asyncrat | 92ec5fd1a2c0aa1c565b93b5c2f8d9e472346014a0927182865b7c830aa3c7cd

Analysis

max time kernel
930s
max time network
917s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 16:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

XBinderOutput.exe
Size

64KB
MD5

7ca5852a9d6d8c6d86ed1d0c0814a9f6
SHA1

692ef8e9600163e66508dd27cbbded5be2f9dda5
SHA256

92ec5fd1a2c0aa1c565b93b5c2f8d9e472346014a0927182865b7c830aa3c7cd
SHA512

3fb5c4a95b6c1fb4db20810d824192aa8b4dc35535151eaad02a60e0a24df38e452d52a8912fb8d114d7d0d58456763cf3eb739086fdb72f838f235e88f877b8
SSDEEP

1536:YzUmkjlbRxKrE99uExdTlM28i5pzDwl2qay:e50lb7KrE93Mw7wl2S

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

one-accordance.gl.at.ply.gg:9590

Attributes

delay
1
install
true
install_file
Windows Defender.exe
install_folder
%AppData%

aes.plain

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

66.66.146.74:9511

Mutex

nwJFeGdDXcL2

Attributes

delay
3
install
true
install_file
System32.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x0031000000023b76-6.dat	family_asyncrat
behavioral1/files/0x0031000000023b77-18.dat	family_asyncrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Start.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	System32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	XBinderOutput.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Loader.exe

Executes dropped EXE 4 IoCs

pid	Process
2796	Loader.exe
400	Start.exe
3284	Windows Defender.exe
4060	System32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
3176	timeout.exe
740	timeout.exe
5040	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1588	schtasks.exe
2220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
2796	Loader.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
400	Start.exe
3284	Windows Defender.exe
3284	Windows Defender.exe
3284	Windows Defender.exe
3284	Windows Defender.exe
3284	Windows Defender.exe
3284	Windows Defender.exe
3284	Windows Defender.exe
3284	Windows Defender.exe
3284	Windows Defender.exe
3284	Windows Defender.exe
3284	Windows Defender.exe
3284	Windows Defender.exe
3284	Windows Defender.exe
3284	Windows Defender.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2796	Loader.exe
Token: SeDebugPrivilege	400	Start.exe
Token: SeDebugPrivilege	3284	Windows Defender.exe
Token: SeDebugPrivilege	4060	System32.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe
1756	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 2796	4896	XBinderOutput.exe	84
PID 4896 wrote to memory of 2796	4896	XBinderOutput.exe	84
PID 4896 wrote to memory of 400	4896	XBinderOutput.exe	85
PID 4896 wrote to memory of 400	4896	XBinderOutput.exe	85
PID 4896 wrote to memory of 400	4896	XBinderOutput.exe	85
PID 2796 wrote to memory of 2056	2796	Loader.exe	86
PID 2796 wrote to memory of 2056	2796	Loader.exe	86
PID 2796 wrote to memory of 2252	2796	Loader.exe	88
PID 2796 wrote to memory of 2252	2796	Loader.exe	88
PID 2252 wrote to memory of 3176	2252	cmd.exe	90
PID 2252 wrote to memory of 3176	2252	cmd.exe	90
PID 2056 wrote to memory of 1588	2056	cmd.exe	91
PID 2056 wrote to memory of 1588	2056	cmd.exe	91
PID 2252 wrote to memory of 3284	2252	cmd.exe	98
PID 2252 wrote to memory of 3284	2252	cmd.exe	98
PID 400 wrote to memory of 1000	400	Start.exe	99
PID 400 wrote to memory of 1000	400	Start.exe	99
PID 400 wrote to memory of 1000	400	Start.exe	99
PID 400 wrote to memory of 3440	400	Start.exe	101
PID 400 wrote to memory of 3440	400	Start.exe	101
PID 400 wrote to memory of 3440	400	Start.exe	101
PID 3440 wrote to memory of 740	3440	cmd.exe	104
PID 3440 wrote to memory of 740	3440	cmd.exe	104
PID 3440 wrote to memory of 740	3440	cmd.exe	104
PID 1000 wrote to memory of 2220	1000	cmd.exe	103
PID 1000 wrote to memory of 2220	1000	cmd.exe	103
PID 1000 wrote to memory of 2220	1000	cmd.exe	103
PID 3440 wrote to memory of 4060	3440	cmd.exe	108
PID 3440 wrote to memory of 4060	3440	cmd.exe	108
PID 3440 wrote to memory of 4060	3440	cmd.exe	108
PID 1756 wrote to memory of 1000	1756	msedge.exe	116
PID 1756 wrote to memory of 1000	1756	msedge.exe	116
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117
PID 1756 wrote to memory of 828	1756	msedge.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
"C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Windows Defender" /tr '"C:\Users\Admin\AppData\Roaming\Windows Defender.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp74F1.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3176
  - - C:\Users\Admin\AppData\Roaming\Windows Defender.exe
      "C:\Users\Admin\AppData\Roaming\Windows Defender.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3284
- C:\Users\Admin\AppData\Local\Temp\Start.exe
  "C:\Users\Admin\AppData\Local\Temp\Start.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1000
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp828E.tmp.bat""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:740
  - - C:\Users\Admin\AppData\Roaming\System32.exe
      "C:\Users\Admin\AppData\Roaming\System32.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4060
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "System32"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7548
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /delete /f /tn "System32"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4046.tmp.bat""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7716
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb7b1b46f8,0x7ffb7b1b4708,0x7ffb7b1b4718
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:7252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1912 /prefetch:1
  2⤵
  PID:7924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2592 /prefetch:1
  2⤵
  PID:8172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,1454900413534590013,11415056990834033905,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5668 /prefetch:2
  2⤵
  PID:7428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fb705ea5c1b86a01ea2107394b993ccb

SHA1
00801046366a27fbe6e4798e7941a3c7a478bb72

SHA256
832ce15c5024dec2d56cd9617e77f64486ce854823016ca8230e8c4e2dcbd6bf

SHA512
e4dd58de27c52fdb49f8d8f801a8f1976d67ce1aaf801e8a815b84df0958f01e8ef103f2e2c2e55a812d3970e7324790e152487b1d63f2451a2bf43ba5e0e98d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
64d67b7742bbe4e0bd80a48323ea8de2

SHA1
59c041a7ee4ad2fa1687710ac51ad4996e14af69

SHA256
913b8bef3e731ffb0a4cea4859a0fc2c515c0b56c53408616a05eef4d2ea2924

SHA512
11d65ce9c645637dd6c48eba722c6d69bd6efcb4f55570d1ed6fa478a3146661357b026a1475ebb45a5f5af5ae6446a6ca1fed662603547c66382ae0169ce91e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
471B

MD5
b97254242718187742be4da3cd348c5f

SHA1
9b6366d58c65b0330b3c1dc6febf83cf2cf1da30

SHA256
d6559a6c6aaf1b9858e759af027d859b83a18babdebe09939f05efda49cc4b92

SHA512
d5d5dad0e65fc190000309338bb4e359cdc80d27ac15d6b940c3e054cdc98018d125a52db4c8eed9e2c6c472c496dee2982f114b9fc6a5bfd4edcd578c8e664a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9b8027e9f584744ad463335dd2d2c11d

SHA1
edef8e31cb92fe003bf6f0df81f0e059f4e51667

SHA256
a63d56d7db923a15fef13a508256c2380d1ab80e19bbe4906d8c8d9b82ddade4

SHA512
42586ca2581dc19335da9e3d0aef7983f624f0302f8ebec776e6fa30398795811e6433c1d1cb78838a846c501f0081d59d2c73c0d57566362528d0210eb3ac81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bb1f18aedb94be1c4a2bf1d1565f4fbc

SHA1
cb80bb8cda470dcd20233114bb6f5eb40225b7e2

SHA256
931af1a0cf2f7869757e2f09f2887913f963d474402552aa628b28dbf013e4b7

SHA512
0d8d11ef748300b0709d1e9355c5b42a51ce6e31cce8d482eebd0d573d90704cfb0f2f16c4c3cae0ac8d8eef5c4931a4f0047bb4cfeff2654a03ff8c11be764e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
920f383c1c937577faae1fc08d6d3958

SHA1
c1176869ad0253fb7d8480ae1236be4b53c05ce4

SHA256
665c6042f2990d258d6a7dec3bfe55b037861528daa3156d41c8ee62ce76679e

SHA512
eed67e80c22c1741b7b8d7c8ce5270e149314e9eb974457196e861e6801ad8f68ca9053aff948506e517cb200900df16fd182b810fe10eab6012729f8d9a52c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a7f651660d2e89eb6ae181885bc0c2a4

SHA1
da3e82ab55534019eb317cf51971f9d35bdba3e6

SHA256
cd8391e838a163476cd1c4e80f319f947a80bf91ee4c880f98ef99546b7fe00c

SHA512
3d72c07488076e305d95cf5619777a1d7fc2e7df84379bbaa30f7bc9d165a3873a50276c6e9563ca7f63d79157d97352d481a7c81b99b2a3d8d55d261367808a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
63KB

MD5
aba726ec9183c855cfa084ee66f49f7f

SHA1
f12f9cf0920b0d3a76bb16027539ba0c13da035d

SHA256
fb680425e6edc0fa4d2fe526cd78d6ec69683fcafe57744993c8b7192b2c0a71

SHA512
a03a1c596e9570c6766d051d76e1a14894852cfa3889dd567f9e187be1055a49479355b8ed3a876a2934308aac945b232c1b206664614b66791ed0cc1f0b5c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start.exe

Filesize
45KB

MD5
b733e729705bf66c1e5c66d97e247701

SHA1
25eec814abdf1fc6afe621e16aa89c4eb42616b9

SHA256
9081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023

SHA512
09b59b8942c1409a03ca4e7f77c6007160af4d557386b766516dba392750869c017d0fd5d6fbbfcbb3e559a70ad42adcb498595df186be180cfc04e921d74320

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4046.tmp.bat

Filesize
157B

MD5
67f8df0c20f4d49c71a1867b1a89f2c8

SHA1
d227491c0466db40dcf014e7dad76b3ad53f6b15

SHA256
94937fe9d654390101bc344ae1e10ca13f02322f25813c2c91c63b99d0badd99

SHA512
d89a194785091c3def6012f704b967f61b9a2f9488aa6c9fda6d1a36e67ff3bc1fa95bab340b38c3366ffc1a1fa6fa5de75449adc449085a46e024182e99efa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp74F1.tmp.bat

Filesize
160B

MD5
b41822ab417039eb9f4661fcdc82dcb0

SHA1
4fcd071ecfec7c19be56a5b647ce11660328b6a2

SHA256
f79bb007154eec18621e3105e34624ebb4994bfb37d4680e4c95f8984999b160

SHA512
939cb302977d37e8120094d59fba7c81bfd689d2c3cf3ea5988a1b5efeefd813e5b0bf9526132f21c2f2800c5f0e086b2bd02155dcfe5b785491a5d80c71b514

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp828E.tmp.bat

Filesize
152B

MD5
072d722726887eaa4922cd3b2bf20093

SHA1
919916c1fc22e187ff6a607dcdc1c3feecef900b

SHA256
9e5fc812d19cd7e5214d1f842c9d8f8157727f2ea7b90eb52a6a336f85c20dd9

SHA512
43f2a620e46b65fdedf5d4e373928c855a01b6e304347e6e9a3937e3e6cccb64ea0141e90b6cf8d9755124b2d3c45f2d30149ef7c5b1200ec0befb253c086267

Download Submit
memory/400-40-0x0000000004B00000-0x0000000004B9C000-memory.dmp

Filesize
624KB

Download
memory/400-28-0x0000000000110000-0x0000000000122000-memory.dmp

Filesize
72KB

Download
memory/400-27-0x000000007530E000-0x000000007530F000-memory.dmp

Filesize
4KB

Download
memory/2796-33-0x00007FFB80F40000-0x00007FFB81A01000-memory.dmp

Filesize
10.8MB

Download
memory/2796-24-0x00007FFB80F40000-0x00007FFB81A01000-memory.dmp

Filesize
10.8MB

Download
memory/2796-22-0x0000000000A70000-0x0000000000A86000-memory.dmp

Filesize
88KB

Download
memory/3284-355-0x000000001B970000-0x000000001B9A4000-memory.dmp

Filesize
208KB

Download
memory/3284-354-0x00000000013C0000-0x00000000013DE000-memory.dmp

Filesize
120KB

Download
memory/3284-353-0x0000000001370000-0x00000000013A4000-memory.dmp

Filesize
208KB

Download
memory/3284-352-0x000000001B8F0000-0x000000001B966000-memory.dmp

Filesize
472KB

Download
memory/4060-52-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/4060-51-0x0000000006120000-0x00000000066C4000-memory.dmp

Filesize
5.6MB

Download
memory/4060-338-0x0000000007840000-0x00000000078A4000-memory.dmp

Filesize
400KB

Download
memory/4060-56-0x0000000007210000-0x00000000072A2000-memory.dmp

Filesize
584KB

Download
memory/4060-53-0x0000000006D90000-0x0000000006E06000-memory.dmp

Filesize
472KB

Download
memory/4060-54-0x0000000006D10000-0x0000000006D78000-memory.dmp

Filesize
416KB

Download
memory/4060-55-0x0000000006E40000-0x0000000006E5E000-memory.dmp

Filesize
120KB

Download
memory/4896-0-0x00007FFB80F43000-0x00007FFB80F45000-memory.dmp

Filesize
8KB

Download
memory/4896-36-0x00007FFB80F40000-0x00007FFB81A01000-memory.dmp

Filesize
10.8MB

Download
memory/4896-11-0x00007FFB80F40000-0x00007FFB81A01000-memory.dmp

Filesize
10.8MB

Download
memory/4896-1-0x0000000000090000-0x00000000000A6000-memory.dmp

Filesize
88KB

Download