asyncrat | hxxps://dosya[.]co/p9hctjt8v3wl/Sonoyuncu_client_tr_v1[.]0[.]0[.]exe[.]html

Analysis

max time kernel
299s
max time network
301s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11/01/2025, 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dosya.co/p9hctjt8v3wl/Sonoyuncu_client_tr_v1.0.0.exe.html

Score

10^/10

asyncrat default defense_evasion discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001900000002aac1-59.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2476	Sonoyuncu client tr v1.0.0.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Sonoyuncu client tr v1.0.0.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sonoyuncu client tr v1.0.0.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 63 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\2\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\2	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\2\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\2\0 = 5a003100000000002b5ae053100053797374656d33320000420009000400efbec5522d602b5ae0532e0000008f360000000001000000000000000000000000000000ed8b7c00530079007300740065006d0033003200000018000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 020000000100000000000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\2 = 560031000000000047594c62100057696e646f777300400009000400efbec5522d602b5ae0532e000000a6050000000001000000000000000000000000000000d59e2400570069006e0064006f0077007300000016000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\2\0	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1 = 8c0031000000000047593966110050524f4752417e310000740009000400efbec55259612b5a14542e0000003f0000000000010000000000000000004a0000000000beacb700500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\2\MRUListEx = ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\2\NodeSlot = "8"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\2\0\NodeSlot = "9"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\1\NodeSlot = "7"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3870231897-2573482396-1083937135-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	OpenWith.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 346432.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Sonoyuncu client tr v1.0.0.exe:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4504	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1664	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1700	msedge.exe
1700	msedge.exe
1464	msedge.exe
1464	msedge.exe
2836	msedge.exe
2836	msedge.exe
2080	identity_helper.exe
2080	identity_helper.exe
3400	msedge.exe
3400	msedge.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3260	taskmgr.exe
2980	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3260	taskmgr.exe
Token: SeSystemProfilePrivilege	3260	taskmgr.exe
Token: SeCreateGlobalPrivilege	3260	taskmgr.exe
Token: SeSecurityPrivilege	3260	taskmgr.exe
Token: SeTakeOwnershipPrivilege	3260	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe
3260	taskmgr.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
1664	EXCEL.EXE
1664	EXCEL.EXE
1664	EXCEL.EXE
1664	EXCEL.EXE
1664	EXCEL.EXE
1664	EXCEL.EXE
1664	EXCEL.EXE
1664	EXCEL.EXE
1664	EXCEL.EXE
1664	EXCEL.EXE
1664	EXCEL.EXE
1664	EXCEL.EXE
1664	EXCEL.EXE
1664	EXCEL.EXE
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe
2980	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 3948	1464	msedge.exe	77
PID 1464 wrote to memory of 3948	1464	msedge.exe	77
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1512	1464	msedge.exe	78
PID 1464 wrote to memory of 1700	1464	msedge.exe	79
PID 1464 wrote to memory of 1700	1464	msedge.exe	79
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80
PID 1464 wrote to memory of 4624	1464	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://dosya.co/p9hctjt8v3wl/Sonoyuncu_client_tr_v1.0.0.exe.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e9be3cb8,0x7ff8e9be3cc8,0x7ff8e9be3cd8
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,14230650570247454692,3141172608189023471,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,14230650570247454692,3141172608189023471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,14230650570247454692,3141172608189023471,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2504 /prefetch:8
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14230650570247454692,3141172608189023471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14230650570247454692,3141172608189023471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14230650570247454692,3141172608189023471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:2876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14230650570247454692,3141172608189023471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,14230650570247454692,3141172608189023471,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,14230650570247454692,3141172608189023471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,14230650570247454692,3141172608189023471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,14230650570247454692,3141172608189023471,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14230650570247454692,3141172608189023471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1748 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14230650570247454692,3141172608189023471,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1
  2⤵
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14230650570247454692,3141172608189023471,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2472 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,14230650570247454692,3141172608189023471,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,14230650570247454692,3141172608189023471,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4808 /prefetch:2
  2⤵
  PID:1816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:752

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2032

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1424

C:\Users\Admin\Downloads\Sonoyuncu client tr v1.0.0.exe
"C:\Users\Admin\Downloads\Sonoyuncu client tr v1.0.0.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2476

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3260

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\New Microsoft Excel Worksheet.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\some.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4504

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3d68c7edc2a288ee58e6629398bb9f7c

SHA1
6c1909dea9321c55cae38b8f16bd9d67822e2e51

SHA256
dfd733ed3cf4fb59f2041f82fdf676973783ffa75b9acca095609c7d4f73587b

SHA512
0eda66a07ec4cdb46b0f27d6c8cc157415d803af610b7430adac19547e121f380b9c6a2840f90fe49eaea9b48fa16079d93833c2bcf4b85e3c401d90d464ad2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c03d23a8155753f5a936bd7195e475bc

SHA1
cdf47f410a3ec000e84be83a3216b54331679d63

SHA256
6f5f7996d9b0e131dc2fec84859b7a8597c11a67dd41bdb5a5ef21a46e1ae0ca

SHA512
6ea9a631b454d7e795ec6161e08dbe388699012dbbc9c8cfdf73175a0ecd51204d45cf28a6f1706c8d5f1780666d95e46e4bc27752da9a9d289304f1d97c2f41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
99c16df0aaf9f476f7a41d6563f67201

SHA1
e27d5931892db748dc07b789bbdf0c2651c79a96

SHA256
17b17f9635ab9cd5d340ab37b01a16709a23fed8244d325d6f96dc438e5e5307

SHA512
8b4f73805902ef7d12d13cb3d78edd7123f637c2eb5e2273bf4f49c1b2a406a5e6020d9fd78ee15af1a5283ccc709a70960e803d1ed788b68c197efbecc03081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
26728b15d094a31cc94230bc682b5816

SHA1
4d55628a0a810d7a450c4693435df323d939dd4a

SHA256
69de565bc1472f8b8c09cf7615d6020c3cbfdf0d726be7bf209e63a4c31acb92

SHA512
9585bfecc35049a3b208f47c788e7f0726cf0193e57411478621ce7b59b9a27b9b652ee6ab352d3fffba1819dad10890e800af5bc35d34fbc202d0f9bf68310a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
50b63cc1a34a075519e7a14343a8110c

SHA1
de4d6dc9e13727b2befa3a9c41807a90f4ce50d2

SHA256
bf1384c6ada2e054dcaba4fad9c5e3ee4705ee5a945d73ef29731726fc1be640

SHA512
adb95645bca7dd314f6b55a7b28cadb3d4b245860cf479bf611f8df923d82972b3eaf3da3926e414429a4422c8b0f5b712183413def0771a0173187c74118f46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4d3d4e61cac26f6bf6d04d824881e634

SHA1
820dc01eb32ff4c4796d3f2bbf39092ea696bc22

SHA256
c508510e0abc18ec1d1e49312956863bbdcc88959b05d2fb7c9884a37084f4c1

SHA512
fde2fb0d275d9cbe0baf931b54cbed802c5faa77298b2d66967978a2b554ae523bdee293397c89f11815f7008fb78cdb4f73cc29c0ac6e3a3b20d2db1b90d4c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e83d7019-f6f9-4806-9df6-6dacc57eec00.tmp

Filesize
2KB

MD5
59c82ef8a37a1383c77b720ab0d6b49d

SHA1
9b8b6688fcfe975cc59d72ddcd2c9c0a8c757a71

SHA256
84c0d3338f6b44b8b8893dc63422803ed919df61bd50c0c6e45574c639480586

SHA512
d819102696adcfc0fab6ac880b1bdad6b856d4ea2cf015fd74fd4a7c38692bb9827d4eca004d77c7b768d01a44107d95d5c38e65242f309417040f0eb91c57eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ffb122ea41203cd6ce395ba47e01c6f8

SHA1
0833b8e0b84388743b79ee3290630c86cb7b75a8

SHA256
f97fc3980f3d72c50a8ffb00a95ea051a71ca9b81289c29570630ebda03f6386

SHA512
7f1f70054f2b70471456c441123be2879aa6fec3baab5284ce56230fe12b1599f5c071105c33f16e1f8f77826fe490343ed943a6a1655f3ea504936c04544eab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
67c5045eb5c14ae62511408ae633d9df

SHA1
2383ee9d799d77070c49cf1448f3caf177b61769

SHA256
6c99f979dad9386a025214b1848909075f4b0624ac565303106fb046335bfc90

SHA512
bf106fa52992d0b463374a4c6ade79feac8b83f60d77205422483847fe7a0aa7c8fb5bb9cbe4bd97d5093a8a24761bf61ec494a324443f726c19a27f438c9677

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6d1f4cc6dedd16632a75f07255489d45

SHA1
2e50e848d144f81fe495a6939b0efe396dc69d9b

SHA256
0643f4b57b15c04b0aadbb90aa3421b769e5cc89dddab4f0b9da2a3429daf542

SHA512
6f5a54e142e2b5f1d0ac1845d45bc113bb1e1257bfc1b675139620e1f4d45aaafc3c721cc979af298a160b1ae51180bc22776e1da65c95fcc5d665cef8b3e1ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
b91492215c3f2b6c170d2dbb8fcc762a

SHA1
bc7a855a13dc48f99e69331d0ea604ce954f6f99

SHA256
0d232c7fa86350f189f5b66faf6f8733d64d71b86988f772884f173bcee3631b

SHA512
51a5bef9a239cf3ab03652e2ad72fa896b2af22b72596d1f9b6bd92a8ddddb39a696bac4f2c7b137aeea2ec009a37173222914b67718c276ee1f7865c5f7ee4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
103B

MD5
7e2ce8b39a69cd444f2a74e22285f251

SHA1
2062daeedb7a0aa91187d6e45256f2e053bcd546

SHA256
9dbd5baa906acedeffb65b551d217b12b0dfab704cd61fb593c4c3b8bb7807ae

SHA512
1eae594596087c482b4b650ec890363a234b418aad1a2207cfd9c68a233e06b4b1db281b253be61598e0cb5c7cdafd4c42a82bece681e7100ebdcba8c9089673

Download Submit
C:\Users\Admin\Downloads\Sonoyuncu client tr v1.0.0.exe:Zone.Identifier

Filesize
189B

MD5
c3c8c4319dcc4820367d98eb64649f5d

SHA1
1031ff97bf0616fd776dc6602870ec02b66d8cc0

SHA256
b9d2078144e134135ff33673aa0ba996ccb56d314ea60b861577e98e916de14b

SHA512
8bb35d321f658e9d7cb3b5713ced15fb7c89fff30e946742da1156e3c7154d27357b1971d64a9d44a6148d689574b8729d296918e4eebf8e9f0bff0342b0547e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 346432.crdownload

Filesize
253KB

MD5
006cf9ecda1c06de525937b3177217cb

SHA1
b997841645e4194e79ba65a138052c6d31ef901b

SHA256
c93e91208da32c2d53feb734663f4260494d016f9e505551449105e91e85bb09

SHA512
33dfffcb3d706b810883d757e79430ce8998acb4bf9c0a7d78486517a5375527a3fa83d8605ff228f7ca38349114330301e89b99e68d73a9558ecace34fe6575

Download Submit
memory/1664-222-0x00007FF8B8F10000-0x00007FF8B8F20000-memory.dmp

Filesize
64KB

Download
memory/1664-226-0x00007FF8B6550000-0x00007FF8B6560000-memory.dmp

Filesize
64KB

Download
memory/1664-268-0x00007FF8B8F10000-0x00007FF8B8F20000-memory.dmp

Filesize
64KB

Download
memory/1664-269-0x00007FF8B8F10000-0x00007FF8B8F20000-memory.dmp

Filesize
64KB

Download
memory/1664-267-0x00007FF8B8F10000-0x00007FF8B8F20000-memory.dmp

Filesize
64KB

Download
memory/1664-266-0x00007FF8B8F10000-0x00007FF8B8F20000-memory.dmp

Filesize
64KB

Download
memory/1664-225-0x00007FF8B6550000-0x00007FF8B6560000-memory.dmp

Filesize
64KB

Download
memory/1664-220-0x00007FF8B8F10000-0x00007FF8B8F20000-memory.dmp

Filesize
64KB

Download
memory/1664-221-0x00007FF8B8F10000-0x00007FF8B8F20000-memory.dmp

Filesize
64KB

Download
memory/1664-223-0x00007FF8B8F10000-0x00007FF8B8F20000-memory.dmp

Filesize
64KB

Download
memory/1664-224-0x00007FF8B8F10000-0x00007FF8B8F20000-memory.dmp

Filesize
64KB

Download
memory/2476-113-0x0000000000F00000-0x0000000000F44000-memory.dmp

Filesize
272KB

Download
memory/3260-138-0x0000013291150000-0x0000013291151000-memory.dmp

Filesize
4KB

Download
memory/3260-140-0x0000013291150000-0x0000013291151000-memory.dmp

Filesize
4KB

Download
memory/3260-139-0x0000013291150000-0x0000013291151000-memory.dmp

Filesize
4KB

Download
memory/3260-145-0x0000013291150000-0x0000013291151000-memory.dmp

Filesize
4KB

Download
memory/3260-146-0x0000013291150000-0x0000013291151000-memory.dmp

Filesize
4KB

Download
memory/3260-150-0x0000013291150000-0x0000013291151000-memory.dmp

Filesize
4KB

Download
memory/3260-147-0x0000013291150000-0x0000013291151000-memory.dmp

Filesize
4KB

Download
memory/3260-148-0x0000013291150000-0x0000013291151000-memory.dmp

Filesize
4KB

Download
memory/3260-149-0x0000013291150000-0x0000013291151000-memory.dmp

Filesize
4KB

Download
memory/3260-144-0x0000013291150000-0x0000013291151000-memory.dmp

Filesize
4KB

Download