asyncrat | hxxps://t[.]ly/zt6XS

Analysis

max time kernel
50s
max time network
58s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
30/03/2024, 09:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://t.ly/zt6XS

Score

10^/10

asyncrat eternity default evasion rat spyware stealer trojan

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

Mutex

trigjiqjyexsu

Attributes

delay
1
install
true
install_file
Registry.exe
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/w5QC7zcd

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Contains code to disable Windows Defender 2 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0007000000023217-40.dat	disable_win_def
behavioral1/memory/2868-81-0x0000000000D20000-0x0000000000E5E000-memory.dmp	disable_win_def

Detects Eternity stealer 2 IoCs

stealer

resource	yara_rule
behavioral1/files/0x0007000000023217-40.dat	eternity_stealer
behavioral1/memory/2868-81-0x0000000000D20000-0x0000000000E5E000-memory.dmp	eternity_stealer

Eternity
Eternity Project is a malware kit offering an info stealer, clipper, worm, coin miner, ransomware, and DDoS bot.
eternity

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Silviozas Premium Proxy V3.8597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Silviozas Premium Proxy V3.8597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Silviozas Premium Proxy V3.8597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Silviozas Premium Proxy V3.8597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Silviozas Premium Proxy V3.8597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Silviozas Premium Proxy V3.8597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Silviozas Premium Proxy V3.8597.exe

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000023217-40.dat	family_asyncrat
behavioral1/files/0x000700000002322c-94.dat	family_asyncrat

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	Silviozas Premium Proxy V3.8597.exe
Key value queried	\REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation	Silviozas Premium Proxy V3.8597.exe

Executes dropped EXE 6 IoCs

pid	Process
2868	Silviozas Premium Proxy V3.8597.exe
1808	Registry.exe
1500	dcd.exe
5440	Silviozas Premium Proxy V3.8597.exe
5584	dcd.exe
5632	Registry.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Silviozas Premium Proxy V3.8597.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0"	Silviozas Premium Proxy V3.8597.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 116654.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2912	msedge.exe
2912	msedge.exe
3076	msedge.exe
3076	msedge.exe
3520	identity_helper.exe
3520	identity_helper.exe
4352	msedge.exe
4352	msedge.exe
2792	powershell.exe
2792	powershell.exe
2792	powershell.exe
5688	powershell.exe
5688	powershell.exe
5688	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	Silviozas Premium Proxy V3.8597.exe
Token: SeDebugPrivilege	1808	Registry.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeIncreaseQuotaPrivilege	1808	Registry.exe
Token: SeSecurityPrivilege	1808	Registry.exe
Token: SeTakeOwnershipPrivilege	1808	Registry.exe
Token: SeLoadDriverPrivilege	1808	Registry.exe
Token: SeSystemProfilePrivilege	1808	Registry.exe
Token: SeSystemtimePrivilege	1808	Registry.exe
Token: SeProfSingleProcessPrivilege	1808	Registry.exe
Token: SeIncBasePriorityPrivilege	1808	Registry.exe
Token: SeCreatePagefilePrivilege	1808	Registry.exe
Token: SeBackupPrivilege	1808	Registry.exe
Token: SeRestorePrivilege	1808	Registry.exe
Token: SeShutdownPrivilege	1808	Registry.exe
Token: SeDebugPrivilege	1808	Registry.exe
Token: SeSystemEnvironmentPrivilege	1808	Registry.exe
Token: SeRemoteShutdownPrivilege	1808	Registry.exe
Token: SeUndockPrivilege	1808	Registry.exe
Token: SeManageVolumePrivilege	1808	Registry.exe
Token: 33	1808	Registry.exe
Token: 34	1808	Registry.exe
Token: 35	1808	Registry.exe
Token: 36	1808	Registry.exe
Token: SeIncreaseQuotaPrivilege	1808	Registry.exe
Token: SeSecurityPrivilege	1808	Registry.exe
Token: SeTakeOwnershipPrivilege	1808	Registry.exe
Token: SeLoadDriverPrivilege	1808	Registry.exe
Token: SeSystemProfilePrivilege	1808	Registry.exe
Token: SeSystemtimePrivilege	1808	Registry.exe
Token: SeProfSingleProcessPrivilege	1808	Registry.exe
Token: SeIncBasePriorityPrivilege	1808	Registry.exe
Token: SeCreatePagefilePrivilege	1808	Registry.exe
Token: SeBackupPrivilege	1808	Registry.exe
Token: SeRestorePrivilege	1808	Registry.exe
Token: SeShutdownPrivilege	1808	Registry.exe
Token: SeDebugPrivilege	1808	Registry.exe
Token: SeSystemEnvironmentPrivilege	1808	Registry.exe
Token: SeRemoteShutdownPrivilege	1808	Registry.exe
Token: SeUndockPrivilege	1808	Registry.exe
Token: SeManageVolumePrivilege	1808	Registry.exe
Token: 33	1808	Registry.exe
Token: 34	1808	Registry.exe
Token: 35	1808	Registry.exe
Token: 36	1808	Registry.exe
Token: SeDebugPrivilege	5440	Silviozas Premium Proxy V3.8597.exe
Token: SeDebugPrivilege	5632	Registry.exe
Token: SeDebugPrivilege	5688	powershell.exe
Token: SeIncreaseQuotaPrivilege	5632	Registry.exe
Token: SeSecurityPrivilege	5632	Registry.exe
Token: SeTakeOwnershipPrivilege	5632	Registry.exe
Token: SeLoadDriverPrivilege	5632	Registry.exe
Token: SeSystemProfilePrivilege	5632	Registry.exe
Token: SeSystemtimePrivilege	5632	Registry.exe
Token: SeProfSingleProcessPrivilege	5632	Registry.exe
Token: SeIncBasePriorityPrivilege	5632	Registry.exe
Token: SeCreatePagefilePrivilege	5632	Registry.exe
Token: SeBackupPrivilege	5632	Registry.exe
Token: SeRestorePrivilege	5632	Registry.exe
Token: SeShutdownPrivilege	5632	Registry.exe
Token: SeDebugPrivilege	5632	Registry.exe
Token: SeSystemEnvironmentPrivilege	5632	Registry.exe
Token: SeRemoteShutdownPrivilege	5632	Registry.exe
Token: SeUndockPrivilege	5632	Registry.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3524	3076	msedge.exe	85
PID 3076 wrote to memory of 3524	3076	msedge.exe	85
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 1560	3076	msedge.exe	86
PID 3076 wrote to memory of 2912	3076	msedge.exe	87
PID 3076 wrote to memory of 2912	3076	msedge.exe	87
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88
PID 3076 wrote to memory of 2068	3076	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.ly/zt6XS
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8486646f8,0x7ff848664708,0x7ff848664718
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,16241583211770346277,14242286078777663648,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,16241583211770346277,14242286078777663648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,16241583211770346277,14242286078777663648,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16241583211770346277,14242286078777663648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16241583211770346277,14242286078777663648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,16241583211770346277,14242286078777663648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,16241583211770346277,14242286078777663648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,16241583211770346277,14242286078777663648,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16241583211770346277,14242286078777663648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2176,16241583211770346277,14242286078777663648,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16241583211770346277,14242286078777663648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16241583211770346277,14242286078777663648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16241583211770346277,14242286078777663648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,16241583211770346277,14242286078777663648,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,16241583211770346277,14242286078777663648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4352
- C:\Users\Admin\Downloads\Silviozas Premium Proxy V3.8597.exe
  "C:\Users\Admin\Downloads\Silviozas Premium Proxy V3.8597.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Checks computer location settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\zlnckwcf.5ab\Registry.exe
    "C:\Users\Admin\AppData\Local\Temp\zlnckwcf.5ab\Registry.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:1500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- C:\Users\Admin\Downloads\Silviozas Premium Proxy V3.8597.exe
  "C:\Users\Admin\Downloads\Silviozas Premium Proxy V3.8597.exe"
  2⤵
  - Modifies Windows Defender Real-time Protection settings
  - Checks computer location settings
  - Executes dropped EXE
  - Windows security modification
  - Suspicious use of AdjustPrivilegeToken
  PID:5440
- - C:\Users\Admin\AppData\Local\Temp\dcd.exe
    "C:\Users\Admin\AppData\Local\Temp\dcd.exe" -path=""
    3⤵
    - Executes dropped EXE
    PID:5584
- - C:\Users\Admin\AppData\Local\Temp\zjwug2mr.pn3\Registry.exe
    "C:\Users\Admin\AppData\Local\Temp\zjwug2mr.pn3\Registry.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5632
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c6136bc98a5aedca2ea3004e9fbe67d

SHA1
74318d997f4c9c351eef86d040bc9b085ce1ad4f

SHA256
50c3bd40caf7e9a82496a710f58804aa3536b44d57e2ee5e2af028cbebc6c2f2

SHA512
2d2fb839321c56e4cb80562e9a1daa4baf48924d635729dc5504a26462796919906f0097dd1fc7fd053394c0eea13c25219dec54ffe6e9abb6e8cb9afa66bada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5c6aef82e50d05ffc0cf52a6c6d69c91

SHA1
c203efe5b45b0630fee7bd364fe7d63b769e2351

SHA256
d9068cf3d04d62a9fb1cdd4c3cf7c263920159171d1b84cb49eff7cf4ed5bc32

SHA512
77ad48936e8c3ee107a121e0b2d1216723407f76872e85c36413237ca1c47b8c40038b8a6349b072bbcc6a29e27ddda77cf686fa97569f4d86531e6b2ac485ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8f1bcf15ed0aa766972163b27d9855f8

SHA1
f8bb04f37935d740113a2511695b1c521e2f25c0

SHA256
51582f676acfa9f83e290536cf092e9b2be4986e07aac7e84d92557939e2a091

SHA512
b5ef84a3b8e65ea0243204e0b3d2a3a7231208fb7132367c37e38237b2707ad934b129d5a3c748437c38be52cd958a722d0c1e0414930f6e92305912a47419d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dfd2cd6f9b8c3dc27fdc538be57dafe0

SHA1
7724017e677b12795c289ed30ff666dd89e2bbb2

SHA256
5e3445c68612e4dd1683b0871524b189973747a7a78d1357bdf15479c51e9d7b

SHA512
0631b420114d3ec738e9752e6b9e441264ae275b6a66a368060b5dd37dd880a2d74d40b94afac7707548153575916b1a4ee00be233c5c81affec66813dc570e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0061aa8f2edbd08eae416d2e6e953724

SHA1
208d612551cccd57ebc989f99fa48019c5517267

SHA256
aa7ca54dea4c55c259d89c8f28a7cddb51fafae244a941472dfe0c7f469d04a7

SHA512
45644104a5c4f35dd71398ca11ca23aee77b774f4633f5d7c8b0018ee13280ee2f36144e66e06a3eccab521502b12431de6bd7c6616fb94dd9b824d3fb5ad7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0dd93cd05974b781def38f014bd275a5

SHA1
ef9288626d915248797c3f122114305e398aa90d

SHA256
80412a7dbf016864e219f19714453ac50008a91119468ae92315167354c980cc

SHA512
5fa728a2bb8dfa3ff78d8edfc87707e1bfde87f301a0a3890af7ff68ba8335528c4da21fa5b64062de9ed118ad7a0dfbfc5f02142add6d3ffcf79d49a1a1249b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0clydxcv.v51.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dcd.exe

Filesize
227KB

MD5
b5ac46e446cead89892628f30a253a06

SHA1
f4ad1044a7f77a1b02155c3a355a1bb4177076ca

SHA256
def7afcb65126c4b04a7cbf08c693f357a707aa99858cac09a8d5e65f3177669

SHA512
bcabbac6f75c1d41364406db457c62f5135a78f763f6db08c1626f485c64db4d9ba3b3c8bc0b5508d917e445fd220ffa66ebc35221bd06560446c109818e8e87

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlnckwcf.5ab\Registry.exe

Filesize
74KB

MD5
819ef23f2823d16fbf5c2480e869e261

SHA1
29e9c79553eb9c4f4607f642d5594fdb8b4a5513

SHA256
b77f8634b17a6834c73b6958f5334284c3aeb6a45faad141c68c10580ee83ac2

SHA512
6c250d26ed3034050c7e40aabdefb745b29efa7a823f36b5d44ab18b1a389fca382275ca23f942383f1ed4b761eb78997910bfab29d49a276d09cecce310fdc3

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 116654.crdownload

Filesize
1.4MB

MD5
fd8ce08e09853579a9edbbaf89346f02

SHA1
6a31e23cea5530ed899224acf513ba7177cbe4c2

SHA256
d84de9620d535ced827137b18e2f0d8b167812f71389e87fb5e22eca3206cbaa

SHA512
87fd94173cce1d60dd9d7578d85dd49493100e85b71bdc9c9dc5e8bb09ac4fe423445630c33d9b8da753884b79bb57044d4af789b930d3b4df1c40428ae0187f

Download Submit
memory/1808-107-0x00007FF835050000-0x00007FF835B11000-memory.dmp

Filesize
10.8MB

Download
memory/1808-102-0x0000000000150000-0x0000000000168000-memory.dmp

Filesize
96KB

Download
memory/1808-144-0x00007FF835050000-0x00007FF835B11000-memory.dmp

Filesize
10.8MB

Download
memory/1808-108-0x000000001ADF0000-0x000000001AE00000-memory.dmp

Filesize
64KB

Download
memory/2792-130-0x000001276EF90000-0x000001276EFB2000-memory.dmp

Filesize
136KB

Download
memory/2792-140-0x000001276EE50000-0x000001276EE60000-memory.dmp

Filesize
64KB

Download
memory/2792-143-0x00007FF835050000-0x00007FF835B11000-memory.dmp

Filesize
10.8MB

Download
memory/2792-118-0x00007FF835050000-0x00007FF835B11000-memory.dmp

Filesize
10.8MB

Download
memory/2792-120-0x000001276EE50000-0x000001276EE60000-memory.dmp

Filesize
64KB

Download
memory/2792-119-0x000001276EE50000-0x000001276EE60000-memory.dmp

Filesize
64KB

Download
memory/2868-85-0x0000000001700000-0x0000000001701000-memory.dmp

Filesize
4KB

Download
memory/2868-83-0x000000001B9B0000-0x000000001BA00000-memory.dmp

Filesize
320KB

Download
memory/2868-88-0x000000001BB50000-0x000000001BB60000-memory.dmp

Filesize
64KB

Download
memory/2868-87-0x000000001B960000-0x000000001B9B0000-memory.dmp

Filesize
320KB

Download
memory/2868-86-0x000000001BB50000-0x000000001BB60000-memory.dmp

Filesize
64KB

Download
memory/2868-84-0x0000000001700000-0x0000000001701000-memory.dmp

Filesize
4KB

Download
memory/2868-145-0x00007FF835050000-0x00007FF835B11000-memory.dmp

Filesize
10.8MB

Download
memory/2868-89-0x000000001BB50000-0x000000001BB60000-memory.dmp

Filesize
64KB

Download
memory/2868-81-0x0000000000D20000-0x0000000000E5E000-memory.dmp

Filesize
1.2MB

Download
memory/2868-82-0x00007FF835050000-0x00007FF835B11000-memory.dmp

Filesize
10.8MB

Download
memory/5440-149-0x00007FF835050000-0x00007FF835B11000-memory.dmp

Filesize
10.8MB

Download
memory/5440-150-0x0000000002510000-0x0000000002511000-memory.dmp

Filesize
4KB

Download
memory/5440-153-0x000000001B0D0000-0x000000001B0E0000-memory.dmp

Filesize
64KB

Download
memory/5440-151-0x000000001B0D0000-0x000000001B0E0000-memory.dmp

Filesize
64KB

Download
memory/5440-152-0x000000001B0D0000-0x000000001B0E0000-memory.dmp

Filesize
64KB

Download
memory/5440-199-0x00007FF835050000-0x00007FF835B11000-memory.dmp

Filesize
10.8MB

Download
memory/5632-179-0x00007FF835050000-0x00007FF835B11000-memory.dmp

Filesize
10.8MB

Download
memory/5632-180-0x000000001B400000-0x000000001B410000-memory.dmp

Filesize
64KB

Download
memory/5632-200-0x00007FF835050000-0x00007FF835B11000-memory.dmp

Filesize
10.8MB

Download
memory/5688-183-0x000002E06F060000-0x000002E06F070000-memory.dmp

Filesize
64KB

Download
memory/5688-195-0x000002E06F060000-0x000002E06F070000-memory.dmp

Filesize
64KB

Download
memory/5688-196-0x000002E06F060000-0x000002E06F070000-memory.dmp

Filesize
64KB

Download
memory/5688-198-0x00007FF835050000-0x00007FF835B11000-memory.dmp

Filesize
10.8MB

Download
memory/5688-184-0x000002E06F060000-0x000002E06F070000-memory.dmp

Filesize
64KB

Download
memory/5688-182-0x00007FF835050000-0x00007FF835B11000-memory.dmp

Filesize
10.8MB

Download