asyncrat | ad5759eb050f0a4d2efee58b935d0ad1a314299de5461fa67bb7d10b77150fed

Analysis

max time kernel
1798s
max time network
1166s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VulturiStealer.zip
Size

305KB
MD5

310fe8b0fb9bb423fa65b93bbbbd2b93
SHA1

84d9794994cc43ecc98fc982e3b429022cc1b17d
SHA256

ad5759eb050f0a4d2efee58b935d0ad1a314299de5461fa67bb7d10b77150fed
SHA512

e7348c95707deab680894476942003b15e329650fcf88bba6dba342ef5983ae8abddae81f35225b7778b9ce6347942b82deec908cbfd50c02c19ef93cbeadba6
SSDEEP

6144:ZXbmsirssnoBRtMUVEq0ru8x3MGb50uicPYaCmUFGDQc0Ms82iDaelmNhZqT:ZXbmsJBRyZxcGbA/m/EpTuMNDqT

Score

10^/10

asyncrat microtex rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Microtex

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:4444

Mutex

0UQeXDJaDUAl

Attributes

delay
3
install
true
install_file
Mircorsoft Store.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000400000000074f-251.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
1996	Mircorsoft Store.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2556	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2012	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133527232729803297"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2292	chrome.exe
2292	chrome.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe
4728	CL.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe
Token: SeShutdownPrivilege	2292	chrome.exe
Token: SeCreatePagefilePrivilege	2292	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe
2292	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2292 wrote to memory of 3076	2292	chrome.exe	96
PID 2292 wrote to memory of 3076	2292	chrome.exe	96
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 4376	2292	chrome.exe	97
PID 2292 wrote to memory of 5100	2292	chrome.exe	101
PID 2292 wrote to memory of 5100	2292	chrome.exe	101
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98
PID 2292 wrote to memory of 3616	2292	chrome.exe	98

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\VulturiStealer.zip
1⤵
PID:1468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7fff33289758,0x7fff33289768,0x7fff33289778
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 --field-trial-handle=1908,i,11271603181378631412,11662158446052136249,131072 /prefetch:2
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 --field-trial-handle=1908,i,11271603181378631412,11662158446052136249,131072 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3028 --field-trial-handle=1908,i,11271603181378631412,11662158446052136249,131072 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1908,i,11271603181378631412,11662158446052136249,131072 /prefetch:1
  2⤵
  PID:1644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2004 --field-trial-handle=1908,i,11271603181378631412,11662158446052136249,131072 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4672 --field-trial-handle=1908,i,11271603181378631412,11662158446052136249,131072 /prefetch:1
  2⤵
  PID:772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1908,i,11271603181378631412,11662158446052136249,131072 /prefetch:8
  2⤵
  PID:4160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5288 --field-trial-handle=1908,i,11271603181378631412,11662158446052136249,131072 /prefetch:8
  2⤵
  PID:3248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 --field-trial-handle=1908,i,11271603181378631412,11662158446052136249,131072 /prefetch:8
  2⤵
  PID:3140
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5288 --field-trial-handle=1908,i,11271603181378631412,11662158446052136249,131072 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 --field-trial-handle=1908,i,11271603181378631412,11662158446052136249,131072 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5620 --field-trial-handle=1908,i,11271603181378631412,11662158446052136249,131072 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5576 --field-trial-handle=1908,i,11271603181378631412,11662158446052136249,131072 /prefetch:1
  2⤵
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 --field-trial-handle=1908,i,11271603181378631412,11662158446052136249,131072 /prefetch:8
  2⤵
  PID:1068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 --field-trial-handle=1908,i,11271603181378631412,11662158446052136249,131072 /prefetch:8
  2⤵
  PID:4556

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4348

C:\Users\Admin\Downloads\VulturiStealer\Vulturi\CL.exe
"C:\Users\Admin\Downloads\VulturiStealer\Vulturi\CL.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4728
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Mircorsoft Store" /tr '"C:\Users\Admin\AppData\Roaming\Mircorsoft Store.exe"' & exit
  2⤵
  PID:2508
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Mircorsoft Store" /tr '"C:\Users\Admin\AppData\Roaming\Mircorsoft Store.exe"'
    3⤵
    - Creates scheduled task(s)
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5DD6.tmp.bat""
  2⤵
  PID:1544
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2012
- - C:\Users\Admin\AppData\Roaming\Mircorsoft Store.exe
    "C:\Users\Admin\AppData\Roaming\Mircorsoft Store.exe"
    3⤵
    - Executes dropped EXE
    PID:1996

C:\Users\Admin\Downloads\VulturiStealer\Vulturi\CL.exe
"C:\Users\Admin\Downloads\VulturiStealer\Vulturi\CL.exe"
1⤵
PID:3708

C:\Users\Admin\Downloads\VulturiStealer\Vulturi\CL.exe
"C:\Users\Admin\Downloads\VulturiStealer\Vulturi\CL.exe"
1⤵
PID:1668

C:\Users\Admin\Downloads\VulturiStealer\Vulturi\CL.exe
"C:\Users\Admin\Downloads\VulturiStealer\Vulturi\CL.exe"
1⤵
PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
8496c369ea6affb423112ece80a07659

SHA1
26238aadf8a7ffde6d423a06ef2c91cb42aa85a0

SHA256
52d381d2daec81cf8037da33667d833f937ca4904a6d075afbb38f9aea8342e3

SHA512
38b05bf08b348bd0f480002d0222c4e21f2a8c2185fc65f51e05908aa5bf0782daa827a7ff0a639b6603820e596b916967488231e00ebf5e281807ac4c7095e8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
634c8dbffb027fe8e0e89a4dce25cc21

SHA1
6a958cf44a8c03c7eea4ff9579476eb4bc1ce24b

SHA256
57768189e38d310aba487754d18f1cf71ad166f0430e2a573cdb74228f17996e

SHA512
e54b628d7d88a0903c8eb2168d773120dd83379d240f517e8c4aebf6d5eca1ff53f88f23a4be949ec1d9f93201d8494d6e483e78960eb8627e4e8fb865c737e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
6b146cb9fb38233b32c7602698d952ed

SHA1
986b89cc2fc2bc40c486dfbab441343a4fe94ec4

SHA256
dd896f49d69eed679d338457a7a6c198581f4581dcb2ce78618383de27f28acb

SHA512
c0de33cc0cde7413477dd6a818c7fc27065b2feea0de427a500501212224d21375fac4077089a3aa6f8a9adf105dc72c0bd7a9b57d40d1015e7694335b5b6f9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
9b2479234a11d38a6679d5684fb427a6

SHA1
0635561441d8fec9be21c390c82e9b22edf784d8

SHA256
aa00541694ff9d8a50d2e6544fded2f4d851c33f996edfbba50891d9d797a54c

SHA512
1705785e86f4a93f73804399c412e44b9c35b95992ea4d10d5264b89deaf9a1ff76c0e9e2f30fbe69ea587f7357feb56d15ddee39b44d18d154356c753cd5e89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
93d43b9118cd6f96c940b08997d4b57d

SHA1
f2fdbc44e848946c10caf8b979dfc7be464b7d62

SHA256
bf897a894c6e09920723f08800fd0c9c5e23652843bd99613beb90608fd0e910

SHA512
877759d741a8edf4202657ee8d65514864c16904ef54bf762004f75da93b32913dab7651db6eb88e412a23a52b99ec8ee87293e0f7da6701da4084c68c781171

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8a5275afca348ae5b4dd4a31562410c8

SHA1
4090c31f7137ddc4bfda023dad24e9b35f10cafb

SHA256
d31f481a1c31d8e3b9a0deb732f3492d7de9c8041e1b159da9b2f092086a192d

SHA512
f21a9b649d43dfb74b693b70ee6f80224a7dfbe902d84d981340d0bb84ae4d1d9eb64d3fbe501b19ab64b8f4dfd8470b38e71703a9bd0c91ad2f121f9a9fdace

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3fb186bf7aca72e4311668c352c578da

SHA1
e760b24fe908247a9c18ac512f208639ee6703fe

SHA256
5a8d6e47064a432f3119aeff6135dbc91ef9766fd2090aac2c2a499df1b1529e

SHA512
fbb78e7a1a845a49d681a45e745f8287df46fc38e239b6f7341da4815a9bc1ba96688331e8ff23b8ddfeb242a6abc041116c7ca09b9287960c4dcd74e3db9dab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
79232b60ef93f07d5694f862d5a8adb8

SHA1
00216c5e79be845c38a99e63a75f48604dddc805

SHA256
9b93f30c495fd8640bdc513a6ce5720dc444a2bc00e45a473a500ade10a0a897

SHA512
feaa043a38ca17fbb874ccd9c7b46a24fe6ce3188f5bf693c25807745460805a1b1859c11657b25f708ad65cc4ee99927d086cd0826c4f55f98a4d8669b5f5f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
03a645024c29fdd471ac1682aa42b697

SHA1
69de4b03b46697943478b872b4d9bde4c6e20fb9

SHA256
c40aaa115f69dc9314fd6e778f3cfe851edfeb0834f8fbdab94ae85b7688b2a4

SHA512
44285107eb52f436017a7e0019f10ca42944ae03aaeec0a1f63f557d782ed7e1614589eae92a39b29bf6cbbd21628e368db0330d362ebadd90aa06620e3dfe6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
240KB

MD5
a9b4b87959c42ed1112bec9faac91310

SHA1
3048c20ae14e21eef2ff8938e1f0e6c87f4ec1d5

SHA256
7835ccf2e6ab55c0767cbb47541d95d030214d17f85be95b1597d8febd3b994c

SHA512
48ef12206238f3202aa81c0c31fb03ceb9b1478d2a0e814c9ae3e062c5ec54dc9d677ffb1a22e97402c921627d4d7e1d1fe81931e228ecf15e5aefe73f93b2a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
240KB

MD5
10710700bab998bf8feca171f4e581cd

SHA1
6666ad313561696286fa35d2f38445e0146bdf23

SHA256
a9df1c2a3428785939a90b25ca1e58be8d4f6fbc5e138f28045c3d251d5c6e8a

SHA512
433746c284e1107c328ba042c397d047751088ee5de6e2f82349e831b8f182b026218593ac20e15174c91913f80bcbc92ba3e29f409173b057d6bc4022880d90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
102KB

MD5
9ce5c7128a9d3fd570a5d51db510ef05

SHA1
b4d747af8d2832a75784ea561f2429934469b368

SHA256
8cb031de3c69dbe5a606f6290273a2bcc43b3af7fceb1b3ec94fdd77e3d2f46d

SHA512
5456c13c55b0d7ec10c7fd6b4c013f46b3e7d8293ddb30df1220d7fe8fcfac828f39fddac801c3aa0000699e10bb8e2c8945bfadd078756c0bf5d05208822dc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
64d32e661c144d1f348e600306fd4925

SHA1
2d33a27081d076b22b95a4cf9c95865357d34e1e

SHA256
b9b310edaae64c8e4b2b5e406c14f7f671979c5b19be02034b2d4c4ec7b7a4bc

SHA512
17011aa409b0251626ae398ff90319178fd1b789884b7927217237edc9289c2ae76ea6fd9d5583352fdb3c25bfe640fdf210bbc810427b13f3cdb727acf7e3be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58533c.TMP

Filesize
98KB

MD5
ad99a797a8c1cd8c13702f88f0b2dff2

SHA1
652c36f7a63dbc9cdc7e10c8e9e4bf8a9ab639cf

SHA256
10648a6f95c1219f001bc89c87f0597d8bd8bef30d7c46a81cd79b028640da38

SHA512
62905d74aad57601987c4e2719daa49a43bc6f0678d7c024f45dd14d24b76f842fbd6cb9504e9f647016bcb763f03ba3cdd16b9a91a469f115dcfc1392863a3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
fd64f7af3c7cece25d47792326201ccc

SHA1
de1484e374138aff0ac1fddc3bbb10dfab6a2d59

SHA256
b9a3e8e8fc275b91843a1a8ff5503e76b91770fd183340155a35e885cb0ec761

SHA512
379a750a645773af6bfd94818313e15e902298204d6cadbc1427aab7a749a6424c3c6664e607742c209be671cf13176c7d3a32adbdfd37819d1a1e5c913ac21d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CL.exe.log

Filesize
614B

MD5
54920f388010333559bdff225040761d

SHA1
040972bf1fc83014f10c45832322c094f883ce30

SHA256
9ed5449a36700939987209c7a2974b9cc669b8b22c7c4e7936f35dda0a4dc359

SHA512
e17aa5d1328b3bfd3754d15b3c2eded98653d90c7b326f941522e0b3bd6f557880246a6bc69047facb42eb97d2e0ed6c46148dfe95a98669fc4e1d07c21a285c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5DD6.tmp.bat

Filesize
160B

MD5
8b9403f958a3a4a7e970c991d7e0809f

SHA1
1d6c6793778cd72f95dc29b4486897dca183ab2e

SHA256
e71b6dcb412923f119c7d3eb87205fdb3b096e2aba1ebca5eadbc4c9982abcc9

SHA512
cbec96db21d6efccaa314a821dbd32c3488c2fb39cc0473c2710eca11ba70a738fd927b53201bc3c9b6122f9cfc958b82be47ac695253eb4d419f2064a77bc03

Download Submit
C:\Users\Admin\AppData\Roaming\Mircorsoft Store.exe

Filesize
47KB

MD5
a5e2802ff54bb848a32fa3925b96ed6a

SHA1
70b9e5119fe0ec621610b54fe7d70c87794eb5b6

SHA256
1be1daa2c9d6d4ec4bddb30a97ccaa682f01a39238a1cf58cc5954e8c90a1ccb

SHA512
1302d76b8495a93178132890c592d89a081a00e6cc0b3536b44b68000edf9299ef004c98f06a456eb13bbe0d53788ad69a17eeb1a3734e109970ba649f3f14ac

Download Submit
C:\Users\Admin\Downloads\VulturiStealer.zip.crdownload

Filesize
305KB

MD5
310fe8b0fb9bb423fa65b93bbbbd2b93

SHA1
84d9794994cc43ecc98fc982e3b429022cc1b17d

SHA256
ad5759eb050f0a4d2efee58b935d0ad1a314299de5461fa67bb7d10b77150fed

SHA512
e7348c95707deab680894476942003b15e329650fcf88bba6dba342ef5983ae8abddae81f35225b7778b9ce6347942b82deec908cbfd50c02c19ef93cbeadba6

Download Submit
memory/1668-262-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/1668-261-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/1996-254-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/1996-259-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/1996-253-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/1996-260-0x0000000004AD0000-0x0000000004AE0000-memory.dmp

Filesize
64KB

Download
memory/3540-264-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3540-263-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3708-257-0x00000000023D0000-0x00000000023E0000-memory.dmp

Filesize
64KB

Download
memory/3708-258-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3708-256-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/4728-249-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/4728-241-0x0000000005330000-0x0000000005340000-memory.dmp

Filesize
64KB

Download
memory/4728-240-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/4728-239-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/4728-242-0x00000000053B0000-0x0000000005416000-memory.dmp

Filesize
408KB

Download
memory/4728-243-0x0000000005840000-0x00000000058DC000-memory.dmp

Filesize
624KB

Download