asyncrat | hxxps://mega[.]nz/file/i0US2KhJ#Bs9Dj2t2yeel8SB-hin8m74o_P5v5qmmXOj4p7bLBP0

Analysis

max time kernel
68s
max time network
70s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 12:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/i0US2KhJ#Bs9Dj2t2yeel8SB-hin8m74o_P5v5qmmXOj4p7bLBP0

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 34 IoCs

rat

resource	yara_rule
behavioral1/memory/5396-257-0x0000000004B30000-0x0000000004B7A000-memory.dmp	family_asyncrat
behavioral1/memory/5396-269-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-275-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-321-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-317-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-315-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-311-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-309-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-307-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-305-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-303-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-301-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-299-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-295-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-293-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-291-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-289-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-287-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-285-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-283-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-281-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-277-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-273-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-271-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-267-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-265-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-263-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-261-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-259-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-319-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-313-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-297-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-279-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat
behavioral1/memory/5396-258-0x0000000004B30000-0x0000000004B75000-memory.dmp	family_asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Fortnite Keker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Infected.exe

Executes dropped EXE 4 IoCs

pid	Process
5240	Fortnite Keker.exe
5396	Infected.exe
5336	Fortnite Keker.exe
5952	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2396	5336	WerFault.exe	124

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
5756	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
5776	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3324	msedge.exe
3324	msedge.exe
1020	msedge.exe
1020	msedge.exe
3984	identity_helper.exe
3984	identity_helper.exe
5308	msedge.exe
5308	msedge.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe
5396	Infected.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5524	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: 33	1612	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1612	AUDIODG.EXE
Token: SeRestorePrivilege	5808	7zG.exe
Token: 35	5808	7zG.exe
Token: SeSecurityPrivilege	5808	7zG.exe
Token: SeSecurityPrivilege	5808	7zG.exe
Token: SeDebugPrivilege	5396	Infected.exe
Token: SeDebugPrivilege	5396	Infected.exe
Token: SeDebugPrivilege	5336	Fortnite Keker.exe
Token: SeDebugPrivilege	5952	explorer.exe
Token: SeDebugPrivilege	5952	explorer.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
5808	7zG.exe
1020	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe
1020	msedge.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
5524	OpenWith.exe
5524	OpenWith.exe
5524	OpenWith.exe
5524	OpenWith.exe
5524	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 2992	1020	msedge.exe	83
PID 1020 wrote to memory of 2992	1020	msedge.exe	83
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3284	1020	msedge.exe	84
PID 1020 wrote to memory of 3324	1020	msedge.exe	85
PID 1020 wrote to memory of 3324	1020	msedge.exe	85
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86
PID 1020 wrote to memory of 2668	1020	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/i0US2KhJ#Bs9Dj2t2yeel8SB-hin8m74o_P5v5qmmXOj4p7bLBP0
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbaf3846f8,0x7ffbaf384708,0x7ffbaf384718
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,15409608561517614502,11470805726766456549,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,15409608561517614502,11470805726766456549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,15409608561517614502,11470805726766456549,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15409608561517614502,11470805726766456549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15409608561517614502,11470805726766456549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,15409608561517614502,11470805726766456549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,15409608561517614502,11470805726766456549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15409608561517614502,11470805726766456549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15409608561517614502,11470805726766456549,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15409608561517614502,11470805726766456549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15409608561517614502,11470805726766456549,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,15409608561517614502,11470805726766456549,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,15409608561517614502,11470805726766456549,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5788 /prefetch:8
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,15409608561517614502,11470805726766456549,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,15409608561517614502,11470805726766456549,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3968

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x2cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5668

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Fortnite_Checker\" -spe -an -ai#7zMap25337:94:7zEvent640
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5808

C:\Users\Admin\Downloads\Fortnite_Checker\Fortnite_Keker_1_0_0_79\Fortnite Keker.exe
"C:\Users\Admin\Downloads\Fortnite_Checker\Fortnite_Keker_1_0_0_79\Fortnite Keker.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5240
- C:\Users\Admin\AppData\Local\Infected.exe
  "C:\Users\Admin\AppData\Local\Infected.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5396
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "explorer" /tr '"C:\Users\Admin\AppData\Roaming\explorer.exe"' & exit
    3⤵
    PID:4804
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "explorer" /tr '"C:\Users\Admin\AppData\Roaming\explorer.exe"'
      4⤵
      Creates scheduled task(s)
      PID:5756
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp25E2.tmp.bat""
    3⤵
    PID:5176
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:5776
  - - C:\Users\Admin\AppData\Roaming\explorer.exe
      "C:\Users\Admin\AppData\Roaming\explorer.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5952
- C:\Users\Admin\AppData\Local\Fortnite Keker.exe
  "C:\Users\Admin\AppData\Local\Fortnite Keker.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:5336
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 2164
    3⤵
    - Program crash
    PID:2396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5336 -ip 5336
1⤵
PID:5152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Fortnite Keker.exe

Filesize
348KB

MD5
bed1540cd4a13ef94f1d4022563e123b

SHA1
e4033f1515387c8a3e4f5484f89d14c6b1f4bd7b

SHA256
dbff92734b854594b7da653f7ab1d869e6ea9372f1bb5d877864d2b543ee5c04

SHA512
bae9be08db4b7e92fad4ce5d3f723f01648b7b45ca2172b8cb985145f44e43b3afc76a2dfba43786443c393a6c9bb5f818167de0c424089cf1b426ec420fe02f

Download Submit
C:\Users\Admin\AppData\Local\Infected.exe

Filesize
355KB

MD5
a7674ca8eba8b438c380890004eceb27

SHA1
fb757723841949da5470251cb571ac566cfb9eac

SHA256
6490aebbe2bd44472b05525f69e1e99861c2588fe63b17daa70a6e2bc8ec1ad6

SHA512
00a9e1e3e585311c6f1a0d7761c29789b50289a4ce19ce904f56afcaf04e371cd912e1b0a486f20a28cbfeb0ef1f402931aec9ac15f0447f4c70ef7e330320e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
11dcaa83f76a9c8e10a417d7506816e0

SHA1
73f7f18a0dc4f0258a77ab7fbcba8d1169aeeb47

SHA256
dc561272627ebc4c89ee012a514a73fd9adb572b6b64e77cb6671fa7399ccbb2

SHA512
5e3e88e9c74f6ceae07392a78d175473db127d1bf74bc8ae86c4d70248ae581e1301042abc6a228be9ab437ec9835fc85a519c1eaca169dcdb8f4ea22c2526aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
59cbcd32293be3c860ef1e4a2d44086a

SHA1
235ca58a7ac9989c416020721fc43b0c285ea501

SHA256
2ef2f66b10301c99908133a5d38f3a15605ce9b14cb4248808220307a2bf24f0

SHA512
0d0246c91f2ab710eb526acf9c1a7accf3e04349e42d2b7f35ec3938b17651cb66ed2c76e1da1caae7ca8b4a33548776b910688f1a6802b3e86ff98cd903b683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d7a2af2c9bbc4157474812be97c5f3b7

SHA1
c6b50ae9c509d44ac803e7e34c0c93714dd421ed

SHA256
95faea8403f0ec76debba76e4adc7e34254bef380b4a08f6817f8d5d6931baab

SHA512
d56fd9a742462a0657969a3f4dcf46dd61d3c1d6e611e0a7a79f2605cf7f7a4c7820ceb8a446a9f09c6c3d3c6ae11d3af21d33883fd1358cb45924dd942b356c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a42f9f4ce3f0e0fd13e2056b5d1293b6

SHA1
f586ef8f6146acf2c867238fa8d4f31dbe94ef09

SHA256
faf229ec0517557f54ccda661a6a9371485b66a79da82ad2fd57661b59146416

SHA512
b9d16d72964856a07c2b00236a5043f2a73575c8113d0263eef3e61d2cadf00f462c55d2ff7f733c52bc13a625861d8da9be279a7ae72ea286e0b422be42f63f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
77ce760ffc9ca98001f647321c224d2d

SHA1
1f03348f0181b5e88c037d64d53be1ef2d552023

SHA256
08744c75ea614e7f64ab13ec3e86c1787a3a66df9fe3b9775bca8cfd561791b5

SHA512
d8bd7ce0ffd6f54751d999300592372e5aa26b158eda92d07ea6f73599ddfa5f9bb62319f4aaebbbcca957b74388e6b15685c111d07fe599ef6b5676292f8df4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
28db859b5b99f31cc213cadd03fd04fc

SHA1
3f4bf0d8612ece3062de38b6e527cd84997fe9bb

SHA256
106257e0b459a7a14fcaf786b927569fa74d5461c8bd53e624b11064c9ac1ec2

SHA512
0a475c66d5fe88389de0bf29bd6781d2044edcd445f6fb3284c4fe5373c0eb0abdbaac096f2aeeb33d433e569aa2124202c6a16cf81d565e8a6e4d999f921002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57a894.TMP

Filesize
48B

MD5
1631888343071d939e0212b30f1f438c

SHA1
3d364de8a0df2c090b7f1d3fefbe8ef88618afc7

SHA256
56fa15045b94ac293ef71dbd5c217085188d0885f9ee51dd7dbd2102d0bb9eec

SHA512
bcd5e79bacf686bf057fce20f61fbec9a9da4ea8b94d778b9a0e08d12fa68588b4b12e1849cb86bbd4665497738758db43d2ef79dceb874a2e43b144cbc291a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4fe665e082d3c37beb94492a1aa35cce

SHA1
12aa1bf928d3a5e3bfbe11e5e283bde3f673e6f3

SHA256
551d68f6de663fa9534f819720f70a52d4e483c971c26e1d86716ac5fa61b8c9

SHA512
cacbf2f50826419e54ba10da52044f28b10cb436a1cdc4544f3218d468a631744a6967975399d20a88f8c441fa575ec93de995c6c999c0d85e45cf37e6784648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
74279f683026568e12f6feded50ce963

SHA1
b166f6f40bf9dc7802b5215559601c252a9f4262

SHA256
cefac1bd46634723dc2fe5013de39bc4767d23972a2f548f707626dff3b2bce1

SHA512
bc72d5763ed943d81587a9c1a8d8ef6cac03a6306fd0533f81276d2a4aeb5d842b2fd711557742a43e6faef50d7cb32dbd9380d82b20cf0534aabb5ccf7a49aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7413f35fa28996c159338b253c56f91b

SHA1
2c96a24b34030c0c7b0fb33be57dc39f1254427c

SHA256
52f73c8206a59196f2ece949cd64f41381c1f33b80511feef66a20c0f45e17b3

SHA512
2fd8ef05c8343504158b9b78057bc4722bde7e63dad90d6d3434fb178110430a82745d368e9c51968e64dd67f33d0e18faaba37673adf6c6f1300f85b20ae605

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp25E2.tmp.bat

Filesize
152B

MD5
7d49969cc19986a7da6cc8c9feb15ff0

SHA1
3679d4478aa0deaf0d4caca757789c9cd272bab3

SHA256
4deb4a4978aaade3ec4e465cb5491d71a05742604c4e3f421b87f1021df2e8a0

SHA512
f226f52b87a838bdf9609a8eb80afa0355542b6443be72d7bd6c26437ffea9551b9ef1533bbd6b02ddbe6edd406f43c1f7ef3f1765d59b35d0638eb036337d77

Download Submit
C:\Users\Admin\Downloads\Fortnite_Checker.rar

Filesize
1005KB

MD5
caf3be22450854f6dae3b87ab8be3a8e

SHA1
33ea15bfabddb34b5a6e91e5ddba28549997eed0

SHA256
d9796244114d28e8c6c48d066766b5d025350ea253a50562ef1acd8bd9d68ee6

SHA512
787ebbf6828ed991262c607713e50f16e424bf80a3cdf46498bf51dbfa3ea6c98a0e9018990d385b3ec44841003cac097364706c6ea98afae9b7f338c624337c

Download Submit
C:\Users\Admin\Downloads\Fortnite_Checker\Fortnite_Keker_1_0_0_79\Fortnite Keker.exe

Filesize
747KB

MD5
5ea7a9326b41c93a52ea7024014d03b2

SHA1
1c78d72817fb2e9179fc77a256742a376b12c108

SHA256
94bead2a1bec71f0347928f902ed01dfe691ce85fc0e8065d9354ee92dd26aac

SHA512
72d5ef9efad6017369057ca5df707aa362be9fa091a8bc9edbaab5d35cd6e4d5d005a2f4aac2a0662c217d8bb604e4da7a3588c48aa259264e53e6696e90e89c

Download Submit
memory/5240-228-0x0000000000DD0000-0x0000000000E90000-memory.dmp

Filesize
768KB

Download
memory/5336-255-0x00000000003B0000-0x000000000040E000-memory.dmp

Filesize
376KB

Download
memory/5336-552-0x0000000004C90000-0x0000000004C9A000-memory.dmp

Filesize
40KB

Download
memory/5336-448-0x0000000004CC0000-0x0000000004D52000-memory.dmp

Filesize
584KB

Download
memory/5396-305-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-271-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-311-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-309-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-307-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-317-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-303-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-301-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-299-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-295-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-293-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-291-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-289-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-287-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-285-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-283-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-281-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-277-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-273-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-315-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-267-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-265-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-263-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-261-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-259-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-321-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-319-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-313-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-297-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-279-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-258-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-545-0x0000000005190000-0x00000000051F6000-memory.dmp

Filesize
408KB

Download
memory/5396-546-0x0000000005990000-0x0000000005A2C000-memory.dmp

Filesize
624KB

Download
memory/5396-275-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-269-0x0000000004B30000-0x0000000004B75000-memory.dmp

Filesize
276KB

Download
memory/5396-256-0x0000000004BE0000-0x0000000005184000-memory.dmp

Filesize
5.6MB

Download
memory/5396-257-0x0000000004B30000-0x0000000004B7A000-memory.dmp

Filesize
296KB

Download
memory/5396-254-0x00000000024D0000-0x000000000251C000-memory.dmp

Filesize
304KB

Download