asyncrat | hxxps://www[.]mediafire[.]com/file/wc3v349wllydmnj/PASSSWORD_IS_Fatality[.]rar/file

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/wc3v349wllydmnj/PASSSWORD_IS_Fatality.rar/file

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

192.168.40.128:41986

192.168.40.128:49701

Mutex

ukjrcdttgzfnvuwei

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000023521-327.dat	family_asyncrat

Executes dropped EXE 3 IoCs

pid	Process
1268	Fatality Cracked.exe
5472	Fatality Cracked.exe
5940	Fatality Cracked.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
3032	msedge.exe
3032	msedge.exe
868	msedge.exe
868	msedge.exe
5488	msedge.exe
5488	msedge.exe
5996	identity_helper.exe
5996	identity_helper.exe
1268	Fatality Cracked.exe
1268	Fatality Cracked.exe
1268	Fatality Cracked.exe
1268	Fatality Cracked.exe
1268	Fatality Cracked.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
2572	msedge.exe
1268	Fatality Cracked.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5184	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	5184	7zFM.exe
Token: 35	5184	7zFM.exe
Token: SeRestorePrivilege	4612	7zG.exe
Token: 35	4612	7zG.exe
Token: SeSecurityPrivilege	4612	7zG.exe
Token: SeSecurityPrivilege	4612	7zG.exe
Token: SeDebugPrivilege	1268	Fatality Cracked.exe
Token: SeDebugPrivilege	5472	Fatality Cracked.exe
Token: SeDebugPrivilege	5940	Fatality Cracked.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
5184	7zFM.exe
4612	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe
868	msedge.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1552	OpenWith.exe
1268	Fatality Cracked.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 868 wrote to memory of 3928	868	msedge.exe	86
PID 868 wrote to memory of 3928	868	msedge.exe	86
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 2476	868	msedge.exe	87
PID 868 wrote to memory of 3032	868	msedge.exe	88
PID 868 wrote to memory of 3032	868	msedge.exe	88
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89
PID 868 wrote to memory of 3924	868	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/wc3v349wllydmnj/PASSSWORD_IS_Fatality.rar/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7a2646f8,0x7ffd7a264708,0x7ffd7a264718
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6832 /prefetch:8
  2⤵
  PID:5652
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6832 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7340 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1776 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,12700582670800242062,5635885082385262842,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2632 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2620

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5676

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\PASSSWORD IS Fatality.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5184

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\PASSSWORD IS Fatality\" -ad -an -ai#7zMap31715:104:7zEvent26827
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4612

C:\Users\Admin\Downloads\PASSSWORD IS Fatality\PASSWORD IS FATALITY\Fatality Cracked.exe
"C:\Users\Admin\Downloads\PASSSWORD IS Fatality\PASSWORD IS FATALITY\Fatality Cracked.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1268

C:\Users\Admin\Downloads\PASSSWORD IS Fatality\PASSWORD IS FATALITY\Fatality Cracked.exe
"C:\Users\Admin\Downloads\PASSSWORD IS Fatality\PASSWORD IS FATALITY\Fatality Cracked.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5472

C:\Users\Admin\Downloads\PASSSWORD IS Fatality\PASSWORD IS FATALITY\Fatality Cracked.exe
"C:\Users\Admin\Downloads\PASSSWORD IS Fatality\PASSWORD IS FATALITY\Fatality Cracked.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Fatality Cracked.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
75c9f57baeefeecd6c184627de951c1e

SHA1
52e0468e13cbfc9f15fc62cc27ce14367a996cff

SHA256
648ba270261690bb792f95d017e134d81a612ef4fc76dc41921c9e5b8f46d98f

SHA512
c4570cc4bb4894de3ecc8eee6cd8bfa5809ea401ceef683557fb170175ff4294cc21cdc6834db4e79e5e82d3bf16105894fff83290d26343423324bc486d4a15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
10fa19df148444a77ceec60cabd2ce21

SHA1
685b599c497668166ede4945d8885d204fd8d70f

SHA256
c3b5deb970d0f06a05c8111da90330ffe25da195aafa4e182211669484d1964b

SHA512
3518ce16fef66c59e0bdb772db51aeaa9042c44ca399be61ca3d9979351f93655393236711cf2b1988d5f90a5b9318a7569a8cef3374fc745a8f9aa8323691ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
47e6a773d551679cdf3871f7a3aa7022

SHA1
41c22ee8bc3b336afddf928e5811b0c71be5645f

SHA256
eceb616b6525c19d0c3d45b1adebee2b06dc0669236f984e61c304f5bce7669a

SHA512
dc4432ad86866a926e6c728ac3a8f193a750bfb73f0aa061cf97bb84e34a37be129d9c9bad674c0e44b9f75505098a51f5e4d68cd7e2a70e3164a7ad9dfb61c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
358b27bb842e11525995cb4bcc3e9378

SHA1
9bf1556ab70087fa28f1d1737dcf49d220bd2b8e

SHA256
4c09765a26970e7042ce0d5b32e6b46392df6e3a891904a0fc604cc4e3a4ec39

SHA512
f2d9b0d2f11f3e03b3ee7ea29407f668ac952ac82fcf05b22a2f6793deef54190edab4ed9a3523d86ab9ac417ce926fba8ea8b3dc0e41a7c1b36fc9b2e556b03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0364a0cac5b2f9e0d42533338c0fea8e

SHA1
3e08d455373df316917093703e36244f0ab1a39b

SHA256
2a49a67e6266171c9e72ab56c8c6ada048b7c21cf45a963e8792fafb1829fc19

SHA512
f2441711656c0712d0d2b4792c39e5892edb666582a95fc9485a2b4927e3f4891ff3d983a018b0ebeadf319f19e1a70844ef4b7b2c659b3463eb4221a44a7eff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
aa3a2539fb02f47d2b3e70b1b1c1a688

SHA1
93907e0f8c5c193ad91ddbb9f690e8198cafeb19

SHA256
3e03f850b2dbdb5387c6e595c4a4df2828d5c89f1b2e68680b6dfe7ed8c1f36a

SHA512
6a5c0add4cc4dc5ee0b5e86e3e12b6b458925f55744dcdf520099293070e0b0b29c4c9500aa8fb42814930b43ef7e6f69e04e0c4cdb532ff951e7eb8f19c2eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
17d676c2500eef9d48bfee5a9862b2a2

SHA1
9b42f74eebbd3e9479ca5e488c87eb9fc7240769

SHA256
ddfbc9f608c387dcc0c38054d4da31c6c51e1945f2119ff7af52a9aeb349ae6b

SHA512
03fea37e2abf7cf5893632d8e2b3761e5633065305040d2c0754e7a29a483cc858ec31dbec9c5998c6096913302795472d7f0d29be457368c090abf6f36ff90a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5eb70db4a6b88b585a079a382a26bbbc

SHA1
219f3d8d9179f7335474cb4c4231d9b2e2e9b0ee

SHA256
8319e9816e831271fbb9585e0b8ffac5e628e4bc10288671be3bc8476f74c41b

SHA512
fe75d78d5ff4eeb0e8f735a640ae3f20099ca646e5e647af3049b8ba168a0dbf0c20a300504dfb85dca3d2ff0be00930b5c5a200a4caf1583b15c737be2ba657

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e37a.TMP

Filesize
1KB

MD5
ea0a2f5c23cc7b5360a1e097e5f843e2

SHA1
1f2feabbb16bb61fc4ec626c08be77db87b7cde8

SHA256
41943b3746b4bc366bd15e365c2ca7e704574f6f08c8b854f43f17627e43cb92

SHA512
a7cfe6a57504d47b3849609b40ce6ea5d7c8b5a7429773e2e91f80001ccc381009d36cce4f936d672da03ecdca1e2903590fcd85a74bed5f27b8713ad6cf91fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9f7b1f888075f2c82f365823c8b57db0

SHA1
8dbfbc7d404139415473cfd6e322902d74898dcb

SHA256
c4bacf7edef1428c2d97e0101b3363101d1b3d1af013c0f6f9b6b9ce169a9275

SHA512
546375bc5db3d23cff27374969c9750e09b77826661e9e1976fe64f1684e342a8565776f4050b4b178078df225cb7da221998d38056565b2801177acec4d88e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
30795bee84a3ef625689d9759ae9810e

SHA1
c33f70b5b837d0c6edc025e5eabfe8b23272a2a5

SHA256
d95f6d4f7f17ce93ee2f13b9b640a3e3e04279757153ed39519b963f257952ec

SHA512
bbb01d80d94b8fc06135d72ac8f4875b1911651489f25117e66e78ef05ee508654559788a0c1dfdf7197d25fd684af5bf0a4432b943f1e685d92a7f97c52aa7b

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\Downloads\PASSSWORD IS Fatality.rar

Filesize
69KB

MD5
499517849d5eb1555a6218ac74211c32

SHA1
f25bb819cf6acf7275f69025c9334732c80b56e1

SHA256
ef7b996f56d1f6e3ab5e0f8c218794aaa2dac0c7d59411953c85632575fd19d7

SHA512
38ac6ddd18409f38d0a9f362aeb8a990985804bb4931dbe27683acc190c1a03dd4a02008f5a6b5c9d61f3b1f99959d8824d0bee574e08fd9a8eec49d1266e236

Download Submit
C:\Users\Admin\Downloads\PASSSWORD IS Fatality\PASSWORD IS FATALITY\Fatality Cracked.exe

Filesize
74KB

MD5
bca1307712368015ab48742ddb4f6400

SHA1
016ef71d6bf398c69c67ec0161ad26b45568aea2

SHA256
7d710410c0b5e3f9ebd036dff6784d01b75a4a79410080b9d9982c5ab2aec058

SHA512
adc712b75cb90443987bc7ac1bf55895d6597266e17a557c8449bd70f81f3f75029da3bd424e5da343bf7e1e6584bde3be1cd5f81720ee984f2a869c47d578d1

Download Submit
memory/1268-329-0x0000000000A30000-0x0000000000A48000-memory.dmp

Filesize
96KB

Download