asyncrat | bc91ad4b9bcc091adbb209842c0ae0df3db1b25fe90a74aa1ea90f2c5c8e6b67

Analysis

max time kernel
1199s
max time network
1201s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
03/05/2024, 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.exe
Size

74KB
MD5

d391c2564b4ee31ee871729300b9d45a
SHA1

06e35ad7a1421ff87dc835580ca05a04ec44eee9
SHA256

bc91ad4b9bcc091adbb209842c0ae0df3db1b25fe90a74aa1ea90f2c5c8e6b67
SHA512

381e5f9290a3915304572a553213f462e21c7323ac4fbb6209c8c297b30d0ca9f6e2f7ffd010875c043c62596ff66c287d2e660f8a4c1797c8de48dabc60a0aa
SSDEEP

1536:/5U1AcxqXPC/2PMVCe9VdQuDI6H1bf/h95vQzcOLVclN:BUKcxqfs2PMVCe9VdQsH1bfTdQHBY

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

147.185.221.19:42550

Attributes

delay
1
install
true
install_file
test.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000400000002a987-12.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
3964	test.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
3140	powershell.exe
1688	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4000	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3580	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1230210488-3096403634-4129516247-1000_Classes\Local Settings	powershell.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4996	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4964	WINWORD.EXE
4964	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2572	Client.exe
2572	Client.exe
2572	Client.exe
2572	Client.exe
2572	Client.exe
2572	Client.exe
2572	Client.exe
2572	Client.exe
2572	Client.exe
2572	Client.exe
2572	Client.exe
2572	Client.exe
2572	Client.exe
2572	Client.exe
2572	Client.exe
2572	Client.exe
2572	Client.exe
2572	Client.exe
3964	test.exe
3964	test.exe
3964	test.exe
3140	powershell.exe
3140	powershell.exe
3964	test.exe
1688	powershell.exe
1688	powershell.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3964	test.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	Client.exe
Token: SeDebugPrivilege	3964	test.exe
Token: SeDebugPrivilege	3140	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
3964	test.exe
3964	test.exe
3964	test.exe
3964	test.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe
4996	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3964	test.exe
4964	WINWORD.EXE
4964	WINWORD.EXE
4964	WINWORD.EXE
4964	WINWORD.EXE
4964	WINWORD.EXE
4964	WINWORD.EXE
4964	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 4444	2572	Client.exe	81
PID 2572 wrote to memory of 4444	2572	Client.exe	81
PID 2572 wrote to memory of 1984	2572	Client.exe	83
PID 2572 wrote to memory of 1984	2572	Client.exe	83
PID 4444 wrote to memory of 4000	4444	cmd.exe	85
PID 4444 wrote to memory of 4000	4444	cmd.exe	85
PID 1984 wrote to memory of 3580	1984	cmd.exe	86
PID 1984 wrote to memory of 3580	1984	cmd.exe	86
PID 1984 wrote to memory of 3964	1984	cmd.exe	87
PID 1984 wrote to memory of 3964	1984	cmd.exe	87
PID 3964 wrote to memory of 3444	3964	test.exe	89
PID 3964 wrote to memory of 3444	3964	test.exe	89
PID 3444 wrote to memory of 3140	3444	cmd.exe	91
PID 3444 wrote to memory of 3140	3444	cmd.exe	91
PID 3140 wrote to memory of 4964	3140	powershell.exe	92
PID 3140 wrote to memory of 4964	3140	powershell.exe	92
PID 3964 wrote to memory of 4612	3964	test.exe	94
PID 3964 wrote to memory of 4612	3964	test.exe	94
PID 4612 wrote to memory of 1688	4612	cmd.exe	96
PID 4612 wrote to memory of 1688	4612	cmd.exe	96
PID 1688 wrote to memory of 4996	1688	powershell.exe	97
PID 1688 wrote to memory of 4996	1688	powershell.exe	97
PID 3964 wrote to memory of 4996	3964	test.exe	104
PID 3964 wrote to memory of 4996	3964	test.exe	104
PID 4996 wrote to memory of 4988	4996	msedge.exe	105
PID 4996 wrote to memory of 4988	4996	msedge.exe	105
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106
PID 4996 wrote to memory of 3504	4996	msedge.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Client.exe
"C:\Users\Admin\AppData\Local\Temp\Client.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "test" /tr '"C:\Users\Admin\AppData\Roaming\test.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4444
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "test" /tr '"C:\Users\Admin\AppData\Roaming\test.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:4000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4769.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:3580
- - C:\Users\Admin\AppData\Roaming\test.exe
    "C:\Users\Admin\AppData\Roaming\test.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\New Rich Text Document.rtf"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\New Rich Text Document.rtf"'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3140
      - C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
        
        "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\New Rich Text Document.rtf" /o ""
        6⤵
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: AddClipboardFormatListener
        Suspicious use of SetWindowsHookEx
        
        PID:4964
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\2.txt"' & exit
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\2.txt"'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1688
      - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\2.txt
        6⤵
        Opens file in notepad (likely ransom note)
        
        PID:4996
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.one.one.one.one.com/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd38ca3cb8,0x7ffd38ca3cc8,0x7ffd38ca3cd8
        5⤵
        
        PID:4988
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
        5⤵
        
        PID:3504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
        5⤵
        
        PID:2644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
        5⤵
        
        PID:2384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
        5⤵
        
        PID:2616
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
        5⤵
        
        PID:3328
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
        5⤵
        
        PID:2132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
        5⤵
        
        PID:3372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
        5⤵
        
        PID:3940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
        5⤵
        
        PID:4612
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
        5⤵
        
        PID:4716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
        5⤵
        
        PID:664
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
        5⤵
        
        PID:660
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
        5⤵
        
        PID:3124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
        5⤵
        
        PID:2476
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
        5⤵
        
        PID:1520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
        5⤵
        
        PID:3752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,9995344060044788092,12216908092814468336,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
        5⤵
        
        PID:3780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1640

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ffa07b9a59daf025c30d00d26391d66f

SHA1
382cb374cf0dda03fa67bd55288eeb588b9353da

SHA256
7052a8294dd24294974bb11e6f53b7bf36feeb62ce8b5be0c93fbee6bc034afb

SHA512
25a29d2a3ba4af0709455a9905a619c9d9375eb4042e959562af8faa087c91afafdb2476599280bbb70960af67d5bd477330f17f7345a7df729aaee997627b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8e1dd984856ef51f4512d3bf2c7aef54

SHA1
81cb28f2153ec7ae0cbf79c04c1a445efedd125f

SHA256
34afac298a256d796d20598df006222ed6900a0dafe0f8507ed3b29bfd2027d7

SHA512
d1f8dfc7fdc5d0f185de88a420f2e5b364e77904cab99d2ace154407c4936c510f3c49e27eed4e74dd2fbd850ad129eb585a64127105661d5f8066448e9f201d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
1ae83003fb364a5f1fbba84519f7aafd

SHA1
c3118b27ca7553a47885b4f2d2dcad30dbe57296

SHA256
8063bbfc1365cc6f3ef2a8fdc410905c62f18741cd1a284ddc0d7e3f479d17c6

SHA512
f03ca29e16af75d77f02b38033c32050584d18b340b5209a671e07aa5851bcc201dba9ea67bababb719d38a31bfb97313850e3f5a4340e55195df171635687c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
318B

MD5
08986d0fa95c5cd9fdbc94fe63795daf

SHA1
5502ac6c5c259d0f60312e19a00c2a673d573141

SHA256
960c954730e9bec9656677a36b43295bdde548ac05e1c255c77174cc39e9f5ca

SHA512
473f67cdb4d35cb494db60ba0bc93f09075027e7d8e73f6b5838dc421a3bb6f9cc4d986cdbcac5f6b22428ec96112dca1422682e1f627d3ff16dd91b745b5ed7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ed19b5029a01af30dea70458e9b55997

SHA1
975fc4fefc0f57fc76eff9896a8d2f9b401b88e4

SHA256
59ac07b3dc37c9a1b1940fb93c53051e83521a62f3de3028f4522aa60a45d2be

SHA512
eba2a8b5ed171f1bd52c0f9de2d34c401b61358f715a2540a0e377662a6def078c3951a8820898abd3d061c86188713121104b35c287946b162fa1f8f3ee444a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ab3c873aa4dd3b4e82ea05c0137f8302

SHA1
baa36d2215cbbc151b558e95c029388c8b603e19

SHA256
2d0112af63a471c750e6fa0b092f53f122cab0a036e710851f3c0169de798e5d

SHA512
226b5e73f02f2f3250b7e768bdcbbdf848c1f09ae3e2bcbeeb6c20d9112b105d401b30b42c37b6cd0011ad952993191e0ff3e2ad920ccd5ab6f5af7e2e843bfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e219a0d6d02b41a88c2aa657c033f89d

SHA1
31c5c18300f6c11b7318733fea9eae6eab6adc6d

SHA256
a9bbc1a46fba7920f68525639cf0ed2508b08762e649bc485f7b7a3000faf687

SHA512
3dec681e67405eb2166f881265140ed0b860251e169a36346e07e0a88d518510e5db8adacefbf279d6b3c693aebf354c47430ab701fb1bb9def47666ee564ba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d0dfafe0dfa9a99ac9561e57fcc0ad85

SHA1
99a14af1cfc521ebb7842f342407231cf11cf45e

SHA256
705e0fbd417611181eb416c6166659528ddec20038dc1ce4dfc9b734c10b437b

SHA512
6f56f7b7e9c3b671cfe6b4f979f3ba5bac5c85d49e919950d2177cfd9883b039d5d5e2d7a08682eed73adf05bb0de71b9fd3abb5d749beb00ebfe08c509f3917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8b577ef20c3b41e8e5b36f8c6432a139

SHA1
ccc33320c414f792fda8a28e75a325f51a2e1ab6

SHA256
55bc5c3a070e9ea13014d9e40dacc9a0910174dadac5ed66243fea45b1236f39

SHA512
542017bee8b82fd78453d0802ea567eda3e4893bd9aebd8bafe917b727872c432e1070f7c35cf874a8c6de9efb50484f45bafa12dd0404a2b0058437e37bad55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.txt

Filesize
5B

MD5
d3b1613ada99bff60328d5d040d065ac

SHA1
6734cd3aae57e38ae5670b42a0209ea8a2e9127d

SHA256
8b07731e50da38cae50feaec1fb3c72f906d0ef9899395a40ae1c700d3cac419

SHA512
94c690e78677892e7a19384a796e3641e78c47f8216732f4e13c04c0cdc202e9f7ee7fe3199e3974e4d807f5de722cb41cdff0c9172cf423c3ac66f57f3e1673

Download Submit
C:\Users\Admin\AppData\Local\Temp\New Rich Text Document.rtf

Filesize
7B

MD5
8274425de767b30b2fff1124ab54abb5

SHA1
2201589aa3ed709b3665e4ff979e10c6ad5137fc

SHA256
0d6afb7e939f0936f40afdc759b5a354ea5427ec250a47e7b904ab1ea800a01d

SHA512
16f1647b22ca8679352e232c7dcbcdcba224c9b045c70e572bf061b2996f251cbd65a152557409f17be9417b23460adebe5de08d2dea30d13a64e22f6607206b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD9131.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oib13sy0.sju.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4769.tmp.bat

Filesize
148B

MD5
42642413639d763cfa81855a1886a00c

SHA1
e016475f751f57b3f6415c3e075185c7903af873

SHA256
d0738de70cad0e9ac825825288ff23a6e0ad2f71a8faca10a03459681e7ed9e9

SHA512
c4006e37e302d0a909a2f97734cdebdc3279ae09f8214ba094c2816edb94df481c6e95fe3cf66b2fd41561654300c5c0633f4f27e4781bace6b86964d573b941

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\test.exe

Filesize
74KB

MD5
d391c2564b4ee31ee871729300b9d45a

SHA1
06e35ad7a1421ff87dc835580ca05a04ec44eee9

SHA256
bc91ad4b9bcc091adbb209842c0ae0df3db1b25fe90a74aa1ea90f2c5c8e6b67

SHA512
381e5f9290a3915304572a553213f462e21c7323ac4fbb6209c8c297b30d0ca9f6e2f7ffd010875c043c62596ff66c287d2e660f8a4c1797c8de48dabc60a0aa

Download Submit
memory/2572-9-0x00007FFD2B180000-0x00007FFD2BC42000-memory.dmp

Filesize
10.8MB

Download
memory/2572-3-0x00007FFD2B180000-0x00007FFD2BC42000-memory.dmp

Filesize
10.8MB

Download
memory/2572-1-0x00000000006E0000-0x00000000006F8000-memory.dmp

Filesize
96KB

Download
memory/2572-4-0x00007FFD2B180000-0x00007FFD2BC42000-memory.dmp

Filesize
10.8MB

Download
memory/2572-0-0x00007FFD2B183000-0x00007FFD2B185000-memory.dmp

Filesize
8KB

Download
memory/3140-25-0x0000026AEBF10000-0x0000026AEBF32000-memory.dmp

Filesize
136KB

Download
memory/3964-17-0x000000001B730000-0x000000001B74E000-memory.dmp

Filesize
120KB

Download
memory/3964-15-0x000000001C810000-0x000000001C886000-memory.dmp

Filesize
472KB

Download
memory/3964-555-0x000000001B780000-0x000000001B78E000-memory.dmp

Filesize
56KB

Download
memory/3964-599-0x000000001C5B0000-0x000000001C5BC000-memory.dmp

Filesize
48KB

Download
memory/3964-600-0x000000001C290000-0x000000001C29E000-memory.dmp

Filesize
56KB

Download
memory/3964-601-0x000000001C2B0000-0x000000001C316000-memory.dmp

Filesize
408KB

Download
memory/3964-16-0x0000000002B50000-0x0000000002B5E000-memory.dmp

Filesize
56KB

Download
memory/4964-37-0x00007FFD094D0000-0x00007FFD094E0000-memory.dmp

Filesize
64KB

Download
memory/4964-554-0x00007FFD0C070000-0x00007FFD0C080000-memory.dmp

Filesize
64KB

Download
memory/4964-36-0x00007FFD094D0000-0x00007FFD094E0000-memory.dmp

Filesize
64KB

Download
memory/4964-35-0x00007FFD0C070000-0x00007FFD0C080000-memory.dmp

Filesize
64KB

Download
memory/4964-34-0x00007FFD0C070000-0x00007FFD0C080000-memory.dmp

Filesize
64KB

Download
memory/4964-33-0x00007FFD0C070000-0x00007FFD0C080000-memory.dmp

Filesize
64KB

Download
memory/4964-32-0x00007FFD0C070000-0x00007FFD0C080000-memory.dmp

Filesize
64KB

Download
memory/4964-31-0x00007FFD0C070000-0x00007FFD0C080000-memory.dmp

Filesize
64KB

Download
memory/4964-551-0x00007FFD0C070000-0x00007FFD0C080000-memory.dmp

Filesize
64KB

Download
memory/4964-552-0x00007FFD0C070000-0x00007FFD0C080000-memory.dmp

Filesize
64KB

Download
memory/4964-553-0x00007FFD0C070000-0x00007FFD0C080000-memory.dmp

Filesize
64KB

Download