asyncrat | hxxps://urlhaus[.]abuse[.]ch/

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-01-2025 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://urlhaus.abuse.ch/

Score

10^/10

asyncrat default discovery rat upx

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

wzt5xcg.localto.net:1604

wzt5xcg.localto.net:5274

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
KYGOClient.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0003000000000735-293.dat	family_asyncrat

Downloads MZ/PE file

Patched UPX-packed file 1 IoCs

Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.

resource	yara_rule
behavioral1/files/0x0008000000023cac-148.dat	patched_upx

Executes dropped EXE 1 IoCs

pid	Process
1036	sdggwsdgdrwgrwgrwgrwgrw.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000023cac-148.dat	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sdggwsdgdrwgrwgrwgrwgrw.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 750642.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4992	msedge.exe
4992	msedge.exe
1672	msedge.exe
1672	msedge.exe
4640	identity_helper.exe
4640	identity_helper.exe
2976	msedge.exe
2976	msedge.exe
2660	msedge.exe
2660	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1036	sdggwsdgdrwgrwgrwgrwgrw.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe
1672	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 3160	1672	msedge.exe	83
PID 1672 wrote to memory of 3160	1672	msedge.exe	83
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 2856	1672	msedge.exe	84
PID 1672 wrote to memory of 4992	1672	msedge.exe	85
PID 1672 wrote to memory of 4992	1672	msedge.exe	85
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86
PID 1672 wrote to memory of 4804	1672	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://urlhaus.abuse.ch/
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc02a746f8,0x7ffc02a74708,0x7ffc02a74718
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2268 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:1744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2720 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2092,11573508964688934384,14329590885736931385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2660
- C:\Users\Admin\Downloads\sdggwsdgdrwgrwgrwgrwgrw.exe
  "C:\Users\Admin\Downloads\sdggwsdgdrwgrwgrwgrwgrw.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
29KB

MD5
fb0e6981c97fba54d76f9b2bca152299

SHA1
7c26673f6d5dd46220ca13f2197a5f5e70d06335

SHA256
09b221854d59bd9fb7dcd7042f9fcee8b6b8f958d932096a9ca307e2d63813d0

SHA512
beafa70f582e2e2d2a8de30fa22aa2f9ab384fcea0ec7f016b30392e3001ed98ca105874f64f62a5d065d90ebc0912cef566cb37333c3903f6dcb1d3e1d4eb51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
102KB

MD5
220ee3b3522fb6b392115cd9c6d181d9

SHA1
718bbeece06959dfd6508378b3eaf7d16cb6132d

SHA256
909d3ab5e682c33eb09cfea8927aec8d6f9d3cd686cc4e43c414cf831ff191b4

SHA512
27a1634536d8362ebf504a853f27a4944edddde5ec29f965658867a293d12d101e344cb800cd81c5295e42f718e08554fcbc29520dca7f9732954a5e36be398c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0de658187385c341_0

Filesize
259B

MD5
3d0616041865ba0559dc9789a946cfd4

SHA1
b5c573abf871a2b10881e74e3ae292da746acbd1

SHA256
7246713ea078b8ed2f61c40231785cbff90817ed16b4c963fc73c63c42b34719

SHA512
629b7feda8e4e7a98d64bb0133048ece870e785fb58b81fd623eac7bd48c7ac183817bfafe95394e59b59a475e7694d95f8ebdae7be64d3b8914dd83831552bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b37e7ff6cf28c427_0

Filesize
442KB

MD5
fea451195fac9ca2cdb5c4c0740c5288

SHA1
f070ba1fdddfe8515046da462c9f5e6f22d9d9c4

SHA256
5343b22ac15004b17c770b9ed2a67c20a13c084e4a6e4c66e7eb760c17fdbf6a

SHA512
8e2210eb1a6ce5e4ef25486265dfc66ad94aa185f3bc85bc44782fbb8ba528d056fc9a2b6335a52f4d5abd76f89c5c7acabb48f4ff9714c6693baae868322138

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
49367bd2364a9d870898656af1d34c00

SHA1
ac7d34b8a1a4874652ebecf6f680ad6149009657

SHA256
4ccf79cc518205424867bf5b17c072d05f33f89bc6793f94e273607d27a9550b

SHA512
12c6f5d1c2a29747127847f1012af5d7d871b8dff73e92a75315faba3d46cd051c4e908c845a14e195a1d26a3e30492d7ea8a04e7710fd6b3376adc3718db66d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
aab0b494bd49540ca3c8c89289db6be9

SHA1
cf1df5f7aa8856d77f0cfe0845572758de99dd22

SHA256
1b90fb1b2bbd0b0c4fb8382e5449d9d3d3ef477843b4389ec7a6315c43c44911

SHA512
47a3b0873392c80ee108458f09fe7d10886546733c5052249db3111064b956091ec7d2210d242f46a80d9ef6d1d3b7634e8dd31868cc23b0a7dfe8969ae6a41c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
654B

MD5
6c227824f8fd3c4d44e89a07fef454d0

SHA1
033b54ed680e04ceec0c5d887fbabf88c7f5675d

SHA256
9c9253c2ea4bd9d725cab59bb08d5d28d6aad4ab265c94b272e8cc9311112759

SHA512
6d40ef17aabf864fa3ad858001fd96112a780a67f46f193799c875fc597af6c8f4e1e807fbf00543051add170c2aef91f11d65bcb803785da091d84141b4cf7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
16955a29fa84c0ad400b2be064fb2801

SHA1
a585840023b98f3666bda25e24a5bd1eff267bb2

SHA256
b12c4cd1f41e182d79de5b2efaf8e70547f74c7ff23732a82d1b0dbb5b5c5c66

SHA512
8b15cb3f2e2831c129012fb91b869c52e479e020499665869e7b99629c213baf6b10c5e84b6ab2193c40991d139dcf85432afba75502b7571564ae7e615f10f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e15eaac7113f80766bc1361c6cddb557

SHA1
6e16d075399635608c93ed1972bb90436720cd66

SHA256
0584985badd2b5bfbdca357790fb2a4a49a116bd58bac89347bd99c8fc69a42b

SHA512
ff4aefe63c874f3324926b54557faeaa53144069538d41dc2304a6c1fd7f1ddb76212a2059290aa6cb408e66a5f0d9d2a878c2c6701bfe6164672ecd371caf30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
03124c03e308f259c64792d5f546a54f

SHA1
91d1e9091854d77965d0b356cdf0dfb442534b62

SHA256
1ed39ea8c7993bcced51d6bd7fb570ccbbb37ed775de45607410bb9d4442e184

SHA512
63d1f0f5a7b530067c5b85cb2a283aabf731a44c7e5539c7b2aad6faa2ee1a4276ca444fba675422485d5aee45004c90596dd9bed1050f1d6554090855b718ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a9e0cd508062e3ce3ac2dd3197239a3c

SHA1
7aa018495597c6ca92340ec164d57554b051ed92

SHA256
fac24200199b6874230277e64994924c2a4220a2f90786335537d58122379a05

SHA512
69b9c80318f03671809ab384ef4f1a99fc1ecb93b03d73fb4a91deecf042c3692f7e8aa2a032c4371a8ef86ef4ad5632edd41f28a9fc415176fc351727d95c18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c302aa5208e48accce958830f382f93c

SHA1
cb90c7d9cda268b3b83d1bb35d3eb276076159c9

SHA256
f14523fbc123b9dc628a3caced1b35d65dd63840985a93ab145cb87d66af8564

SHA512
c17fad36ccd5207abe0192446744703def0e0d6e60f8ba5957665820576f4497fc4b7d81677e2c00da06b875c36c28290535ddd52e1b6c4473098f866aa1b6c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cbc6c79408458974d5cba1289c4a0407

SHA1
98a80752fb4ddf1fd4f9964ecce56f447532f35b

SHA256
b2e051316f170b3ef8f1918ba20bf304762ef6fc32ec4ae5c349bc6e62de79bc

SHA512
98cf7ccc66aae6e3b1429f672445c3781acbdf649a1917f642a4d0c96c938d06570233f5a11c75f1437bb731f20b6a2cc041120bc2ed1bbd14f28178886b368d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c406fd06e9dd6b43dd51cd685916b08e

SHA1
3df9f31294a643148267add87697566a28151f7b

SHA256
703f277bef66b78a36c8426a6c80e3df0eaded66ddbbe85c99907b5c803fe0e4

SHA512
6429c99c37dd77dbbd466fcdd244b81470e4ce252cc6cabcdade8fb03a6ddd4c4a617a67862f46d2df6462a0865b5b2087af7fab308d74bbb52a9dd90a9f3acd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
368B

MD5
e37c96f62b76366a76a59a6402b95a80

SHA1
3b367f65a8f68defa6cff7b1be2c1345597ee602

SHA256
802935b061090bbbe36c437d5094e76f5eb71890c776a605667800923cecd177

SHA512
0a339e47c7fdb68893fd21283da05b4d090947e16bbe2bcebc3f4ca428d3d7408e1352e16eb40e88ff70683ea6aa80933a703cca72d0bb2af58a1df323efa423

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
a96b3a8cd1cac05be4af03adadae465a

SHA1
f99f466e148cff02d37a89693c0ce5aad8e7aa82

SHA256
eebe8990a65bf39ca074100515d4f412903eb249d310f4e9dc7aeb24ee43ea1f

SHA512
11cb8be122336c09b01104442e173ba47ed0dd44dd1faee94d48bcbc1fe00b2b8a1b1d258f9a7cacaa7f802c20215e371e76c0677a8a9f8f96d2bb85bfa4eb28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
06e88831c871b0798e738f79999e0b81

SHA1
101783177cb99c5ff57f3d68f5e06cf75fe236ab

SHA256
81c93d30b3a187c442d7a9dc2ca79b1da1b60001ce25d41c45b33c98cdba5d8d

SHA512
3e934cad4a4b225d271da71c4b17660f63e34c43ca61daa81c3c38bfffea183d2faf00397135cac1e427a4a36d0950d925d1f206af69440756fa6d8e9c919d5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
68463229036cc8bd59b2cfc81b96faa5

SHA1
b75d686669cafdb44d9a740eedc3aaebecf8f1c1

SHA256
94f2a7528214d3a009b159c1b57cb7af211e8145321da4402c76392a9a3ad7e8

SHA512
d0e0a6ef2a3b5dc95bedc5cebe0cc376c3ce58661f695fd1220fc29183fa659385a9a706e277419ef9d057ef765b97350cc4aa315fd795527d641af8eff9003c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
399af1c5e1c77604f7e663c284e5d652

SHA1
a1972348698440f7f2d76ad72be7df40257f228e

SHA256
b15f770a40b3cba13d0309b09c374d85eb743ad50d9180d969abb21a02c359f0

SHA512
85772f57779b07be087b6ae430e8743d1875e27fa78add4a19560bb4b6cc0532b85ab34f0ec44009e2c58685e6dcf62213a1c6df0d45a31c1c1686360bf24919

Download Submit
C:\Users\Admin\Downloads\i.zip

Filesize
132KB

MD5
59ce0baba11893f90527fc951ac69912

SHA1
5857a7dd621c4c3ebb0b5a3bec915d409f70d39f

SHA256
4293c1d8574dc87c58360d6bac3daa182f64f7785c9d41da5e0741d2b1817fc7

SHA512
c5b12797b477e5e5964a78766bb40b1c0d9fdfb8eef1f9aee3df451e3441a40c61d325bf400ba51048811b68e1c70a95f15e4166b7a65a4eca0c624864328647

Download Submit
C:\Users\Admin\Downloads\sdggwsdgdrwgrwgrwgrwgrw.exe

Filesize
45KB

MD5
b525ea79a587def213905cf77f2b5e7e

SHA1
08211f74b221764ad5e0ff24c914c8d8bf0fdedb

SHA256
7d11842cce74194adfff7709d7ba3f560dd381dc05b79810ac5c08bb220e6556

SHA512
dc9ff41591b455589a97f09245b2a70fccb1a68f1176696f386b634511f8498df8d549d9e931919c7e598586251a6552f118f0a439e4e708568afb7a0e7f46b1

Download Submit
memory/1036-307-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

Filesize
72KB

Download