asyncrat | 4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
08-02-2025 20:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ksUu.exe
Size

1.9MB
MD5

1f2be558a74cb83afab86147e70d87d6
SHA1

67aa1ef5fca4e3e720feb6080d0f1ac20b503b26
SHA256

4ce381358bde90843640ac7cc0d59f4c4066adf1f26db2e6ba4130e9f72b6af8
SHA512

5f8af4ea3bd3a5078b91d086ef1d4d1a9d88f2065621eb76ce21573e02144deab5f6e33d65a0525caff1387e5bbfa1ea4bb3f288e60045efcf7a82d5f57e87a9
SSDEEP

49152:33X/qQfkYzgrW/r1DNKHOkjSKwgRVRm9SMHGVa52a:nTfccDMRSKTVRmQi3

Score

10^/10

asyncrat venomrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

v1.2.2

Botnet

Default

27.124.4.150:51311

Mutex

owgonhhweps

Attributes

delay
5
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

VenomRAT 1 IoCs

Detects VenomRAT.

rat

resource	yara_rule
behavioral2/memory/4824-79-0x00000000031D0000-0x00000000031E2000-memory.dmp	VenomRAT

Venomrat family
venomrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4824-79-0x00000000031D0000-0x00000000031E2000-memory.dmp	family_asyncrat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
35	3040	Process not Found

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2499155680-3253481302-763015360-1000\Control Panel\International\Geo\Nation	ksUu.tmp

Executes dropped EXE 6 IoCs

pid	Process
3156	ksUu.tmp
3432	ksUu.tmp
856	msedgewebview2.exe
4424	msedgewebview2.exe
1720	msedgewebview2.exe
3376	msedgewebview2.exe

Loads dropped DLL 15 IoCs

pid	Process
856	msedgewebview2.exe
4424	msedgewebview2.exe
4824	regsvr32.exe
1720	msedgewebview2.exe
1640	regsvr32.exe
4744	regsvr32.exe
1532	regsvr32.exe
4408	regsvr32.exe
1020	regsvr32.exe
3376	msedgewebview2.exe
456	regsvr32.exe
1348	regsvr32.exe
3092	regsvr32.exe
1708	regsvr32.exe
3036	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4356	powershell.exe
1452	powershell.exe
1896	powershell.exe
4416	powershell.exe
1852	powershell.exe
2336	powershell.exe
5080	powershell.exe
1832	powershell.exe
3108	powershell.exe
4052	powershell.exe
740	powershell.exe
1076	powershell.exe

Enumerates processes with tasklist 1 TTPs 11 IoCs

discovery

Process Discovery

T1057

pid	Process
4660	tasklist.exe
3844	tasklist.exe
552	tasklist.exe
212	tasklist.exe
3640	tasklist.exe
1500	tasklist.exe
1876	tasklist.exe
3076	tasklist.exe
2632	tasklist.exe
2164	tasklist.exe
4948	tasklist.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksUu.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksUu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksUu.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ksUu.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1192	MicrosoftEdgeUpdate.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
3432	ksUu.tmp
3432	ksUu.tmp
5080	powershell.exe
5080	powershell.exe
4356	powershell.exe
4356	powershell.exe
4824	regsvr32.exe
4824	regsvr32.exe
4824	regsvr32.exe
4824	regsvr32.exe
4824	regsvr32.exe
4824	regsvr32.exe
1832	powershell.exe
1832	powershell.exe
4824	regsvr32.exe
1452	powershell.exe
1452	powershell.exe
1896	powershell.exe
1896	powershell.exe
4416	powershell.exe
4416	powershell.exe
1852	powershell.exe
1852	powershell.exe
4824	regsvr32.exe
4824	regsvr32.exe
4824	regsvr32.exe
3108	powershell.exe
3108	powershell.exe
4052	powershell.exe
4052	powershell.exe
740	powershell.exe
740	powershell.exe
1076	powershell.exe
1076	powershell.exe
2336	powershell.exe
2336	powershell.exe
4824	regsvr32.exe
4824	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeIncreaseQuotaPrivilege	5080	powershell.exe
Token: SeSecurityPrivilege	5080	powershell.exe
Token: SeTakeOwnershipPrivilege	5080	powershell.exe
Token: SeLoadDriverPrivilege	5080	powershell.exe
Token: SeSystemProfilePrivilege	5080	powershell.exe
Token: SeSystemtimePrivilege	5080	powershell.exe
Token: SeProfSingleProcessPrivilege	5080	powershell.exe
Token: SeIncBasePriorityPrivilege	5080	powershell.exe
Token: SeCreatePagefilePrivilege	5080	powershell.exe
Token: SeBackupPrivilege	5080	powershell.exe
Token: SeRestorePrivilege	5080	powershell.exe
Token: SeShutdownPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeSystemEnvironmentPrivilege	5080	powershell.exe
Token: SeRemoteShutdownPrivilege	5080	powershell.exe
Token: SeUndockPrivilege	5080	powershell.exe
Token: SeManageVolumePrivilege	5080	powershell.exe
Token: 33	5080	powershell.exe
Token: 34	5080	powershell.exe
Token: 35	5080	powershell.exe
Token: 36	5080	powershell.exe
Token: SeIncreaseQuotaPrivilege	5080	powershell.exe
Token: SeSecurityPrivilege	5080	powershell.exe
Token: SeTakeOwnershipPrivilege	5080	powershell.exe
Token: SeLoadDriverPrivilege	5080	powershell.exe
Token: SeSystemProfilePrivilege	5080	powershell.exe
Token: SeSystemtimePrivilege	5080	powershell.exe
Token: SeProfSingleProcessPrivilege	5080	powershell.exe
Token: SeIncBasePriorityPrivilege	5080	powershell.exe
Token: SeCreatePagefilePrivilege	5080	powershell.exe
Token: SeBackupPrivilege	5080	powershell.exe
Token: SeRestorePrivilege	5080	powershell.exe
Token: SeShutdownPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeSystemEnvironmentPrivilege	5080	powershell.exe
Token: SeRemoteShutdownPrivilege	5080	powershell.exe
Token: SeUndockPrivilege	5080	powershell.exe
Token: SeManageVolumePrivilege	5080	powershell.exe
Token: 33	5080	powershell.exe
Token: 34	5080	powershell.exe
Token: 35	5080	powershell.exe
Token: 36	5080	powershell.exe
Token: SeIncreaseQuotaPrivilege	5080	powershell.exe
Token: SeSecurityPrivilege	5080	powershell.exe
Token: SeTakeOwnershipPrivilege	5080	powershell.exe
Token: SeLoadDriverPrivilege	5080	powershell.exe
Token: SeSystemProfilePrivilege	5080	powershell.exe
Token: SeSystemtimePrivilege	5080	powershell.exe
Token: SeProfSingleProcessPrivilege	5080	powershell.exe
Token: SeIncBasePriorityPrivilege	5080	powershell.exe
Token: SeCreatePagefilePrivilege	5080	powershell.exe
Token: SeBackupPrivilege	5080	powershell.exe
Token: SeRestorePrivilege	5080	powershell.exe
Token: SeShutdownPrivilege	5080	powershell.exe
Token: SeDebugPrivilege	5080	powershell.exe
Token: SeSystemEnvironmentPrivilege	5080	powershell.exe
Token: SeRemoteShutdownPrivilege	5080	powershell.exe
Token: SeUndockPrivilege	5080	powershell.exe
Token: SeManageVolumePrivilege	5080	powershell.exe
Token: 33	5080	powershell.exe
Token: 34	5080	powershell.exe
Token: 35	5080	powershell.exe
Token: 36	5080	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3432	ksUu.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4824	regsvr32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 3156	1264	ksUu.exe	87
PID 1264 wrote to memory of 3156	1264	ksUu.exe	87
PID 1264 wrote to memory of 3156	1264	ksUu.exe	87
PID 3156 wrote to memory of 3924	3156	ksUu.tmp	90
PID 3156 wrote to memory of 3924	3156	ksUu.tmp	90
PID 3156 wrote to memory of 3924	3156	ksUu.tmp	90
PID 3924 wrote to memory of 3432	3924	ksUu.exe	91
PID 3924 wrote to memory of 3432	3924	ksUu.exe	91
PID 3924 wrote to memory of 3432	3924	ksUu.exe	91
PID 3432 wrote to memory of 856	3432	ksUu.tmp	92
PID 3432 wrote to memory of 856	3432	ksUu.tmp	92
PID 856 wrote to memory of 5080	856	msedgewebview2.exe	93
PID 856 wrote to memory of 5080	856	msedgewebview2.exe	93
PID 856 wrote to memory of 4424	856	msedgewebview2.exe	96
PID 856 wrote to memory of 4424	856	msedgewebview2.exe	96
PID 4424 wrote to memory of 4356	4424	msedgewebview2.exe	97
PID 4424 wrote to memory of 4356	4424	msedgewebview2.exe	97
PID 4424 wrote to memory of 552	4424	msedgewebview2.exe	99
PID 4424 wrote to memory of 552	4424	msedgewebview2.exe	99
PID 4424 wrote to memory of 4824	4424	msedgewebview2.exe	101
PID 4424 wrote to memory of 4824	4424	msedgewebview2.exe	101
PID 1720 wrote to memory of 1832	1720	msedgewebview2.exe	113
PID 1720 wrote to memory of 1832	1720	msedgewebview2.exe	113
PID 1720 wrote to memory of 2632	1720	msedgewebview2.exe	115
PID 1720 wrote to memory of 2632	1720	msedgewebview2.exe	115
PID 1720 wrote to memory of 1640	1720	msedgewebview2.exe	117
PID 1720 wrote to memory of 1640	1720	msedgewebview2.exe	117
PID 1720 wrote to memory of 1452	1720	msedgewebview2.exe	118
PID 1720 wrote to memory of 1452	1720	msedgewebview2.exe	118
PID 1720 wrote to memory of 2164	1720	msedgewebview2.exe	120
PID 1720 wrote to memory of 2164	1720	msedgewebview2.exe	120
PID 1720 wrote to memory of 4744	1720	msedgewebview2.exe	122
PID 1720 wrote to memory of 4744	1720	msedgewebview2.exe	122
PID 1720 wrote to memory of 1896	1720	msedgewebview2.exe	123
PID 1720 wrote to memory of 1896	1720	msedgewebview2.exe	123
PID 1720 wrote to memory of 212	1720	msedgewebview2.exe	125
PID 1720 wrote to memory of 212	1720	msedgewebview2.exe	125
PID 1720 wrote to memory of 1532	1720	msedgewebview2.exe	127
PID 1720 wrote to memory of 1532	1720	msedgewebview2.exe	127
PID 1720 wrote to memory of 4416	1720	msedgewebview2.exe	128
PID 1720 wrote to memory of 4416	1720	msedgewebview2.exe	128
PID 1720 wrote to memory of 4948	1720	msedgewebview2.exe	130
PID 1720 wrote to memory of 4948	1720	msedgewebview2.exe	130
PID 1720 wrote to memory of 4408	1720	msedgewebview2.exe	132
PID 1720 wrote to memory of 4408	1720	msedgewebview2.exe	132
PID 1720 wrote to memory of 1852	1720	msedgewebview2.exe	133
PID 1720 wrote to memory of 1852	1720	msedgewebview2.exe	133
PID 1720 wrote to memory of 3640	1720	msedgewebview2.exe	135
PID 1720 wrote to memory of 3640	1720	msedgewebview2.exe	135
PID 1720 wrote to memory of 1020	1720	msedgewebview2.exe	137
PID 1720 wrote to memory of 1020	1720	msedgewebview2.exe	137
PID 3376 wrote to memory of 3108	3376	msedgewebview2.exe	145
PID 3376 wrote to memory of 3108	3376	msedgewebview2.exe	145
PID 3376 wrote to memory of 4660	3376	msedgewebview2.exe	147
PID 3376 wrote to memory of 4660	3376	msedgewebview2.exe	147
PID 3376 wrote to memory of 456	3376	msedgewebview2.exe	149
PID 3376 wrote to memory of 456	3376	msedgewebview2.exe	149
PID 3376 wrote to memory of 4052	3376	msedgewebview2.exe	150
PID 3376 wrote to memory of 4052	3376	msedgewebview2.exe	150
PID 3376 wrote to memory of 1500	3376	msedgewebview2.exe	152
PID 3376 wrote to memory of 1500	3376	msedgewebview2.exe	152
PID 3376 wrote to memory of 1348	3376	msedgewebview2.exe	154
PID 3376 wrote to memory of 1348	3376	msedgewebview2.exe	154
PID 3376 wrote to memory of 740	3376	msedgewebview2.exe	155

C:\Users\Admin\AppData\Local\Temp\ksUu.exe
"C:\Users\Admin\AppData\Local\Temp\ksUu.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\is-36017.tmp\ksUu.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-36017.tmp\ksUu.tmp" /SL5="$70298,1610660,141312,C:\Users\Admin\AppData\Local\Temp\ksUu.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\ksUu.exe
    "C:\Users\Admin\AppData\Local\Temp\ksUu.exe" /VERYSILENT
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\is-BQBDK.tmp\ksUu.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-BQBDK.tmp\ksUu.tmp" /SL5="$60110,1610660,141312,C:\Users\Admin\AppData\Local\Temp\ksUu.exe" /VERYSILENT
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3432
    - - C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\\NVIDIA app\\864\\msedgewebview2.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:856
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5080
      - C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe
        
        "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:4424
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4356
        
        C:\Windows\system32\tasklist.exe
        
        "tasklist" /FI "IMAGENAME eq regsvr32.exe"
        7⤵
        Enumerates processes with tasklist
        
        PID:552
        
        C:\Windows\system32\regsvr32.exe
        
        "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
        7⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:4824

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MEY5Q0UwQjEtREY0OC00OUJBLUJGODYtRjM3RTYyODNFNjBBfSIgdXNlcmlkPSJ7Qjk4MjI1NjktQTIxOS00NkI3LTk4MUYtN0RERkQzQzY1QThDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7M0E1MTg1RUEtMTU0MC00QjI5LUJFRUMtMzM5QzlEMUQ0M0YwfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDQ0OTciIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxNjkzODEzMjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MTYzMjQ4NjM3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1192

C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe
"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1832
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:2632
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1452
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:2164
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:4744
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1896
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:212
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:1532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4416
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:4948
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:4408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1852
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:3640
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:1020

C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe
"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3108
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:4660
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:456
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4052
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:1500
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:1348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:740
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:3844
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:3092
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1076
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:1876
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:1708
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{69A0DE0B-0647-467A-BA31-E1878E3C76B8}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0) -RunLevel Highest"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2336
- C:\Windows\system32\tasklist.exe
  "tasklist" /FI "IMAGENAME eq regsvr32.exe"
  2⤵
  - Enumerates processes with tasklist
  PID:3076
- C:\Windows\system32\regsvr32.exe
  "regsvr32" /s /i:SYNC "C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll"
  2⤵
  - Loads dropped DLL
  PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
fee026663fcb662152188784794028ee

SHA1
3c02a26a9cb16648fad85c6477b68ced3cb0cb45

SHA256
dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

SHA512
7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0c77ce1db08e7f1b2bc9896a13b4f7a5

SHA1
3de7b852f908b16834f9484bce8eebd4d7389ec1

SHA256
dcb3cb7065cee59e6f4e62405ef4c5418a04a35a1ac04db0b846851bc7ec967f

SHA512
5244fa2ce993c07dfbbeac86360c2e49e86c0957a016624251e917223b0d1c0afd5fefdf17b397b298c194b5699c8696dd7e59f379d6eae98665be361f077b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f54d80e9f1fadc3bcd439a5afb11f61f

SHA1
c751131196cacbf248b0278e2dd8ff59e49d5385

SHA256
495d7c5fb521935fdd34065b6041bbb7df83e2d6e0ba4dab9a9ab528ced8175a

SHA512
3d9dce58f6483795cdd440d17bc80d19a53512bc65e44bc50af878af2f1b85419f7ae0fda264da63a0d8b4b5bf27715258990a37ad17a6d1afbfe20fd92ab534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f25c85b2bb354d280391b5de0f2e74e6

SHA1
8255ba9443f52eaee33c1483e4b00217bcc0bed6

SHA256
59d0837a17ff3728035f1b7d7a6be1410cb76796ad4e9c261ec5334d751a8f3b

SHA512
927c91edc8ae45c3136ba2bf5cf640abaabd08472f390cebaf1f1edcf084217ed370bbcebf675010a207ebed1105ff6fd02c4865848f3180a6cc616d3b56b2e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
51ff4fcaf5a554450288e890fcaee19b

SHA1
52092330071b70daddf3ce60fc0d2ea3c2f9fc35

SHA256
fb380e1e9b615cc529cd0c87054fbee6c627dade76d09e29da90c75b8e327984

SHA512
3e879501f7da86d3b022bf4729d5c317b22100e8605ae8e3374b005b57390cfda4b41b097396eabc0050406c95b715b9d36f8fa21f6aa1a8ab6540bc976e32dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2ac3c9ba89b8c2ef19c601ecebb82157

SHA1
a239a4b11438c00e5ff89ebd4a804ede6a01935b

SHA256
3c2714ce07f8c04b3f8222dfe50d8ae08f548b0e6e79fe33d08bf6f4c2e5143e

SHA512
b1221d29e747b37071761b2509e9109b522cce6411f73f27c9428ac332d26b9f413ae6b8c0aeac1afb7fab2d0b3b1c4af189da12fe506287596df2ef8f083432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5d2242ff9dc07b67553123b3c939974d

SHA1
ec7b42a468cdb04f1403cd18f67aa4d5af6c5a7f

SHA256
27845ed84cb47c4ba2883bdd75c0a0be7035060f6ac845ca256a391bee640716

SHA512
25b081ed892b9bc03a7f77c16d110fdc8f03d118689f9773fff258e78a65c0e94c01886e01a4ba0cf5cb7bdb0d7e1e1babb58e1db4ba2582a4e1125b80ebd0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oke2dr3r.yc0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-36017.tmp\ksUu.tmp

Filesize
1.1MB

MD5
8fdc58c7d4c59472615682d6dea9d190

SHA1
8e131fe09fd238493719b4fd92e6c833bf3596c1

SHA256
26a5be637ee680b1ec11d1adf2fd0972cc52078cbd200d9273f8bb826707c83b

SHA512
b05b9fd8ff3d627b562cbd2968466fb54adbc2fa5591ebe803300a3c5ef7887bc1761d8013b47aab0f5387265c8b7b15078a01abb75d4c3180671780181ebe24

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O49M1.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedge_elf.dll

Filesize
792KB

MD5
49b060366422b6af60958aeb35f1eb06

SHA1
50240c19542c8a61507d169757ed91a4e801f2f5

SHA256
589715ba10dcb4ff605571fb03e3d6fd79214e659868aa36512a0bde3214283d

SHA512
f6ef75a3568aad0d302c1804acf9157ef95906b84e4e75b1f5955912eba30ecf2f7aa80600f9b9754dfc4b6f015a2607a70ad16ae80fbdea4d0ea09173c60233

Download Submit
C:\Users\Admin\AppData\Roaming\NVIDIA app\864\msedgewebview2.exe

Filesize
3.2MB

MD5
71fdf2d301949413f8b14e0f12c2e0f5

SHA1
c57e8eff6bfc0be6420e97cfd6de895c937fd5b7

SHA256
1e7e2c05c6c634aa7f11c8c217bf9c21fbe336f128d744fbaf3fc91d643925a0

SHA512
752fe30b893a1e0a0fbd93fb91dceea2b88f5e1c067e8f780fbedcf1fd4a11ec1317d65bbc3c11086926a2d37a49e5f519c40f7d65dba335079dc2044dd53f58

Download Submit
memory/856-81-0x00007FFDAF880000-0x00007FFDAF929000-memory.dmp

Filesize
676KB

Download
memory/1264-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/1264-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1264-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1720-172-0x00007FFDAF880000-0x00007FFDAF929000-memory.dmp

Filesize
676KB

Download
memory/3156-17-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/3156-7-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/3376-263-0x00007FFDAF880000-0x00007FFDAF929000-memory.dmp

Filesize
676KB

Download
memory/3432-44-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/3432-27-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/3924-45-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3924-16-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3924-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4424-82-0x00007FFDAF880000-0x00007FFDAF929000-memory.dmp

Filesize
676KB

Download
memory/4824-83-0x00007FFDAF880000-0x00007FFDAF929000-memory.dmp

Filesize
676KB

Download
memory/4824-79-0x00000000031D0000-0x00000000031E2000-memory.dmp

Filesize
72KB

Download
memory/4824-269-0x00007FFDAF880000-0x00007FFDAF929000-memory.dmp

Filesize
676KB

Download
memory/5080-46-0x000001E926D60000-0x000001E926D82000-memory.dmp

Filesize
136KB

Download