asyncrat | hxxps://github[.]com/anonyketa?tab=repositories

Analysis

max time kernel
57s
max time network
56s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26-12-2024 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/anonyketa?tab=repositories

Score

10^/10

asyncrat stormkitty xworm default discovery rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Attributes

Install_directory
%LocalAppData%
install_file
USB.exe
pastebin_url
https://pastebin.com/raw/ZnhxAV6a
telegram
https://api.telegram.org/bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot7538644364:AAHEMV7mmxz6PSRgzo0ORf3_n0BaazmrAqk/sendMessage?chat_id=7541917888

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d72-425.dat	family_xworm
behavioral1/memory/2704-476-0x0000000000300000-0x000000000032A000-memory.dmp	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d73-454.dat	family_stormkitty
behavioral1/memory/4760-481-0x0000000000E60000-0x0000000000E9E000-memory.dmp	family_stormkitty

Stormkitty family
stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0007000000023d73-454.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	msedge.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msedge.lnk	msedge.exe

Executes dropped EXE 4 IoCs

pid	Process
2704	msedge.exe
4760	svchost.exe
4272	msedge.exe
4412	svchost.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 8 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\716fafadea665d6706541b10a55f556b\Admin@GLZCSNLK_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\716fafadea665d6706541b10a55f556b\Admin@GLZCSNLK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\716fafadea665d6706541b10a55f556b\Admin@GLZCSNLK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\716fafadea665d6706541b10a55f556b\Admin@GLZCSNLK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\716fafadea665d6706541b10a55f556b\Admin@GLZCSNLK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\716fafadea665d6706541b10a55f556b\Admin@GLZCSNLK_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Local\716fafadea665d6706541b10a55f556b\Admin@GLZCSNLK_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Local\716fafadea665d6706541b10a55f556b\Admin@GLZCSNLK_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	svchost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
74	pastebin.com
75	pastebin.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4660	cmd.exe
1484	netsh.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4856	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2704	msedge.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
1488	msedge.exe
1488	msedge.exe
3748	msedge.exe
3748	msedge.exe
4756	identity_helper.exe
4756	identity_helper.exe
2928	msedge.exe
2928	msedge.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
2704	msedge.exe
2704	msedge.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe
4760	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	msedge.exe
Token: SeDebugPrivilege	4760	svchost.exe
Token: SeDebugPrivilege	4412	svchost.exe
Token: SeDebugPrivilege	4272	msedge.exe
Token: SeDebugPrivilege	2704	msedge.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe
3748	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2704	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3748 wrote to memory of 4648	3748	msedge.exe	83
PID 3748 wrote to memory of 4648	3748	msedge.exe	83
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 3952	3748	msedge.exe	84
PID 3748 wrote to memory of 1488	3748	msedge.exe	85
PID 3748 wrote to memory of 1488	3748	msedge.exe	85
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86
PID 3748 wrote to memory of 1844	3748	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/anonyketa?tab=repositories
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1b3f46f8,0x7ffd1b3f4708,0x7ffd1b3f4718
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,13501218981858224904,12566648435922560486,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,13501218981858224904,12566648435922560486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,13501218981858224904,12566648435922560486,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13501218981858224904,12566648435922560486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13501218981858224904,12566648435922560486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13501218981858224904,12566648435922560486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,13501218981858224904,12566648435922560486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13501218981858224904,12566648435922560486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13501218981858224904,12566648435922560486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13501218981858224904,12566648435922560486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13501218981858224904,12566648435922560486,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,13501218981858224904,12566648435922560486,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,13501218981858224904,12566648435922560486,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,13501218981858224904,12566648435922560486,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1128

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3676

C:\Users\Admin\Downloads\exm\EXMservice.exe
"C:\Users\Admin\Downloads\exm\EXMservice.exe"
1⤵
PID:3092
- C:\Users\Admin\msedge.exe
  "C:\Users\Admin\msedge.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2704
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4856
- C:\Users\Admin\svchost.exe
  "C:\Users\Admin\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4660
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:3664
  - - C:\Windows\SysWOW64\netsh.exe
      netsh wlan show profile
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1484
  - - C:\Windows\SysWOW64\findstr.exe
      findstr All
      4⤵
      PID:3164

C:\Users\Admin\Downloads\exm\EXMservice.exe
"C:\Users\Admin\Downloads\exm\EXMservice.exe"
1⤵
PID:3116
- C:\Users\Admin\msedge.exe
  "C:\Users\Admin\msedge.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4272
- C:\Users\Admin\svchost.exe
  "C:\Users\Admin\svchost.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\716fafadea665d6706541b10a55f556b\Admin@GLZCSNLK_en-US\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\716fafadea665d6706541b10a55f556b\Admin@GLZCSNLK_en-US\System\Process.txt

Filesize
4KB

MD5
d786be61b671a9c710e4ca46ff3913d9

SHA1
d259efb7eb7405e8ba6536837c2807707adf537b

SHA256
0f5f975d71071384ba04d8148f29cfc84dcb09ae7e1d6c8b2dec150f76c6d234

SHA512
f7e5a1fb9d37171fcbca68db922eb87955dde25a477d1fd81e7d0ab59b303ad4693f4da9e9ba87da3067927cab3187fc75ab79f4efea97187fc284955e865473

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\EXMservice.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
18KB

MD5
7d54dd3fa3c51a1609e97e814ed449a0

SHA1
860bdd97dcd771d4ce96662a85c9328f95b17639

SHA256
7a258cd27f674e03eafc4f11af7076fb327d0202ce7a0a0e95a01fb33c989247

SHA512
17791e03584e77f2a6a03a7e3951bdc3220cd4c723a1f3be5d9b8196c5746a342a85226fcd0dd60031d3c3001c6bdfee0dcc21d7921ea2912225054d7f75c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a04c28b0b29ef760a0a244b1f9cb7907

SHA1
070c4a632ff0ead6ce2481698fa1f9d73e358cc9

SHA256
97123248353d04ab39a69f7fb41b3d6ea6f1b5978368c567a97298d3d57407c5

SHA512
14c61ff3e66c162952515668b3b07b0e98235abb6802822726a49f8a6ae7a6c1d0b183d8b1406aff8b0180ca89c38afa289db0bfa5311e06c14ec7f627c03d37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
5dc7e2e718987afd1093350029307852

SHA1
3b4a77d95ce81ddba4c8d6bb73fded79c172b839

SHA256
8ac980d306b92594802a6d3f2768b4182bad2cca6fc322c3bbc2c61e23720183

SHA512
3a536dd020774de5c9874cae3bf0fbbc685fbfb768a2056e89271a1b2e06de6b85cbf78a63fbb41ff1a6f7f66562f0caa1dbb75023b4bce2d27fcd29678441fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
00aee4e471af5b975e22b448693257b0

SHA1
253562429b8244f97af3cf652e31a009ce41ef82

SHA256
6dd003146a975ef4d0307f0392b34456c8e491b0741d309ac9dcd60f8e2c376c

SHA512
9f21bc9d4fc6078150eacc5a7dfcf490f5a8646796ae754578a3ea61b219c39b53508ac048601c9a1f1878f1ee7fdd804c15197d964da63057c93409eb6864b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
e6b1131bd12b144ccca82eaf1fa1eb67

SHA1
9d62e88036ce97c8a84482880527623e8c99ae0a

SHA256
951e6b430cc3789ad14c7d5d31496f4ae41e2d7fd64ebcaa905e25e896ddd879

SHA512
7686e7974da3b8a4079c5644d192451b50141e1218b3e8eea9be0b933a40a53bd88215c40a9d85b28f4172dcba56062bda3907b4ba59b76d765b0c31de54090d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
17355f1de68e3e6ffbdb55bf29e80b4f

SHA1
82c7b6e1e0bfca4c9e48abc4a284d6a74886f9e0

SHA256
4ab2b1544826322c27a77d548166b8fdaf143cbfd18ebd406ac29a064c55998b

SHA512
ce8c77da7d7566f370e8b66fda145ad5a9d7381b30c821b3870d3208850482c7094a7b3ea7df617a7936f1e1ba025befde5587085745a0270d56fcaddd7fb836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
be8708cee1ca6714844a60d03529b0b0

SHA1
de1203a94bfc9aff2555385ea3469675b8a28245

SHA256
f58b7e7d864273a7c67d9dc82f10ed130ade988355dd8b03f5bff6ab584d6660

SHA512
09eb3b5e89b219fb7b76d9191a47e40500928045ceb1ebbfae3ac00842e16b4cc6bd49d2df2d80f218b35f1dd2a65f51bc81766c0f7067cdd99235b9d18893ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a326692a18bf39c9c4d767ae46efe422

SHA1
f5b8e88d2b6d5291eef55221e1bb228fa48db66d

SHA256
31389c2a10a12c0a33a93e1cb61c364cc4d6fe2e3288b535244c4465b40bf2dd

SHA512
e97d6760bc7cdb0ba8399a2f3747a24078f7d7b92b17ecfd809c23915e300de246a68ac45f8eb621bd6784f403bbbcd17567ef4dbc9826ce5c8e97d0cd31d120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0332e400f0212b02a9a95ef840900d3b

SHA1
1f143c8cbef74edb7823c9e58b8d96d9518c18a5

SHA256
82b7826042ed9a73595f2ba808ff9b6beacfc5131a70a7c25b1a35e7126f92ba

SHA512
2f73eacec188b503b9d6e96d508411a7cc3dd9c09e5d674fc36f2b12aa705ad9f57ab12b0ad78441c56bed7c8d1c89942289724b58d0141a845de5f648662711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
f276874360b4a5aadae21f25a735e254

SHA1
4d124408f209169add1eb63445991db7d7646e35

SHA256
83f88ac1145f1c1febc14fc9a6457d899cc8185439677da63d12a63202bad746

SHA512
6a7cdbc9d1c5bacb7cfeab6d289b16936b2ae08baa4fe3462d13a5d9d2fd9c7eb7d9029e9d78f68e3186993103588bfdefbb535a0b2e56e9bd0a914e84fd110a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
948154e5451cadca72453d1b84a75b19

SHA1
36bf647e089b4cd66cc4c28573e0912e77d5e72a

SHA256
78e671702dfc30c016c507952317191b8409a6811b8bcdff63e5672f7cc52a86

SHA512
d314a8f4d8c23682df666cd43a00de4478cf2ff772bae5ea3bc0a2bf999a22f97410ea3a1c201b965d33b37a15f2a7e94ea7f0ca92bfd7cc803ca9352b62dc3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58296c.TMP

Filesize
701B

MD5
38c2468ed175e025a7747bf1aa688d71

SHA1
831eae31e7164be32520928db3b254b92463c394

SHA256
536899684db2e1c761c97b56f4d63aa6e60d690407a7acb70dff8ac7198af5a3

SHA512
b0dc9002d6047a88f42d37823bca135814458eff1e6aa6fa1a927f2c6cb263de20f367eb97dff88717915b38ea4f15ab2a5a03b8aee598145339598be925f8ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
362fb4da060dd26a4d12cab781af8cfa

SHA1
a2957f9639b2380bdef27f8a867bfe0fd6e68ea2

SHA256
17ba0ae76b68896ee558858afafd16d26e53fc4d5fa12e6d50584a6ef6c22fb2

SHA512
0c4f73401b588d58d9105239ff9abb1dd24e93ee993b415393566a6bb58843f445fcf6243fc6caabd1f8646592678e9d669072f37633dd055f4c4464ea36c57b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d55efbd0d1a5071669b4d224e89476f3

SHA1
28114d9abf86e005ae93faa59d333eaaa8b1edf2

SHA256
4d496a1129ff2fddb62869a55f8fe1458de79769ed7a3e4392da6ef8290a2ead

SHA512
b40472f48b914194704dda26b1306f7316fc205f266bc4e4c7c8ea5956afe1d0d533b6dc3737d2eff48cec2bb772de9cc0ae6a4345114b3b6bfe66d8e5c5ac65

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 458783.crdownload

Filesize
13.3MB

MD5
57a6527690625bea4e4f668e7db6b2aa

SHA1
c5799fd94999d128203e81e22c6d9fdb86e167ee

SHA256
076e01b09f9c5cccc273b2f7dfa1a1efccc1a8e8ebf98a7eee756024b93bad17

SHA512
d86c7f79989eb0781e15f8631048506ffab338f933ddfedbcc2c7464447770beaf21b7ed3cba2ebb97be5ffdc9a450f2df2e2313efaeb8e8101f2ee53c066e4e

Download Submit
C:\Users\Admin\msedge.exe

Filesize
146KB

MD5
f1c2525da4f545e783535c2875962c13

SHA1
92bf515741775fac22690efc0e400f6997eba735

SHA256
9e6985fdb3bfa539f3d6d6fca9aaf18356c28a00604c4f961562c34fa9f11d0f

SHA512
56308ac106caa84798925661406a25047df8d90e4b65b587b261010293587938fa922fbb2cfdedfe71139e16bfcf38e54bb31cbcc00cd244db15d756459b6133

Download Submit
C:\Users\Admin\svchost.exe

Filesize
226KB

MD5
1bea6c3f126cf5446f134d0926705cee

SHA1
02c49933d0c2cc068402a93578d4768745490d58

SHA256
1d69b5b87c4cd1251c5c94461a455659febb683eab0ebd97dd30da2319ffc638

SHA512
eb9f423f6adb5e686a53f5f197e6b08455f8048d965a9ec850838fdf4724ef87f68945c435ace5a48a9a7226006a348e97586335d0246ea0dc898a412dea5df3

Download Submit
memory/2704-476-0x0000000000300000-0x000000000032A000-memory.dmp

Filesize
168KB

Download
memory/3092-420-0x00000000008E0000-0x0000000000946000-memory.dmp

Filesize
408KB

Download
memory/4760-481-0x0000000000E60000-0x0000000000E9E000-memory.dmp

Filesize
248KB

Download
memory/4760-482-0x0000000005D70000-0x0000000005DD6000-memory.dmp

Filesize
408KB

Download
memory/4760-652-0x00000000068E0000-0x0000000006972000-memory.dmp

Filesize
584KB

Download
memory/4760-653-0x0000000006F30000-0x00000000074D4000-memory.dmp

Filesize
5.6MB

Download