asyncrat | 1d2e01cb8271f99e28d34c0bae6921b3d4102eadf1564a0049cd7ee45ffd7111

Analysis

max time kernel
400s
max time network
407s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-11-2024 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Infected.exe
Size

63KB
MD5

2bc3f993bd6f8d453d1713abe771ff15
SHA1

46a5ae1a18b6e4ef04df6fbf6af8bbc3c5bed3d3
SHA256

1d2e01cb8271f99e28d34c0bae6921b3d4102eadf1564a0049cd7ee45ffd7111
SHA512

28c71c3d64d7264d8982e7d6d8180e1378ddaaffe0cfd591c8c075bee82305667c6e5a3b367dee737568ce63ec3aca5c4959ed198aeca0c531b7ef4664748d41
SSDEEP

768:Cm0vnfEXf78awC8A+XU2azcBRL5JTk1+T4KSBGHmDbD/ph0oXKnKWwkSusdpqKYC:qEXiLdSJYUbdh9G/wjusdpqKmY7

Score

10^/10

asyncrat stealerium default collection discovery execution persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

who-gabriel.gl.at.ply.gg:8000

who-gabriel.gl.at.ply.gg:45700

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium
Executes dropped EXE 1 IoCs

Processes:

wgzqjd.exe

pid process

1228 wgzqjd.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

pid	process
1228	wgzqjd.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

Infected.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

Infected.exe

description ioc process

File opened for modification \??\c:\users\admin\desktop\desktop.ini Infected.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

11 discord.com
14 discord.com
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

17 icanhazip.com
17 ip-api.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Start PowerShell.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1808 powershell.exe
4936 powershell.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 8 IoCs

Processes:

wgzqjd.exe

pid process

1228 wgzqjd.exe
1228 wgzqjd.exe
1228 wgzqjd.exe
1228 wgzqjd.exe
1228 wgzqjd.exe
1228 wgzqjd.exe
1228 wgzqjd.exe
1228 wgzqjd.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\c:\users\admin\desktop\desktop.ini	Infected.exe

flow	ioc
11	discord.com
14	discord.com

flow	ioc
17	icanhazip.com
17	ip-api.com

pid	process
1808	powershell.exe
4936	powershell.exe

pid	process
1228	wgzqjd.exe
1228	wgzqjd.exe
1228	wgzqjd.exe
1228	wgzqjd.exe
1228	wgzqjd.exe
1228	wgzqjd.exe
1228	wgzqjd.exe
1228	wgzqjd.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

cmd.exenetsh.exe

pid process

2724 cmd.exe
2168 netsh.exe

pid	process
2724	cmd.exe
2168	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Infected.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Infected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Infected.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exeInfected.exewgzqjd.exemsedge.exemsedge.exepowershell.exe

pid	process
4936	powershell.exe
4936	powershell.exe
340	Infected.exe
1228	wgzqjd.exe
1228	wgzqjd.exe
1604	msedge.exe
1604	msedge.exe
420	msedge.exe
420	msedge.exe
1808	powershell.exe
1808	powershell.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe
340	Infected.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

420 msedge.exe
420 msedge.exe
420 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Infected.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 340 Infected.exe
Token: SeDebugPrivilege 4936 powershell.exe
Token: SeDebugPrivilege 1808 powershell.exe

description	pid	process
Token: SeDebugPrivilege	340	Infected.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe

Suspicious use of FindShellTrayWindow 26 IoCs

Processes:

msedge.exe

pid	process
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe
420	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Infected.execmd.exepowershell.exewgzqjd.execmd.exemsedge.exe

description	pid	process	target process
PID 340 wrote to memory of 1952	340	Infected.exe	cmd.exe
PID 340 wrote to memory of 1952	340	Infected.exe	cmd.exe
PID 1952 wrote to memory of 4936	1952	cmd.exe	powershell.exe
PID 1952 wrote to memory of 4936	1952	cmd.exe	powershell.exe
PID 4936 wrote to memory of 1228	4936	powershell.exe	wgzqjd.exe
PID 4936 wrote to memory of 1228	4936	powershell.exe	wgzqjd.exe
PID 1228 wrote to memory of 4428	1228	wgzqjd.exe	cmd.exe
PID 1228 wrote to memory of 4428	1228	wgzqjd.exe	cmd.exe
PID 4428 wrote to memory of 420	4428	cmd.exe	msedge.exe
PID 4428 wrote to memory of 420	4428	cmd.exe	msedge.exe
PID 420 wrote to memory of 3516	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3516	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 3212	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 1604	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 1604	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 2196	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 2196	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 2196	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 2196	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 2196	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 2196	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 2196	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 2196	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 2196	420	msedge.exe	msedge.exe
PID 420 wrote to memory of 2196	420	msedge.exe	msedge.exe

outlook_office_path 1 IoCs

Processes:

Infected.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe

outlook_win_path 1 IoCs

Processes:

Infected.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe

C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:340
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wgzqjd.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\wgzqjd.exe"'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4936
  - - C:\Users\Admin\AppData\Local\Temp\wgzqjd.exe
      "C:\Users\Admin\AppData\Local\Temp\wgzqjd.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c start https://discord.gg/xanaxspoofer
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4428
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/xanaxspoofer
        6⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:420
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd9a113cb8,0x7ffd9a113cc8,0x7ffd9a113cd8
        7⤵
        
        PID:3516
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,12420831396347519910,14496974519895337943,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1892 /prefetch:2
        7⤵
        
        PID:3212
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,12420831396347519910,14496974519895337943,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,12420831396347519910,14496974519895337943,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
        7⤵
        
        PID:2196
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,12420831396347519910,14496974519895337943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
        7⤵
        
        PID:1232
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,12420831396347519910,14496974519895337943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
        7⤵
        
        PID:1124
        
        C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,12420831396347519910,14496974519895337943,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
        7⤵
        
        PID:3376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qvmtqi.jpg"' & exit
  2⤵
  PID:2164
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\qvmtqi.jpg"'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1808
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:2724
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3212
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2168
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:4664
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  PID:3996
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4080
- - C:\Windows\system32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1264

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
88dc70c361a22feac57b031dd9c1f02f

SHA1
a9b4732260c2a323750022a73480f229ce25d46d

SHA256
43244c0820ec5074e654ecd149fa744f51b2c1522e90285567713dae64b62f59

SHA512
19c0532741ebc9751390e6c5ca593a81493652f25c74c8cab29a8b5b1f1efef8d511254a04f50b0c4a20724bae10d96d52af7a76b0c85ddc5f020d4cac41100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
247B

MD5
94bd83393ee4e3c749f28c3414160cbc

SHA1
68effb04ecc392f2ae4ad7bdc1e99b9116da474c

SHA256
e1dbf44fca250f32925910fcd7f59276e46d0d916eff30fdf9f85ef91bcd3d4b

SHA512
203109a405cd685a195e6cdae5d0a624abcd6c6a9333b88f312e50f96bafa03057366bd78bf62df8784ec97f14677d56f8b78b472000044618a784bcf7af3e8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c88b9607a248a7337f6b880f096e1e9c

SHA1
b50cc63633f59470054fe16e7b8b6945173f8afc

SHA256
cc238603b0fac5ab1e9514f2ae3cb663983f27b9f80c8966a479252ef1bc8309

SHA512
ad90ae35269fae046f9af1852110287aa14c9bae96cce268ee949c20a3793c63c97c4b6a5a3246bbe5a505163fa138fc8394e8529a89655c837cf61de963bd1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c958b307284049a6d58e331f3d94875

SHA1
546eea3d0bc748c3e9f5cf1298a0df30cf47c2cc

SHA256
fe274724cad96699452d0862fda184356d8c0b3fda561258252c7d316edcead7

SHA512
4bd62d19dd533c908a43f7fa183426867d629185210cf78f74c53385b92a820fa39f89113b8a4b9fda1c12e3598375163f92f9df13cd708838596bd5a5b7bb33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
16c3afb147e6519f36f24329aa6fcb64

SHA1
e36676dd5a103d4bbfd661d228f1b5c8365817e2

SHA256
99bc0bcb28c46c07f094b0dec143c01733a42755539567bc988c5dde5cd6d7d4

SHA512
5c912cb06bb292aa07ccbee03b71ba80e53735f1492e0f2e7575599a3ea0f56e4e9ee0865a589cf1160044e8eed3144b96190fb37e2977e5a04ee6d17c575f55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_auleswk1.cp5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wgzqjd.exe

Filesize
6.0MB

MD5
0ccec651d8bba5994aa039f5a9af46b6

SHA1
002427c48cbc4e64ff5a901f9b89abf7cef7e942

SHA256
c5cfe062d0895b2bd6621e06da7ee7e030de2e85f1fc2be62d734ce694bb29bf

SHA512
925b5a7f321e7dc37ad6275e38ddf54d4dee3c78c6735c40ede18ee0f831b6831edea5e898f174993e14f167ef54e22796eaac7b8444eb502679a788ec22ad83

Download Submit
C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\System\Process.txt

Filesize
434B

MD5
76a3084a88617a8d8fd37526ce5ac5ad

SHA1
5ac59527c353ab4999892625c5b019539ced7f39

SHA256
8c32a7102ff3a1e860af47c9ea8b843d65de36400e468e4965b096b3cf42d9ad

SHA512
838be6110bcd1507c6b3f26192d7adb211c497ad5f62f2a58c2c74a1dbf9370a94fcc9dce99297b74fb0abb1ea0fdecb51daac630035b4252982f7fe64c9d58f

Download Submit
C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\System\Process.txt

Filesize
2KB

MD5
819655d68e4265f99afbcec10f9f5448

SHA1
c77c3c17c7171cd4b02c32ed2b4cac115b87d3c0

SHA256
50b63b4e6c8dbf4212dfa394961df41ff019e6f850239142c2f0f9677fa9cde8

SHA512
70bddb5f3b67d65ea789ef233a1654a74f62f34e729d777fab1a5250ba1066617fb87aa063760ba9e9305026d14024234e958741d2546dbe5284ff49b12adc3b

Download Submit
C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\System\Process.txt

Filesize
2KB

MD5
c1645281a1302989f6a003bf4d6614c2

SHA1
f123b1cc98bf6a6730913a2f39ca632716502b8c

SHA256
b3539e3dc503d7f2e995e8cb63ff1e1be63b4fab2f46aef4378b8e8a30fd0d7a

SHA512
125f07af763d06d5754412b12598e1fc5925a5448319aa3d6444dbefb86cbdad6b89c79a0a9a2551ec4870db0f2f350dc28b83db551b957806f27c670a7fd66e

Download Submit
C:\Users\Admin\AppData\Local\c1802342081e87599e32efec843d3e00\Admin@TYEBXLJN_en-US\System\Process.txt

Filesize
4KB

MD5
09c4465d3a3da80916a22408753aca57

SHA1
b8bcb6a45968cc1a67e8ff876b7a9635d88b57ef

SHA256
dac278e1aa3180018c25288f6b58b1f8ba2448b276a3925499c19c405bb1534a

SHA512
d990a528ecabbc9940cd18ad01a0b5c8824b6652134525863028ad9ce50d17318272be5cc4952eee34eaa4be64585d3c235653a3046c5fcf78985e9dd0897abf

Download Submit
\??\pipe\LOCAL\crashpad_420_LTGMPWTILFFHSFNQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/340-7-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

Filesize
10.8MB

Download
memory/340-173-0x000000001C950000-0x000000001C95A000-memory.dmp

Filesize
40KB

Download
memory/340-346-0x000000001DF60000-0x000000001DF84000-memory.dmp

Filesize
144KB

Download
memory/340-0-0x00007FFDAF5C3000-0x00007FFDAF5C5000-memory.dmp

Filesize
8KB

Download
memory/340-313-0x000000001CBF0000-0x000000001CC6A000-memory.dmp

Filesize
488KB

Download
memory/340-2-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

Filesize
10.8MB

Download
memory/340-6-0x00007FFDAF5C3000-0x00007FFDAF5C5000-memory.dmp

Filesize
8KB

Download
memory/340-345-0x000000001CC90000-0x000000001CCB4000-memory.dmp

Filesize
144KB

Download
memory/340-3-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

Filesize
10.8MB

Download
memory/340-8-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

Filesize
10.8MB

Download
memory/340-10-0x000000001CDB0000-0x000000001CDE4000-memory.dmp

Filesize
208KB

Download
memory/340-12-0x000000001CCF0000-0x000000001CD22000-memory.dmp

Filesize
200KB

Download
memory/340-9-0x000000001CE30000-0x000000001CEA6000-memory.dmp

Filesize
472KB

Download
memory/340-168-0x000000001E260000-0x000000001E3E8000-memory.dmp

Filesize
1.5MB

Download
memory/340-11-0x000000001CE00000-0x000000001CE1E000-memory.dmp

Filesize
120KB

Download
memory/340-1-0x00000000008A0000-0x00000000008B6000-memory.dmp

Filesize
88KB

Download
memory/1228-32-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/1228-153-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/1228-151-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/1228-150-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/1228-167-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/1228-149-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/1228-152-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/1228-148-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/1228-31-0x0000000140000000-0x0000000141F36000-memory.dmp

Filesize
31.2MB

Download
memory/4936-25-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

Filesize
10.8MB

Download
memory/4936-23-0x0000020B06980000-0x0000020B069A2000-memory.dmp

Filesize
136KB

Download
memory/4936-30-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

Filesize
10.8MB

Download
memory/4936-14-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

Filesize
10.8MB

Download
memory/4936-24-0x00007FFDAF5C0000-0x00007FFDB0082000-memory.dmp

Filesize
10.8MB

Download