asyncrat | hxxps://linkgenie[.]me/ec366

General

Target

https://linkgenie.me/ec366

Score

10^/10

asyncrat rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat

Async RAT payload 5 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Explorers.exe	asyncrat
C:\Users\Admin\AppData\Local\Explorers.exe	asyncrat
behavioral1/memory/2644-139-0x0000000000FE0000-0x0000000001000000-memory.dmp	asyncrat
C:\Users\Admin\AppData\Roaming\Explorer.exe	asyncrat
C:\Users\Admin\AppData\Roaming\Explorer.exe	asyncrat

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

Explorers.exeExplorer.exe

pid process

2644 Explorers.exe
3788 Explorer.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

Hypixel Dupe.exe

pid process

1716 Hypixel Dupe.exe
1716 Hypixel Dupe.exe
1716 Hypixel Dupe.exe
1716 Hypixel Dupe.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1124 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3248 timeout.exe

pid	process
2644	Explorers.exe
3788	Explorer.exe

pid	process
1716	Hypixel Dupe.exe
1716	Hypixel Dupe.exe
1716	Hypixel Dupe.exe
1716	Hypixel Dupe.exe

pid	process
1124	schtasks.exe

pid	process
3248	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeHypixel Dupe.exepowershell.exeExplorers.exe

pid	process
816	chrome.exe
816	chrome.exe
2732	chrome.exe
2732	chrome.exe
3304	chrome.exe
3304	chrome.exe
1948	chrome.exe
1948	chrome.exe
3116	chrome.exe
3116	chrome.exe
3948	chrome.exe
3948	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
2348	chrome.exe
1716	Hypixel Dupe.exe
1716	Hypixel Dupe.exe
1716	Hypixel Dupe.exe
3236	powershell.exe
3236	powershell.exe
3236	powershell.exe
2644	Explorers.exe
2644	Explorers.exe
2644	Explorers.exe
2644	Explorers.exe
2644	Explorers.exe
2644	Explorers.exe
2644	Explorers.exe
2644	Explorers.exe
2644	Explorers.exe
2644	Explorers.exe
2644	Explorers.exe
2644	Explorers.exe
2644	Explorers.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

Processes:

chrome.exe

pid	process
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Hypixel Dupe.exepowershell.exeExplorers.exeExplorer.exe

description	pid	process
Token: SeDebugPrivilege	1716	Hypixel Dupe.exe
Token: SeDebugPrivilege	3236	powershell.exe
Token: SeDebugPrivilege	2644	Explorers.exe
Token: SeDebugPrivilege	3788	Explorer.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

chrome.exe

pid	process
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe
2732	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Hypixel Dupe.exe

pid process

1716 Hypixel Dupe.exe
1716 Hypixel Dupe.exe

pid	process
1716	Hypixel Dupe.exe
1716	Hypixel Dupe.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2732 wrote to memory of 2748	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 2748	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 852	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 816	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 816	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe
PID 2732 wrote to memory of 3312	2732	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://linkgenie.me/ec366
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff38b94f50,0x7fff38b94f60,0x7fff38b94f70
2⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1844 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1544 /prefetch:2
2⤵
PID:852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2148 /prefetch:8
2⤵
PID:3312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2868 /prefetch:1
2⤵
PID:3876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1
2⤵
PID:3856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4116 /prefetch:8
2⤵
PID:400

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
2⤵
PID:3944

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
2⤵
PID:1428

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
2⤵
PID:1572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
2⤵
PID:1940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
2⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2884 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3396 /prefetch:8
2⤵
PID:832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
2⤵
PID:2976

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6000 /prefetch:8
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4428 /prefetch:8
2⤵
PID:1300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4532 /prefetch:8
2⤵
PID:2836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4716 /prefetch:8
2⤵
PID:3888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4844 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6072 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6048 /prefetch:8
2⤵
PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5644 /prefetch:8
2⤵
PID:2736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6064 /prefetch:8
2⤵
PID:596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4392 /prefetch:8
2⤵
PID:1932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 /prefetch:8
2⤵
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2204 /prefetch:8
2⤵
PID:1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4436 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4112 /prefetch:8
2⤵
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2024 /prefetch:1
2⤵
PID:2520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5056 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6160 /prefetch:8
2⤵
PID:3492

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
2⤵
PID:2744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
2⤵
PID:3884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
2⤵
PID:2668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6508 /prefetch:8
2⤵
PID:3456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6516 /prefetch:8
2⤵
PID:3076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4092 /prefetch:8
2⤵
PID:1532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4488 /prefetch:8
2⤵
PID:368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1524,7746215820066086759,5636627073910517410,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6024 /prefetch:8
2⤵
PID:404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\Temp1_Hypixel Dupe.zip\Hypixel Dupe.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Hypixel Dupe.zip\Hypixel Dupe.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1716

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c powershell Add-MpPreference -ExclusionPath C:\
2⤵
PID:3780

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Add-MpPreference -ExclusionPath C:\
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start C:\Users\Admin\AppData\Local\Explorers.exe
2⤵
PID:3056

C:\Users\Admin\AppData\Local\Explorers.exe
C:\Users\Admin\AppData\Local\Explorers.exe
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Explorer" /tr '"C:\Users\Admin\AppData\Roaming\Explorer.exe"' & exit
4⤵
PID:2236

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "Explorer" /tr '"C:\Users\Admin\AppData\Roaming\Explorer.exe"'
5⤵
- Creates scheduled task(s)
PID:1124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE10B.tmp.bat""
4⤵
PID:3972

C:\Windows\SysWOW64\timeout.exe
timeout 3
5⤵
- Delays execution with timeout.exe
PID:3248

C:\Users\Admin\AppData\Roaming\Explorer.exe
"C:\Users\Admin\AppData\Roaming\Explorer.exe"
5⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Explorers.exe
MD5
f2930c520093a896d4ef50c0995d694b

SHA1
dc3c34e22dce34ca017fe3c70f9174050fb8c798

SHA256
22f63744dff94230d8020a41e86e9c542183c8565b400c93a6c5cbc42479c81f

SHA512
0e8de70fe0ca3682088f4f29bd0d6d66d32aba096a7e95b6646642b72f724de18c07970d6b3585a5f671c6e830996d89214305e2d7c728560c71e99723e6a62e

Download Submit
C:\Users\Admin\AppData\Local\Explorers.exe
MD5
f2930c520093a896d4ef50c0995d694b

SHA1
dc3c34e22dce34ca017fe3c70f9174050fb8c798

SHA256
22f63744dff94230d8020a41e86e9c542183c8565b400c93a6c5cbc42479c81f

SHA512
0e8de70fe0ca3682088f4f29bd0d6d66d32aba096a7e95b6646642b72f724de18c07970d6b3585a5f671c6e830996d89214305e2d7c728560c71e99723e6a62e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE10B.tmp.bat
MD5
774b2f54fe8c1f5ed2be32f6b66a9c9c

SHA1
5842ac0b8b36f614171f7cd7ae3e2e5970aae34f

SHA256
63004866e51aab9085045eebc07be942aac640903a1f3977cf2e74bea834337b

SHA512
9b1b318051586648769a33c9b7ff0acbc3c3c9b61b165e456037f32a9405cab43dbfe602fe4603a6eab551ea49363e94a08e64b0207014e7e233aaab1575a39e

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer.exe
MD5
f2930c520093a896d4ef50c0995d694b

SHA1
dc3c34e22dce34ca017fe3c70f9174050fb8c798

SHA256
22f63744dff94230d8020a41e86e9c542183c8565b400c93a6c5cbc42479c81f

SHA512
0e8de70fe0ca3682088f4f29bd0d6d66d32aba096a7e95b6646642b72f724de18c07970d6b3585a5f671c6e830996d89214305e2d7c728560c71e99723e6a62e

Download Submit
C:\Users\Admin\AppData\Roaming\Explorer.exe
MD5
f2930c520093a896d4ef50c0995d694b

SHA1
dc3c34e22dce34ca017fe3c70f9174050fb8c798

SHA256
22f63744dff94230d8020a41e86e9c542183c8565b400c93a6c5cbc42479c81f

SHA512
0e8de70fe0ca3682088f4f29bd0d6d66d32aba096a7e95b6646642b72f724de18c07970d6b3585a5f671c6e830996d89214305e2d7c728560c71e99723e6a62e

Download Submit
\??\pipe\crashpad_2732_EPRGTZKWLWDJOLQV
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1716-119-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/1716-120-0x00000000003D0000-0x00000000007EE000-memory.dmp

Filesize
4.1MB

Download
memory/1716-121-0x0000000003C60000-0x0000000003D80000-memory.dmp

Filesize
1.1MB

Download
memory/2644-213-0x0000000006210000-0x00000000062AC000-memory.dmp

Filesize
624KB

Download
memory/2644-142-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/2644-139-0x0000000000FE0000-0x0000000001000000-memory.dmp

Filesize
128KB

Download
memory/3236-128-0x00000000072F0000-0x0000000007312000-memory.dmp

Filesize
136KB

Download
memory/3236-155-0x0000000009A10000-0x0000000009AA4000-memory.dmp

Filesize
592KB

Download
memory/3236-134-0x0000000008560000-0x00000000085D6000-memory.dmp

Filesize
472KB

Download
memory/3236-132-0x0000000007D20000-0x0000000007D3C000-memory.dmp

Filesize
112KB

Download
memory/3236-131-0x0000000007ED0000-0x0000000008220000-memory.dmp

Filesize
3.3MB

Download
memory/3236-130-0x0000000007400000-0x0000000007466000-memory.dmp

Filesize
408KB

Download
memory/3236-129-0x0000000007390000-0x00000000073F6000-memory.dmp

Filesize
408KB

Download
memory/3236-147-0x0000000009750000-0x0000000009783000-memory.dmp

Filesize
204KB

Download
memory/3236-148-0x00000000089B0000-0x00000000089CE000-memory.dmp

Filesize
120KB

Download
memory/3236-153-0x000000007F8C0000-0x000000007F8C1000-memory.dmp

Filesize
4KB

Download
memory/3236-154-0x0000000009880000-0x0000000009925000-memory.dmp

Filesize
660KB

Download
memory/3236-133-0x0000000007D60000-0x0000000007DAB000-memory.dmp

Filesize
300KB

Download
memory/3236-157-0x0000000006EC3000-0x0000000006EC4000-memory.dmp

Filesize
4KB

Download
memory/3236-127-0x0000000007500000-0x0000000007B28000-memory.dmp

Filesize
6.2MB

Download
memory/3236-125-0x0000000006EC0000-0x0000000006EC1000-memory.dmp

Filesize
4KB

Download
memory/3236-126-0x0000000006EC2000-0x0000000006EC3000-memory.dmp

Filesize
4KB

Download
memory/3236-124-0x0000000006DE0000-0x0000000006E16000-memory.dmp

Filesize
216KB

Download
memory/3236-359-0x0000000009720000-0x0000000009728000-memory.dmp

Filesize
32KB

Download
memory/3236-354-0x0000000009730000-0x000000000974A000-memory.dmp

Filesize
104KB

Download
memory/3788-231-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/3788-373-0x0000000006430000-0x000000000692E000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads