asyncrat | hxxps://gofile[.]io/d/WfBdeW

Analysis

max time kernel
54s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/WfBdeW

Score

10^/10

asyncrat whats app discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Whats App

192.168.0.38:4449

Mutex

fvkarpgviexcled

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 382985.crdownload	family_asyncrat

Downloads MZ/PE file

Executes dropped EXE 12 IoCs

Processes:

Whats App.exeWhats App.exeWhats App.exeWhats App.exeWhats App.exeWhats App.exeWhats App.exeWhats App.exeWhats App.exeWhats App.exeWhats App.exeWhats App.exe

pid	process
5340	Whats App.exe
5568	Whats App.exe
5856	Whats App.exe
5884	Whats App.exe
5912	Whats App.exe
5940	Whats App.exe
5968	Whats App.exe
5996	Whats App.exe
6048	Whats App.exe
5268	Whats App.exe
5560	Whats App.exe
5472	Whats App.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 382985.crdownload:SmartScreen msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

1236 msedge.exe
1236 msedge.exe
2892 msedge.exe
2892 msedge.exe
2624 identity_helper.exe
2624 identity_helper.exe
5224 msedge.exe
5224 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

2892 msedge.exe
2892 msedge.exe
2892 msedge.exe
2892 msedge.exe
2892 msedge.exe
2892 msedge.exe
2892 msedge.exe
2892 msedge.exe
2892 msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 382985.crdownload:SmartScreen	msedge.exe

pid	process
1236	msedge.exe
1236	msedge.exe
2892	msedge.exe
2892	msedge.exe
2624	identity_helper.exe
2624	identity_helper.exe
5224	msedge.exe
5224	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Whats App.exeWhats App.exe

description	pid	process
Token: SeDebugPrivilege	5340	Whats App.exe
Token: SeDebugPrivilege	5568	Whats App.exe
Token: SeIncreaseQuotaPrivilege	5340	Whats App.exe
Token: SeSecurityPrivilege	5340	Whats App.exe
Token: SeTakeOwnershipPrivilege	5340	Whats App.exe
Token: SeLoadDriverPrivilege	5340	Whats App.exe
Token: SeSystemProfilePrivilege	5340	Whats App.exe
Token: SeSystemtimePrivilege	5340	Whats App.exe
Token: SeProfSingleProcessPrivilege	5340	Whats App.exe
Token: SeIncBasePriorityPrivilege	5340	Whats App.exe
Token: SeCreatePagefilePrivilege	5340	Whats App.exe
Token: SeBackupPrivilege	5340	Whats App.exe
Token: SeRestorePrivilege	5340	Whats App.exe
Token: SeShutdownPrivilege	5340	Whats App.exe
Token: SeDebugPrivilege	5340	Whats App.exe
Token: SeSystemEnvironmentPrivilege	5340	Whats App.exe
Token: SeRemoteShutdownPrivilege	5340	Whats App.exe
Token: SeUndockPrivilege	5340	Whats App.exe
Token: SeManageVolumePrivilege	5340	Whats App.exe
Token: 33	5340	Whats App.exe
Token: 34	5340	Whats App.exe
Token: 35	5340	Whats App.exe
Token: 36	5340	Whats App.exe
Token: SeIncreaseQuotaPrivilege	5340	Whats App.exe
Token: SeSecurityPrivilege	5340	Whats App.exe
Token: SeTakeOwnershipPrivilege	5340	Whats App.exe
Token: SeLoadDriverPrivilege	5340	Whats App.exe
Token: SeSystemProfilePrivilege	5340	Whats App.exe
Token: SeSystemtimePrivilege	5340	Whats App.exe
Token: SeProfSingleProcessPrivilege	5340	Whats App.exe
Token: SeIncBasePriorityPrivilege	5340	Whats App.exe
Token: SeCreatePagefilePrivilege	5340	Whats App.exe
Token: SeBackupPrivilege	5340	Whats App.exe
Token: SeRestorePrivilege	5340	Whats App.exe
Token: SeShutdownPrivilege	5340	Whats App.exe
Token: SeDebugPrivilege	5340	Whats App.exe
Token: SeSystemEnvironmentPrivilege	5340	Whats App.exe
Token: SeRemoteShutdownPrivilege	5340	Whats App.exe
Token: SeUndockPrivilege	5340	Whats App.exe
Token: SeManageVolumePrivilege	5340	Whats App.exe
Token: 33	5340	Whats App.exe
Token: 34	5340	Whats App.exe
Token: 35	5340	Whats App.exe
Token: 36	5340	Whats App.exe
Token: SeIncreaseQuotaPrivilege	5568	Whats App.exe
Token: SeSecurityPrivilege	5568	Whats App.exe
Token: SeTakeOwnershipPrivilege	5568	Whats App.exe
Token: SeLoadDriverPrivilege	5568	Whats App.exe
Token: SeSystemProfilePrivilege	5568	Whats App.exe
Token: SeSystemtimePrivilege	5568	Whats App.exe
Token: SeProfSingleProcessPrivilege	5568	Whats App.exe
Token: SeIncBasePriorityPrivilege	5568	Whats App.exe
Token: SeCreatePagefilePrivilege	5568	Whats App.exe
Token: SeBackupPrivilege	5568	Whats App.exe
Token: SeRestorePrivilege	5568	Whats App.exe
Token: SeShutdownPrivilege	5568	Whats App.exe
Token: SeDebugPrivilege	5568	Whats App.exe
Token: SeSystemEnvironmentPrivilege	5568	Whats App.exe
Token: SeRemoteShutdownPrivilege	5568	Whats App.exe
Token: SeUndockPrivilege	5568	Whats App.exe
Token: SeManageVolumePrivilege	5568	Whats App.exe
Token: 33	5568	Whats App.exe
Token: 34	5568	Whats App.exe
Token: 35	5568	Whats App.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe
2892	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2892 wrote to memory of 4088	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 4088	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 400	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 1236	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 1236	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe
PID 2892 wrote to memory of 2036	2892	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/WfBdeW
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x58,0x108,0x7ff8736146f8,0x7ff873614708,0x7ff873614718
2⤵
PID:4088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
2⤵
PID:400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
2⤵
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
2⤵
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
2⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
2⤵
PID:4456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5172 /prefetch:8
2⤵
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
2⤵
PID:2724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5984 /prefetch:8
2⤵
PID:1752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
2⤵
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
2⤵
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
2⤵
PID:1672

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
2⤵
PID:888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,6801078911253519694,14564790068283836881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6048 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5224

C:\Users\Admin\Downloads\Whats App.exe
"C:\Users\Admin\Downloads\Whats App.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5340

C:\Users\Admin\Downloads\Whats App.exe
"C:\Users\Admin\Downloads\Whats App.exe"
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5568

C:\Users\Admin\Downloads\Whats App.exe
"C:\Users\Admin\Downloads\Whats App.exe"
2⤵
- Executes dropped EXE
PID:5856

C:\Users\Admin\Downloads\Whats App.exe
"C:\Users\Admin\Downloads\Whats App.exe"
2⤵
- Executes dropped EXE
PID:5884

C:\Users\Admin\Downloads\Whats App.exe
"C:\Users\Admin\Downloads\Whats App.exe"
2⤵
- Executes dropped EXE
PID:5912

C:\Users\Admin\Downloads\Whats App.exe
"C:\Users\Admin\Downloads\Whats App.exe"
2⤵
- Executes dropped EXE
PID:5940

C:\Users\Admin\Downloads\Whats App.exe
"C:\Users\Admin\Downloads\Whats App.exe"
2⤵
- Executes dropped EXE
PID:5968

C:\Users\Admin\Downloads\Whats App.exe
"C:\Users\Admin\Downloads\Whats App.exe"
2⤵
- Executes dropped EXE
PID:5996

C:\Users\Admin\Downloads\Whats App.exe
"C:\Users\Admin\Downloads\Whats App.exe"
2⤵
- Executes dropped EXE
PID:6048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2436

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6076

C:\Users\Admin\Downloads\Whats App.exe
"C:\Users\Admin\Downloads\Whats App.exe"
1⤵
- Executes dropped EXE
PID:5268

C:\Users\Admin\Downloads\Whats App.exe
"C:\Users\Admin\Downloads\Whats App.exe"
1⤵
- Executes dropped EXE
PID:5560

C:\Users\Admin\Downloads\Whats App.exe
"C:\Users\Admin\Downloads\Whats App.exe"
1⤵
- Executes dropped EXE
PID:5472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
416ecc3b90d2ee54b64b31e9fe69952f

SHA1
13b22fecd439e420c3af150030ff5ac48eeb390c

SHA256
688240b2841cbf48949f4f91db9f8e2496ac604d4591421a5c55794628d34500

SHA512
19f10dc1ea3634180ed72f28cba9927bd51749cf668bb2c44fb5cf6aa08b405f86577c87a0217b0e06263304576f5a2698c4e898daa950925e18cfecfb75bb43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
de13b1f575ea9d972d217d22f433c396

SHA1
cbe752e7bd6f63a25ef354bcb8c1a14b6e894a12

SHA256
f61d3e87d2d996b93439433250755255d1b849b8cbac3e0b62385da914ac98b7

SHA512
72823c432f762ec7ca6fd60395ab15b6b7098860ef11ce51b1c96ea3a1a1a6799631f3637177a02c0c5e78e3412682eae55d08f59fa65c1e9df01577beb81c80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3ffed8b08ebc0d33bc04992015186b31

SHA1
68fe6eb4c429c1632519209973454332f30c3802

SHA256
e038dd78adc27c703abcc6a8b877158ff3978fccca376ded81703f598a3e22bd

SHA512
4b86ca7a84068318d033eed09b0d33c79cdbec82de11bffb8e71467e8bf211c1e65eceebe1631a1db3d905a8a2f03106a40ffe1c072ba3871266b9330aa4ddd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a62d26d782b10a68d2e0e095cadd9c3c

SHA1
f2522608187f5816701ecad4667a260f8fd7fbbf

SHA256
6b671f83fe6dcb64425cdb3b2b6ad91596a4d6bc850084953829e407ea48d5cd

SHA512
c50c1af7198a455a343e3629ab47295fd78244d347a1acc5e312a22fd9d903aca43d565e3d37b23b8676ed49f8225bcee75b6d849244dbda603f7465be494d70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
250212f73867b55f1a84c6091ebfcd0f

SHA1
16f6c3ffc85edc9233ebe93b05cd3073a2f2c9ab

SHA256
80aafb7855cfcffeeff4218f0a61e9e8d9e75132ddbdedc227c70d3bd3b9b071

SHA512
489383ce43fff1aaf5b4700d5afa510d24d48d0cdf815fa214ee0caf8b7936de61ce13a644ba422d0363acdaf1cd51425acbe237e3ce80a98895b9d425abc55a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c719f570c7f8c69472b2d729a4bfbbe5

SHA1
591c230f0a849c5db69ba40b85fb9df0fc280f4a

SHA256
88d38532eebebc5d027f96321fb6a9ce9a729d8b135e128fcce6602a504a6eaa

SHA512
e8066b458fb3a70d23de0b01bec7f413ee52519858c5b50697a24ef2685b07a69a37d9a8147649af307c1ae47444dba2ca59c21f1fbe83ab38c5ea92cbdcb5df

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 382985.crdownload

Filesize
89KB

MD5
1c7d0dcf487cc6a96e31e5cca2e1eafd

SHA1
0815fa01c8a38b14ce7a7778f7e09d3c1a7d371c

SHA256
efc856f4812ff5817caa289b71f2bd72403fec4fe57dd426303e3e638c7b8b72

SHA512
9ba36c389ed5cde7fdec9daf5039f3e45d9952e06c663725274aca387b230767340159b8f81d19265b2f0d25a0f19d4d987815c23b826482ccf39517303485d4

Download Submit
\??\pipe\LOCAL\crashpad_2892_MYZLUXMYDKRSSQQY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5340-116-0x0000000000880000-0x000000000089C000-memory.dmp

Filesize
112KB

Download