Analysis
- max time kernel: 149s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20240221-en
- resource tags: arch:x64 arch:x86 image:win11-20240221-en locale:en-us os:windows11-21h2-x64 system
- submitted: 01/03/2024, 17:37
- Static task: static1
- URLScan task: urlscan1

Malware Config
Extracted
- asyncrat
- 40
- authority-amazon.gl.at.ply.gg:41414
- 杰Zofr3uLΒ4伊Αש吾杰q斯Θ比
- delay: 1
- install: true
- install_file: svchost.exe
- install_folder: %AppData%
Signatures
-
Async RAT payload 1 IoCs
resource | yara_rule
behavioral1/files/0x000100000002a7f6-118.dat | family_asyncrat
-
Executes dropped EXE 2 IoCs
pid | Process
4084 | Setup.exe
1620 | svchost.exe
-
Drops desktop.ini file(s) 1 IoCs
description | ioc | Process
File opened for modification | \??\c:\users\admin\desktop\desktop.ini | svchost.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3636 | schtasks.exe
-
Delays execution with timeout.exe 1 IoCs
pid | Process
1564 | timeout.exe
-
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
-
Modifies data under HKEY_USERS 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | chrome.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133537882738707618" | chrome.exe
-
NTFS ADS 1 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\Setup.exe:Zone.Identifier | chrome.exe
Suspicious behavior: EnumeratesProcesses 22 IoCs
pid Process 984 chrome.exe 984 chrome.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 1224 chrome.exe 1224 chrome.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
pid Process 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 
chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe Token: SeDebugPrivilege 4084 Setup.exe Token: SeDebugPrivilege 4084 Setup.exe Token: SeShutdownPrivilege 984 chrome.exe Token: SeCreatePagefilePrivilege 984 chrome.exe -
Suspicious use of FindShellTrayWindow 47 IoCs
pid Process 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe -
Suspicious use of SendNotifyMessage 12 IoCs
pid Process 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe 984 chrome.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 984 wrote to memory of 1500 984 chrome.exe 79 PID 984 wrote to memory of 1500 984 chrome.exe 79 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4888 984 chrome.exe 81 PID 984 
wrote to memory of 4888 984 chrome.exe 81 PID 984 wrote to memory of 4844 984 chrome.exe 82 PID 984 wrote to memory of 4844 984 chrome.exe 82 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 PID 984 wrote to memory of 4536 984 chrome.exe 83 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- [PID 984] C:\Program Files\Google\Chrome\Application\chrome.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.upload.ee/files/16340398/Setup.exe.html
  signatures: Enumerates system info in registry; Modifies data under HKEY_USERS; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - [PID 1500] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff19619758,0x7fff19619768,0x7fff19619778
  - [PID 4888] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1540 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:2
  - [PID 4844] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:8
  - [PID 4536] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2164 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:8
  - [PID 2604] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2840 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:1
  - [PID 3592] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2848 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:1
  - [PID 3112] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4556 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:1
  - [PID 832] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4852 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:1
  - [PID 1452] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5060 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:1
  - [PID 4108] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4776 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:1
  - [PID 420] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4556 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:1
  - [PID 4676] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:8
  - [PID 3500] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:8
  - [PID 1240] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5396 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:1
  - [PID 5048] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5036 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:1
  - [PID 3256] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3128 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:1
  - [PID 4028] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6116 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:8
  - [PID 4512] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6156 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:8
  - [PID 3856] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:8
    signatures: NTFS ADS
  - [PID 436] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5516 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:8
  - [PID 3764] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6316 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:8
  - [PID 1224] C:\Program Files\Google\Chrome\Application\chrome.exe
    cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1000 --field-trial-handle=1740,i,3775656868157394231,15162843888937080416,131072 /prefetch:2
    signatures: Suspicious behavior: EnumeratesProcesses
- [PID 3520] C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
  cmdline: "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
- [PID 4084] C:\Users\Admin\Downloads\Setup.exe
  cmdline: "C:\Users\Admin\Downloads\Setup.exe"
  signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - [PID 2368] C:\Windows\System32\cmd.exe
    cmdline: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
    - [PID 3636] C:\Windows\system32\schtasks.exe
      cmdline: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
      signatures: Creates scheduled task(s)
  - [PID 4028] C:\Windows\system32\cmd.exe
    cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD09E.tmp.bat""
    - [PID 1564] C:\Windows\system32\timeout.exe
      cmdline: timeout 3
      signatures: Delays execution with timeout.exe
    - [PID 1620] C:\Users\Admin\AppData\Roaming\svchost.exe
      cmdline: "C:\Users\Admin\AppData\Roaming\svchost.exe"
      signatures: Executes dropped EXE; Drops desktop.ini file(s)
- [PID 3008] C:\Windows\system32\svchost.exe
  cmdline: C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
Network
MITRE ATT&CK Enterprise v15
Downloads