bb121aea29ae88ef

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                  Filesize

                                                  5KB

                                                  MD5

                                                  d10ca837a779ffebf53e77d3e784dbd6

                                                  SHA1

                                                  b9cab43cde255734a9c10703d6049290dfa65e20

                                                  SHA256

                                                  bb1251880a9a6eb41ded052782195270f765985a0a99934c70d320378992336f

                                                  SHA512

                                                  78fcfe75e592fe6e8c49cca3282b5f3d40844161f7ef451c5c4019e6730d05f895609fd8483d4fb0a83f0cc313ee46eb51788567e87f791fd3a829bed048300f

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                  Filesize

                                                  6KB

                                                  MD5

                                                  bb5acaff09f83cf33e9730af0c26cedc

                                                  SHA1

                                                  d9b531ad66ce16625530f513a63ad054eeb6d34f

                                                  SHA256

                                                  916b0895a6d2aaf11986563853b25a2546dcc2ee137f40925f8ca29420607b31

                                                  SHA512

                                                  6bc7ecd6d6d48d4550bc646b78bb866deebb96adc06cfd4a3700155e8a2319368b33c1366a1f4d07b3605f0aea2311984e8282f2af412f6b29e4e49d969f0743

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                  Filesize

                                                  6KB

                                                  MD5

                                                  cf5b25adf055a321da105fca95b794aa

                                                  SHA1

                                                  6fbd65964dec9fb0be06d7d9bc27b7642570f661

                                                  SHA256

                                                  65ef86cd605c5e1ad4665661ca9648f37fa0a644766f22692888c5811e18ff52

                                                  SHA512

                                                  3ba2178581ec2b6ef43a4a1cadcff72dbdda9b6f49d614053a36fc25f076a901b624d0b20f6b0661ee118166d7fb97fa1a58437a7e1185469a5f0303cb091d21

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                  Filesize

                                                  16B

                                                  MD5

                                                  6752a1d65b201c13b62ea44016eb221f

                                                  SHA1

                                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                  SHA256

                                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                  SHA512

                                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                  Filesize

                                                  11KB

                                                  MD5

                                                  87821d6cf45c4af4f111bbe1f116b6d0

                                                  SHA1

                                                  59d212d4cbc493067b3db40fbf8ad713367f355a

                                                  SHA256

                                                  2711e2090ea3aef1c5cdba36d74de6d02f9b18098e79499092b44fcaeae751d6

                                                  SHA512

                                                  2d383c364ab71f4dfd5c42fe34593fa67faa7439b5b47fe7b35cb398ec57b3231ba50d6b6724d8998c5e7d18629372d058e8983cc8bc55c98754a845614ab5ab

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                  Filesize

                                                  10KB

                                                  MD5

                                                  47135ef130999ad940adf9e4878b85c6

                                                  SHA1

                                                  0a0878357ddba202a202053afee7fdce85e49649

                                                  SHA256

                                                  0070bb98092389707accf8700d12003d6d769bc310b2e2741c510c6758c153fe

                                                  SHA512

                                                  7c0098a2bb06382726ef69b6749e4b217239f7363d5065ac4031ecb3e3949c61b3c07ddd3942a16b0a07859c5d5d30558c4a15eb9ec56b233679594ec13433f4

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  15KB

                                                  MD5

                                                  c9a1e77b6fafe8fac054cc19e973f998

                                                  SHA1

                                                  9994959cba8f3a76e39d6ca55ce83897e08a3586

                                                  SHA256

                                                  1485909583817e626625f72d4efaed04ffceb1e88793a09306534fd39e55679f

                                                  SHA512

                                                  cc1fc0b81bb02bae832c4ecc2bc8421a1f409b6ac465f4cf6f404692c6ecf86bab6f9a163cac772f19b705d08a845f567e99de8f2fecb57fb87a8ec57f2b365b

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                  Filesize

                                                  948B

                                                  MD5

                                                  a7ce8cefc3f798abe5abd683d0ef26dd

                                                  SHA1

                                                  b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e

                                                  SHA256

                                                  5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a

                                                  SHA512

                                                  c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\Loader.exe
                                                  Filesize

                                                  63KB

                                                  MD5

                                                  aba726ec9183c855cfa084ee66f49f7f

                                                  SHA1

                                                  f12f9cf0920b0d3a76bb16027539ba0c13da035d

                                                  SHA256

                                                  fb680425e6edc0fa4d2fe526cd78d6ec69683fcafe57744993c8b7192b2c0a71

                                                  SHA512

                                                  a03a1c596e9570c6766d051d76e1a14894852cfa3889dd567f9e187be1055a49479355b8ed3a876a2934308aac945b232c1b206664614b66791ed0cc1f0b5c1f

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\Start.exe
                                                  Filesize

                                                  45KB

                                                  MD5

                                                  b733e729705bf66c1e5c66d97e247701

                                                  SHA1

                                                  25eec814abdf1fc6afe621e16aa89c4eb42616b9

                                                  SHA256

                                                  9081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023

                                                  SHA512

                                                  09b59b8942c1409a03ca4e7f77c6007160af4d557386b766516dba392750869c017d0fd5d6fbbfcbb3e559a70ad42adcb498595df186be180cfc04e921d74320

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vvjn032t.wdg.ps1
                                                  Filesize

                                                  60B

                                                  MD5

                                                  d17fe0a3f47be24a6453e9ef58c94641

                                                  SHA1

                                                  6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                  SHA256

                                                  96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                  SHA512

                                                  5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\ifwknl.bat
                                                  Filesize

                                                  64KB

                                                  MD5

                                                  7ca5852a9d6d8c6d86ed1d0c0814a9f6

                                                  SHA1

                                                  692ef8e9600163e66508dd27cbbded5be2f9dda5

                                                  SHA256

                                                  92ec5fd1a2c0aa1c565b93b5c2f8d9e472346014a0927182865b7c830aa3c7cd

                                                  SHA512

                                                  3fb5c4a95b6c1fb4db20810d824192aa8b4dc35535151eaad02a60e0a24df38e452d52a8912fb8d114d7d0d58456763cf3eb739086fdb72f838f235e88f877b8

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\tmp7772.tmp.bat
                                                  Filesize

                                                  152B

                                                  MD5

                                                  ee1ee97f4714432bff4351c68f953d04

                                                  SHA1

                                                  33d0e9b8d62b6b3f37610fc3cf5f9dc8072f5450

                                                  SHA256

                                                  e30ceb0151b84d2cdc32f786534394e0c31b31ca7780384411f7854547e09f05

                                                  SHA512

                                                  362400235e889173e9d0966e08e91bdcc77c5be5232fa74e20665b2a59331564554983e1b217db85e1f7c844078a4202809040f5ed19d775b6a007e5150cb718

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\tmp857B.tmp.bat
                                                  Filesize

                                                  157B

                                                  MD5

                                                  7310f00e4704d0a901880cf9ea3ac9ed

                                                  SHA1

                                                  3b9dfd6cdab7d3854cc30255375e833d021db46a

                                                  SHA256

                                                  2a21e62f1f7e08061c0f9cdb1a7ef8311d16de8671061a0d4b1e5b6bd3df28d4

                                                  SHA512

                                                  314834a4af3c8fd7b52079df78fed5d89ac38d17840319c9ffc01a13e61399f527da31abde81a100ae469168b48cdf045f710034ef0211830c4d411ef9a93ea7

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\tmpE9DE.tmp.bat
                                                  Filesize

                                                  160B

                                                  MD5

                                                  5f81a3d0d563361e639fbd97dc850cb2

                                                  SHA1

                                                  f12d555100809c99ae01359d01b3844b67c6e058

                                                  SHA256

                                                  fe662a3160bdf0afd81054f18e1380247ba7326cb3000d492def0c1f41824478

                                                  SHA512

                                                  a66d37cd7bb415f4b51f97292adced6ef5957ef0727e7794b14badf9930e35b40f311fec34432f238ac89837cbc6c491bbc6ff73e8d9c6d9b585dc01075ae84d

                                                  Download Submit

                                                • C:\Users\Admin\AppData\Local\Temp\tmpEB88.tmp.bat
                                                  Filesize

                                                  165B

                                                  MD5

                                                  2fa652699aadb645e1d2ae40967cfebe

                                                  SHA1

                                                  186abb02314da26f85fae966bdb272d656875840

                                                  SHA256

                                                  f8ac936ae91c5c3b109ec42df26fd9c8546ce64baa1daae36f1fbc4fdc2be292

                                                  SHA512

                                                  18827dc0c32dd759393c9654b394c7ecb3aa59703b0faaa75e393d0f6c16c10e8be6b9d8398f1f765fd91f9be08d4bf8beb6c5605fa7a1c95a2ada99dd8999c9

                                                  Download Submit

                                                • \??\pipe\LOCAL\crashpad_2032_MHJLPZFZUPNPVAUX
                                                  MD5

                                                  d41d8cd98f00b204e9800998ecf8427e

                                                  SHA1

                                                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                  SHA256

                                                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                  SHA512

                                                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                  Download Submit

                                                • memory/180-333-0x0000021BA1690000-0x0000021BA16B2000-memory.dmp

                                                  Filesize

                                                  136KB

                                                  Download

                                                • memory/180-340-0x0000021BA1820000-0x0000021BA196E000-memory.dmp

                                                  Filesize

                                                  1.3MB

                                                  Download

                                                • memory/212-16-0x0000000000D90000-0x0000000000DA2000-memory.dmp

                                                  Filesize

                                                  72KB

                                                  Download

                                                • memory/212-15-0x000000007541E000-0x000000007541F000-memory.dmp

                                                  Filesize

                                                  4KB

                                                  Download

                                                • memory/212-19-0x00000000057E0000-0x000000000587C000-memory.dmp

                                                  Filesize

                                                  624KB

                                                  Download

                                                • memory/1112-33-0x0000000005470000-0x00000000054D6000-memory.dmp

                                                  Filesize

                                                  408KB

                                                  Download

                                                • memory/1112-32-0x0000000005950000-0x0000000005EF4000-memory.dmp

                                                  Filesize

                                                  5.6MB

                                                  Download

                                                • memory/1112-233-0x0000000006BC0000-0x0000000006C22000-memory.dmp

                                                  Filesize

                                                  392KB

                                                  Download

                                                • memory/1112-392-0x0000000006100000-0x0000000006164000-memory.dmp

                                                  Filesize

                                                  400KB

                                                  Download

                                                • memory/1112-100-0x0000000006500000-0x0000000006576000-memory.dmp

                                                  Filesize

                                                  472KB

                                                  Download

                                                • memory/1112-103-0x00000000068F0000-0x0000000006982000-memory.dmp

                                                  Filesize

                                                  584KB

                                                  Download

                                                • memory/1112-102-0x00000000065C0000-0x00000000065DE000-memory.dmp

                                                  Filesize

                                                  120KB

                                                  Download

                                                • memory/1112-101-0x0000000006480000-0x00000000064E8000-memory.dmp

                                                  Filesize

                                                  416KB

                                                  Download

                                                • memory/1424-353-0x000001CA714B0000-0x000001CA715FE000-memory.dmp

                                                  Filesize

                                                  1.3MB

                                                  Download

                                                • memory/2860-246-0x0000000005240000-0x0000000005262000-memory.dmp

                                                  Filesize

                                                  136KB

                                                  Download

                                                • memory/2860-258-0x0000000006100000-0x000000000611E000-memory.dmp

                                                  Filesize

                                                  120KB

                                                  Download

                                                • memory/2860-261-0x00000000065B0000-0x00000000065CA000-memory.dmp

                                                  Filesize

                                                  104KB

                                                  Download

                                                • memory/2860-262-0x0000000006600000-0x0000000006622000-memory.dmp

                                                  Filesize

                                                  136KB

                                                  Download

                                                • memory/2860-244-0x0000000002800000-0x0000000002836000-memory.dmp

                                                  Filesize

                                                  216KB

                                                  Download

                                                • memory/2860-245-0x0000000005290000-0x00000000058B8000-memory.dmp

                                                  Filesize

                                                  6.2MB

                                                  Download

                                                • memory/2860-247-0x0000000005A30000-0x0000000005A96000-memory.dmp

                                                  Filesize

                                                  408KB

                                                  Download

                                                • memory/2860-260-0x0000000007110000-0x00000000071A6000-memory.dmp

                                                  Filesize

                                                  600KB

                                                  Download

                                                • memory/2860-253-0x0000000005B80000-0x0000000005ED4000-memory.dmp

                                                  Filesize

                                                  3.3MB

                                                  Download

                                                • memory/2860-259-0x0000000006130000-0x000000000617C000-memory.dmp

                                                  Filesize

                                                  304KB

                                                  Download

                                                • memory/3360-318-0x0000000002720000-0x000000000273E000-memory.dmp

                                                  Filesize

                                                  120KB

                                                  Download

                                                • memory/3360-326-0x000000001B050000-0x000000001B084000-memory.dmp

                                                  Filesize

                                                  208KB

                                                  Download

                                                • memory/3360-317-0x0000000000DE0000-0x0000000000E14000-memory.dmp

                                                  Filesize

                                                  208KB

                                                  Download

                                                • memory/3360-316-0x000000001CB00000-0x000000001CB76000-memory.dmp

                                                  Filesize

                                                  472KB

                                                  Download

                                                • memory/3360-397-0x000000001C900000-0x000000001C9B2000-memory.dmp

                                                  Filesize

                                                  712KB

                                                  Download

                                                • memory/3684-0-0x00007FFF4B663000-0x00007FFF4B665000-memory.dmp

                                                  Filesize

                                                  8KB

                                                  Download

                                                • memory/3684-25-0x00007FFF4B660000-0x00007FFF4C121000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                  Download

                                                • memory/3684-10-0x00007FFF4B660000-0x00007FFF4C121000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                  Download

                                                • memory/3684-1-0x0000000000930000-0x0000000000946000-memory.dmp

                                                  Filesize

                                                  88KB

                                                  Download

                                                • memory/4128-18-0x00007FFF4B660000-0x00007FFF4C121000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                  Download

                                                • memory/4128-12-0x00007FFF4B660000-0x00007FFF4C121000-memory.dmp

                                                  Filesize

                                                  10.8MB

                                                  Download

                                                • memory/4536-288-0x00000000005D0000-0x00000000005E6000-memory.dmp

                                                  Filesize

                                                  88KB

                                                  Download