asyncrat | hxxps://file[.]io/qCegzn2Srcu4

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://file.io/qCegzn2Srcu4

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

legsl91IxOzv

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000023d5d-186.dat	family_asyncrat

Executes dropped EXE 8 IoCs

pid	Process
400	namamatiputaka.exe
4940	namamatiputaka.exe
1644	namamatiputaka.exe
3880	namamatiputaka.exe
3480	namamatiputaka.exe
4392	namamatiputaka.exe
1532	namamatiputaka.exe
3948	namamatiputaka.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	namamatiputaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	namamatiputaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	namamatiputaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	namamatiputaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	namamatiputaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	namamatiputaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	namamatiputaka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	namamatiputaka.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 619863.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2164	msedge.exe
2164	msedge.exe
5088	msedge.exe
5088	msedge.exe
4644	identity_helper.exe
4644	identity_helper.exe
4208	msedge.exe
4208	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe
5088	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5088 wrote to memory of 5112	5088	msedge.exe	83
PID 5088 wrote to memory of 5112	5088	msedge.exe	83
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 1600	5088	msedge.exe	84
PID 5088 wrote to memory of 2164	5088	msedge.exe	85
PID 5088 wrote to memory of 2164	5088	msedge.exe	85
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86
PID 5088 wrote to memory of 824	5088	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://file.io/qCegzn2Srcu4
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd480846f8,0x7ffd48084708,0x7ffd48084718
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2316 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6452 /prefetch:8
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4208
- C:\Users\Admin\Downloads\namamatiputaka.exe
  "C:\Users\Admin\Downloads\namamatiputaka.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:400
- C:\Users\Admin\Downloads\namamatiputaka.exe
  "C:\Users\Admin\Downloads\namamatiputaka.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4940
- C:\Users\Admin\Downloads\namamatiputaka.exe
  "C:\Users\Admin\Downloads\namamatiputaka.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1644
- C:\Users\Admin\Downloads\namamatiputaka.exe
  "C:\Users\Admin\Downloads\namamatiputaka.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,14408821380031978359,10908972377741955187,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=212 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1724

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:820

C:\Users\Admin\Downloads\namamatiputaka.exe
"C:\Users\Admin\Downloads\namamatiputaka.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3480

C:\Users\Admin\Downloads\namamatiputaka.exe
"C:\Users\Admin\Downloads\namamatiputaka.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4392

C:\Users\Admin\Downloads\namamatiputaka.exe
"C:\Users\Admin\Downloads\namamatiputaka.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1532

C:\Users\Admin\Downloads\namamatiputaka.exe
"C:\Users\Admin\Downloads\namamatiputaka.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\namamatiputaka.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
237c24d4ad4e5de29f8789f3110b109e

SHA1
b6d7168e3ac74c14635a10f229ab4e7dfbfae53b

SHA256
ad94ae8d8bc9003f9c964cdeededec754fee65c2fd4f9f0b56926f28a63d42de

SHA512
35a8bd809a8f98577061c317d48c7f79b803f373a793ec061942a421c6224a2492a9971c2e22922b77aa15a317078f521c5c5af375fd197d35b89f935aacc8c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
a553451dcb1531e6583462de08b92329

SHA1
dc517adbbe020e74b035f8de381de2145c8a03a8

SHA256
403a65e5adf7d44b8590d6f382c439c3ad63b29667a63cf660ec7b995c31c832

SHA512
98e3faaf1eeb7fb259d842c610eec7a1543de7383a9786182581f55449009a939f15664bfa4e303592dd7c8a37b9b83dd33578f63e5bbf56d3652748c1be2b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
39ad3972bb0fb8c3e3fa26272bfb0813

SHA1
3db74d6432eb70bbd231eb931c48aac1c2c8516a

SHA256
2f4a62b5fb9e807f383944434e2bfb936ef2b17181740a07f2a62bea6e589ccb

SHA512
06f3fc4d2f5dd620fc237074b90d06269c9bba8dfe326ff7209a0df55eb5357268b5a8266eb991c6e61554116d214be107fba80a969974758d08b9a428eeb41d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
4538afaade7985ae773f0695ba5fdd1a

SHA1
286ad31fb36cb1f7a761468b283fae93317bafed

SHA256
082dd7022be9562172a2c7eac4642dae3f075362f7de909233bd934f6e57b924

SHA512
d5568768226fd9442e17d66032b5d9d61fb82d7651ca58ebd5007bca8f02759b29371ea8dd6ae86f466e266ad73357f35849e93baa4c78b97d295abc6dd23074

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
3e926e71ee04e1125a22005ad80128d7

SHA1
5f24eedf5f295a8ae93acdf8431c6fb7b7ded3aa

SHA256
88a2cbde7ad9aa0224cb2968dec0498aa337dc20200fd2bfcd551e4258500b60

SHA512
df6167c1f18bdc4d15f8121752877c57e7cf1401fafc06982af27bea57322d6da995534ebf493198c740a996334a850ca111c1b099994c43991e972cf95a3d49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
225676615d630d4c6ce5ba5a095100cb

SHA1
d8075a7bb227169bf91931a0f5a0687c1213dd8b

SHA256
b2a8885b24b95b2e099a1461d3421e1783d4dc42aaf4e19a9a2b1b307d18f362

SHA512
9f7871fadc62ee5e4b0406b43ec4f2cd0ee23b0a63d1417d1464307fd61d1ea0ab9e28bbd292f0687e9b8618b5f0966aff336fb5a62bd416e9aca86dd9848271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58123b.TMP

Filesize
2KB

MD5
3d63cead69ead9dd55ca839aa80de95c

SHA1
ccb63f274bb79ae79277031730b3f3d55dd92c4c

SHA256
961ae1e166019cd6dd52838b9f5eb49020adf4f7cf2629c6e6f1dcbabad391be

SHA512
2f4fb6171dd3772c968e7c46891c8d453d5858b612bab4f6658be584be4411568e32a7d3fea6a9a8515e9809b74a4694255eb4caa7d530077d443445274665ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5b108442633c4289117099fbbc2abc31

SHA1
19813510afc86917bd033d463477657c9a16aed2

SHA256
b4ef850f7de12f065c332e90dcf0bb29063a41d075536931929c9f1312e53c6d

SHA512
fb255b5c9558f839a8d40d2a132272e2d0096d815bc45daacc11101a05894655075e896af80732238a9a65d2a91ff3218132976dafeb5094624b53230d4aef16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ab654f51c8def87a17e22b42f53dbd45

SHA1
3fbc47174e426e0d37cc6ec51bcf03751f927911

SHA256
0aa49105ed36c68c6f52da88d6f401ed7662339cd4b6a2b87389b2672574c02b

SHA512
b72f64734fccf9af9d556c2d1e44f28d4db83ef3bd599d7dea0552cf821945530cffd9ef4d1407da73f98ede22fbb35c514a7a9dd8c5d74d04bd334e957e8926

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 619863.crdownload

Filesize
45KB

MD5
3a7b2b9ffa8da24f652f03d8dbe70f56

SHA1
70c41c07f4faf57d22cf8afb1b16969a184aa4ce

SHA256
eb285ee4e6f0917ba1929fe2b35dc8227a80754101de9a87ec2ab9a6436ef097

SHA512
ab89bb6aef8a3eab8f3e24236945b9068f240fb9f0256569ce2fbd473164f1d55c49ef098aa2cc8d40099ceaf7acf6515dc53216a51465f5ddc62d14403be635

Download Submit
memory/400-278-0x0000000000110000-0x0000000000122000-memory.dmp

Filesize
72KB

Download