asyncrat | fb0adc9c82a462297f7be357e0272b3b8d0f1af106580e7aa64f6108c40658ea

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2025, 07:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb0adc9c82a462297f7be357e0272b3b8d0f1af106580e7aa64f6108c40658ea.ps1
Size

440KB
MD5

f405f22335b325746fc2c92892af92e9
SHA1

720b78fe3afb353d94271fc2255b629042432c6a
SHA256

fb0adc9c82a462297f7be357e0272b3b8d0f1af106580e7aa64f6108c40658ea
SHA512

1887a8de5cbd6a119ca77c250b36d9b965a704fb9ad75a363fc4cc67ed46f84bb3d63e0f2aab5f8bce539a21fca9cc9f517905ce26f40317770d33d7bbf91ab4
SSDEEP

1536:bkdW/z20+u4dXNR8WrlDn9lVYw7VM4kD2Fq5AGGzeQz4JnImgzP8RiPmHnClK+dr:beYw7Ev1P4RtluaB1

Score

10^/10

asyncrat fox_mado discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

Fox_Mado

Mutex

0000_000

Attributes

delay
3
install
false
install_folder
%AppData%
pastebin_config
https://pastebin.com/raw/r3hJ4btd

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1800	powershell.exe
2548	powershell.exe
5044	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 26 IoCs

Web Service

T1102

flow	ioc
50	pastebin.com
58	pastebin.com
73	pastebin.com
77	pastebin.com
78	pastebin.com
82	pastebin.com
86	pastebin.com
87	pastebin.com
90	pastebin.com
99	pastebin.com
101	pastebin.com
76	pastebin.com
84	pastebin.com
85	pastebin.com
95	pastebin.com
97	pastebin.com
51	pastebin.com
59	pastebin.com
62	pastebin.com
74	pastebin.com
92	pastebin.com
93	pastebin.com
100	pastebin.com
75	pastebin.com
94	pastebin.com
96	pastebin.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2548 set thread context of 2760	2548	powershell.exe	107
PID 5044 set thread context of 1724	5044	powershell.exe	133

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1464	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1800	powershell.exe
1800	powershell.exe
2548	powershell.exe
2548	powershell.exe
4304	msedge.exe
4304	msedge.exe
492	msedge.exe
492	msedge.exe
3784	identity_helper.exe
3784	identity_helper.exe
2760	aspnet_compiler.exe
2760	aspnet_compiler.exe
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
5044	powershell.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe
4980	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	2760	aspnet_compiler.exe
Token: SeDebugPrivilege	5044	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2760	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 1464	1800	powershell.exe	85
PID 1800 wrote to memory of 1464	1800	powershell.exe	85
PID 1800 wrote to memory of 2068	1800	powershell.exe	86
PID 1800 wrote to memory of 2068	1800	powershell.exe	86
PID 2816 wrote to memory of 2548	2816	WScript.exe	88
PID 2816 wrote to memory of 2548	2816	WScript.exe	88
PID 1800 wrote to memory of 492	1800	powershell.exe	90
PID 1800 wrote to memory of 492	1800	powershell.exe	90
PID 492 wrote to memory of 5064	492	msedge.exe	91
PID 492 wrote to memory of 5064	492	msedge.exe	91
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4756	492	msedge.exe	92
PID 492 wrote to memory of 4304	492	msedge.exe	93
PID 492 wrote to memory of 4304	492	msedge.exe	93
PID 492 wrote to memory of 3688	492	msedge.exe	94
PID 492 wrote to memory of 3688	492	msedge.exe	94
PID 492 wrote to memory of 3688	492	msedge.exe	94
PID 492 wrote to memory of 3688	492	msedge.exe	94
PID 492 wrote to memory of 3688	492	msedge.exe	94
PID 492 wrote to memory of 3688	492	msedge.exe	94
PID 492 wrote to memory of 3688	492	msedge.exe	94
PID 492 wrote to memory of 3688	492	msedge.exe	94
PID 492 wrote to memory of 3688	492	msedge.exe	94
PID 492 wrote to memory of 3688	492	msedge.exe	94
PID 492 wrote to memory of 3688	492	msedge.exe	94
PID 492 wrote to memory of 3688	492	msedge.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\fb0adc9c82a462297f7be357e0272b3b8d0f1af106580e7aa64f6108c40658ea.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /XML \Users\Public\Music\//dSYHloKDMnp3.xml /TN MicrosoftEdgeUpdateTaskMachineCore3975
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1464
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /run /tn MicrosoftEdgeUpdateTaskMachineCore3975
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ssa.gov/benefits/retirement/social-security-fairness-act.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:492
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc66db46f8,0x7ffc66db4708,0x7ffc66db4718
    3⤵
    PID:5064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,13315168358776188407,283790776986203795,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
    3⤵
    PID:4756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,13315168358776188407,283790776986203795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,13315168358776188407,283790776986203795,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
    3⤵
    PID:3688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13315168358776188407,283790776986203795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
    3⤵
    PID:2252
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13315168358776188407,283790776986203795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    3⤵
    PID:4768
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,13315168358776188407,283790776986203795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
    3⤵
    PID:2256
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,13315168358776188407,283790776986203795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13315168358776188407,283790776986203795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
    3⤵
    PID:1308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13315168358776188407,283790776986203795,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
    3⤵
    PID:2664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13315168358776188407,283790776986203795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
    3⤵
    PID:1896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,13315168358776188407,283790776986203795,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
    3⤵
    PID:2772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,13315168358776188407,283790776986203795,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1844 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4980

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\//dSYHloKDMnp3.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $CZlnVJR1AUHz='ReadAllText';$0Gp75ijU8Dln='C:\Users\Public\Music\/dSYHloKDMnp3.Goc0ahsTp7Wu';IEx([IO.File]::$CZlnVJR1AUHz($0Gp75ijU8Dln))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2548
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4672

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\//dSYHloKDMnp3.vbs"
1⤵
- Checks computer location settings
PID:1308
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $CZlnVJR1AUHz='ReadAllText';$0Gp75ijU8Dln='C:\Users\Public\Music\/dSYHloKDMnp3.Goc0ahsTp7Wu';IEx([IO.File]::$CZlnVJR1AUHz($0Gp75ijU8Dln))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:4068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
a0abafc15fc86cef7c75fcb4070840b5

SHA1
2a2031c00657acf30dc4806d2ab243d08c358f0f

SHA256
9b9a980174a095ce456bc0951a0551af708028ba88e49f51aa3ec206c90e38ca

SHA512
7d282e1d6fddae2d5e1a91a902882c0b60ed93edd1ca291db93b3743836743dc5de1b711abfa180467642256e53ec89619ae55d0d58cd7b08057fc915547c685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
901B

MD5
8042b24ef676cc7674f73c5fc138653c

SHA1
464164aa5de3356168c8d5373a435272c8871524

SHA256
cea2b89b14841e53b8cfaa514e113fb23e811ee8aee12fe5456093ae6658e925

SHA512
21157f533a90a934e03f0ba324c14dae2081300f23fb44ad87e7435e28612dd0242ee79639e62643074fa79ad2e7d7792e9a33b4799f24ef0b6d33cc1875f314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2e1d2d4decbf3bb73f76c75505ef664b

SHA1
a2fc18a2f9b73c64a1e92a6680f93e45bede2d2a

SHA256
db3ad4c942304fcdc2a950fdd2f9f016c22ef92ca16bc91f272a2e1050e7df59

SHA512
72cccc1fb917aad11cb30c38fc74117d0645bf0ce406243cf30bc30b3f470d7bbd4b23050a4712ec671934b603c9d4833ab78578e1a04dc581f6c783b20b2d6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6ad75d1056e78fe7967e27cae44405b0

SHA1
2332555b21fe6dc8a2758797d8bae1901d7186d3

SHA256
0accc105a5fdfe13a3dcbb58ce4ffd9fb885fe9befded8b7ea2666cf8d1b4a01

SHA512
7f46802e5f53026166a29fe813b563e02d70663f5b314cfb988b66e9e5e44dd0872bc83e1069d4c240aeea919d5478dbf7d34e63a89c816e9fa933ff200c8c7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ab87dffdf683687e22a174990e66454d

SHA1
880b696fd973b181c96347d7a18c14ecc774776f

SHA256
146c4794f3f8f9bb70f9f14d07dc1fc06350ec6b4e2273be4862375ff9aa488c

SHA512
f7d8bdc26a48fb00b5d6f1c8566c11ac10dcf39605e1b17e7dd744e3c287e6160921cc383135110c452dcb4689d86b8f29408da5118913ac3adb2d528d13fb55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6fe7f2ff9f024b0658a4113e39b826fc

SHA1
07a0d4ec3b19b62fd409ddb60e843021ac40f1f3

SHA256
e8f1c76e1435d42070f4d6c600c2301710b291674c00ef9c069508f0fea69cf1

SHA512
64448c79c9070cbc179df72420c1d86d10ea2ff8ae0d9c3fed5676851cb45a64e65a9d637a1f8f41ecf4dc51c3d5ff8a689519d9ea13d9837b3f9cfaddd13979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
755d78b8784d90bfb4881886a10a25b8

SHA1
b7902d6ff5ad589895b5115cad5e7c499fccbc07

SHA256
59da6ef91817a3089ccf5ed70826afc6a10480cd122e2b0e1015154f7e56e486

SHA512
f5a582fc32d2f55363e93ca03b0878473c71fc505cb97df06fa9d8a9c11d9eb8762b8272660f3f2ca6a3c3d3b500a072935d9d60a3c54931f826f94852eae07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r2eoe22y.ovs.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\dSYHloKDMnp3.Goc0ahsTp7Wu

Filesize
438KB

MD5
18f594bbe2b381c9ef57c1561342c121

SHA1
c67beaa987fb3beb4e7376f41ca8733b147e38db

SHA256
8adb9596c1690e3d137724520b1af00e4f7a4eaf7b8c5c293481a417b3f7d93e

SHA512
69ee2eb5f14dfc066e13e0cc9a890dd38fd54cea2c028a41f4656f6904f604c0b5a1f6ff5af76fe4daa259eae70bdef6ab9e96e1fe147ece73eb684d2c7821ea

Download Submit
C:\Users\Public\Music\dSYHloKDMnp3.vbs

Filesize
258B

MD5
7f22ade6ffeebc3ef4ae7a1446c512c5

SHA1
34a5d0daec79bd3df0e16bbdc100dc61b5011df1

SHA256
3a171f85c4a09089532d265bdc823ce7c7c3ee3b648cb70220b2c3e226812b26

SHA512
3fdf5bad49343b43c043c7d68ea6b681d440ec915ad1ac95ffe113cdeea636569eb9f2438797184d6e705efe21f9c19f24a43b57ab2ca28951bc84256269613c

Download Submit
C:\Users\Public\Music\dSYHloKDMnp3.xml

Filesize
1KB

MD5
337ebf838c41967d4c8c28ca82c72e9b

SHA1
ae5f7c4553c9dbeeddf4b374f46f78770a0cb668

SHA256
46fef993675b60e18429979f91656b170bd23b2778932bfcbb98139db6319377

SHA512
a94b60cbc244fbd342f2ee894dc170afc2e54ba691867fe93316337c37ce1ad4f5ebc323c90d870dd38c0dac5ce1cd5f8f8855b0525a411734439906177701ea

Download Submit
memory/1800-0-0x00007FFC6E913000-0x00007FFC6E915000-memory.dmp

Filesize
8KB

Download
memory/1800-21-0x00007FFC6E910000-0x00007FFC6F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/1800-12-0x00007FFC6E910000-0x00007FFC6F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/1800-11-0x00007FFC6E910000-0x00007FFC6F3D1000-memory.dmp

Filesize
10.8MB

Download
memory/1800-1-0x00000190B4B80000-0x00000190B4BA2000-memory.dmp

Filesize
136KB

Download
memory/2548-97-0x0000016C654D0000-0x0000016C654DC000-memory.dmp

Filesize
48KB

Download
memory/2760-98-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/2760-113-0x00000000058C0000-0x0000000005E64000-memory.dmp

Filesize
5.6MB

Download
memory/2760-114-0x0000000005500000-0x0000000005592000-memory.dmp

Filesize
584KB

Download
memory/2760-115-0x0000000006290000-0x000000000629A000-memory.dmp

Filesize
40KB

Download