asyncrat | 16218dfb99864ae75f35ca58118a20cbc83562431af7eddfb925f11ef26164fa

Resubmissions

28-05-2024 21:27

240528-1a6xcseb98 10

28-05-2024 21:21

240528-z7tgvsea42 10

Analysis

max time kernel
149s
max time network
148s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28-05-2024 21:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

view.html
Size

84KB
MD5

a9f8941616a5447c1e6b05d48789bc9c
SHA1

39ba4832085d5cf1ab22ba03e2056027545f2235
SHA256

16218dfb99864ae75f35ca58118a20cbc83562431af7eddfb925f11ef26164fa
SHA512

c08536b90bdcbfe93a22a6afdde99f975f2ee2cb06e69994cf3e969e7c77b37cc979aec39f4d4098981bee333b781ee3760c557a962ff5b576f2442591f41084
SSDEEP

768:vh/lZmmHYnApdwLQc7TCfpa0E3sSTrlh1JAAvQ7D13dNQL3YZowoKNEI56dPRLwb:mvCc1JtQ7RtNk309K+b7wCxdudWh+1yF

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

ansy.duckdns.org:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Executes dropped EXE 2 IoCs

Processes:

00 NOTIFICACION DEMANDA.exe00 NOTIFICACION DEMANDA.exe

pid process

4720 00 NOTIFICACION DEMANDA.exe
5084 00 NOTIFICACION DEMANDA.exe
Loads dropped DLL 4 IoCs

Processes:

00 NOTIFICACION DEMANDA.exe00 NOTIFICACION DEMANDA.exe

pid process

4720 00 NOTIFICACION DEMANDA.exe
4720 00 NOTIFICACION DEMANDA.exe
5084 00 NOTIFICACION DEMANDA.exe
5084 00 NOTIFICACION DEMANDA.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

13 drive.google.com
16 drive.google.com

pid	process
4720	00 NOTIFICACION DEMANDA.exe
5084	00 NOTIFICACION DEMANDA.exe

pid	process
4720	00 NOTIFICACION DEMANDA.exe
4720	00 NOTIFICACION DEMANDA.exe
5084	00 NOTIFICACION DEMANDA.exe
5084	00 NOTIFICACION DEMANDA.exe

flow	ioc
13	drive.google.com
16	drive.google.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

00 NOTIFICACION DEMANDA.exe00 NOTIFICACION DEMANDA.execmd.execmd.exe

description	pid	process	target process
PID 4720 set thread context of 2256	4720	00 NOTIFICACION DEMANDA.exe	cmd.exe
PID 5084 set thread context of 1204	5084	00 NOTIFICACION DEMANDA.exe	cmd.exe
PID 2256 set thread context of 2520	2256	cmd.exe	MSBuild.exe
PID 1204 set thread context of 4224	1204	cmd.exe	MSBuild.exe

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133614049373203626"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

chrome.exe00 NOTIFICACION DEMANDA.execmd.exe00 NOTIFICACION DEMANDA.execmd.exeMSBuild.exechrome.exetaskmgr.exe

pid	process
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
4720	00 NOTIFICACION DEMANDA.exe
4720	00 NOTIFICACION DEMANDA.exe
2256	cmd.exe
2256	cmd.exe
5084	00 NOTIFICACION DEMANDA.exe
5084	00 NOTIFICACION DEMANDA.exe
5084	00 NOTIFICACION DEMANDA.exe
1204	cmd.exe
1204	cmd.exe
1204	cmd.exe
1204	cmd.exe
2520	MSBuild.exe
2520	MSBuild.exe
4092	chrome.exe
4092	chrome.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

00 NOTIFICACION DEMANDA.exe00 NOTIFICACION DEMANDA.execmd.execmd.exe

pid process

4720 00 NOTIFICACION DEMANDA.exe
5084 00 NOTIFICACION DEMANDA.exe
2256 cmd.exe
2256 cmd.exe
1204 cmd.exe
1204 cmd.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

2272 chrome.exe
2272 chrome.exe
2272 chrome.exe
2272 chrome.exe

pid	process
4720	00 NOTIFICACION DEMANDA.exe
5084	00 NOTIFICACION DEMANDA.exe
2256	cmd.exe
2256	cmd.exe
1204	cmd.exe
1204	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	process
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeRestorePrivilege	5080	7zG.exe
Token: 35	5080	7zG.exe
Token: SeSecurityPrivilege	5080	7zG.exe
Token: SeSecurityPrivilege	5080	7zG.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe
Token: SeShutdownPrivilege	2272	chrome.exe
Token: SeCreatePagefilePrivilege	2272	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zG.exetaskmgr.exe

pid	process
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
5080	7zG.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe

Suspicious use of SendNotifyMessage 57 IoCs

Processes:

chrome.exetaskmgr.exe

pid	process
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2272	chrome.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe
2756	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

2520 MSBuild.exe

pid	process
2520	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2272 wrote to memory of 2164	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 2164	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 4528	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 3204	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 3204	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe
PID 2272 wrote to memory of 1728	2272	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\view.html
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffb4fb79758,0x7ffb4fb79768,0x7ffb4fb79778
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1800,i,15551953080833181525,15703713908645016642,131072 /prefetch:2
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1828 --field-trial-handle=1800,i,15551953080833181525,15703713908645016642,131072 /prefetch:8
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1800,i,15551953080833181525,15703713908645016642,131072 /prefetch:8
  2⤵
  PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2912 --field-trial-handle=1800,i,15551953080833181525,15703713908645016642,131072 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2920 --field-trial-handle=1800,i,15551953080833181525,15703713908645016642,131072 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4436 --field-trial-handle=1800,i,15551953080833181525,15703713908645016642,131072 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4652 --field-trial-handle=1800,i,15551953080833181525,15703713908645016642,131072 /prefetch:1
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5912 --field-trial-handle=1800,i,15551953080833181525,15703713908645016642,131072 /prefetch:8
  2⤵
  PID:4340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5964 --field-trial-handle=1800,i,15551953080833181525,15703713908645016642,131072 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5988 --field-trial-handle=1800,i,15551953080833181525,15703713908645016642,131072 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3616 --field-trial-handle=1800,i,15551953080833181525,15703713908645016642,131072 /prefetch:8
  2⤵
  PID:3408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1800,i,15551953080833181525,15703713908645016642,131072 /prefetch:8
  2⤵
  PID:4668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5976 --field-trial-handle=1800,i,15551953080833181525,15703713908645016642,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4092

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2816

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap20951:108:7zEvent16218
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5080

C:\Users\Admin\Downloads\00 NOTIFICACION DEMANDA\00 NOTIFICACION DEMANDA.exe
"C:\Users\Admin\Downloads\00 NOTIFICACION DEMANDA\00 NOTIFICACION DEMANDA.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4720
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:2256
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2520

C:\Users\Admin\Downloads\00 NOTIFICACION DEMANDA\00 NOTIFICACION DEMANDA.exe
"C:\Users\Admin\Downloads\00 NOTIFICACION DEMANDA\00 NOTIFICACION DEMANDA.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1204
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    PID:4224

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
743a5bc05f9493f998a7e1b6cf70e0ee

SHA1
cfecbca8a6ba6913cd7352c9a0c2003ef26ba990

SHA256
183e8eef253ce60adb9c1320fb516ab196ca0e28e76978088ed650483e1564eb

SHA512
14dc2a71dc8156904905fe7218082b25c54106ba0f3710a2c0f26c51c4c71a5db14d26845e144fc26cc30e8af5a93761a3a529a92a2ef691878872e38004681b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
156a9e0eb8b4901de5862abf9ce2418b

SHA1
d2e1a555a9a18601e5ae5c69b2307572b5cbbdfe

SHA256
5ad671da0bec53aca8d4e7a04afcaaab262ecfe17fbf9eeae0c70bc9e15b0417

SHA512
f74cd821ebbf4bb8498ee22e7fad3a6076655a1b1e76f11f10b71e85ff978fa1500cad79f289b68f79c15917a50dd1a4252e83a8e872ccd54d08cfcde317fa9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
874B

MD5
cdaaf7fd4014238d8d7218771f362e70

SHA1
6a63db47a3dd61e8052a45bbd134ff869f85b895

SHA256
61399791b8625d635298f46c65761e4819d9d09eb0bad2c348023aa93ff7deb6

SHA512
a4e6e43389fa650bfaf24bc74889da06b59febe0450aa6dc1fce12d5bace13261bc463ef59c32492665f77b5532783c177418e4cdf9303858b5792f5f3924ea9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
065982f55b7828f4df6b3fe3d731a398

SHA1
6f701814240693390da544ba83e76f4d5a77120a

SHA256
c49da50e268da2c512ab94fb4cd9193e4287d4b0a411ecbe0ce248802d1abc8a

SHA512
56c391dbe3b360557f05543fec55313e0e81160a8b3f6d9978b67a97413dde0ead7ff5165a7d8f88e2030ac5c7caa65bd3f63bc56ca50455e9999147892b84bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
4ee1b48da1569ab8e37a774055051bf4

SHA1
1e58c7825a4f75a65d768f39094c54be8be6cc6c

SHA256
f5b1ba76fd65b31bcf65f5e1b33dd144e7c75d51e3c4196e01179fc68feacc70

SHA512
899d624d452cbb3e87d7f09d6022cdb8c8172a93f2e3460f84dfaab4c027004f34aa119d21c9b4f3ec52ed6c8d0ce6e298e03c2361cbdc18847479ae80b50184

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
160KB

MD5
908706e14c60f729b7590e0a1f2cc6e4

SHA1
c498787b35f8f5c79fb9dea4566562066b705081

SHA256
4623f589e9559ff7da6203b2b0d42860d32541d82ff1930fb9fd9dcc0cc9761f

SHA512
9af62b5035b73649059a4c13dbf4cb76f9c47172cb5e9454811f15ffb75e0f8838eee073de3e1994431434048a1979c1a70277902f55f873e79a9f3167b3d1eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
953601aed6af862e8b122c0c188ab6e0

SHA1
cdcb173366652329b689e66d6ddd0d95f3fc09c2

SHA256
57d44ff02beda1afa4b4563d71d1a71a56412c0fb8c7255d574a7f5aea1a6bb2

SHA512
2d12d3724d61a6a8086873ed8c56c5ae11cf654da42ff8fe831c062bc14b357d69c530c9784cd50da491cae193afd356fd7036b377dca5846d1d68ebeddb5107

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
9de473bc97cf16ac6708c5e1c66e731c

SHA1
d50ccd557512b01c8afed7cbf914e32fc8d6a8df

SHA256
ccd07c6975be7e716db8ea8fde707c81712a5d09538f3cb91b8240aaf258d5b6

SHA512
bc404e070a25f9adcc7dacae76e9b27d5eb68f5f074ff580888618c7ae5ca880d6388fcc6e4a2ff2463726bd374f7eabbd7768e4c85f7087957029a89a5cfeae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ae641006

Filesize
741KB

MD5
5cae79d90248bfba20aecc1b0739cee5

SHA1
6a3335fae4c7c38fe003fdb513016ffaea9c9de8

SHA256
6026b0098363d3f946a3a0caec5559f9e6f4d855ac9ee9683e801e1a29895a38

SHA512
a5390d0e67ad086e4439423751ace4b4aebddd16d6301b5706df543b80df5a4633d9536bdc2a0fe931fa59ce2c5fcee82bc2e7a704d1c4883ddc0bdd67f2b6ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\f6e5de7a

Filesize
741KB

MD5
980e49bbd5cb13da7283f59e00a1c9c9

SHA1
f4813297424e112a67e40b424f20fe0f352e2d95

SHA256
62437644e6f9338ec9110eb1ff8b278fedd96ba76d6845fd019dad11366c14f1

SHA512
d6ca61313a7bbc795d601bd83e5cb6650a7a62fca103670292541c299e12ec8482b909f5981296f573cb241b317cf7dbb8619cd9c671096b52a6bb728f288c47

Download Submit
C:\Users\Admin\Downloads\00 NOTIFICACION DEMANDA.REV.crdownload

Filesize
752KB

MD5
aab14f7280b1ec0d6e1c856f109edd37

SHA1
76bf0d7afc64cedcd68dd47a118cf3043dabcb64

SHA256
70a7eba6f053b061ff222f0bef2b3aefc488f980c7ce2c0d5398f44740380c2b

SHA512
c9c4516e452c8727f76cf8f3844ae99154805fd9f52f0f19f6ca12ef33dd4e372d4a0c6f127700aa00d06793fe0595b1dca5fe52ececccda28cafe8ab54fa480

Download Submit
C:\Users\Admin\Downloads\00 NOTIFICACION DEMANDA\00 NOTIFICACION DEMANDA.exe

Filesize
446KB

MD5
485008b43f0edceba0e0d3ca04bc1c1a

SHA1
55ae8f105af415bb763d1b87f6572f078052877c

SHA256
12c22ba646232d5d5087d0300d5cfd46fed424f26143a02dc866f1bfceab3c10

SHA512
402652786daae635c7405f5fa0924d768cbde2086f9f57b10f00f921dec98e37168f5c3a6baa5593ba9a478f3971d32747c517ffd485d25634c924e6b08815b1

Download Submit
C:\Users\Admin\Downloads\00 NOTIFICACION DEMANDA\AsIO.dll

Filesize
120KB

MD5
3e2c867b129165acdb3a457e131b90bc

SHA1
f538fa5705229da2c4403830d8c9f13e3a885f73

SHA256
e1bb63ccac541b38266228acd3d77a141efc468a69c3f821bfcc06330ce86815

SHA512
8a6574138f43e263f045bf5b1f2b0fb495fb0d424c403a0fd5a19959bfc970243b43c46f4dff86091d34980d3be9bf07034d9f3478ac7043ef0bbf5e2ed365bf

Download Submit
C:\Users\Admin\Downloads\00 NOTIFICACION DEMANDA\mural.htm

Filesize
526KB

MD5
9e335e31fe5c74ca764d216aa85436f7

SHA1
52df66c234e6a835fee976db127283b3e7ad2375

SHA256
b5ed42b8ade649dd4e3919eca16c500c5ad88498e33cd2118ba8c7199336ec6f

SHA512
c7c93753357b1e5aea2fb6cc1fa55bad926b8a9879116a61f2687fcd1a7a74b6e70e29f46f62ef4f37fdaae04d43d2f68a85e8ce89b9102832bd950888c9bf67

Download Submit
C:\Users\Admin\Downloads\00 NOTIFICACION DEMANDA\rainwear.eml

Filesize
81KB

MD5
284c621674619977075765186547f4bc

SHA1
52dedb6ee0ed67bbb806661477df35c211f81614

SHA256
fa4130ee95bb203d543d7f8e5e4546fc870d733375591efa99d1df2b91bbc0d0

SHA512
bb37b696ab64cc717b753e4e632335bdb00ee727b2d921e2b09697dd9c984e053678eed79b1471eac5bd91f0dbf8d4f59a058ad3c560f20367d0885134725655

Download Submit
\??\pipe\crashpad_2272_PVPMNHGGFGOETYAZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\Downloads\00 NOTIFICACION DEMANDA\ASUS_WMI.dll

Filesize
224KB

MD5
fc195ceb49f286113ba7ef14d4aeaa5f

SHA1
586677479f1565e1705d38b07274cd79e62b1b64

SHA256
eb51aedd6dded1db3ee78c6916a398a2b8537f02e932ce8307a2724e3e564916

SHA512
e0bc4191a09b47e216aae79a723aaa4ac6fbe9bfae846b51131969bedc5fb1072c2b43396025b8aa3508cd989ba402532692e8e457c4777332e42a88bf30ffa2

Download Submit
\Users\Admin\Downloads\00 NOTIFICACION DEMANDA\ATKEX.dll

Filesize
84KB

MD5
e68562f63265e1a70881446b4b9dc455

SHA1
da16ef9367bde3ce892b1a0e33bc179d8acdceb3

SHA256
c8b16f1c6883a23021da37d9116a757f971fe919d64ef8f9dba17a7d8dd39adb

SHA512
6bedea10a5b50f6e93e8566c18970c8ad1b8dfc7d5961069fc5d5216dcdded0b2a2ad8dd91f4ad80f8604d573a343c126df238ee5c448cdc26b899077957a674

Download Submit
memory/1204-208-0x00007FFB5B550000-0x00007FFB5B72B000-memory.dmp

Filesize
1.9MB

Download
memory/2256-187-0x00007FFB5B550000-0x00007FFB5B72B000-memory.dmp

Filesize
1.9MB

Download
memory/2256-209-0x0000000073B20000-0x0000000073C9B000-memory.dmp

Filesize
1.5MB

Download
memory/2520-222-0x0000000005700000-0x000000000570A000-memory.dmp

Filesize
40KB

Download
memory/2520-221-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/2520-215-0x0000000000BD0000-0x0000000000BE6000-memory.dmp

Filesize
88KB

Download
memory/2520-220-0x0000000005A50000-0x0000000005F4E000-memory.dmp

Filesize
5.0MB

Download
memory/2520-211-0x0000000072490000-0x0000000073813000-memory.dmp

Filesize
19.5MB

Download
memory/4224-217-0x0000000072490000-0x0000000073813000-memory.dmp

Filesize
19.5MB

Download
memory/4720-168-0x00007FFB5B550000-0x00007FFB5B72B000-memory.dmp

Filesize
1.9MB

Download
memory/4720-184-0x0000000073B20000-0x0000000073C9B000-memory.dmp

Filesize
1.5MB

Download
memory/4720-167-0x0000000073B20000-0x0000000073C9B000-memory.dmp

Filesize
1.5MB

Download
memory/5084-205-0x0000000073B20000-0x0000000073C9B000-memory.dmp

Filesize
1.5MB

Download
memory/5084-194-0x00007FFB5B550000-0x00007FFB5B72B000-memory.dmp

Filesize
1.9MB

Download
memory/5084-193-0x0000000073B20000-0x0000000073C9B000-memory.dmp

Filesize
1.5MB

Download