asyncrat | 0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021c

Analysis

max time kernel
115s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.exe
Size

2.3MB
MD5

8b6a57a8a3855b86a441a639a752ba00
SHA1

0d17b1246374b7932f011c98c4fbb0f2a4f5efdf
SHA256

0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021c
SHA512

4fbcfecfad061142789f1195eeff4a927184abaca6d26155ea9ff428c08e1557a34181f19b8313e46b273e99a4ff97b268c85252f1a0911bb71d450cf7f83738
SSDEEP

49152:QhU1VeVUW8Ia/cGlnFQh+iSehfxmumKNRh2VSvuPC1YHsDWMHGVa526:weCa/BFKd3g4b20vpWMKir

Score

10^/10

asyncrat venomrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

v1.2.2

Botnet

Default

27.124.6.137:13651

Mutex

oayguxqwqnan

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/2012-94-0x0000000002F50000-0x0000000002F62000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2012-94-0x0000000002F50000-0x0000000002F62000-memory.dmp	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp

Executes dropped EXE 5 IoCs

pid	Process
1144	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp
2800	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp
2008	msedgewebview2.exe
3660	msedgewebview2.exe
1964	msedgewebview2.exe

Loads dropped DLL 13 IoCs

pid	Process
1144	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp
1144	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp
2800	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp
2800	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp
2008	msedgewebview2.exe
3660	msedgewebview2.exe
2012	regsvr32.exe
1964	msedgewebview2.exe
1060	regsvr32.exe
4200	regsvr32.exe
792	regsvr32.exe
1312	regsvr32.exe
4244	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
392	powershell.exe
5112	powershell.exe
4000	powershell.exe
2548	powershell.exe
232	powershell.exe
4124	powershell.exe
2212	powershell.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
3392	tasklist.exe
3936	tasklist.exe
316	tasklist.exe
4152	tasklist.exe
4264	tasklist.exe
3540	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2800	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp
2800	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp
4000	powershell.exe
4000	powershell.exe
2548	powershell.exe
2548	powershell.exe
2012	regsvr32.exe
2012	regsvr32.exe
2012	regsvr32.exe
2012	regsvr32.exe
2012	regsvr32.exe
2012	regsvr32.exe
2012	regsvr32.exe
2012	regsvr32.exe
2012	regsvr32.exe
2012	regsvr32.exe
2012	regsvr32.exe
232	powershell.exe
232	powershell.exe
4124	powershell.exe
4124	powershell.exe
2212	powershell.exe
2212	powershell.exe
392	powershell.exe
392	powershell.exe
5112	powershell.exe
5112	powershell.exe
2012	regsvr32.exe
2012	regsvr32.exe
2012	regsvr32.exe
2012	regsvr32.exe
2012	regsvr32.exe
2012	regsvr32.exe
2012	regsvr32.exe
2012	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeIncreaseQuotaPrivilege	4000	powershell.exe
Token: SeSecurityPrivilege	4000	powershell.exe
Token: SeTakeOwnershipPrivilege	4000	powershell.exe
Token: SeLoadDriverPrivilege	4000	powershell.exe
Token: SeSystemProfilePrivilege	4000	powershell.exe
Token: SeSystemtimePrivilege	4000	powershell.exe
Token: SeProfSingleProcessPrivilege	4000	powershell.exe
Token: SeIncBasePriorityPrivilege	4000	powershell.exe
Token: SeCreatePagefilePrivilege	4000	powershell.exe
Token: SeBackupPrivilege	4000	powershell.exe
Token: SeRestorePrivilege	4000	powershell.exe
Token: SeShutdownPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeSystemEnvironmentPrivilege	4000	powershell.exe
Token: SeRemoteShutdownPrivilege	4000	powershell.exe
Token: SeUndockPrivilege	4000	powershell.exe
Token: SeManageVolumePrivilege	4000	powershell.exe
Token: 33	4000	powershell.exe
Token: 34	4000	powershell.exe
Token: 35	4000	powershell.exe
Token: 36	4000	powershell.exe
Token: SeIncreaseQuotaPrivilege	4000	powershell.exe
Token: SeSecurityPrivilege	4000	powershell.exe
Token: SeTakeOwnershipPrivilege	4000	powershell.exe
Token: SeLoadDriverPrivilege	4000	powershell.exe
Token: SeSystemProfilePrivilege	4000	powershell.exe
Token: SeSystemtimePrivilege	4000	powershell.exe
Token: SeProfSingleProcessPrivilege	4000	powershell.exe
Token: SeIncBasePriorityPrivilege	4000	powershell.exe
Token: SeCreatePagefilePrivilege	4000	powershell.exe
Token: SeBackupPrivilege	4000	powershell.exe
Token: SeRestorePrivilege	4000	powershell.exe
Token: SeShutdownPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeSystemEnvironmentPrivilege	4000	powershell.exe
Token: SeRemoteShutdownPrivilege	4000	powershell.exe
Token: SeUndockPrivilege	4000	powershell.exe
Token: SeManageVolumePrivilege	4000	powershell.exe
Token: 33	4000	powershell.exe
Token: 34	4000	powershell.exe
Token: 35	4000	powershell.exe
Token: 36	4000	powershell.exe
Token: SeIncreaseQuotaPrivilege	4000	powershell.exe
Token: SeSecurityPrivilege	4000	powershell.exe
Token: SeTakeOwnershipPrivilege	4000	powershell.exe
Token: SeLoadDriverPrivilege	4000	powershell.exe
Token: SeSystemProfilePrivilege	4000	powershell.exe
Token: SeSystemtimePrivilege	4000	powershell.exe
Token: SeProfSingleProcessPrivilege	4000	powershell.exe
Token: SeIncBasePriorityPrivilege	4000	powershell.exe
Token: SeCreatePagefilePrivilege	4000	powershell.exe
Token: SeBackupPrivilege	4000	powershell.exe
Token: SeRestorePrivilege	4000	powershell.exe
Token: SeShutdownPrivilege	4000	powershell.exe
Token: SeDebugPrivilege	4000	powershell.exe
Token: SeSystemEnvironmentPrivilege	4000	powershell.exe
Token: SeRemoteShutdownPrivilege	4000	powershell.exe
Token: SeUndockPrivilege	4000	powershell.exe
Token: SeManageVolumePrivilege	4000	powershell.exe
Token: 33	4000	powershell.exe
Token: 34	4000	powershell.exe
Token: 35	4000	powershell.exe
Token: 36	4000	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2800	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2012	regsvr32.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3364 wrote to memory of 1144	3364	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.exe	84
PID 3364 wrote to memory of 1144	3364	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.exe	84
PID 3364 wrote to memory of 1144	3364	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.exe	84
PID 1144 wrote to memory of 2708	1144	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp	85
PID 1144 wrote to memory of 2708	1144	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp	85
PID 1144 wrote to memory of 2708	1144	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp	85
PID 2708 wrote to memory of 2800	2708	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.exe	86
PID 2708 wrote to memory of 2800	2708	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.exe	86
PID 2708 wrote to memory of 2800	2708	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.exe	86
PID 2800 wrote to memory of 2008	2800	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp	87
PID 2800 wrote to memory of 2008	2800	0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp	87
PID 2008 wrote to memory of 4000	2008	msedgewebview2.exe	88
PID 2008 wrote to memory of 4000	2008	msedgewebview2.exe	88
PID 2008 wrote to memory of 3660	2008	msedgewebview2.exe	91
PID 2008 wrote to memory of 3660	2008	msedgewebview2.exe	91
PID 3660 wrote to memory of 2548	3660	msedgewebview2.exe	92
PID 3660 wrote to memory of 2548	3660	msedgewebview2.exe	92
PID 3660 wrote to memory of 316	3660	msedgewebview2.exe	94
PID 3660 wrote to memory of 316	3660	msedgewebview2.exe	94
PID 3660 wrote to memory of 2012	3660	msedgewebview2.exe	96
PID 3660 wrote to memory of 2012	3660	msedgewebview2.exe	96
PID 1964 wrote to memory of 232	1964	msedgewebview2.exe	106
PID 1964 wrote to memory of 232	1964	msedgewebview2.exe	106
PID 1964 wrote to memory of 4152	1964	msedgewebview2.exe	108
PID 1964 wrote to memory of 4152	1964	msedgewebview2.exe	108
PID 1964 wrote to memory of 1060	1964	msedgewebview2.exe	110
PID 1964 wrote to memory of 1060	1964	msedgewebview2.exe	110
PID 1964 wrote to memory of 4124	1964	msedgewebview2.exe	111
PID 1964 wrote to memory of 4124	1964	msedgewebview2.exe	111
PID 1964 wrote to memory of 4264	1964	msedgewebview2.exe	113
PID 1964 wrote to memory of 4264	1964	msedgewebview2.exe	113
PID 1964 wrote to memory of 4200	1964	msedgewebview2.exe	115
PID 1964 wrote to memory of 4200	1964	msedgewebview2.exe	115
PID 1964 wrote to memory of 2212	1964	msedgewebview2.exe	116
PID 1964 wrote to memory of 2212	1964	msedgewebview2.exe	116
PID 1964 wrote to memory of 3540	1964	msedgewebview2.exe	118
PID 1964 wrote to memory of 3540	1964	msedgewebview2.exe	118
PID 1964 wrote to memory of 792	1964	msedgewebview2.exe	120
PID 1964 wrote to memory of 792	1964	msedgewebview2.exe	120
PID 1964 wrote to memory of 392	1964	msedgewebview2.exe	121
PID 1964 wrote to memory of 392	1964	msedgewebview2.exe	121
PID 1964 wrote to memory of 3392	1964	msedgewebview2.exe	123
PID 1964 wrote to memory of 3392	1964	msedgewebview2.exe	123
PID 1964 wrote to memory of 1312	1964	msedgewebview2.exe	125
PID 1964 wrote to memory of 1312	1964	msedgewebview2.exe	125
PID 1964 wrote to memory of 5112	1964	msedgewebview2.exe	126
PID 1964 wrote to memory of 5112	1964	msedgewebview2.exe	126
PID 1964 wrote to memory of 3936	1964	msedgewebview2.exe	128
PID 1964 wrote to memory of 3936	1964	msedgewebview2.exe	128
PID 1964 wrote to memory of 4244	1964	msedgewebview2.exe	130
PID 1964 wrote to memory of 4244	1964	msedgewebview2.exe	130

C:\Users\Admin\AppData\Local\Temp\0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.exe
"C:\Users\Admin\AppData\Local\Temp\0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3364
- C:\Users\Admin\AppData\Local\Temp\is-H8I6Q.tmp\0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-H8I6Q.tmp\0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp" /SL5="$C01DA,1999995,141312,C:\Users\Admin\AppData\Local\Temp\0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1144
- - C:\Users\Admin\AppData\Local\Temp\0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.exe
    "C:\Users\Admin\AppData\Local\Temp\0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Admin\AppData\Local\Temp\is-103H0.tmp\0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-103H0.tmp\0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp" /SL5="$701C2,1999995,141312,C:\Users\Admin\AppData\Local\Temp\0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\\NVIDIA app\\488\\msedgewebview2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2008
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C008736B-068D-4B6E-9350-4ECCB6742D2E}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4000
      - C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedgewebview2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3660
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C008736B-068D-4B6E-9350-4ECCB6742D2E}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2548
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq regsvr32.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:316
        
        C:\Windows\system32\regsvr32.exe
        
        "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedge_elf.dll"
        7⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:2012

C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedgewebview2.exe
"C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedgewebview2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C008736B-068D-4B6E-9350-4ECCB6742D2E}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:232
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:4152
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:1060
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C008736B-068D-4B6E-9350-4ECCB6742D2E}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4124
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:4264
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:4200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C008736B-068D-4B6E-9350-4ECCB6742D2E}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:3540
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:792
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C008736B-068D-4B6E-9350-4ECCB6742D2E}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:392
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:3392
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:1312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{C008736B-068D-4B6E-9350-4ECCB6742D2E}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:5112
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:3936
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:4244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fee026663fcb662152188784794028ee

SHA1
3c02a26a9cb16648fad85c6477b68ced3cb0cb45

SHA256
dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

SHA512
7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5cff7d9254adee1ffe916c065e79fd5a

SHA1
235bef9f4dcac09e6815425c8b96126e40a0c25b

SHA256
05c6f5ca7e5d93e85df9c44a65e9b9095d21cf3e132287b0996db23be83eb36e

SHA512
83b736cf455e44acf3a1aa2fd0e4eb10183beee85579c862cc90762dd1a89cb70e8bda5b62d98340624fe208c15280c5881fccb6e441ed34298d2f31a118f0e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f54d80e9f1fadc3bcd439a5afb11f61f

SHA1
c751131196cacbf248b0278e2dd8ff59e49d5385

SHA256
495d7c5fb521935fdd34065b6041bbb7df83e2d6e0ba4dab9a9ab528ced8175a

SHA512
3d9dce58f6483795cdd440d17bc80d19a53512bc65e44bc50af878af2f1b85419f7ae0fda264da63a0d8b4b5bf27715258990a37ad17a6d1afbfe20fd92ab534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f25c85b2bb354d280391b5de0f2e74e6

SHA1
8255ba9443f52eaee33c1483e4b00217bcc0bed6

SHA256
59d0837a17ff3728035f1b7d7a6be1410cb76796ad4e9c261ec5334d751a8f3b

SHA512
927c91edc8ae45c3136ba2bf5cf640abaabd08472f390cebaf1f1edcf084217ed370bbcebf675010a207ebed1105ff6fd02c4865848f3180a6cc616d3b56b2e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2ac3c9ba89b8c2ef19c601ecebb82157

SHA1
a239a4b11438c00e5ff89ebd4a804ede6a01935b

SHA256
3c2714ce07f8c04b3f8222dfe50d8ae08f548b0e6e79fe33d08bf6f4c2e5143e

SHA512
b1221d29e747b37071761b2509e9109b522cce6411f73f27c9428ac332d26b9f413ae6b8c0aeac1afb7fab2d0b3b1c4af189da12fe506287596df2ef8f083432

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aiojyutn.jzh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-H8I6Q.tmp\0842370177abe09ebf9df068a902969bef897b1ca6d3e691493f35fddea6021cN.tmp

Filesize
1.1MB

MD5
8fdc58c7d4c59472615682d6dea9d190

SHA1
8e131fe09fd238493719b4fd92e6c833bf3596c1

SHA256
26a5be637ee680b1ec11d1adf2fd0972cc52078cbd200d9273f8bb826707c83b

SHA512
b05b9fd8ff3d627b562cbd2968466fb54adbc2fa5591ebe803300a3c5ef7887bc1761d8013b47aab0f5387265c8b7b15078a01abb75d4c3180671780181ebe24

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J20KA.tmp\_isetup\_isdecmp.dll

Filesize
13KB

MD5
a813d18268affd4763dde940246dc7e5

SHA1
c7366e1fd925c17cc6068001bd38eaef5b42852f

SHA256
e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64

SHA512
b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O5E9A.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedge_elf.dll

Filesize
782KB

MD5
22db7c194848182daed3c3c30969bb06

SHA1
e7d5d179616846ca331cad2be6f5219ca4dd1913

SHA256
6a0ca3784c5541615fe8bed1542fe5011d19788e50757f514774bad98bf16699

SHA512
2adbeda9fa5d6c8f30ee11eade79c824522a15611d80be002cff5353884226dcae7581efcd4e37d8d48103db28536985bc3fc51f0285197e5944d981140d3250

Download Submit
C:\Users\Admin\AppData\Roaming\NVIDIA app\488\msedgewebview2.exe

Filesize
3.2MB

MD5
71fdf2d301949413f8b14e0f12c2e0f5

SHA1
c57e8eff6bfc0be6420e97cfd6de895c937fd5b7

SHA256
1e7e2c05c6c634aa7f11c8c217bf9c21fbe336f128d744fbaf3fc91d643925a0

SHA512
752fe30b893a1e0a0fbd93fb91dceea2b88f5e1c067e8f780fbedcf1fd4a11ec1317d65bbc3c11086926a2d37a49e5f519c40f7d65dba335079dc2044dd53f58

Download Submit
memory/1144-26-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/1144-7-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/1964-186-0x00007FFBD42F0000-0x00007FFBD4396000-memory.dmp

Filesize
664KB

Download
memory/2008-96-0x00007FFBD42F0000-0x00007FFBD4396000-memory.dmp

Filesize
664KB

Download
memory/2012-98-0x00007FFBD42F0000-0x00007FFBD4396000-memory.dmp

Filesize
664KB

Download
memory/2012-94-0x0000000002F50000-0x0000000002F62000-memory.dmp

Filesize
72KB

Download
memory/2708-23-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2708-21-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2708-60-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2800-31-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/2800-59-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/3364-27-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3364-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/3364-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3660-97-0x00007FFBD42F0000-0x00007FFBD4396000-memory.dmp

Filesize
664KB

Download
memory/4000-66-0x00000230742C0000-0x00000230742E2000-memory.dmp

Filesize
136KB

Download