asyncrat | f368400a4f67b6f2390343181e5d1945967c6cd25088798984e6e4654a1b928c

Resubmissions

04/01/2025, 12:14

250104-pej3ls1mbk 10

04/01/2025, 12:10

250104-pcc7aa1lcr 10

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2025, 12:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cum.exe
Size

63KB
MD5

6ae8830520e0bf079fc97aa207673ac6
SHA1

8eab31bfba85b5847573bda4257f79c607f0c297
SHA256

f368400a4f67b6f2390343181e5d1945967c6cd25088798984e6e4654a1b928c
SHA512

cb8e918f34780d91673fdcc6bf3a70d2a1bf82bafb62f59ab6fc0f98b5ee09a8ed404d99fee25a4d5f55f9b7c4a5dc280d41725c596e6ddb8fae158542f14596
SSDEEP

1536:+62ZBUFWbPZEYUbeM9odcrXuEdpqKmY7:+62CWbP6YUbe1cr5Gz

Score

10^/10

asyncrat default discovery phishing rat

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:1337

127.0.0.1:26550

147.185.221.24:1337

147.185.221.24:26550

Attributes

delay
3
install
true
install_file
hawktuah.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0005000000022f6b-108.dat	family_asyncrat

A potential corporate email address has been identified in the URL: [email protected]
phishing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	cum.exe

Executes dropped EXE 1 IoCs

pid	Process
1160	hawktuah.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1892	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4460	msedge.exe
4460	msedge.exe
3280	msedge.exe
3280	msedge.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
5080	cum.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe
1160	hawktuah.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5080	cum.exe
Token: SeDebugPrivilege	1160	hawktuah.exe
Token: 33	5548	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5548	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe
3280	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3280 wrote to memory of 3024	3280	msedge.exe	86
PID 3280 wrote to memory of 3024	3280	msedge.exe	86
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4036	3280	msedge.exe	87
PID 3280 wrote to memory of 4460	3280	msedge.exe	88
PID 3280 wrote to memory of 4460	3280	msedge.exe	88
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89
PID 3280 wrote to memory of 532	3280	msedge.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\cum.exe
"C:\Users\Admin\AppData\Local\Temp\cum.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "hawktuah" /tr '"C:\Users\Admin\AppData\Roaming\hawktuah.exe"' & exit
  2⤵
  PID:1500
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "hawktuah" /tr '"C:\Users\Admin\AppData\Roaming\hawktuah.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1424
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE32.tmp.bat""
  2⤵
  PID:4228
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1892
- - C:\Users\Admin\AppData\Roaming\hawktuah.exe
    "C:\Users\Admin\AppData\Roaming\hawktuah.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d98546f8,0x7ff8d9854708,0x7ff8d9854718
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2480 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6208 /prefetch:8
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6844 /prefetch:8
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:5720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,11779377176901959153,5540283013906795833,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5440 /prefetch:2
  2⤵
  PID:5492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2560

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3948

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x320
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005a

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
2bd6e5f4658a6fd24a758ebad474b4bd

SHA1
3ef52bd166eedcbec01407c4a3c055c4b2a970d4

SHA256
ac937674755c467119a1232cadfa5c465319a09d51cce7fc3828e5f6594a193a

SHA512
e809cbbd165194b68bfd67041c9bbeecc3eb09363e39c3431ba29cad2916d2c17688cdfb1115b93cf7db59e4f0403fece18fd30dc928417713909578b4c5840a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
31235b2c67ddf3c4deba37ea76ef190d

SHA1
954ede41f8cae9159d1814ac2c467c6e97c23376

SHA256
a8bc2f56d4a8b1274bd0c443ac346d959756fa4b5da90b5ea6e4bdbf8c6476af

SHA512
c1b7bf15ffcfa782b09533455da8f0d1b7ffd4c6808172518c96f2ad81fad7ea335bc3b28cd0662a04583964ca897f57a76418aa0bb5e7cb8af6e42a837d5606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
01352c766526ecaea1833b2a0ead7f2d

SHA1
e5afbe81a58247314fe606337eaf4b6eda2bd2da

SHA256
172b1da5cb96998c49fdc8c98f1f75893bd46ee4294ecb04327022ad079a3bcc

SHA512
e74111010d6c6a9237aac9d4b1c2c1fb543a478eec8a8400e7eda44b794d84b98c759fe3fd92cbd205e5976360114677c5a1bd6b51727fba90f4ad37707ca14a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
640f4e8d61ea4bd87af8301387bcbbc3

SHA1
92d5855889d5cd3fe58cd1888d24d142ce61e137

SHA256
83be6b381090129794c37892cc10fdc65270f64192db7cd7b505671100b36c57

SHA512
136fb14070f38f5e11ce688de05ffdd1ba2bbd78de4091810fd52f2cb25f59b56638e5d912b9da81387cb783e981b5123c4c3e9eae772490b4423027b8d49c3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b95fbd760841669aa9e44f354c4f4268

SHA1
caa752a062b24d69c9baa821656333149e0366ec

SHA256
403f271efd049c7bffbae4a416c6f4f0beea3de539b287b803b4c5d92008e719

SHA512
b28511d71c334786a53faad53a2c6989ec685f06134512c622c57bb7a7aff6f6d44c00a7b2149314c6c54a552148c72992bdc866167832e84ea84dc396e4afdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a6690fe67c49f2f8bcdfe290e787d5f0

SHA1
0235afc1a7fe1d8975a0f30c3e9958ace00ddb3d

SHA256
87f66209c779a1db47c9fa1e097f657f45910ab64ca28ff0328b686506889a6a

SHA512
d4453e517c819b6be845ca813c4eebfe01e1543ef31d89cd15683d543cf43bd51dca5b349bd53f0ff67b46969cfc5c6c543867e3c6e0399898493031d098777d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b40be2cd3b29dcab2336af93631bfbfb

SHA1
b6903c24e18855eec27e2eb05424d101c89ab29d

SHA256
4289da47b420f06b44917ca996375ce66e60d1f335cb1d8a0ae3d414d80ae30a

SHA512
3d9f7747ffdc76365c6f709f0a18c797687153159ceb58181dc06d23d3275416584164919147c662808edeb42edf007cbbd5ca57c2431fa37f26e98be6c42524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
353e9d141292a045f4ae8b3f1a98c8f4

SHA1
4376a20191367b9c11b40825f7dddfe422022e48

SHA256
f4923c9612673070f00436f4d3f36cce08d4b1fb89b8c294f719e10eb0f9b5a8

SHA512
130d65b8917c1deabf7d3f719617dce60cba9ec77f2c8c36561ebd8024eb0c68e7a624fa2092e55740a20e8e8f642558ce1cc3d6ed5ca52dc2214902e8519ab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581875.TMP

Filesize
48B

MD5
3afb023486eaeb0086677c029d15e46f

SHA1
546ce9bb4ce616cd3aff90be4a2454da2c2b8a6b

SHA256
eaaa3bc546a95d60f2ed644342f3ac851aff40fdd4fc28b819b3a36dbadac259

SHA512
eacfc68f0c1336bc01c9af334375f69933bd8e3e11ca7a3801ed5d5b2da064c087c0e82b1040f3cfbb57ee5b4ab8ac8325cc4754601cb0ff3b52da54bc3ffbcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a41b1c9086dd79c4a651f6f6dd1f8e6

SHA1
1727a4b30b995229fd110a33d07a596ab4681fb5

SHA256
c3ebff775b8abd863676f4abfff3e5af11dbc07f2798927631c2c393108bc047

SHA512
416dffafcee11ec32464ac4973cca91c37e0c085ac4303fe5e48d298844665ca16ebf07a302b641e15ea5ea0f1b79b7d0c4c8927669f6837c8f13017aaf8566e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4705dc78a550663e71290f3b40f05ba7

SHA1
6746d09bbc4cbf700b406a662a0fb0c107211deb

SHA256
9b4cee726ebf76738219a02f4f06e7af3e709edc6cf141ed906c7dd995a72111

SHA512
dd30f364e3f785aa24c94b8072c13147fc7e7e10598d15af54f912b9c9831c8f3c9a5ad24cd04c307baba95744a1ca6920f2c59784810ee4a6d482133b3a94ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ebe6423b99b36352d9867c3403b7b1e0

SHA1
d253625ed2ebb593e0f328a9d9af93e98d945d2d

SHA256
276c5bb525d9b23c0c0dc78f67bdb8a9eccfe5dd0c3c44b80ddadf309e0d0148

SHA512
d50c8b5646871de23d1ee9bdc3640fa484f1105f4cca02e1d199ec45f07bb6e8b8283d4ce77d2093c840d98a57c8d07b63544de82ba2b8a8484fadf7e29ee397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5807ac.TMP

Filesize
870B

MD5
b529360fd9a53cf68b6df4a1b873402f

SHA1
bb29703271fa75b3a00f992bbe7be755f0e5b89b

SHA256
b08b050e7d715afab7413c5dd6a8f855e1f96c72a00deeffa02e360615626c04

SHA512
ca8f2fbc23150767e1e86a65eb43f7aabd9de0a358c9d67d7aa62fccf54774acefe9acbe0914b4d8c03f324435e80f411b9fb477015742dd40841f131a4b040d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4f5f105659e47ff387f988a06a8073f0

SHA1
00cb1f5667869449eb596d2e9a9303e871cd58cd

SHA256
c21f152c5f9e327660ac6c76d4e298e7bc955d48949ee299ee84d6043ca0ccc7

SHA512
ee7b140d40edaef0da7d172b4930f3c62ff948db1ce85c4643a99c6edc6f45af7760f09dcec2303067ab56e737c4f78538ba150219513e8f577c0338c312dc13

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAE32.tmp.bat

Filesize
152B

MD5
eda4e9d12e3b10c9f99de7b8010e3364

SHA1
c44532a5b5d03febecc71ba4df998b1385f4e554

SHA256
6729eb2cd76a8899952980b2977f2f2e35177dc560e8779f2c7461d4372f1a7b

SHA512
f3ee8638df2a60361100bb6cc075c22b2126308d602939ef2e722d7aae7886f64a636074d6084b1b7664f1cc12e7aa61676ac2a71bee8044f06c194c1dee9f23

Download Submit
C:\Users\Admin\AppData\Roaming\hawktuah.exe

Filesize
63KB

MD5
6ae8830520e0bf079fc97aa207673ac6

SHA1
8eab31bfba85b5847573bda4257f79c607f0c297

SHA256
f368400a4f67b6f2390343181e5d1945967c6cd25088798984e6e4654a1b928c

SHA512
cb8e918f34780d91673fdcc6bf3a70d2a1bf82bafb62f59ab6fc0f98b5ee09a8ed404d99fee25a4d5f55f9b7c4a5dc280d41725c596e6ddb8fae158542f14596

Download Submit
memory/1160-659-0x0000000002CD0000-0x0000000002D04000-memory.dmp

Filesize
208KB

Download
memory/1160-658-0x000000001B740000-0x000000001B7B6000-memory.dmp

Filesize
472KB

Download
memory/1160-660-0x0000000002D20000-0x0000000002D3E000-memory.dmp

Filesize
120KB

Download
memory/5080-31-0x00007FF8DBAB0000-0x00007FF8DC571000-memory.dmp

Filesize
10.8MB

Download
memory/5080-0-0x00007FF8DBAB3000-0x00007FF8DBAB5000-memory.dmp

Filesize
8KB

Download
memory/5080-26-0x00007FF8DBAB0000-0x00007FF8DC571000-memory.dmp

Filesize
10.8MB

Download
memory/5080-32-0x00007FF8DBAB0000-0x00007FF8DC571000-memory.dmp

Filesize
10.8MB

Download
memory/5080-1-0x00000000008F0000-0x0000000000906000-memory.dmp

Filesize
88KB

Download