asyncrat | hxxps://gofile[.]io/d/Qjlpag

Resubmissions

13-12-2024 22:41

241213-2mda9askej 3

13-12-2024 22:38

241213-2knzzaskbj 10

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-12-2024 22:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/Qjlpag

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

193.161.193.99:3333

81.51.33.42:3333

Mutex

coebhqhymsl

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000023cc5-207.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
5616	Windows.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5024	msedge.exe
5024	msedge.exe
3576	msedge.exe
3576	msedge.exe
1052	identity_helper.exe
1052	identity_helper.exe
1896	msedge.exe
1896	msedge.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe
5616	Windows.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
6108	OpenWith.exe
5344	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeRestorePrivilege	3240	7zG.exe
Token: 35	3240	7zG.exe
Token: SeSecurityPrivilege	3240	7zG.exe
Token: SeSecurityPrivilege	3240	7zG.exe
Token: SeDebugPrivilege	5616	Windows.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3240	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe
3576	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
532	OpenWith.exe
5616	Windows.exe
6108	OpenWith.exe
5344	OpenWith.exe
5344	OpenWith.exe
5344	OpenWith.exe
5344	OpenWith.exe
5344	OpenWith.exe
5344	OpenWith.exe
5344	OpenWith.exe
5344	OpenWith.exe
5344	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3576 wrote to memory of 4204	3576	msedge.exe	83
PID 3576 wrote to memory of 4204	3576	msedge.exe	83
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 1968	3576	msedge.exe	84
PID 3576 wrote to memory of 5024	3576	msedge.exe	85
PID 3576 wrote to memory of 5024	3576	msedge.exe	85
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86
PID 3576 wrote to memory of 4476	3576	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/Qjlpag
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd504946f8,0x7ffd50494708,0x7ffd50494718
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4112 /prefetch:8
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,15893136976654423224,5912388420371644795,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5256 /prefetch:2
  2⤵
  PID:5156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1036

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap12867:86:7zEvent8804
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Stealer Luna\setup.bat" "
1⤵
PID:5320
- C:\Windows\system32\cacls.exe
  "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
  2⤵
  PID:5452
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c where python
  2⤵
  PID:5468
- - C:\Windows\system32\where.exe
    where python
    3⤵
    PID:5488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Stealer Luna\run.bat" "
1⤵
PID:5524
- C:\Users\Admin\Downloads\Stealer Luna\Windows.exe
  Windows.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5616

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6108

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Stealer Luna\version.txt
1⤵
PID:2372

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e55832d7cd7e868a2c087c4c73678018

SHA1
ed7a2f6d6437e907218ffba9128802eaf414a0eb

SHA256
a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574

SHA512
897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c2d9eeb3fdd75834f0ac3f9767de8d6f

SHA1
4d16a7e82190f8490a00008bd53d85fb92e379b0

SHA256
1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66

SHA512
d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
f295a4d542b2ba599a1d6354e8a7bcc9

SHA1
a38a3b45a82723d5d2efd1a681a62a3561adba3c

SHA256
6bf978d90656c20c990349bf326cb223f799e6d6f3962c293166c48478669244

SHA512
fc69f7deb47c70628ec31ffc45caf853893b9cb312b5f3f464266b3e891796e63c7afa13abe52a2fd4da0bf8208747f6c56add86916c9fbfd8d8d89535be8c6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
7db3dfbd3824847e38299e19ed495db8

SHA1
fbb346a0b070d472e259af72e5e8452bcb8b5cf7

SHA256
0e7ef01600508d4133a35436c94acac7aca6b400da7e200cd857f4c7cf1d4aba

SHA512
748a46889be2bcac7080c21c63c954df22d8bac7cc40c5e69f1d017d9bb6b27900843853f51f4d18465cef196187e969406c89d11820cd80edb515ad6a1cadf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3181427bd435f9e0337b43b3c80b7ff4

SHA1
30807df8015b5b06764fdf06256219dc168152f6

SHA256
8100b4c50d818ebbabc88181355f7e3dc0787349baf7a506c0f0173c93472314

SHA512
3b274db66a9ecd1573753669b79193792589fcc43c4531ed0625819ea3aa2f6c97a723d936ae43f0ce70b240b49b17e5d96257a3f9ddc7339749f98ab30ee14a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9912a7f75ea5d68c75fa4ff4b8bed777

SHA1
fa60ec28b6eda6a79926ea25ebf795adc90ee34c

SHA256
4213fba802eeaf6b3f27296a064f54733c42b1d2299158398f3bb413d1177e3d

SHA512
95b18749ecb3e5c3ccc499793f4136bab79ae62a74101cba91415d417277356a0511e4d1cfb90baa32b7406d0a98045d5012edfb6e9ff62ef995f238b6c81e84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d7293a62e4004dd42231850bb8936c43

SHA1
1dbf8605695e512faad87f4d2364d9706058c4c0

SHA256
cf85502f8101c54dd0c97d861f74b74498932ee46384bd91ba67de4bd2db08b5

SHA512
09758011eced61fad81f5dc98be732305e25c66f22e399fd0514ca40a56dc60d6330f7ca8c6ea8d0e3b6862e8eda5d84ed789fe6826b3d0f064a3a8fcb99068e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3a01835cfe06015b55602e06e67d6a65

SHA1
ed5f851c85620e1bdf563d5a9eb6c846cf73c679

SHA256
4d92f92e3e04b1da013f9bccfa282c1590bdba15023781a87bd2bb73fc2382cc

SHA512
3d93c0038ea6be856317f4907e3a85df0a7ad9669272efeb5dbdf695d7113f994400e8a65832204469f3fc842b1a314a28d59dfbbd05a5b656dfd204958b5fec

Download Submit
C:\Users\Admin\Downloads\Stealer Luna.rar

Filesize
111KB

MD5
c05c06166e97efc8f7b2f8895843acbe

SHA1
5164026a2c604afe5948f8e7a31b9062247b7946

SHA256
7f91afc66ce86b80e8c00f0d587ec70144fd4c726294af723cfa25a7f4dbf691

SHA512
492189ef22380880f5adc693deab0f9804caf0c9c8258e729e88b6280434c31f1b5f4b388d68e20fb05dac8eea4673e4a833e591e0a13c7413233f426a205b53

Download Submit
C:\Users\Admin\Downloads\Stealer Luna\Windows.exe

Filesize
74KB

MD5
bf10762955e08becb327393349375d89

SHA1
a87bd6c812825761f1ba31eeb481e37bd3bfd1b4

SHA256
80e566ed129fb51dc641794e2afca3601e2e2b2e79e304d4c82c39e030201287

SHA512
74401b13ff0842481a44de32324adbdfa7fd6273e6760e74e35debdcf349bd497005a651d1b44f9289169aab1ca8f176e5007f144fa1fc629ef5b7d6ea9d2ef4

Download Submit
C:\Users\Admin\Downloads\Stealer Luna\run.bat

Filesize
27B

MD5
93563ca9357bf4f7b6fba1d2017b3b57

SHA1
ba3cbf1f6c87006fc71be2b692c725bc14642c55

SHA256
9052c9bd8d646b778dd15070f80ecb9e1d959aec585b97a62c8e3b0eaea501ed

SHA512
3b73fca9d877e8d8d9522c73561eeb713121424a5ff70eaca9e5f6fb3e53d3319abf0b72bd5c890c58c972e31d7ea9881380d0138db7cd00c3f8caa44dcb8d3f

Download Submit
C:\Users\Admin\Downloads\Stealer Luna\setup.bat

Filesize
2KB

MD5
5a2fca3a6ca8837f9506fc813d724cec

SHA1
4e91f260f161cc07259d6d2dd208dbdc6b3b8908

SHA256
f4bbde069306e022e851c9e8fe1daa7d178ff7d83515c4dc3aa45c454d6b58c3

SHA512
fa543f87d38f68cc9acc00cf65d18e03fba6a61fa229ef436f41d4b79a9fa81e17eeb5fbfa84756c9fc6b482d9e9ea64979e7c13055e44f7857a1fac30c8b5ab

Download Submit
C:\Users\Admin\Downloads\Stealer Luna\version.txt

Filesize
1KB

MD5
d120bd362d78f5948e3284dd2dfc005c

SHA1
f9055da4911f1b03ddcbf36db8930b11aba6720a

SHA256
eb924ec331353a23de481b3e9caa4d5fd9e17c49893419e03fe85c1e9c78c47a

SHA512
fbb7f2c78e5cf1d8385dcad53877c5a2f2919769f9c2535065d5c7035cbf4ab95fbec1a9607062f9a5011ee0c6af3a2c49b9984129010dc4e0fa10f96fccb1ba

Download Submit
memory/5616-209-0x0000000000D80000-0x0000000000D98000-memory.dmp

Filesize
96KB

Download
memory/5616-244-0x000000001C6A0000-0x000000001C716000-memory.dmp

Filesize
472KB

Download
memory/5616-245-0x0000000002F40000-0x0000000002F50000-memory.dmp

Filesize
64KB

Download
memory/5616-246-0x000000001BE80000-0x000000001BE9E000-memory.dmp

Filesize
120KB

Download