asyncrat | 7a46dd663f8ebdf8650db27f2c2f96f2b7c84ead71e885b5dbdcae88fd1ef3b8

Analysis

max time kernel
270s
max time network
269s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Infected.exe
Size

63KB
MD5

07d4d7c92ca5211fd77e688d769a6495
SHA1

130414013920da27a5bd0cb24ab56e6a5594c3aa
SHA256

7a46dd663f8ebdf8650db27f2c2f96f2b7c84ead71e885b5dbdcae88fd1ef3b8
SHA512

e47e940ce8a577de3a831d07a75bf91b5828c5b15d99a893c2866876f7f5c324f870bf3472a02b25a1b4850c456c69f88a03a195183e4dc0365e147ff2c9b2fe
SSDEEP

768:spDxI6PfZ778/IC8A+X3uazcBRL5JTk1+T4KSBGHmDbD/ph0oXwjtoc9SuEdpqKX:+62ZBwdSJYUbdh9wmxuEdpqKmY7

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

loans-merchant.gl.at.ply.gg:50335

Attributes

delay
1
install
true
install_file
System32.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023c89-10.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Infected.exe

Executes dropped EXE 1 IoCs

pid	Process
4900	System32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2496	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
2728	Infected.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe
4900	System32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	Infected.exe
Token: SeDebugPrivilege	4900	System32.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 3940	2728	Infected.exe	83
PID 2728 wrote to memory of 3940	2728	Infected.exe	83
PID 2728 wrote to memory of 4440	2728	Infected.exe	85
PID 2728 wrote to memory of 4440	2728	Infected.exe	85
PID 4440 wrote to memory of 2496	4440	cmd.exe	87
PID 4440 wrote to memory of 2496	4440	cmd.exe	87
PID 3940 wrote to memory of 1436	3940	cmd.exe	88
PID 3940 wrote to memory of 1436	3940	cmd.exe	88
PID 4440 wrote to memory of 4900	4440	cmd.exe	89
PID 4440 wrote to memory of 4900	4440	cmd.exe	89
PID 1172 wrote to memory of 3492	1172	msedge.exe	117
PID 1172 wrote to memory of 3492	1172	msedge.exe	117
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 3576	1172	msedge.exe	118
PID 1172 wrote to memory of 4820	1172	msedge.exe	119
PID 1172 wrote to memory of 4820	1172	msedge.exe	119
PID 1172 wrote to memory of 4960	1172	msedge.exe	120
PID 1172 wrote to memory of 4960	1172	msedge.exe	120
PID 1172 wrote to memory of 4960	1172	msedge.exe	120
PID 1172 wrote to memory of 4960	1172	msedge.exe	120
PID 1172 wrote to memory of 4960	1172	msedge.exe	120
PID 1172 wrote to memory of 4960	1172	msedge.exe	120
PID 1172 wrote to memory of 4960	1172	msedge.exe	120
PID 1172 wrote to memory of 4960	1172	msedge.exe	120
PID 1172 wrote to memory of 4960	1172	msedge.exe	120
PID 1172 wrote to memory of 4960	1172	msedge.exe	120

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Infected.exe
"C:\Users\Admin\AppData\Local\Temp\Infected.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3940
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "System32" /tr '"C:\Users\Admin\AppData\Roaming\System32.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1436
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8CDE.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2496
- - C:\Users\Admin\AppData\Roaming\System32.exe
    "C:\Users\Admin\AppData\Roaming\System32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe693d46f8,0x7ffe693d4708,0x7ffe693d4718
  2⤵
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 /prefetch:8
  2⤵
  PID:3264
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3764 /prefetch:8
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,15822107948240797770,5104615785319804869,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4408 /prefetch:2
  2⤵
  PID:2208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1008B

MD5
d48570814ed15a907060ef069f77edd5

SHA1
de392f8b4c5aec68dc0d7c98d6906527664da15a

SHA256
ef8b98fb048781a1c0362f34a4f75fcbc54dcfed75041f5e3595a07ec3f22860

SHA512
5a3edae40aad865bb1a74ec785457310438dbcb92dc653f664825fc5637246719e3c66247113db57d3fefa6c75fc1b7536c7908fa5dc4a6cb78c08daa9aa11db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
402B

MD5
54c1d311012f48e50ac72e9b0d6b8e71

SHA1
2a7569f5395a1efd20d031ed5e65c424b2e89861

SHA256
a69b42b2df74adb169138aab69eca376a5148930e440e90d8a57404069b6f38a

SHA512
9d1fa30376fa78197ae987410687c80463b5dbf518b7b789de8ec6809f58d3800033cd5c55a9573fcd842d656e7ead6ffb0f63841374e058558ae3ddc7f762f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7e66260e84f057fe079db2ce097d9a7e

SHA1
e52da929c766eeea7d43869cfca6de2779193d45

SHA256
a9c0d2b3fb8d3e094514aa4cf0414bab064b583dd0ea7feada027d98b8883498

SHA512
ba8fa5758299a1099435034e6e53a437bc1525ee7d6ce8765825913cedf384b3ae804bbf6579f4056b295a90a71009953f503b77940b7b61573477d1cfc7b62c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cf84c03818471b4d62845e120f080af2

SHA1
befe787db8a6e8e57482c6f58751c5d97187c700

SHA256
84b0e55d4bbfefa9f791ede17d7a977b33a7e2187bda4e7e12bd0221c05d3bec

SHA512
5b969a2aa193a49fccadb6f100fca9144d54b174bccf876d6e348bcd4da4fcefec04eb501ba22eeaf5cff15782cfd3430851567607d9fe84d646579bdd0821d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2125141ed18b6d5bdefc7d60a8eeaf06

SHA1
f5d0e498145f4653993e7365accc3849796bfcec

SHA256
d931b3197fb89cb3cd20b00b0e48b0315132262643b24d6c4583265a7929792b

SHA512
ca6cd11e235d4ab4858daec772e827ec1c0a0f65ec3d34bdcb658ecf6102d00b19e702dfab24d6f388698b51009e9dd87cfd8bcaa526e9d51af469b5404ff79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8CDE.tmp.bat

Filesize
152B

MD5
635d3cbc0a85fcb690596ab00a8e4c75

SHA1
d39cc8f566fc32477ee6774e823e515ed90e9bfc

SHA256
2ac7b0b516168ae02e06a77edb40759f235e2dc67e1e38b75813df82f35fb320

SHA512
655fa952c86d55c176d7e45fb00d7b066cbb7c343fd97a554f91e97f3b0d29cbf863c93d8cabca9f4ccb83e80174f49720dbe04a1fe3d4cc1827f1cdc56ef811

Download Submit
C:\Users\Admin\AppData\Roaming\System32.exe

Filesize
63KB

MD5
07d4d7c92ca5211fd77e688d769a6495

SHA1
130414013920da27a5bd0cb24ab56e6a5594c3aa

SHA256
7a46dd663f8ebdf8650db27f2c2f96f2b7c84ead71e885b5dbdcae88fd1ef3b8

SHA512
e47e940ce8a577de3a831d07a75bf91b5828c5b15d99a893c2866876f7f5c324f870bf3472a02b25a1b4850c456c69f88a03a195183e4dc0365e147ff2c9b2fe

Download Submit
memory/2728-0-0x00007FFE6D833000-0x00007FFE6D835000-memory.dmp

Filesize
8KB

Download
memory/2728-7-0x00007FFE6D830000-0x00007FFE6E2F1000-memory.dmp

Filesize
10.8MB

Download
memory/2728-2-0x00007FFE6D830000-0x00007FFE6E2F1000-memory.dmp

Filesize
10.8MB

Download
memory/2728-1-0x0000000000360000-0x0000000000376000-memory.dmp

Filesize
88KB

Download