asyncrat | hxxps://cas5-0-urlprotect[.]trendmicro[.]com/wis/clicktime/v1/query?url=https%3a%2f%2fdocs[.]google[.]com%2fuc%3fexport%3ddownload%26id%3d1WzgwW-oHUQ-jD5xuUngYVv8tCotgsKES&umid=d0735f25-ada1-11ef-90ed-6045bd047a68&auth=2877182e97994b86f9bf77cfc08cae9153406ffd-08f672a1222e37f5f5aee50340e112dc61adb309

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02/12/2024, 19:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cas5-0-urlprotect.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fdocs.google.com%2fuc%3fexport%3ddownload%26id%3d1WzgwW-oHUQ-jD5xuUngYVv8tCotgsKES&umid=d0735f25-ada1-11ef-90ed-6045bd047a68&auth=2877182e97994b86f9bf77cfc08cae9153406ffd-08f672a1222e37f5f5aee50340e112dc61adb309

Score

10^/10

asyncrat xxx discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

XXX

94.103.125.231:2626

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Executes dropped EXE 1 IoCs

pid	Process
3808	SE EMITE AUDIENCIA CONCENTRADA; BAJO EL RADICADO. 00322-2024..exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cylance = "C:\\Users\\Admin\\Videos\\Cylance\\Bin\\Cylance.exe"	SE EMITE AUDIENCIA CONCENTRADA; BAJO EL RADICADO. 00322-2024..exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3808 set thread context of 4120	3808	SE EMITE AUDIENCIA CONCENTRADA; BAJO EL RADICADO. 00322-2024..exe	128

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SE EMITE AUDIENCIA CONCENTRADA; BAJO EL RADICADO. 00322-2024..exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2368	msedge.exe
2368	msedge.exe
2500	msedge.exe
2500	msedge.exe
1812	identity_helper.exe
1812	identity_helper.exe
1376	msedge.exe
1376	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	4196	7zG.exe
Token: 35	4196	7zG.exe
Token: SeSecurityPrivilege	4196	7zG.exe
Token: SeSecurityPrivilege	4196	7zG.exe
Token: SeDebugPrivilege	4120	csc.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
4196	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe
2500	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 3672	2500	msedge.exe	85
PID 2500 wrote to memory of 3672	2500	msedge.exe	85
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 316	2500	msedge.exe	86
PID 2500 wrote to memory of 2368	2500	msedge.exe	87
PID 2500 wrote to memory of 2368	2500	msedge.exe	87
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88
PID 2500 wrote to memory of 2104	2500	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cas5-0-urlprotect.trendmicro.com/wis/clicktime/v1/query?url=https%3a%2f%2fdocs.google.com%2fuc%3fexport%3ddownload%26id%3d1WzgwW-oHUQ-jD5xuUngYVv8tCotgsKES&umid=d0735f25-ada1-11ef-90ed-6045bd047a68&auth=2877182e97994b86f9bf77cfc08cae9153406ffd-08f672a1222e37f5f5aee50340e112dc61adb309
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdcff346f8,0x7ffdcff34708,0x7ffdcff34718
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14700253287792450346,14318139431903916559,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,14700253287792450346,14318139431903916559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,14700253287792450346,14318139431903916559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14700253287792450346,14318139431903916559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14700253287792450346,14318139431903916559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14700253287792450346,14318139431903916559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14700253287792450346,14318139431903916559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,14700253287792450346,14318139431903916559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14700253287792450346,14318139431903916559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14700253287792450346,14318139431903916559,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14700253287792450346,14318139431903916559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14700253287792450346,14318139431903916559,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,14700253287792450346,14318139431903916559,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  PID:1676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,14700253287792450346,14318139431903916559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,14700253287792450346,14318139431903916559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,14700253287792450346,14318139431903916559,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5408 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4848

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap30625:182:7zEvent526
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4196

C:\Users\Admin\Downloads\SE EMITE AUDIENCIA CONCENTRADA; BAJO EL RADICADO. 00322-2024..exe
"C:\Users\Admin\Downloads\SE EMITE AUDIENCIA CONCENTRADA; BAJO EL RADICADO. 00322-2024..exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:3808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
886B

MD5
112d21b78de46f94a83bc5bbbe6146ae

SHA1
49e94f3599a79fdb0ee1b67fabf70cb60ee787b7

SHA256
924766c08884e3507ce088313fcefedd4caa7d62473b566b0a677487298ae378

SHA512
69a7ae89ceb665f19ce1ae60329b7720586df0ba37a33a5e91d8bf66e9a6cad8e68d9cf0d8c3bdcc57308431e276f5c25c2f4e32bd68611506d189802089b54b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
78025a698235d96082aa98aca53945d2

SHA1
3f03e8f7c67411b021b8aef0902b623549c131a7

SHA256
06ff00476bca37f643e0fcc62ba6ff11d3f9c723cf0b11e518f8207c61c43248

SHA512
41160680f48be10a3f1c3f0e30b931771363800496d59d2da310853113a9f74e32a94b0001f776d7adccc6982369f03d09120ae2e6717a2b9a2e0268b8da8997

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c937877b5c6b4eb52452659c85f25904

SHA1
8a9ae7b0bcd8b428e144f3a1e34be196bc854fef

SHA256
6b5fbad2060ae86af2a6c86827788ef4e1289aede6662edf6c86421760ee000a

SHA512
b865f81e2c84abbe9bc4dc51886cd4aefec49fdb3882c401b590be9294b63e0fd1f207f42a0901972c360b4032175a3e9066d2f1005136d11a0b4031ccd767d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ed687bc8252d9123556b7372dd38ce2f

SHA1
70998524141d60fe9ded4248b83cdb1968d1c773

SHA256
2c5dbe2598bbf1b140a1fd16346e49f231910f5f44f0fc5173f55f75688da2fb

SHA512
ac35eaac25e98f0df062a0fc51f8f4dfe0030e720f3280304de4230bb08c617388ec4a67bdd7808612fbbd140e4f38fa7617c07c7fc6d5d4c3e3d2d780df204c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a42e375584e8fd405c5bdd36eaf6310b

SHA1
e8fa166cadbecdc4823a1102e8d21d986a74569b

SHA256
47d07d301d90a5969e313f50201285bf9c0d24077b5efa7c7a0ab536842dfb2d

SHA512
06045ac559b18c2e3a87cb6352eab94dddbacbfdeff2b9acc736b7989b02468c64772855445ab598bf2696785f98db833b569fcb4cad97df21df469c50651aab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3779f5dca1ae6b1abd41fe9fddce2ef9

SHA1
1d7d3f41480105e9c1ba183625e43a6848f32bd4

SHA256
133e188e628c56e3dc8897636fca5f551afaa1c714bdf057111c3d9af84228ed

SHA512
b11dd005b55b9dc81819b3dcb038e010234d2fe840bd03e9798051b46c48e65b79721d25d0dbad1e883317ff4634749b89158c8f3887c79e39759ede6774a39d

Download Submit
C:\Users\Admin\Downloads\SE EMITE AUDIENCIA CONCENTRADA; BAJO EL RADICADO. 00322-2024..exe

Filesize
1.4MB

MD5
12e5a3588230ef734189a61a3463c6d7

SHA1
bdc2f9b4584bc3501e6895610b453411e334cacd

SHA256
70feac3064249f2c3773ed2a044cb9f6e644961fe8f51e9c742d2979c6e562a3

SHA512
189da1c8642f44c68df44fb656d25bb463866fbfdfd95474b9e7007a98aa62e507d019a95b7a57bfed04566fb98aa3f5f6c8bf90420cc56aa6c4d3a348c6caa0

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 890542.crdownload

Filesize
673KB

MD5
30c747954b25f174ca158158a71a406f

SHA1
1ead3b4f2d42c5f0031deefd16cd2f6681a3cd1b

SHA256
e76ac5275cfb5d83d23972c7b45ef64b0c0ce5061cbcf5320cc1cb64c439b243

SHA512
1716f9051d8e4130de5e8bb9603819e13c377a77a908968bcfe456475a907bbeb1e51c823137cf8340a40c806c4bdfeae51ec13e968564fab89e220ed30cba64

Download Submit
memory/3808-90-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3808-91-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3808-92-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3808-94-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3808-93-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3808-97-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/3808-96-0x0000000000400000-0x0000000000577000-memory.dmp

Filesize
1.5MB

Download
memory/4120-95-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/4120-100-0x0000000005BA0000-0x0000000006144000-memory.dmp

Filesize
5.6MB

Download
memory/4120-101-0x0000000005660000-0x00000000056C6000-memory.dmp

Filesize
408KB

Download
memory/4120-99-0x0000000005550000-0x00000000055EC000-memory.dmp

Filesize
624KB

Download