asyncrat | hxxps://gofile[.]to/xW9A/gyat1[.]exe

Analysis

max time kernel
79s
max time network
75s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
24-11-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.to/xW9A/gyat1.exe

Score

10^/10

asyncrat default discovery phishing rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

192.168.1.63:4444

Mutex

4wMHcxbOKref

Attributes

delay
3
install
false
install_file
update
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 300148.crdownload	family_asyncrat

Downloads MZ/PE file
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: [email protected]
phishing
A potential corporate email address has been identified in the URL: sweetalert2@11
phishing
Executes dropped EXE 1 IoCs

Processes:

gyat1.exe

pid process

4392 gyat1.exe

pid	process
4392	gyat1.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a6e9aeb0-93ca-4ed2-8265-1667ef53dc65.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241124115004.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

gyat1.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gyat1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	gyat1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings msedge.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 300148.crdownload:SmartScreen msedge.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid process

1696 msedge.exe
1696 msedge.exe
1752 msedge.exe
1752 msedge.exe
5008 identity_helper.exe
5008 identity_helper.exe
2000 msedge.exe
2000 msedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings	msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 300148.crdownload:SmartScreen	msedge.exe

pid	process
1696	msedge.exe
1696	msedge.exe
1752	msedge.exe
1752	msedge.exe
5008	identity_helper.exe
5008	identity_helper.exe
2000	msedge.exe
2000	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exe

pid	process
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe
1752	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1752 wrote to memory of 1044	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 1044	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 2972	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 1696	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 1696	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe
PID 1752 wrote to memory of 3924	1752	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.to/xW9A/gyat1.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffa584646f8,0x7ffa58464708,0x7ffa58464718
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2616 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4712
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff780b85460,0x7ff780b85470,0x7ff780b85480
    3⤵
    PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3024 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2044,13118560585420165680,11126835964086091865,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7052 /prefetch:8
  2⤵
  PID:1280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1152

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:228

C:\Users\Admin\Downloads\gyat1.exe
"C:\Users\Admin\Downloads\gyat1.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ef84d117d16b3d679146d02ac6e0136b

SHA1
3f6cc16ca6706b43779e84d24da752207030ccb4

SHA256
5d1f5e30dc4c664d08505498eda2cf0cf5eb93a234f0d9b24170b77ccad57000

SHA512
9f1a197dccbc2dcf64d28bebe07247df1a7a90e273474f80b4abd448c6427415bace98e829d40bccf2311de2723c3d1ad690a1cfdcf2e891b527344a9a2599d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
39191fa5187428284a12dd49cca7e9b9

SHA1
36942ceec06927950e7d19d65dcc6fe31f0834f5

SHA256
60bae7be70eb567baf3aaa0f196b5c577e353a6cabef9c0a87711424a6089671

SHA512
a0d4e5580990ab6efe5f80410ad378c40b53191a2f36a5217f236b8aac49a4d2abf87f751159e3f789eaa00ad7e33bcc2efebc658cd1a4bcccfd187a7205bdbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
3815a7828c9bd02b259db925b985a7a6

SHA1
f4db08572132dc2a4cff3ef5df1bd0056765a0ac

SHA256
d8a72cbfdb52637ba192a04858ecaaf27661e2ee5fbc9868e58a15dcd8f2fdb1

SHA512
d0ccd48f5408308d4032178e9cb2788077e24186a5fd467b2b964aa73ac69f5f2ef508b5221b075187aca865a4797711b829b9a16cbd66ce15d22345f0339115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
552B

MD5
4e973e5281c61547ae7acc207e3e6cc0

SHA1
ff2e7bfff61c57fd7deb4945619407c266eea1c6

SHA256
b8910f87b1af3af7ca29f052c0fc9dd54ae3b9c660c0d2726eb65836647bc587

SHA512
9af0edded2d2c96a4c7db9b29b2b18e1313dea6a8c3003d1a7637d9bb00769c3894ad688bce612238720e0c10c7c7841a1973ae1b390990d3b7119092286c963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
7e346d5c2ee0936ffae6270be72dd1aa

SHA1
fb3b894b8badb8930a9d120cb8ac63ea03cdb6de

SHA256
161d7a4d6ef6f23bde29c0609bffbfadcb9ae1851a7bbf6fbfce6ba7c5dd0ea5

SHA512
a77bb07c0ea290863445052d43311616146d368999bc0484777dc4bc46730e37ae3bc0bd4b82b80845dbc5ce973414b91759654ed444bd23e1d96699a7d70731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
09a68452dbad4a688730de1a100d51b3

SHA1
61c735b4bf2750efe9dbb3867dc2e7c927960527

SHA256
c24910caea0b93bd4b248cc2f27958735a46a90ab35d12cec2671208c7adcaae

SHA512
4b4d563dcc34bb101c81e79917f10679007151da29249bf33c7b305179fc3be9d4519d373f3043dde37d84ad04f87fcf4c0e9239cab633531e1915a6b9d115fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58ec4f.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cb51628a474a1850f69a26e8ee3c3c60

SHA1
fcebadf868891107b58f5723becc798a1eed2feb

SHA256
f245199d3d7854d6e8e843a51e05caf8ae6264cfb5da2eb61a843065f37120aa

SHA512
c6550b2e955ca970c26c6bd1051465dc3a77ae8ca9b135e50c2a21a207a1320f649fc4d4f85d5502f4e2daf72f6ba4a32e0043e1b2e0333cdef9c12bbd3503c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
81861bfa965e170134ab974af8a89cea

SHA1
3162768be3889cf0b07f22122861804cdd0a0b0d

SHA256
150f13b6e307c49ddaff98a1a434b9ec18a4dee9067488c076fda55fad314f21

SHA512
511092678a06d549d194a3afe1ec76597c8bd02666d3e23fea334ce6a6ffd483138e7511d55f3d0cc6923ada61c0d0bc9a00ef188fc68debab2c914ed1d4b824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
95d4c7985174d851a888c4ea166ff444

SHA1
e576d22508e88a15db2fa1236359da5c47719f1b

SHA256
eea565ad2434a3be51b04e01c3aaaa800eef8e746288f68a6bd7290fa5360a57

SHA512
bb4f06caf77911041c859fd258f8da4b60b340613ba96234d174b7f47c56052d3b19e2a50911a92d6a3c4ed8582a74267e32dd5c68b9a2f8da876e9f78150c31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
60d82bd601d64fd00bb0373f5ecd65b8

SHA1
0e8bde426270dfa3ea285c2c5b7282ab37771d4c

SHA256
bdec91a5061c6a400ef33c2dca5b1d0c16c1fe9e464f8ec99a72442b752e6a97

SHA512
5ea1b33784438acd246c02c95716f72c78293bc8d8e8e6d71aeaab370ae9fc2063ba8ffa443bbfc26c96e45a95549b62894b846a459c986531b34a110d0be38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0e98d1679e15688ad133f11eee8458ee

SHA1
a4b1a83f0a3f2867954d3146d95d314441950606

SHA256
8aa7eaf918f2969424996a8f3575478006d9d74b308a750f996fe4f5f045554e

SHA512
eb34d52a8df4992444000a93c8d0d11254069b5f43a68a6def21061be03a538f36c42b2e968a8637f12b93235de3140002b0212aa2cdebe0950fd115c04bc72f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4def66017e9e62b1a34c2071941ffa03

SHA1
d390c34749c7d285400d93247183f51f7bae9bec

SHA256
4c1428fac673ae912607dfc42c6d46c9eda81125c1a313d86574b57fb05b1430

SHA512
062eae22dbbb50773e14d9d3672c6174fa02e210dee2a272decdda6abe493ffa2d971444e6e688e251542e1fd137eb356e542ab6ccc49d450046eadc5c6f52d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588836.TMP

Filesize
1KB

MD5
14267c37230f54223439655c164f7557

SHA1
a2aaec555f1b7041e7d44b164e249566f7a7a681

SHA256
09a2c639105dc8e0c352727efb7d44dff41ff038e389f6f47e1d5bfa9c65891d

SHA512
4e7fdfbe8a1bdddf95278d69c7187e966ae1a57836a3d65e661c493b2dc65f9d8ff6cb4d1199bee7dc97fc25339c318fd3000883b417a08effa8aa1bbe7040ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
ad53b00046654c95be65459ce124cfe7

SHA1
bdc40b85b49e922d6f31e0e3d2224d27b8c22cc7

SHA256
c9dbfec530b98c1c50d0403183dac563c19ea0abc63760b18bd5bd5ea2a343c9

SHA512
9662d72d64b1f54499a017f35c3b0a00d448733dc8ce75673814a73421f85768cab2ca501d0c2b1bcfa9d5e87c505f527e2617b76fa6eb0df45c9ef67ebd613f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6008bacde92ccd88d6305e1fc3dbe16c

SHA1
16df442b9af9f78315e72702953a927d0a13518f

SHA256
38c85e4d2dd835e89926f3b4abf59798999c1fbf936f19afae7df43e8a04bee6

SHA512
c587dc36179dde7618cb9ec2fc6c617cf514efe9b8966b30216f55d803e285799b0824c542afaa3da55cbae185b1e07c8aa65e0adee6bd0f6f97b23f43192bab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
381290db9e3d4ee4ded51d01d87f802a

SHA1
b604fb2ec5e5c1006f1881fc70f8af7f9f657a9c

SHA256
d5f32528927abd0cd49d6f45c7597f555de35b0baaecc143f6326abc93aae523

SHA512
b790fea6afada66a61afff5021aaeef5bc2a32381831b60bc3b6e307bebe41f21a90e5988d9f41ca105714e6351619a726dc4475d2fdf9c6b4031b474262ed22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
4b64e666da39966fba6f07de2611e9ca

SHA1
f2e7f7eabb8af7564db9995c47b4108a5e0be6ca

SHA256
948a189cfb9f71bffc2788ee2d68ee73af0cf5d0f60945ac2d82508d09d3aa92

SHA512
79a0a47c5a78b6c19d78438bad618eb696d0e77084bbee5d4c1f80519e6434247693f4a0cba864f5ec8ab17366e9c06bf6ecf03df594698a04c131b1075356fc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 300148.crdownload

Filesize
45KB

MD5
9fb33877999ff862e33222871ce42331

SHA1
94ce7bf20d5d3e16bd20d4f89375da7a3998d915

SHA256
bbee7c9036d9418410a1c1c3bc4ae661569cdc6e215d023ceed6df31ee2b917a

SHA512
0694c9399760db24c225e28131b2ba602e57b28426b27c1244ea1ef13ad877187766da606da4b23d5ec18f525af8684fe4d845a96aac04540845231033da2816

Download Submit
\??\pipe\LOCAL\crashpad_1752_PTHTMLMNVRDSYGWD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4392-312-0x0000000000DD0000-0x0000000000DE2000-memory.dmp

Filesize
72KB

Download