asyncrat | 047b76675a633db72c428f5c79a6b5ca5c7b3a6fbebbb7de5ec495e4cb1857af

Analysis

max time kernel
145s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-01-2025 00:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe
Size

2.0MB
MD5

6ad6bb9ff2600d6e03aeea4d5aaae235
SHA1

e5c72c1a2a35e01b1e9d64cf7991d86abc88cce5
SHA256

047b76675a633db72c428f5c79a6b5ca5c7b3a6fbebbb7de5ec495e4cb1857af
SHA512

d3da5954fb81e8d4f50fc16ff89c5627de0c3e7e2e393b3dbd4d27293ba3e1b388e92a0585a5dd9df6a10561fcd519f014b90a5257d7c2c606de21fc001db770
SSDEEP

24576:SGyEQkGMex01TGQ0U7dr0hYmwFRbKOdzzmh3xtJ5GfsZOu17s:SGrdomllYOpcxckfs

Score

10^/10

asyncrat stormkitty default discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral2/memory/4972-84-0x0000000000400000-0x0000000000432000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	Aws SMTPS Cracker Private.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.exe	Windows Security.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Security.exe	Windows Security.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsUpdater.lnk	Windows Security.exe

Executes dropped EXE 7 IoCs

pid	Process
2072	Aws SMTPS Cracker Private.exe
4052	HeartSender.exe
2248	Windows Defender Security.exe
5048	Windows Security.exe
1796	crack.exe
4972	Windows Defender Security.exe
4320	Windows Security.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\dWQYXcWePR = "C:\\Users\\Admin\\AppData\\Roaming\\wTKPLfiDZW\\QdMLXbFpGy.exe"	Windows Security.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsUpdater = "\"C:\\Users\\Admin\\AppData\\Roaming\\Windows Security.exe\" .."	Windows Security.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\JgCXAbWzNr = "C:\\Users\\Admin\\AppData\\Roaming\\LqASTmzNGL\\EzArBTPtXq.exe"	Windows Defender Security.exe

Drops desktop.ini file(s) 9 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\1b8a1056b2e6d9ca2e3ace5539c4cdc4\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	Windows Defender Security.exe
File created	C:\Users\Admin\AppData\Local\1b8a1056b2e6d9ca2e3ace5539c4cdc4\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	Windows Defender Security.exe
File created	C:\Users\Admin\AppData\Local\1b8a1056b2e6d9ca2e3ace5539c4cdc4\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	Windows Defender Security.exe
File created	C:\Users\Admin\AppData\Local\1b8a1056b2e6d9ca2e3ace5539c4cdc4\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	Windows Defender Security.exe
File opened for modification	C:\Users\Admin\AppData\Local\1b8a1056b2e6d9ca2e3ace5539c4cdc4\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	Windows Defender Security.exe
File created	C:\Users\Admin\AppData\Local\1b8a1056b2e6d9ca2e3ace5539c4cdc4\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	Windows Defender Security.exe
File created	C:\Users\Admin\AppData\Local\1b8a1056b2e6d9ca2e3ace5539c4cdc4\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	Windows Defender Security.exe
File created	C:\Users\Admin\AppData\Local\1b8a1056b2e6d9ca2e3ace5539c4cdc4\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Windows Defender Security.exe
File opened for modification	C:\Users\Admin\AppData\Local\1b8a1056b2e6d9ca2e3ace5539c4cdc4\Admin@UTKBEBLO_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Windows Defender Security.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	icanhazip.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2248 set thread context of 4972	2248	Windows Defender Security.exe	88
PID 5048 set thread context of 4320	5048	Windows Security.exe	89

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Defender Security.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Security.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aws SMTPS Cracker Private.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HeartSender.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Windows Defender Security.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4884	cmd.exe
32	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Windows Defender Security.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Windows Defender Security.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2156	timeout.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe
4972	Windows Defender Security.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4972	Windows Defender Security.exe
Token: SeDebugPrivilege	1796	crack.exe

Suspicious use of WriteProcessMemory 58 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 2072	3432	2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe	83
PID 3432 wrote to memory of 2072	3432	2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe	83
PID 3432 wrote to memory of 2072	3432	2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe	83
PID 3432 wrote to memory of 4052	3432	2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe	84
PID 3432 wrote to memory of 4052	3432	2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe	84
PID 3432 wrote to memory of 4052	3432	2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe	84
PID 2072 wrote to memory of 2248	2072	Aws SMTPS Cracker Private.exe	85
PID 2072 wrote to memory of 2248	2072	Aws SMTPS Cracker Private.exe	85
PID 2072 wrote to memory of 2248	2072	Aws SMTPS Cracker Private.exe	85
PID 2072 wrote to memory of 5048	2072	Aws SMTPS Cracker Private.exe	86
PID 2072 wrote to memory of 5048	2072	Aws SMTPS Cracker Private.exe	86
PID 2072 wrote to memory of 5048	2072	Aws SMTPS Cracker Private.exe	86
PID 2072 wrote to memory of 1796	2072	Aws SMTPS Cracker Private.exe	87
PID 2072 wrote to memory of 1796	2072	Aws SMTPS Cracker Private.exe	87
PID 2072 wrote to memory of 1796	2072	Aws SMTPS Cracker Private.exe	87
PID 2248 wrote to memory of 4972	2248	Windows Defender Security.exe	88
PID 2248 wrote to memory of 4972	2248	Windows Defender Security.exe	88
PID 2248 wrote to memory of 4972	2248	Windows Defender Security.exe	88
PID 5048 wrote to memory of 4320	5048	Windows Security.exe	89
PID 5048 wrote to memory of 4320	5048	Windows Security.exe	89
PID 5048 wrote to memory of 4320	5048	Windows Security.exe	89
PID 2248 wrote to memory of 4972	2248	Windows Defender Security.exe	88
PID 2248 wrote to memory of 4972	2248	Windows Defender Security.exe	88
PID 2248 wrote to memory of 4972	2248	Windows Defender Security.exe	88
PID 2248 wrote to memory of 4972	2248	Windows Defender Security.exe	88
PID 2248 wrote to memory of 4972	2248	Windows Defender Security.exe	88
PID 5048 wrote to memory of 4320	5048	Windows Security.exe	89
PID 5048 wrote to memory of 4320	5048	Windows Security.exe	89
PID 5048 wrote to memory of 4320	5048	Windows Security.exe	89
PID 5048 wrote to memory of 4320	5048	Windows Security.exe	89
PID 5048 wrote to memory of 4320	5048	Windows Security.exe	89
PID 1796 wrote to memory of 3012	1796	crack.exe	90
PID 1796 wrote to memory of 3012	1796	crack.exe	90
PID 1796 wrote to memory of 3012	1796	crack.exe	90
PID 3012 wrote to memory of 2156	3012	cmd.exe	92
PID 3012 wrote to memory of 2156	3012	cmd.exe	92
PID 3012 wrote to memory of 2156	3012	cmd.exe	92
PID 4972 wrote to memory of 4884	4972	Windows Defender Security.exe	96
PID 4972 wrote to memory of 4884	4972	Windows Defender Security.exe	96
PID 4972 wrote to memory of 4884	4972	Windows Defender Security.exe	96
PID 4884 wrote to memory of 3364	4884	cmd.exe	98
PID 4884 wrote to memory of 3364	4884	cmd.exe	98
PID 4884 wrote to memory of 3364	4884	cmd.exe	98
PID 4884 wrote to memory of 32	4884	cmd.exe	99
PID 4884 wrote to memory of 32	4884	cmd.exe	99
PID 4884 wrote to memory of 32	4884	cmd.exe	99
PID 4884 wrote to memory of 1588	4884	cmd.exe	100
PID 4884 wrote to memory of 1588	4884	cmd.exe	100
PID 4884 wrote to memory of 1588	4884	cmd.exe	100
PID 4972 wrote to memory of 2816	4972	Windows Defender Security.exe	101
PID 4972 wrote to memory of 2816	4972	Windows Defender Security.exe	101
PID 4972 wrote to memory of 2816	4972	Windows Defender Security.exe	101
PID 2816 wrote to memory of 244	2816	cmd.exe	103
PID 2816 wrote to memory of 244	2816	cmd.exe	103
PID 2816 wrote to memory of 244	2816	cmd.exe	103
PID 2816 wrote to memory of 4832	2816	cmd.exe	104
PID 2816 wrote to memory of 4832	2816	cmd.exe	104
PID 2816 wrote to memory of 4832	2816	cmd.exe	104

C:\Users\Admin\AppData\Local\Temp\2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-25_6ad6bb9ff2600d6e03aeea4d5aaae235_icedid.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Users\Admin\AppData\Roaming\Aws SMTPS Cracker Private.exe
  "C:\Users\Admin\AppData\Roaming\Aws SMTPS Cracker Private.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
    "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2248
  - - C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4972
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4884
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3364
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profile
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:32
      - C:\Windows\SysWOW64\findstr.exe
        
        findstr All
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1588
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2816
      - C:\Windows\SysWOW64\chcp.com
        
        chcp 65001
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:244
      - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show networks mode=bssid
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4832
- - C:\Users\Admin\AppData\Roaming\Windows Security.exe
    "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Users\Admin\AppData\Roaming\Windows Security.exe
      "C:\Users\Admin\AppData\Roaming\Windows Security.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:4320
- - C:\Users\Admin\AppData\Roaming\crack.exe
    "C:\Users\Admin\AppData\Roaming\crack.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB585.tmp.cmd""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3012
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 4
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2156
- C:\Users\Admin\AppData\Roaming\HeartSender.exe
  "C:\Users\Admin\AppData\Roaming\HeartSender.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\1b8a1056b2e6d9ca2e3ace5539c4cdc4\Admin@UTKBEBLO_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\1b8a1056b2e6d9ca2e3ace5539c4cdc4\Admin@UTKBEBLO_en-US\System\Process.txt

Filesize
4KB

MD5
7b527c8461c3f1953c7ba7af171ffc76

SHA1
cea7c65b8d0beb37eb1a410f35a11d7dcef2f985

SHA256
85d458da010299e9d48f8075302d097a5f6e47aaa623dc9463ef97e4d0f07086

SHA512
6647599d4da441da00f7c9a65e324001da35f07f3f64ed693fcc505904fb9c821c65cbaf550324d7b9cdacc570904ed34d724521d495db92b85716431be6d3da

Download Submit
C:\Users\Admin\AppData\Local\1b8a1056b2e6d9ca2e3ace5539c4cdc4\msgid.dat

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Windows Security.exe.log

Filesize
507B

MD5
76ffb2f33cb32ade8fc862a67599e9d8

SHA1
920cc4ab75b36d2f9f6e979b74db568973c49130

SHA256
f1a3724670e3379318ec9c73f6f39058cab0ab013ba3cd90c047c3d701362310

SHA512
f33502c2e1bb30c05359bfc6819ca934642a1e01874e3060349127d792694d56ad22fccd6c9477b8ee50d66db35785779324273f509576b48b7f85577e001b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB585.tmp.cmd

Filesize
151B

MD5
c9717d5bdce9cb283cf7e59b3b0ee37b

SHA1
3ac36b7a3276c7851810df9114d3a0ea9bbca49d

SHA256
213436d0c682f84feb9351bfeb967b123a0f015c15ffadd8fccecb5a16495e4c

SHA512
8c300903c6559834ab95451cd67beac5d27ba75644b5c91c284e313c17afa2769ef193239d4e242c31342843856ef0e58cf613afb29762002f453d42db22bab8

Download Submit
C:\Users\Admin\AppData\Roaming\Aws SMTPS Cracker Private.exe

Filesize
461KB

MD5
c3a6f6cdb3188010a0b230ddc987c01e

SHA1
c267acc2bf367a7ad783a5536b79528911e92fee

SHA256
f23c10b8274afc4aaf02bdacaa8f4f1db375cb221c12a1d3c3cec993dc00561a

SHA512
3861517e38e16160e976ba05af87c8c808c182fc47b4de93202b5822cbb0be01bcb62290503871061b3774222f00c748f743eb5febb86064e642c66fc8393eac

Download Submit
C:\Users\Admin\AppData\Roaming\HeartSender.exe

Filesize
1.5MB

MD5
1e76fc77d50b65268097301c482f005e

SHA1
ee2e94c47fd73cc14b26ece4dcae61a5d38e2c94

SHA256
ac0cdd2e2d793cb81fe898e457f357aac93a69410369bf35b5a3c6ff3beb0f02

SHA512
e19187da74d592fd958ac7d7c05efc81fb79f0cd90e53efeb9324cd54ed572d4e72a7e79a22adee097341269e19c64a6ff46083c6bef115dbfd16c72cca1f771

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Defender Security.exe

Filesize
267KB

MD5
86de666b0ad8dbc41cd8bde7edf2eaf1

SHA1
bd1739f2affb80835793ef2a7f1a0a4d92d57947

SHA256
606ddedb2de122911f04e14e584729f3b44852814c936f540ec00fde47ed4092

SHA512
c5259c56d0b4defe9af7be4f6ac4fea2d9052509041fac0a577f59ab362862079c8e39b27e3e04542b6255b6ef506138fded25fc09952524084e973e333a50a3

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security.exe

Filesize
107KB

MD5
e70a3009a59897bcceaf38d617eaa267

SHA1
fcd5f23e4f8ab3238e62a4c42327ee0634bbca72

SHA256
f23e22277e90ee4423c480a5d778bc3fe7daed8d906e252aaa46938fcd0566dd

SHA512
661e6a4b8059afe33c800ff98cff76012447952a3afa1c7e63763d019906116cc9f32d7201b56f7120e32ce6073895166157d5d122cb6f243c7e26d47f613173

Download Submit
C:\Users\Admin\AppData\Roaming\crack.exe

Filesize
8KB

MD5
9215015740c937980b6b53cee5087769

SHA1
a0bfe95486944f1548620d4de472c3758e95d36a

SHA256
a5390a297f14ef8f5be308009ec436d2a58598188dbb92d7299795a10ba1c541

SHA512
5b9bbf1836466d803d3e160a38e10c8397aa3966c120ab6435a52b7d0a09eb664ef2172bf0e7e2de1cc3eae261167c9355fa7ac3b1b7e4504a7e07b82c4b90e2

Download Submit
memory/1796-75-0x0000000000350000-0x0000000000358000-memory.dmp

Filesize
32KB

Download
memory/2072-28-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/2072-74-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/2072-26-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/2072-30-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/2248-71-0x0000000000980000-0x00000000009CA000-memory.dmp

Filesize
296KB

Download
memory/2248-79-0x0000000005220000-0x000000000522A000-memory.dmp

Filesize
40KB

Download
memory/2248-77-0x0000000005380000-0x000000000541C000-memory.dmp

Filesize
624KB

Download
memory/3432-1-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/3432-2-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/3432-0-0x0000000074842000-0x0000000074843000-memory.dmp

Filesize
4KB

Download
memory/3432-29-0x0000000074840000-0x0000000074DF1000-memory.dmp

Filesize
5.7MB

Download
memory/4052-72-0x00000000073E0000-0x00000000074EC000-memory.dmp

Filesize
1.0MB

Download
memory/4052-89-0x00000000050C0000-0x00000000050CA000-memory.dmp

Filesize
40KB

Download
memory/4052-250-0x0000000071A10000-0x00000000721C0000-memory.dmp

Filesize
7.7MB

Download
memory/4052-32-0x0000000000540000-0x00000000006BE000-memory.dmp

Filesize
1.5MB

Download
memory/4052-225-0x0000000071A1E000-0x0000000071A1F000-memory.dmp

Filesize
4KB

Download
memory/4052-81-0x0000000071A10000-0x00000000721C0000-memory.dmp

Filesize
7.7MB

Download
memory/4052-31-0x0000000071A1E000-0x0000000071A1F000-memory.dmp

Filesize
4KB

Download
memory/4320-85-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4972-97-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/4972-84-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4972-253-0x0000000006400000-0x000000000640A000-memory.dmp

Filesize
40KB

Download
memory/5048-70-0x00000000003A0000-0x00000000003C2000-memory.dmp

Filesize
136KB

Download
memory/5048-76-0x0000000004D20000-0x0000000004DB2000-memory.dmp

Filesize
584KB

Download
memory/5048-73-0x0000000005230000-0x00000000057D4000-memory.dmp

Filesize
5.6MB

Download