asyncrat | hxxps://ydray[.]com/get/t/u17291005264321hxNZ2973a713baabre

Resubmissions

16-10-2024 19:56

241016-ynyf2atanp 10

16-10-2024 19:52

241016-ylq9yashlm 3

Analysis

max time kernel
208s
max time network
215s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-10-2024 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ydray.com/get/t/u17291005264321hxNZ2973a713baabre

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

envio1206.duckdns.org:3030

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Executes dropped EXE 1 IoCs

Processes:

01 NOTIFICACION ELECTRONICA.exe

pid process

3272 01 NOTIFICACION ELECTRONICA.exe
Loads dropped DLL 1 IoCs

Processes:

01 NOTIFICACION ELECTRONICA.exe

pid process

3272 01 NOTIFICACION ELECTRONICA.exe

pid	process
3272	01 NOTIFICACION ELECTRONICA.exe

pid	process
3272	01 NOTIFICACION ELECTRONICA.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

01 NOTIFICACION ELECTRONICA.execmd.exe

description	pid	process	target process
PID 3272 set thread context of 5992	3272	01 NOTIFICACION ELECTRONICA.exe	cmd.exe
PID 5992 set thread context of 5412	5992	cmd.exe	MSBuild.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeMSBuild.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe01 NOTIFICACION ELECTRONICA.exemsedge.execmd.exe

pid	process
3724	msedge.exe
3724	msedge.exe
4460	msedge.exe
4460	msedge.exe
4240	identity_helper.exe
4240	identity_helper.exe
5392	msedge.exe
5392	msedge.exe
3272	01 NOTIFICACION ELECTRONICA.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
3272	01 NOTIFICACION ELECTRONICA.exe
3272	01 NOTIFICACION ELECTRONICA.exe
5992	cmd.exe
5992	cmd.exe
5992	cmd.exe
5992	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

01 NOTIFICACION ELECTRONICA.execmd.exe

pid process

3272 01 NOTIFICACION ELECTRONICA.exe
5992 cmd.exe
5992 cmd.exe

pid	process
3272	01 NOTIFICACION ELECTRONICA.exe
5992	cmd.exe
5992	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

7zG.exe

description	pid	process
Token: SeRestorePrivilege	6128	7zG.exe
Token: 35	6128	7zG.exe
Token: SeSecurityPrivilege	6128	7zG.exe
Token: SeSecurityPrivilege	6128	7zG.exe

Suspicious use of FindShellTrayWindow 49 IoCs

Processes:

msedge.exe7zG.exe

pid	process
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
6128	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4460 wrote to memory of 4072	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4072	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4804	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 3724	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 3724	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe
PID 4460 wrote to memory of 4376	4460	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ydray.com/get/t/u17291005264321hxNZ2973a713baabre
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9396046f8,0x7ff939604708,0x7ff939604718
2⤵
PID:4072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
2⤵
PID:4804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
2⤵
PID:4376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
2⤵
PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
2⤵
PID:4160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
2⤵
PID:3728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
2⤵
PID:4692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
2⤵
PID:628

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6688 /prefetch:8
2⤵
PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6688 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
2⤵
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
2⤵
PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5220 /prefetch:8
2⤵
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2432 /prefetch:1
2⤵
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
2⤵
PID:5132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
2⤵
PID:5140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6912 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,9114895460927220394,9775683688823405583,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4680 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5788

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap11560:156:7zEvent10095
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6128

C:\Users\Admin\Downloads\ENVIO COPIA DEL LA NOTIFICACION ELECTRONIA\01 NOTIFICACION ELECTRONICA.exe
"C:\Users\Admin\Downloads\ENVIO COPIA DEL LA NOTIFICACION ELECTRONIA\01 NOTIFICACION ELECTRONICA.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3272

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe
2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5992

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
3⤵
- System Location Discovery: System Language Discovery
PID:5412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
1.1MB

MD5
57c08ed488751aec5e87fed3d6fd7d62

SHA1
ca04ca63da28ad131b74047bca98409df347632c

SHA256
96c9ed63d9a5b924fc2677820f9f1b72aa8c9f7d38b9dec86277135bb21947c0

SHA512
e9b16c84c8871d22a83d4ffb5e845360524404229d5ffae940bc6ab55d47d200874e5c07fd3093f27f7997405f2ff776beb851e27b486a8b3332141e674e763b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
0ea682933704c24d9d285cdbfab600f1

SHA1
8877395c7ea52a0c483ac7edd9eb3d53d0688f95

SHA256
9cf2e1fd3fb444d444033000c22eccd6f23b5f9be0fcc1ce2e5d48516850d493

SHA512
97b287af3be66dfa76d58922f6636772df76bf4c74ee8a451916c6157da29ade6b39de2747e3eaad09bd720285c1d01e012e8536b923c1db354e9523ca01991a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
4d02af009cfd90e36c5cc0698b7f63d3

SHA1
92674334bb48e5fa2ade056f0e488e567b4e91c6

SHA256
51019d7c65882fa1835f6b2fe427b7b54cf72a1fd63cd26035be4e8622c9eb37

SHA512
0126b3916c7fc845e835c7e812dd4004f1c9b1221fd9c189b16bc4aa8bc1864b3df3decced9750849ef2f0426d30f7b0411fbf7370b0b8f43a54176289a8b982

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c6e081aea79a94d6bcee8d99be6a1f49

SHA1
2d1faefeafed4d4d88d0a838db2b4ab93a09fa78

SHA256
d6c7c40e43238c9b4811758b5367d1fdeb161907f7643c96def4d0b39225b4ec

SHA512
9b5d7f8aa29b6c29afc9c0ced7ae6529428525c7cd3a30df95e8670292cfa4c8a4047a1212c83361c473c1e9f643866e065aa7d5278a72d19a782845d8fe5a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d8091249ea16993691174905f1162964

SHA1
1e9cb6969ad949ebc564e8ddbd0a686f97197c3c

SHA256
7fc4d1ec15e380f52f406da7eff9221b9fa650e10bebdded52eb301d01f430a1

SHA512
a3ed447f1564026e3c1d3c03a0df80fcc2f3797f9f9bba25d0dd8c064561427876f8ac73538e4436f7ce7b49d07ead612a7944cfb841fb7eb6dd544c707ec16d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ce929fa4773e9f62a2c61f159a387964

SHA1
0c79df18ca5bfb71c7c63adc9287ed6ee6836738

SHA256
7ee81c76805373669a112106f6167c45b535afee78cbbb31e46a4dc69c294a34

SHA512
e5c1c002ba28b1e03f016b8a540d12811a2966b9b20cc120ba268f4b0b9fcc71eb5af8d8606c96e24d4d7e28384a358cb5780322614d5055a60b4b9fd90ee034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0aaa577ccd01df1eb0a3fc96fbd2c034

SHA1
fc426df36618ab1cefbfacd404d87160919e6c03

SHA256
5c620d1fec2d26202e45bffe47cf426d34de5484177716d3bc429728c649e53d

SHA512
bfb2e0663f9ee7ade345a7a20ba5ce0da1a54793fe608d9040927426ca4970388e5666465d944a8408014924bb71d746f39323c61f4c1f278fc11c949ec11c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5c598197208efa5fc10eb6243582bb6a

SHA1
aa760d24338e56eff7629678c279e003c14a2665

SHA256
bbed7f3994501c110b6c65273292aad37d732a81368d48dee5d86a7927e6b092

SHA512
6f03cf63ecd676f57bfcf21b511721c66102ef37f7f1b60fbf744f8fe78c00e553587cbf36da3b65780840bdd4a591df182fd7756c76cef27164bdde6b00f482

Download Submit
C:\Users\Admin\AppData\Local\Temp\b881575

Filesize
780KB

MD5
3885c1f0a4e7800d48edf6df06419adb

SHA1
dced1ab04b36e7ec016b93d8d66c7837c7a1317a

SHA256
e8c8a730d1d7e6a51a611738a72f827df820501a5366f8f464fe20c2f0eb4394

SHA512
137f3bb0e082cb73d150b39fdabdea575fae9971dc8ef19e88cecfa2e21ad1ef6c4d749c0654433a0b99f999bc470af0292af393478a567a2e701931ab03f88e

Download Submit
C:\Users\Admin\Downloads\ENVIO COPIA DEL LA NOTIFICACION ELECTRONIA\01 NOTIFICACION ELECTRONICA.exe

Filesize
1.6MB

MD5
8f0717916432e1e4f3313c8ebde55210

SHA1
41456cd9c3b66cfb22f9bbeefb6750cce516bf3a

SHA256
8dc4d5deef19fb4da195c270819a6ee283b67408fc9ee187216a0ce80ee61bab

SHA512
d1c4696541ec1d8d44e820902828bfbbd16afbb9c4a251080fc62262fbf879b268ed0fff80ea84aacdc58f424c516a979bb8fa82f0dfe920d71cad92f17bcfee

Download Submit
C:\Users\Admin\Downloads\ENVIO COPIA DEL LA NOTIFICACION ELECTRONIA\MpGear.dll

Filesize
592KB

MD5
8d6de42f1495eb5f487dd5bab8e97038

SHA1
dd9b13c03c8db0a2368f7dccaf4081b82bfa2a7b

SHA256
2625ad5e5176eeec5f91152d8b5fbdde2cb96fec11b6bf2a5dc4d09f03b381d9

SHA512
54424a71f2fe3d9d411ec30f5ae31aeed2d6637e06625273cee5c228c587e537892c78a5d984479d60b2791fd8e2083e7ef3e5a0cc11ae4b330152d8e033f93f

Download Submit
C:\Users\Admin\Downloads\ENVIO COPIA DEL LA NOTIFICACION ELECTRONIA\eqghknq

Filesize
543KB

MD5
e315be42447349771b034c8970175960

SHA1
fb5b8da1125d2f17b7afdadcf10c7f7d82fbe261

SHA256
32ca8915eb98cd3c684582101cef9bbb0e676d931105a6c1262e8342b884dbee

SHA512
dbf86bea8fb0347f66fe2b24f6e74cfa86a1218ab22129e68142b62d93b39b26c88ec0def211aa84ba814ca68b98b33d114558f06d6e905f34a150ba6570b1fe

Download Submit
C:\Users\Admin\Downloads\ENVIO COPIA DEL LA NOTIFICACION ELECTRONIA\rfd

Filesize
14KB

MD5
29b01936b7ea11492a23743a2b759db9

SHA1
7164f25051d1bca018068e436e9afff819c783d2

SHA256
10642367b4df02d19b6ed22bb6448439d8dd92bad78af15c908b502837ca7d7c

SHA512
5fc95108746c6d5df8cd15f657b7a8d47c334209ef514b847b95ad3b8c422f0cd65a59f71e22ec0ac4f2b72eaacb970359bdb781abc04c60c3e90eac3d49ca72

Download Submit
\??\pipe\LOCAL\crashpad_4460_HWNSPUETMYOLXBTY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3272-274-0x00007FF928660000-0x00007FF9287D2000-memory.dmp

Filesize
1.4MB

Download
memory/3272-280-0x00007FF928660000-0x00007FF9287D2000-memory.dmp

Filesize
1.4MB

Download
memory/5412-298-0x0000000073E90000-0x00000000750E4000-memory.dmp

Filesize
18.3MB

Download
memory/5412-302-0x0000000000FC0000-0x0000000000FD6000-memory.dmp

Filesize
88KB

Download
memory/5992-283-0x00007FF947ED0000-0x00007FF9480C5000-memory.dmp

Filesize
2.0MB

Download
memory/5992-296-0x0000000075910000-0x0000000075A8B000-memory.dmp

Filesize
1.5MB

Download