asyncrat | hxxps://gofile[.]io/d/0Pr3r7

Analysis

max time kernel
145s
max time network
155s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
01-01-2025 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/0Pr3r7

Score

10^/10

asyncrat default defense_evasion discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:7000

127.0.0.1:56924

147.185.221.245:7000

147.185.221.245:56924

Mutex

sdfgw3r4eg24qedwf

Attributes

delay
1
install
true
install_file
WinReg32.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001a00000002ab62-70.dat	family_asyncrat

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
4352	work.exe
4936	WinReg32.exe
1512	work.exe
1544	work.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\work.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3800	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 827796.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\work.exe:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4220	schtasks.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
1176	msedge.exe
1176	msedge.exe
3864	msedge.exe
3864	msedge.exe
1232	msedge.exe
1232	msedge.exe
3668	identity_helper.exe
3668	identity_helper.exe
4540	msedge.exe
4540	msedge.exe
4352	work.exe
4352	work.exe
4352	work.exe
4352	work.exe
4352	work.exe
4352	work.exe
4352	work.exe
4352	work.exe
4352	work.exe
4352	work.exe
4352	work.exe
4352	work.exe
4352	work.exe
4352	work.exe
4352	work.exe
4352	work.exe
4352	work.exe
4936	WinReg32.exe
4936	WinReg32.exe
4936	WinReg32.exe
4936	WinReg32.exe
4936	WinReg32.exe
4936	WinReg32.exe
4936	WinReg32.exe
4936	WinReg32.exe
4936	WinReg32.exe
4936	WinReg32.exe
4936	WinReg32.exe
388	msedge.exe
388	msedge.exe
388	msedge.exe
388	msedge.exe
4936	WinReg32.exe
4936	WinReg32.exe
4936	WinReg32.exe
4936	WinReg32.exe
4936	WinReg32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4352	work.exe
Token: SeDebugPrivilege	4936	WinReg32.exe
Token: SeDebugPrivilege	1512	work.exe
Token: SeDebugPrivilege	1544	work.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe
3864	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4936	WinReg32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3864 wrote to memory of 2968	3864	msedge.exe	77
PID 3864 wrote to memory of 2968	3864	msedge.exe	77
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 3612	3864	msedge.exe	78
PID 3864 wrote to memory of 1176	3864	msedge.exe	79
PID 3864 wrote to memory of 1176	3864	msedge.exe	79
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80
PID 3864 wrote to memory of 3916	3864	msedge.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/0Pr3r7
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbea2c3cb8,0x7ffbea2c3cc8,0x7ffbea2c3cd8
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2040 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4540
- C:\Users\Admin\Downloads\work.exe
  "C:\Users\Admin\Downloads\work.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "WinReg32" /tr '"C:\Users\Admin\AppData\Roaming\WinReg32.exe"' & exit
    3⤵
    PID:3000
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "WinReg32" /tr '"C:\Users\Admin\AppData\Roaming\WinReg32.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.bat""
    3⤵
    PID:1144
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:3800
  - - C:\Users\Admin\AppData\Roaming\WinReg32.exe
      "C:\Users\Admin\AppData\Roaming\WinReg32.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:4936
- C:\Users\Admin\Downloads\work.exe
  "C:\Users\Admin\Downloads\work.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1512
- C:\Users\Admin\Downloads\work.exe
  "C:\Users\Admin\Downloads\work.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1896,17509800224689798878,9901840878078666081,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6524 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\work.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
826c7cac03e3ae47bfe2a7e50281605e

SHA1
100fbea3e078edec43db48c3312fbbf83f11fca0

SHA256
239b1d7cc6f76e1d1832b0587664f114f38a21539cb8548e25626ed5053ea2ab

SHA512
a82f3c817a6460fd8907a4ac6ab37c2129fb5466707edcfb565c255680d7f7212a5669fe2a42976150f16e4e549ea8310078f22ed35514ee1b7b45b46d8cc96e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
02a4b762e84a74f9ee8a7d8ddd34fedb

SHA1
4a870e3bd7fd56235062789d780610f95e3b8785

SHA256
366e497233268d7cdf699242e4b2c7ecc1999d0a84e12744f5af2b638e9d86da

SHA512
19028c45f2e05a0cb32865a2554513c1536bf9da63512ff4e964c94a3e171f373493c7787d2d2a6df8012648bbefab63a9de924f119c50c39c727cf81bdc659f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\67205c17-5bf7-42a0-a9d1-e619f596ea15.tmp

Filesize
6KB

MD5
ef6f9fb6730f73185d69e18bf002dba1

SHA1
31e7c5082d5ed4203f3fb1a748c4f78f38ea714e

SHA256
eeb7ab6bebf56da34e6869121f689fbee3f83309e056e5e92344539be7c5af77

SHA512
fcae06c2ea742a89bdf194d63aba2f28c19e4210ef62997c5f0aec3f35f212d7f4b41e65981c9e9eaa643c6fea090b50be43a3feea2eba44700785e4704291d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
f4d9483dbd504947817029fb29865878

SHA1
45aec1fe378a1b201786aba8c672ed336d348b06

SHA256
85abc70827fac524203aa9573fbf78c8714947d812233f7409625b68682f0a36

SHA512
a5a70ee3b979c3f60d1522f4f85f64a4fc6536a9ddb3fc15ab5787737f38c6099603f350c6c4088a7c00e9847acb4dc3c05cd7d91105ccdde699f9a50737f013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
b15ca352a2f208a7f0fcce0996404cb7

SHA1
c4bbe66ab7d727e190e511b276b25a52d7d41df5

SHA256
21f7392ea9180d4bfaa71f853089c07c2d2023604274f4ad8790ec7308343959

SHA512
d00a1135f39eb765f53c55ec2e99683863c610404617e6c0fd41a1f4f7fffacb22ce22cc887ca4a70989491a643d764c2306c8a77302f5f98402278e3e466f85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b2299379d58691695717b52fec52fe74

SHA1
cfd8bcc1889dd72c939cc6bb32630faf9dd2149a

SHA256
9bdc93db3efe07942d454c29ef4986c6c75902f4f2a27ebdc9afed33ec5c0525

SHA512
9a7a95470fd311cffb1de1047401ffdd39b2408d027db3c8083c158f929dbbb9af8477ba0fdc4b141f2bc258a1f209e636914f833ff695415e3104bc54890af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6963a6d78f04dbfed4ad8f10a50d10c0

SHA1
3c6c444230a2e36f0c5872a34be75e4adcff1ab8

SHA256
f6a62c75a1f9fab9bfdf92e4a55bf57fceb79298440d1e8f1bf539a99a5b1590

SHA512
b18794f608fca6fa0efeffdfda3831157c367f32a6ae02081423bf5b285ebd7950d5b230cc99ca24122230ad48e052af8292d36f04d5679fb48de7b1b7e97bb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
73118ba7995951b9443a1173f8054263

SHA1
8073e9bd2b9743489b51980506501e7b0ddb8131

SHA256
2a3ddddf6446f6ff4d5888dc800c2fcbab01c138252ae6368e63aff335ac856b

SHA512
90e6dc78d1f0fcbe47b18b5215870ea614456b7376f414f9158347add27fc6b9596414833ef173d7675a8e680f635d1acd2f509341ec58edb0adc16cd615754e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCEC.tmp.bat

Filesize
151B

MD5
60e35d4e674c5d22d79b412a943e108a

SHA1
aa18bf3262592768289f23646bd01ed149b5c3a9

SHA256
5f106baabb4da8b838585c23ffed4f173ff39bab3bf1cbbf0507e514b1922cff

SHA512
4c5036f450a307b0fa1c9a3cc8977a2caf10783a241017eb5b7f781a6819fc09109d6a66172a7e41acce11061efade04fd4afc7dc189f8a795e4b798601de904

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 827796.crdownload

Filesize
74KB

MD5
4f6cec5e87b5c6fa80b8826b2d525b62

SHA1
9d7a03abb8942ad6fce2d37fff715e14ba79f2b6

SHA256
53768ef1583ebe90054010d6b67a15b9f3cbab78250cddbdf0e45f4ada422711

SHA512
23889e35d8e04be1a99a3c70ffd678c74471bb7d41e91d49adfbfc4c148d5c6df4cd31a301efde5de5b5c46bff97c8a9e796709055f322f6527df7bcdeb5766c

Download Submit
C:\Users\Admin\Downloads\work.exe:Zone.Identifier

Filesize
151B

MD5
d6efac1fa9278aca304f878c954b375d

SHA1
ea14a52e57a618a814c1f6f3fe618f96155f8d29

SHA256
8f7ebd07d9f1e3191a13960b6c61f9fc9bf708b7e661dd7308ffd326e7b2e44d

SHA512
8755c9e6d78adb40f673bb16afafbd6f178393c8107cda833ab3bff2efb74b2c1bf2c5154f80b4d87e00e20ed27462cf1dfce197471c18fdc6576ca708e7494e

Download Submit
memory/4352-105-0x00000000007D0000-0x00000000007E8000-memory.dmp

Filesize
96KB

Download