asyncrat | hxxps://gofile[.]to/2EEW/asyncclient[.]exe

Analysis

max time kernel
152s
max time network
162s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-11-2024 10:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.to/2EEW/asyncclient.exe

Score

10^/10

asyncrat default discovery phishing rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

192.168.1.63:7118

192.168.1.63:37454

tcp://Wagner123-60799.portmap.host:7118

tcp://Wagner123-60799.portmap.host:37454

Mutex

4wMHcxbOKref

Attributes

delay
3
install
false
install_file
update
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 57929.crdownload	family_asyncrat

Downloads MZ/PE file
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: sweetalert2@11
phishing
Executes dropped EXE 1 IoCs

Processes:

AsyncClient.exe

pid process

5752 AsyncClient.exe

pid	process
5752	AsyncClient.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a9bea40e-4064-45f5-9236-eeaa696ff596.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241124105334.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

AsyncClient.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AsyncClient.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings msedge.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 57929.crdownload:SmartScreen msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings	msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 57929.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exe

pid	process
2492	msedge.exe
2492	msedge.exe
3300	msedge.exe
3300	msedge.exe
576	identity_helper.exe
576	identity_helper.exe
4252	msedge.exe
4252	msedge.exe
6036	msedge.exe
6036	msedge.exe
6036	msedge.exe
6036	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

msedge.exe

pid	process
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

msedge.exe

pid	process
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

msedge.exe

pid	process
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe
3300	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3300 wrote to memory of 2176	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2176	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 1280	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2492	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 2492	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe
PID 3300 wrote to memory of 4724	3300	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.to/2EEW/asyncclient.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff91e5446f8,0x7ff91e544708,0x7ff91e544718
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 /prefetch:8
  2⤵
  PID:1260
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4376
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff71b815460,0x7ff71b815470,0x7ff71b815480
    3⤵
    PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1972 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6808 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7324 /prefetch:8
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,8807067955975229738,2890565673202148228,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4884 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5248

C:\Users\Admin\Downloads\AsyncClient.exe
"C:\Users\Admin\Downloads\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
290B

MD5
4dfdde31ee21dcde9dc6420d6e775139

SHA1
a17b23f0bdbdc864cec77bd160b0b820361ec629

SHA256
b1dc9131158f227119c845d0c211caf39384c344f4a8b2e0abaf1c93026114c5

SHA512
7ec5712e6b577b51981dff99eb36dff452a58ce93a2052f7f6df3048ed4e5b2a029c00ae3ef2cf2503d1cd71f51663c8c7e2c6b4f882937535328dae39bdf697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a134f1844e0964bb17172c44ded4030f

SHA1
853de9d2c79d58138933a0b8cf76738e4b951d7e

SHA256
50f5a3aaba6fcbddddec498e157e3341f432998c698b96a4181f1c0239176589

SHA512
c124952f29503922dce11cf04c863966ac31f4445304c1412d584761f90f7964f3a150e32d95c1927442d4fa73549c67757a26d50a9995e14b96787df28f18b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
78bc0ec5146f28b496567487b9233baf

SHA1
4b1794d6cbe18501a7745d9559aa91d0cb2a19c1

SHA256
f5e3afb09ca12cd22dd69c753ea12e85e9bf369df29e2b23e0149e16f946f109

SHA512
0561cbabde95e6b949f46deda7389fbe52c87bedeb520b88764f1020d42aa2c06adee63a7d416aad2b85dc332e6b6d2d045185c65ec8c2c60beac1f072ca184a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7ce0e2fec3789017a0315137a5301ef5

SHA1
cb76b4a0e4b04abdf925a7bdee0ba3e72f8852c9

SHA256
36d8268c80c07f59aa54ada0ba0eba6414b674008688e834b183e7121bc4e482

SHA512
166f96201d2efc86086e51b7dea039fd890b9447311f60a0a2f0b9851843530aa91efa5decabd7e4c633b786cbe44efe8b4c978eea8fe5777d3123c2862d046e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
555609d2bd2da3537582ecbe6ec53c9c

SHA1
0bf3811abddb5c7bbdd2d56f01d9574e11b1b1a9

SHA256
2d1df4a7a53a6d1914dbb80b375321af6431efc9833f4c4ff6e2c872fa634d52

SHA512
dcbca55255e52c14ef8d68e2cabc5f842a46669158e93a30611ce31dd6937e5776facb5e4511bc5f88b978b884dda33fcff360e5dc0f79dc960f6ade516a7770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
093bd38deadd0b15ac1728e3a108942c

SHA1
04205bba0ea8402e2ea993b80f3738a548fad07e

SHA256
17dcd0b61f2ccf0aa317d55a19b87924e9b8b48c94e927e20b4d8ebba7d80084

SHA512
aa792787edd252224c2377cb849f234697767f44c262aba3e26f8d0d5fcdaf5caa27cc5f5a5b2c5b99e21822a80fb1330a6b1ca476acf533a7bb85e3808fc61a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
379f0ffadb4acdeb13acc4805d4944a0

SHA1
35e2090441f00aab4685911a30eb6df27fbec4c8

SHA256
d9b29bee43acb7fae262e7d06a109c635138622fa97a98492b0a9b51cec72030

SHA512
8a7facaac133802d2df30f01efb48dd443146d6fd637233bb78775368ea27fd874c9565f6e048ad4b36795b891be203f655df0b1c5ab5e22a978ed5c3c52cdbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8ce588877cec3d76461377ec6f538900

SHA1
caded2c53acdc4e8c6adab4a3a2afa30191e735c

SHA256
e5c9b7172e23078ae736706027b51163d29b03c65c98e9e6bc5cf477d5fc4b78

SHA512
f96d670eff56336d1ecd562370a381bb022aaf251d937d99f4732ea188b8f39f22512e91e0490d27baee115f484847a5f5669a5e7bddd85c92b0a3383362aede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e8c7398ef4060ee58919cb2e36db5fba

SHA1
90ee62181a1ab9b9cafcd2a68306f721a4414db1

SHA256
acb0e1b9c79e1ba4f9cfa90a76b8fbd47c1ce0a9ec0a994559eed68779c0d924

SHA512
a53feaadb45a9301b98073ad644720636954b6187b07303a37ae7285772cbf7b7775e991f7aaa41aefb3f502e0868dc0fffb5fe6d5840f373c8e0e5038f7553c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1f592761542f65dc3c65361ca82db502

SHA1
86ec0933671f6279bd474e70505a27939172fd79

SHA256
18f30d78b5906984cf1293eec2c61d060b928cafaad0bfb1e1183818003f688c

SHA512
7ebd9a073c26feba2f834acadc2e92b366f919c9a337df59e2a6eac2ae35122ebe6184c45deae81a9e83154e5d81bfe5171cce5a3c3bbf656b33bb223e1a8518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fc053ef6a55186ce8a8971bfd05abb8d

SHA1
9a9c48c157faa8ffa6e559f33a8e197edb1cf3a9

SHA256
27d8bf01103f7ef51e9a266b7a2374c8fa3cc3d4fa4ee8ea90d239ad045e9f1d

SHA512
21982fe934dbb2fef390f83bdb0e618d3fad99ad49bc011bc3d7019162297a895ed32c619de7925b2b18dbf2cd0150d88e7b9d8773945c87b3db6c0fc5343301

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
9010fe212d7da97a4e9cf63a903ee7a4

SHA1
8f124a736d045eea3c50a9597d18c9af8b128e28

SHA256
c2956b77f9af9f4d79e0198d8a7e0a5b6f880b4d597dfeee25a3f56c05d11834

SHA512
f763ab3261592107fb19b7d6134c7f4d02e921258b1c72f1e0c69a95ee8ed9cc20498259a279cca9648bbd213a5234b965a9196865d465e1f975ee9242e36326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
21320325bdfc20c6f4e4d136228fc9c5

SHA1
7e96950811d7ddbc1daeb7341ddb9768980bf2b5

SHA256
5e7ac2b978206a07d8b1841a2bd89eae4b466bcd8a0df3a62ae2ca0439b8bd5e

SHA512
ee78316d5b8edffdc83e3431bdbd28ae05a481d2a445ddf3b7c58bf0f01c6c42aead46a4d91e7fc75519a5ca8a7e2bab78749d88476c7a2fa0a25e8b3592bd43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
05645012e10c358e5850af34b40d480f

SHA1
4725ba86fa1b9d581fa7bc38cffa022957eaea20

SHA256
5943221126577d7352632ca60b5fe1aaf3bf494c70a585d96d91d14ff3a61975

SHA512
e5c924c5ddac128de2da10757fe229dce721a62338da0d10c29ad3bf80832cc5abe7e55d651654a16c9881843699d851ba78368b869c4411dc8f78ce880271d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588141.TMP

Filesize
1KB

MD5
bc8efca67eb67cc2b7328d41309a1854

SHA1
83f2ad4b88ab0cdc8e7151ea4276aa52e6de4ad2

SHA256
285b11c978623d39a3503a94bbfc7e622c958ab62fee1a105428576154bbcac4

SHA512
3235ea595f28ead37f16c5a5e697a483d4b13bceccb1545ccb56ac2f601125decbe52122170af5010a4bc762aadf1d9b950d68998db560fba762c9107bc0da18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
49d3c032583828eec840aac7a70cbef2

SHA1
dd8106429a5386fb0cd7d11cf773d67b16f4c2bc

SHA256
ac4b0a60fb243a3c6e4e1dc87f124457d4d16b49a38cb1087c7b28d986e68b50

SHA512
add06a45880b5a4764a6121f1668de66657b84fe48e6bbf2d961b96229b77b4e764b24922c362f005038f27bab3ed7c0eb1687644314cbc4b2f2085ab9a20bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1ee0680b8d747e439cd1cbd02b29f0ea

SHA1
40bd6950d9c0f190e064cc20940b1618096428d4

SHA256
e8a783270f30906b04857bc9be2c4380201a535ed3513f63a99da35abdb7b435

SHA512
a2ea1d0599e4afda147e401f1ddf72ccd369981e30eeff365cf507ac99bc1bb4dca52a7c670f1fe454f12f7905a3424b94b3877499bd58eeba92d8cf75677942

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
76afc1b3681c584e9a2409902c1316f4

SHA1
5aed0614c0a67fd5321f426b8df08516268c0957

SHA256
c9661880bcdb0b0404c8e43f280f9f79cda8f8da3d5033994d4a4abe374c9eec

SHA512
065b166b61ca90aeafc6e05a17447efdac9d96dd89b93d51ac0c14952c2a471cfe54e3267be827515825234ba0c3c6f9791f2ef71ba1965e8c01eaaec817226c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
622dc859e87f0a6e900abe4f592e8ab8

SHA1
6676386eed29461ab43beb1f05daa57916a7e8dc

SHA256
3fbbacfdda90315ee22c895395ffe94c501344153a9a0dc0ffab2462e6e01661

SHA512
fed0ff357cf44f4880351729ece4024eaccc824fe7139b28aa37254ab5627ff8a87ce0129de06dbfe63c8e7a98c6b2bb133777019b5acb3a7cbce39a72ecb642

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
02b423a42e028937adcbbceee7e0b385

SHA1
0fb3978f2b10e1afe5066121ac1fd69884722e3b

SHA256
7efe6294aa0016ab188d6d1209ce49a5688b2e532508fa4c89ffafbfaaa87ffb

SHA512
cb22b9fd50a1f1a62fa02ec33874ab8107079cd7b98886e10b3c25a0982689fcc6f827f38bc366bf795331638a44440ed2b666af42f4160137add35ccdb4111d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 57929.crdownload

Filesize
45KB

MD5
01aa74103970953cdeb8f8dedfe4e5dc

SHA1
a7da41efd6d212f0bfd0ebb8a94cf24041ca4795

SHA256
81c48e4d5cb8c37ed30d6fc096c50e2aca8f05f37ec945d530f63b6e06a24655

SHA512
ff19fa9879d503deb46b14173f1aedff600d22cf6c872629a3ee90e198ffaaa3f9e481a3694b192b7deebb8b816455a8841846d259695ff3879ed08aef3ecbf5

Download Submit
\??\pipe\LOCAL\crashpad_3300_IDTOAZCVQGHHSAWC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5752-444-0x0000000000730000-0x0000000000742000-memory.dmp

Filesize
72KB

Download