asyncrat | hxxps://minrcx[.]com/external/TsKecsKM-018f9fef-5bd5-2241-5c1e-cdcfd5caae7c-9N9KqD0P/download

Analysis

max time kernel
268s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 11:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://minrcx.com/external/TsKecsKM-018f9fef-5bd5-2241-5c1e-cdcfd5caae7c-9N9KqD0P/download

Score

10^/10

asyncrat cpa persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

CPA

5.253.84.218:54657

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\ChromeData.dll,EntryPoint"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\*ChromeUpdate = "rundll32.exe C:\\Users\\Admin\\Documents\\ChromeData.dll,EntryPoint"	reg.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe

description	pid	process	target process
PID 4172 set thread context of 4116	4172	2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe	csc.exe
PID 1376 set thread context of 956	1376	2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe	csc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
1652	msedge.exe
1652	msedge.exe
896	msedge.exe
896	msedge.exe
436	identity_helper.exe
436	identity_helper.exe
4004	msedge.exe
4004	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe
4636	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

896 msedge.exe
896 msedge.exe
896 msedge.exe
896 msedge.exe
896 msedge.exe
896 msedge.exe
896 msedge.exe
896 msedge.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

csc.exe

description pid process

Token: SeDebugPrivilege 4116 csc.exe

description	pid	process
Token: SeDebugPrivilege	4116	csc.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

msedge.exe

pid	process
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe
896	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 896 wrote to memory of 2652	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 2652	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1384	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1652	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 1652	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe
PID 896 wrote to memory of 4924	896	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://minrcx.com/external/TsKecsKM-018f9fef-5bd5-2241-5c1e-cdcfd5caae7c-9N9KqD0P/download
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85d2746f8,0x7ff85d274708,0x7ff85d274718
2⤵
PID:2652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
2⤵
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
2⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
2⤵
PID:4688

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
2⤵
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:4256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
2⤵
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
2⤵
PID:1852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
2⤵
PID:4724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6000 /prefetch:8
2⤵
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
2⤵
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
2⤵
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,16485878742420639082,6871874397356188325,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2580 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1240

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2328

C:\Users\Admin\Downloads\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe
"C:\Users\Admin\Downloads\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe"
1⤵
- Suspicious use of SetThreadContext
PID:4172

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4116

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeData.dll",EntryPoint /f & exit
2⤵
PID:2456

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeData.dll",EntryPoint /f
3⤵
- Adds Run key to start application
PID:872

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF\1099Misc.inf
1⤵
PID:4772

C:\Users\Admin\Downloads\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe
"C:\Users\Admin\Downloads\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.exe"
1⤵
- Suspicious use of SetThreadContext
PID:1376

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
2⤵
PID:956

C:\Windows\SysWOW64\cmd.exe
cmd.exe /C reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeData.dll",EntryPoint /f & exit
2⤵
PID:2432

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "*ChromeUpdate" /t REG_SZ /d "rundll32.exe C:\Users\Admin\Documents\ChromeData.dll",EntryPoint /f
3⤵
- Adds Run key to start application
PID:4772

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
264B

MD5
a25f0a9717d1eb6be24577592b75121f

SHA1
ae2dc12506e1f83f4e04d9c3fc947a38c3532d6c

SHA256
ab6e30062d5be02c353d86dd054839cdb1cfcdd27a897016dda6f397f7e47c77

SHA512
d81548fc81460f8f6d65a7b3c143af5851fc5a53137044ca248fc5b665fc9270b60c3b56b3599553e44da861a880454d1031d88e395bce56c92387384cceabbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
505B

MD5
cb35b96cb0a46fb172bef5e38518c0c2

SHA1
dae7e71491cc285c9006da181fdd4345658bf4a8

SHA256
4af0519126ec4fb18849540179a3a545862661d333e63bd9f11ddf3f8b37d24f

SHA512
3b1a8c735a723668b608e3d8ebcd315c5fb2857488d079b5029f2448bb0bacd180bf364c3d6219d8a3979ec10566d3c323db840f6667ccfeb7a56f945569cb54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
67b11ce063e9e858834dbd7868ccbbe1

SHA1
61219630aecdc6879f9bd76d0f59cebcf1dd29e4

SHA256
571f31e86bdb50bf21a5bc3ee67c0a56fa4ebe4e1f29e407c38f9ba9ee8a7c64

SHA512
f7f0c1e233e780482a83c595315087f53989952b7f49b729d6be673dba14da03665b524560046c41a29cac5f134b374bde68ceb2edf187d812c1a32b65db9516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2adccec276fb4c293010180f57febc55

SHA1
fe780f8777495fcd727a68fc03d16e4378ff026f

SHA256
b09bae9de4bdf1825e2b5208eeb1cfdd2c77ae91f8569c4f728e2bede3ee3f15

SHA512
8aa338fbe51c254af16e0f8b5256a8bf2881bf42ccc8d6aa9a8fac7c5d5f226a6ccc510d7d1f3fbcae4de63c438e10e110c24a9b731ff2ee2e7cec7f0ef58473

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d928a37caee70adbeeef9e6980053689

SHA1
098f47057b4f485a72f2c1d669b0feda0cf74814

SHA256
72eb11f3e5964fa65de51b38c92f2712b8785196635354d756f770442d15b667

SHA512
a810cc76843e973e7ac0f2d4b98a88d81a8b3632c2355340db59116e04173ec3d85e69229ad0c057885b55759f1c1837460ea99aede1cb58e457f0bc2851a2e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
420ba4d967b3d02bf2f0e7839f766fe3

SHA1
1ed528ba5e143aceb2d5012677b2111f7c8d25c5

SHA256
fc63676c2453d7132515c2e50d516585cf3c81c563520f58440ba5872ab8b731

SHA512
1476d968d05d6d515ecb7497fdb27142720e64f5d384e9aae12a8e683f14a83ef36db36049b99047bc04127e3d73b79456548fec048bd086bd5a942bb0b75214

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
f6fbb345b7a306df5ac2714ed19b5ce8

SHA1
5277d7e7a9fd3467b90204eeb92792c7027abbbe

SHA256
8490df59a7cec54a9604f48f3bf826b8f3b15e75c2275c7eb668ba9c1f9e1b48

SHA512
75512948980c4a42d85a4b9f000c64e64b684921fb205b487b802da10e3d3a9e0e802e89cda8a77c1fe9ff655ac5cb8e8358610c19ebfe1fd6faa62070aa298f

Download Submit
C:\Users\Admin\Documents\ChromeData.dll
Filesize
930.4MB

MD5
7edf883adb507383892089861850a67f

SHA1
690ce3c873506be1eff982335451bbb5c0894859

SHA256
55ce61f049ffe4d2c596902b20b5104db2b9d792f4b567804632065c0a054251

SHA512
824b19f7445b4b8b433f0e78f1273d000c803883103450aaf863aba5b5cb266f2e057c5d55d27dc0960b09feb9b31fc1fc49099d49149fb3c1c01edf7bf389c0

Download Submit
\??\pipe\LOCAL\crashpad_896_YAZUMCEKCXIPJCRD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/956-200-0x0000000000A30000-0x0000000000A42000-memory.dmp

Filesize
72KB

Download
memory/1376-197-0x0000000010000000-0x0000000012D6B000-memory.dmp

Filesize
45.4MB

Download
memory/1376-199-0x0000000010000000-0x0000000012D6B000-memory.dmp

Filesize
45.4MB

Download
memory/1376-196-0x0000000010000000-0x0000000012D6B000-memory.dmp

Filesize
45.4MB

Download
memory/4116-190-0x0000000006090000-0x0000000006634000-memory.dmp

Filesize
5.6MB

Download
memory/4116-191-0x0000000005B50000-0x0000000005BB6000-memory.dmp

Filesize
408KB

Download
memory/4116-189-0x0000000005A40000-0x0000000005ADC000-memory.dmp

Filesize
624KB

Download
memory/4116-186-0x0000000000910000-0x0000000000922000-memory.dmp

Filesize
72KB

Download
memory/4172-187-0x0000000010000000-0x0000000012D6B000-memory.dmp

Filesize
45.4MB

Download
memory/4172-185-0x0000000010000000-0x0000000012D6B000-memory.dmp

Filesize
45.4MB

Download
memory/4172-184-0x0000000010000000-0x0000000012D6B000-memory.dmp

Filesize
45.4MB

Download