asyncrat | ca9af3c4717ffe322f5e2f02fc8745f5744f5e8397a87212246099b4c3e2a53d

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28/01/2025, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ca9af3c4717ffe322f5e2f02fc8745f5744f5e8397a87212246099b4c3e2a53d.ps1
Size

456KB
MD5

067e3f77fde1c988ac1d1413bafc29ae
SHA1

e2a17181441c1e573a47d7ef8c259bf9797be9e8
SHA256

ca9af3c4717ffe322f5e2f02fc8745f5744f5e8397a87212246099b4c3e2a53d
SHA512

740bd6be6b4eaa189b596abd56eb9fc48b7c7c31b7fb6990ca27c2ee4e2174a9a1e95b4aca2415b4ae59a3b358cbe12b23a44e145fab4fe7b8cdf4a2d669427f
SSDEEP

1536:g9dW/z20+u4dXNR8WrlDnqIuH7FWRGPP3jU86lsWST+HxYfn8qgy5J+LLg7WMJV8:gzaGD

Score

10^/10

asyncrat 00000001 discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | 3Losh

Botnet

00000001

81.10.39.58:7077

Mutex

AsyncMutex_alosh

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4404	powershell.exe
5108	powershell.exe
2628	powershell.exe
1988	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 5108 set thread context of 4060	5108	powershell.exe	100
PID 2628 set thread context of 4988	2628	powershell.exe	116
PID 4404 set thread context of 1080	4404	powershell.exe	126

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_compiler.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1988	powershell.exe
1988	powershell.exe
5108	powershell.exe
5108	powershell.exe
5012	msedge.exe
5012	msedge.exe
3508	msedge.exe
3508	msedge.exe
1276	identity_helper.exe
1276	identity_helper.exe
2628	powershell.exe
2628	powershell.exe
2628	powershell.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4460	msedge.exe
4404	powershell.exe
4404	powershell.exe
4404	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	5108	powershell.exe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	4404	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe
3508	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1988 wrote to memory of 3284	1988	powershell.exe	84
PID 1988 wrote to memory of 3284	1988	powershell.exe	84
PID 1988 wrote to memory of 4392	1988	powershell.exe	85
PID 1988 wrote to memory of 4392	1988	powershell.exe	85
PID 2420 wrote to memory of 5108	2420	WScript.exe	87
PID 2420 wrote to memory of 5108	2420	WScript.exe	87
PID 1988 wrote to memory of 3508	1988	powershell.exe	89
PID 1988 wrote to memory of 3508	1988	powershell.exe	89
PID 3508 wrote to memory of 1076	3508	msedge.exe	90
PID 3508 wrote to memory of 1076	3508	msedge.exe	90
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 1516	3508	msedge.exe	91
PID 3508 wrote to memory of 5012	3508	msedge.exe	92
PID 3508 wrote to memory of 5012	3508	msedge.exe	92
PID 3508 wrote to memory of 4796	3508	msedge.exe	93
PID 3508 wrote to memory of 4796	3508	msedge.exe	93
PID 3508 wrote to memory of 4796	3508	msedge.exe	93
PID 3508 wrote to memory of 4796	3508	msedge.exe	93
PID 3508 wrote to memory of 4796	3508	msedge.exe	93
PID 3508 wrote to memory of 4796	3508	msedge.exe	93
PID 3508 wrote to memory of 4796	3508	msedge.exe	93
PID 3508 wrote to memory of 4796	3508	msedge.exe	93
PID 3508 wrote to memory of 4796	3508	msedge.exe	93
PID 3508 wrote to memory of 4796	3508	msedge.exe	93
PID 3508 wrote to memory of 4796	3508	msedge.exe	93
PID 3508 wrote to memory of 4796	3508	msedge.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ca9af3c4717ffe322f5e2f02fc8745f5744f5e8397a87212246099b4c3e2a53d.ps1
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1988
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /Create /XML \Users\Public\Music\//UKqoc24IV1YQ.xml /TN MicrosoftEdgeUpdateTaskMachineCore6645
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3284
- C:\Windows\system32\schtasks.exe
  "C:\Windows\system32\schtasks.exe" /run /tn MicrosoftEdgeUpdateTaskMachineCore6645
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.ssa.gov/benefits/retirement/social-security-fairness-act.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc076f46f8,0x7ffc076f4708,0x7ffc076f4718
    3⤵
    PID:1076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2703879182685828346,14923472537725024749,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
    3⤵
    PID:1516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,2703879182685828346,14923472537725024749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,2703879182685828346,14923472537725024749,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
    3⤵
    PID:4796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2703879182685828346,14923472537725024749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
    3⤵
    PID:1436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2703879182685828346,14923472537725024749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
    3⤵
    PID:1584
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,2703879182685828346,14923472537725024749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
    3⤵
    PID:2724
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,2703879182685828346,14923472537725024749,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2703879182685828346,14923472537725024749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
    3⤵
    PID:2576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2703879182685828346,14923472537725024749,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
    3⤵
    PID:2420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2703879182685828346,14923472537725024749,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
    3⤵
    PID:3520
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2703879182685828346,14923472537725024749,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
    3⤵
    PID:3208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2703879182685828346,14923472537725024749,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4804 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4460

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\//UKqoc24IV1YQ.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $ZwzTcBdkMuj8='ReadAllText';$aNTjFb0kci9h='C:\Users\Public\Music\/UKqoc24IV1YQ.Zo5ULgMtQFzD';IEx([IO.File]::$ZwzTcBdkMuj8($aNTjFb0kci9h))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5108
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4376

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\//UKqoc24IV1YQ.vbs"
1⤵
- Checks computer location settings
PID:1680
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $ZwzTcBdkMuj8='ReadAllText';$aNTjFb0kci9h='C:\Users\Public\Music\/UKqoc24IV1YQ.Zo5ULgMtQFzD';IEx([IO.File]::$ZwzTcBdkMuj8($aNTjFb0kci9h))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2628
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4988

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Public\Music\//UKqoc24IV1YQ.vbs"
1⤵
- Checks computer location settings
PID:3604
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass $ZwzTcBdkMuj8='ReadAllText';$aNTjFb0kci9h='C:\Users\Public\Music\/UKqoc24IV1YQ.Zo5ULgMtQFzD';IEx([IO.File]::$ZwzTcBdkMuj8($aNTjFb0kci9h))
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
556084f2c6d459c116a69d6fedcc4105

SHA1
633e89b9a1e77942d822d14de6708430a3944dbc

SHA256
88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8

SHA512
0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_compiler.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
e055164e80d1fa85e21d755e67da0c2b

SHA1
bb8a201b5fcbae9ebaa947db28f42da339e48382

SHA256
3fa773a781552d22fec68872d91f5035d2445a9083f1bdffe3d8ec731c238e53

SHA512
edd45fd19d465f1d9f3a56a6428fec5cba7c20c2f4f5e87d08c825120e8322707eafeff3ec14b31bde8fb71cffd395a4925823e5671956eecc1f3321eeae7ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
932B

MD5
ac40942ae0adf0ef60eef2b3c4ccaca1

SHA1
043f555e50ab9d4c3df1b8d4b7e8ea8114f0e471

SHA256
a6d166cb2ee6f28b9e7e9674c10cb6d9a98b0df3fc4edd20540c4f0734821ad5

SHA512
df3fc6df466fbf802227114d1a1a85c72a823ad01e955dc9499ecc1cd0954d6534d52861e15363d869909c4a8cfd99f0cc9070bf123872def56619fdf422b5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
50a5bc3fc119155f0f5e7ed1ac42ca43

SHA1
b3d40ca1e6644185e8e36f2e10348995341bd448

SHA256
b89bb92017432e5afa8f1db7e4ccdd58bd0618e06ac0015da6342b350e9cd71b

SHA512
5e17bb095d4e168af06aa9fbc8d67f08ba606fca653a987d8bf5ecc6cf92691d7ef0ef9c8a7cd495a34be00ea4b477e2cc244dc50be3cc94d7b65f3f43d0548c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d764dcbf1baf62eb1844fd66259b0a3e

SHA1
4082e648c86551c87bb58477fc7800d4c40b76aa

SHA256
d9e6193531db88441167c42cf393f0450f5eef058790bb1fc0d38a3f701c7c9f

SHA512
4459bad221075d6b30b9038e3c073fa98189ad45eed81260b4cdad00fc6669089bef103f18060646b82996d9fa05e0f0641a25b59dc8c285ee20de834909da0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4a2c6526e64476f3fea0981480209f82

SHA1
1553302f14bdbfb82b85ab3758685d3a53adb522

SHA256
3fe1d0f8a8469a5a0dc32826888b6dbd99ccd6a59cbafe512e76c6f6a091aef7

SHA512
dc5f286819a622c7f1b1a567a3314680f247b0234ad586adf86cf30a8d413375e929ee2985096a2eb20a98555976dd728d618a42dbbda676dbb81fdfe639b878

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8b56ab7631860454473cf924d0e1da02

SHA1
cd3b8705f1008e1a2a19bd363ab0b291fd9ebd38

SHA256
5624dd2edd0d950b56787cd937043d9c43ad667ac5471090e21cc0d2313eaa18

SHA512
efe7cdf0dad52799a624c33878cacaca5bfeb08bc3fbb78cbdc768b92fa6c83e16b38dfd95a9fa4947d757b9ab276990fee02ae26abdea7b4fd32bf246c74f20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c593eeb27a50f272f65afe0f221b99bc

SHA1
74b8c49714c9cac3b933aadd1a96ad9643783efc

SHA256
a0cedf5d307a61f55af03922df242ea2d177ce34e0c65a06c10aa9784ae4f403

SHA512
8a287197771288694c2d2d20c7a67650e7468a26e272900d224dc7d2193959fe8dfe13b9e3e23012f718601e472e1ce5ad890dd6a96a12ffcfdd836801685247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ec484f5eba2f29de745101dfa991b523

SHA1
7c21ecc9206a1a9162f399a6034881f45947b340

SHA256
a64ce3f37231c19aed671a3f57c9be4faf8980fd9aff3c683fa3565abdcdedc2

SHA512
564252e7a8d5f95b8e047d9469b11ef45074a102a10fc20a22df1b7aabf089015854b632dbf6a62d3176b5543dc9cf11d66418b71220535207211569a38c9d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qaewu1uy.czo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Public\Music\UKqoc24IV1YQ.Zo5ULgMtQFzD

Filesize
454KB

MD5
734b815a3b58e39d3f057149914453e4

SHA1
e5c5e33d1885131b966067000218365513ed8f60

SHA256
a2a3798235c330d821f1682d2eb07c1588a7043af66af8e9794e01ef907f63e7

SHA512
de4d692cc3adf81e66a485068044fc0024ee1c910ed9c82dd7d94db7ff986ef68eec7968fb0ba5a2e4fafe7aec73b3a67e1a6da4058b7653b52c1aa6698cea67

Download Submit
C:\Users\Public\Music\UKqoc24IV1YQ.vbs

Filesize
258B

MD5
620fa0406400572ecf7c970d5b3d07c8

SHA1
2906d405ef76b605a6574b4d850f7e8d0f48b45d

SHA256
71f1108823ce5907d1145e6cc05f7ab19afa90e8903940cdcc9c7951fa3a256d

SHA512
e0ecd2e721c713cb79fb29010a45377bca42eb54ae6e3b641f96296f5b54d0086803d6473ed970e48bc55a182a8dbda8ecaf6b6fbf72aab87adba2fec8f6adfa

Download Submit
C:\Users\Public\Music\UKqoc24IV1YQ.xml

Filesize
1KB

MD5
1e9e5a7078dbd492a03f964006d34cf1

SHA1
743c617edc62c21ebdf62879c7fbc635863c8d9b

SHA256
148a4cb2733c2ffc9dd3f36229570eaf2dd925b0b5acb8a5b5f3e5adad218095

SHA512
d7788029ca86f05c4e7bd18bc24c665249c7108d757817c516efa7a22fb0f9e0b02d4ac4c6db95a143fcdb0351aae60ebc318963f39fb899d1f3204c5c300bc9

Download Submit
memory/1988-11-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/1988-0-0x00007FFC0E1E3000-0x00007FFC0E1E5000-memory.dmp

Filesize
8KB

Download
memory/1988-12-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/1988-20-0x00007FFC0E1E0000-0x00007FFC0ECA1000-memory.dmp

Filesize
10.8MB

Download
memory/1988-10-0x000001F4AA630000-0x000001F4AA652000-memory.dmp

Filesize
136KB

Download
memory/4060-95-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/5108-94-0x000002057BCC0000-0x000002057BCCC000-memory.dmp

Filesize
48KB

Download