asyncrat | 8018d4a6776fd432ea3d84c4c5cd576894362ef2212f66ec5c4ce6964a78016c

Resubmissions

Analysis

max time kernel
28s
max time network
42s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Flash-USDT-main/Flash USDT v2.exe
Size

918KB
MD5

e45aa1c8df8c2e551cbb12eb60d45862
SHA1

cb00e3e6bd28bbef0899c7e470e82f4e5f5dc13b
SHA256

5c9d92a9fc8a5399e2dc146af2c5dfbfdbbf94cd11ea331e9422626026470279
SHA512

ea77a19bc7d76c821082d9f2a14b6e818f28b98aaea9f923767d86d96e8db1a64ddcc56d7cfbcce41c06bd195b8afef4ed4f4dfc1e3543df0e5de4b6aa3af069
SSDEEP

24576:1Gz1TSpONGTQ9dokTpIG/2KPJ8r6oPNYY:1o1SpONZ9dokTpIG/Y+YN

Score

10^/10

asyncrat quasar stormkitty venomrat xworm default office04 evasion persistence rat rootkit spyware stealer trojan

Malware Config

Extracted

Family

xworm

146.70.34.130:7812

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148

Extracted

Family

quasar

Version

2.1.0.0

Botnet

Office04

146.70.34.130:7812

Mutex

VNM_MUTEX_c2q7y2ayYutZ2XaYe7

Attributes

encryption_key
xwXT4WCNnk3vInV5C8eN
install_name
Windows Security Health Service.exe
log_directory
Logs
reconnect_delay
3000
startup_key
Windows Security Health Service
subdirectory
Windows Security Health Service

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

https://api.telegram.org/bot6110313252:AAE6fFOzBefHnbenT-1DwxI9EBeZQTxbYGk/sendMessage?chat_id=6291749148

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Contains code to disable Windows Defender 3 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe	disable_win_def
behavioral1/memory/2552-21-0x0000000000090000-0x000000000011C000-memory.dmp	disable_win_def
behavioral1/memory/1632-45-0x00000000003E0000-0x000000000046C000-memory.dmp	disable_win_def

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\service.exe	family_xworm
behavioral1/memory/2440-9-0x0000000000890000-0x00000000008A8000-memory.dmp	family_xworm

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

Windows Security Health Service.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Windows Security Health Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Windows Security Health Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Windows Security Health Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	Windows Security Health Service.exe

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe	family_quasar
behavioral1/memory/2552-21-0x0000000000090000-0x000000000011C000-memory.dmp	family_quasar
behavioral1/memory/1632-45-0x00000000003E0000-0x000000000046C000-memory.dmp	family_quasar

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2376-38-0x0000000000400000-0x0000000000430000-memory.dmp	family_stormkitty
behavioral1/memory/2376-36-0x0000000000400000-0x0000000000430000-memory.dmp	family_stormkitty
behavioral1/memory/2376-34-0x0000000000400000-0x0000000000430000-memory.dmp	family_stormkitty
behavioral1/memory/2376-31-0x0000000000400000-0x0000000000430000-memory.dmp	family_stormkitty
behavioral1/memory/2376-29-0x0000000000400000-0x0000000000430000-memory.dmp	family_stormkitty

VenomRAT
VenomRAT is a modified version of QuasarRAT with some added features, such as rootkit and stealer capabilites.
rat rootkit stealer venomrat
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2524 cmd.exe

pid	process
2524	cmd.exe

Drops startup file 2 IoCs

Processes:

service.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SecurityService.lnk	service.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows Defender SecurityService.lnk	service.exe

Executes dropped EXE 5 IoCs

Processes:

service.exeWindows Security Health Service.exeMicrosoft Edge.exeMicrosoft Edge.exeWindows Security Health Service.exe

pid process

2440 service.exe
2552 Windows Security Health Service.exe
2488 Microsoft Edge.exe
2376 Microsoft Edge.exe
1632 Windows Security Health Service.exe
Loads dropped DLL 1 IoCs

Processes:

Windows Security Health Service.exe

pid process

2552 Windows Security Health Service.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
2440	service.exe
2552	Windows Security Health Service.exe
2488	Microsoft Edge.exe
2376	Microsoft Edge.exe
1632	Windows Security Health Service.exe

pid	process
2552	Windows Security Health Service.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

Windows Security Health Service.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features	Windows Security Health Service.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	Windows Security Health Service.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Microsoft Edge.exeservice.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BbNpQCTyLP = "C:\\Users\\Admin\\AppData\\Roaming\\QrNCGfAyDz\\DcDJLimAFT.exe"	Microsoft Edge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender SecurityService = "C:\\Users\\Admin\\AppData\\Roaming\\Windows Defender SecurityService"	service.exe

Drops desktop.ini file(s) 6 IoCs

Processes:

Microsoft Edge.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\3989ebc524cfb8f4d19d92283f90c0f6\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	Microsoft Edge.exe
File opened for modification	C:\Users\Admin\AppData\Local\3989ebc524cfb8f4d19d92283f90c0f6\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Pictures\desktop.ini	Microsoft Edge.exe
File created	C:\Users\Admin\AppData\Local\3989ebc524cfb8f4d19d92283f90c0f6\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Documents\desktop.ini	Microsoft Edge.exe
File created	C:\Users\Admin\AppData\Local\3989ebc524cfb8f4d19d92283f90c0f6\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	Microsoft Edge.exe
File opened for modification	C:\Users\Admin\AppData\Local\3989ebc524cfb8f4d19d92283f90c0f6\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Downloads\desktop.ini	Microsoft Edge.exe
File created	C:\Users\Admin\AppData\Local\3989ebc524cfb8f4d19d92283f90c0f6\Admin@IZKCKOTP_en-US\Grabber\DRIVE-C\Users\Admin\Desktop\desktop.ini	Microsoft Edge.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip-api.com
17 icanhazip.com
Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Suspicious use of SetThreadContext 1 IoCs

Processes:

Microsoft Edge.exe

description pid process target process

PID 2488 set thread context of 2376 2488 Microsoft Edge.exe Microsoft Edge.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
2	ip-api.com
17	icanhazip.com

description	pid	process	target process
PID 2488 set thread context of 2376	2488	Microsoft Edge.exe	Microsoft Edge.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Microsoft Edge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Microsoft Edge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Microsoft Edge.exe

Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exe

pid process

1552 schtasks.exe
1612 schtasks.exe
320 schtasks.exe

pid	process
1552	schtasks.exe
1612	schtasks.exe
320	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

Microsoft Edge.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Microsoft Edge.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Microsoft Edge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Microsoft Edge.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Microsoft Edge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Microsoft Edge.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Microsoft Edge.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

1572 PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

service.exe

pid process

2440 service.exe

pid	process
1572	PING.EXE

pid	process
2440	service.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

powershell.exeservice.exeMicrosoft Edge.exeWindows Security Health Service.exechrome.exe

pid	process
1480	powershell.exe
2440	service.exe
2376	Microsoft Edge.exe
2376	Microsoft Edge.exe
2376	Microsoft Edge.exe
2376	Microsoft Edge.exe
2376	Microsoft Edge.exe
2552	Windows Security Health Service.exe
2552	Windows Security Health Service.exe
2552	Windows Security Health Service.exe
2552	Windows Security Health Service.exe
2552	Windows Security Health Service.exe
2552	Windows Security Health Service.exe
2552	Windows Security Health Service.exe
2932	chrome.exe
2932	chrome.exe
2440	service.exe
2440	service.exe
2440	service.exe
2440	service.exe
2440	service.exe
2440	service.exe
2440	service.exe
2440	service.exe
2440	service.exe
2440	service.exe
2440	service.exe
2440	service.exe
2440	service.exe
2440	service.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

service.exeMicrosoft Edge.exeWindows Security Health Service.exepowershell.exeWindows Security Health Service.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	2440	service.exe
Token: SeDebugPrivilege	2376	Microsoft Edge.exe
Token: SeDebugPrivilege	2552	Windows Security Health Service.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	1632	Windows Security Health Service.exe
Token: SeDebugPrivilege	1632	Windows Security Health Service.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe
Token: SeShutdownPrivilege	2932	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe
2932	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Windows Security Health Service.exeservice.exe

pid process

1632 Windows Security Health Service.exe
2440 service.exe

pid	process
1632	Windows Security Health Service.exe
2440	service.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Flash USDT v2.exeMicrosoft Edge.exeWindows Security Health Service.exeWindows Security Health Service.exeservice.exeMicrosoft Edge.execmd.execmd.exe

description	pid	process	target process
PID 2008 wrote to memory of 2440	2008	Flash USDT v2.exe	service.exe
PID 2008 wrote to memory of 2440	2008	Flash USDT v2.exe	service.exe
PID 2008 wrote to memory of 2440	2008	Flash USDT v2.exe	service.exe
PID 2008 wrote to memory of 2552	2008	Flash USDT v2.exe	Windows Security Health Service.exe
PID 2008 wrote to memory of 2552	2008	Flash USDT v2.exe	Windows Security Health Service.exe
PID 2008 wrote to memory of 2552	2008	Flash USDT v2.exe	Windows Security Health Service.exe
PID 2008 wrote to memory of 2552	2008	Flash USDT v2.exe	Windows Security Health Service.exe
PID 2008 wrote to memory of 2488	2008	Flash USDT v2.exe	Microsoft Edge.exe
PID 2008 wrote to memory of 2488	2008	Flash USDT v2.exe	Microsoft Edge.exe
PID 2008 wrote to memory of 2488	2008	Flash USDT v2.exe	Microsoft Edge.exe
PID 2008 wrote to memory of 2488	2008	Flash USDT v2.exe	Microsoft Edge.exe
PID 2488 wrote to memory of 2376	2488	Microsoft Edge.exe	Microsoft Edge.exe
PID 2488 wrote to memory of 2376	2488	Microsoft Edge.exe	Microsoft Edge.exe
PID 2488 wrote to memory of 2376	2488	Microsoft Edge.exe	Microsoft Edge.exe
PID 2488 wrote to memory of 2376	2488	Microsoft Edge.exe	Microsoft Edge.exe
PID 2488 wrote to memory of 2376	2488	Microsoft Edge.exe	Microsoft Edge.exe
PID 2488 wrote to memory of 2376	2488	Microsoft Edge.exe	Microsoft Edge.exe
PID 2488 wrote to memory of 2376	2488	Microsoft Edge.exe	Microsoft Edge.exe
PID 2488 wrote to memory of 2376	2488	Microsoft Edge.exe	Microsoft Edge.exe
PID 2488 wrote to memory of 2376	2488	Microsoft Edge.exe	Microsoft Edge.exe
PID 2552 wrote to memory of 1552	2552	Windows Security Health Service.exe	schtasks.exe
PID 2552 wrote to memory of 1552	2552	Windows Security Health Service.exe	schtasks.exe
PID 2552 wrote to memory of 1552	2552	Windows Security Health Service.exe	schtasks.exe
PID 2552 wrote to memory of 1552	2552	Windows Security Health Service.exe	schtasks.exe
PID 2552 wrote to memory of 1632	2552	Windows Security Health Service.exe	Windows Security Health Service.exe
PID 2552 wrote to memory of 1632	2552	Windows Security Health Service.exe	Windows Security Health Service.exe
PID 2552 wrote to memory of 1632	2552	Windows Security Health Service.exe	Windows Security Health Service.exe
PID 2552 wrote to memory of 1632	2552	Windows Security Health Service.exe	Windows Security Health Service.exe
PID 2552 wrote to memory of 1480	2552	Windows Security Health Service.exe	powershell.exe
PID 2552 wrote to memory of 1480	2552	Windows Security Health Service.exe	powershell.exe
PID 2552 wrote to memory of 1480	2552	Windows Security Health Service.exe	powershell.exe
PID 2552 wrote to memory of 1480	2552	Windows Security Health Service.exe	powershell.exe
PID 1632 wrote to memory of 1612	1632	Windows Security Health Service.exe	schtasks.exe
PID 1632 wrote to memory of 1612	1632	Windows Security Health Service.exe	schtasks.exe
PID 1632 wrote to memory of 1612	1632	Windows Security Health Service.exe	schtasks.exe
PID 1632 wrote to memory of 1612	1632	Windows Security Health Service.exe	schtasks.exe
PID 2440 wrote to memory of 320	2440	service.exe	schtasks.exe
PID 2440 wrote to memory of 320	2440	service.exe	schtasks.exe
PID 2440 wrote to memory of 320	2440	service.exe	schtasks.exe
PID 2376 wrote to memory of 748	2376	Microsoft Edge.exe	cmd.exe
PID 2376 wrote to memory of 748	2376	Microsoft Edge.exe	cmd.exe
PID 2376 wrote to memory of 748	2376	Microsoft Edge.exe	cmd.exe
PID 2376 wrote to memory of 748	2376	Microsoft Edge.exe	cmd.exe
PID 748 wrote to memory of 332	748	cmd.exe	chcp.com
PID 748 wrote to memory of 332	748	cmd.exe	chcp.com
PID 748 wrote to memory of 332	748	cmd.exe	chcp.com
PID 748 wrote to memory of 332	748	cmd.exe	chcp.com
PID 748 wrote to memory of 2072	748	cmd.exe	netsh.exe
PID 748 wrote to memory of 2072	748	cmd.exe	netsh.exe
PID 748 wrote to memory of 2072	748	cmd.exe	netsh.exe
PID 748 wrote to memory of 2072	748	cmd.exe	netsh.exe
PID 748 wrote to memory of 1740	748	cmd.exe	findstr.exe
PID 748 wrote to memory of 1740	748	cmd.exe	findstr.exe
PID 748 wrote to memory of 1740	748	cmd.exe	findstr.exe
PID 748 wrote to memory of 1740	748	cmd.exe	findstr.exe
PID 2376 wrote to memory of 876	2376	Microsoft Edge.exe	cmd.exe
PID 2376 wrote to memory of 876	2376	Microsoft Edge.exe	cmd.exe
PID 2376 wrote to memory of 876	2376	Microsoft Edge.exe	cmd.exe
PID 2376 wrote to memory of 876	2376	Microsoft Edge.exe	cmd.exe
PID 876 wrote to memory of 2272	876	cmd.exe	chcp.com
PID 876 wrote to memory of 2272	876	cmd.exe	chcp.com
PID 876 wrote to memory of 2272	876	cmd.exe	chcp.com
PID 876 wrote to memory of 2272	876	cmd.exe	chcp.com
PID 876 wrote to memory of 2040	876	cmd.exe	netsh.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Flash-USDT-main\Flash USDT v2.exe
"C:\Users\Admin\AppData\Local\Temp\Flash-USDT-main\Flash USDT v2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Users\Admin\AppData\Roaming\service.exe
"C:\Users\Admin\AppData\Roaming\service.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Windows Defender SecurityService" /tr "C:\Users\Admin\AppData\Roaming\Windows Defender SecurityService"
3⤵
- Creates scheduled task(s)
PID:320

C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe
"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"
2⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Loads dropped DLL
- Windows security modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2552

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Security Health Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe" /rl HIGHEST /f
3⤵
- Creates scheduled task(s)
PID:1552

C:\Users\Admin\AppData\Roaming\Windows Security Health Service\Windows Security Health Service.exe
"C:\Users\Admin\AppData\Roaming\Windows Security Health Service\Windows Security Health Service.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\schtasks.exe
"schtasks" /create /tn "Windows Security Health Service" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\Windows Security Health Service\Windows Security Health Service.exe" /rl HIGHEST /f
4⤵
- Creates scheduled task(s)
PID:1612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1480

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k start /b del /q/f/s %TEMP%\* & exit
3⤵
PID:2568

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K del /q/f/s C:\Users\Admin\AppData\Local\Temp\*
4⤵
- Deletes itself
PID:2524

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\ykGn7iDantaC.bat" "
3⤵
PID:1612

C:\Windows\SysWOW64\chcp.com
chcp 65001
4⤵
PID:2248

C:\Windows\SysWOW64\PING.EXE
ping -n 10 localhost
4⤵
- Runs ping.exe
PID:1572

C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe
"C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe"
4⤵
PID:2240

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2488

C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
"C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe"
3⤵
- Executes dropped EXE
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
4⤵
- Suspicious use of WriteProcessMemory
PID:748

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:332

C:\Windows\SysWOW64\netsh.exe
netsh wlan show profile
5⤵
PID:2072

C:\Windows\SysWOW64\findstr.exe
findstr All
5⤵
PID:1740

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
4⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\SysWOW64\chcp.com
chcp 65001
5⤵
PID:2272

C:\Windows\SysWOW64\netsh.exe
netsh wlan show networks mode=bssid
5⤵
PID:2040

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7feeee09758,0x7feeee09768,0x7feeee09778
2⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1168,i,17632236302343020762,17927514422886009837,131072 /prefetch:2
2⤵
PID:1088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1500 --field-trial-handle=1168,i,17632236302343020762,17927514422886009837,131072 /prefetch:8
2⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1168,i,17632236302343020762,17927514422886009837,131072 /prefetch:8
2⤵
PID:2852

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2240 --field-trial-handle=1168,i,17632236302343020762,17927514422886009837,131072 /prefetch:1
2⤵
PID:692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2256 --field-trial-handle=1168,i,17632236302343020762,17927514422886009837,131072 /prefetch:1
2⤵
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1316 --field-trial-handle=1168,i,17632236302343020762,17927514422886009837,131072 /prefetch:2
2⤵
PID:2860

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1408 --field-trial-handle=1168,i,17632236302343020762,17927514422886009837,131072 /prefetch:1
2⤵
PID:2596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3492 --field-trial-handle=1168,i,17632236302343020762,17927514422886009837,131072 /prefetch:8
2⤵
PID:600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3260 --field-trial-handle=1168,i,17632236302343020762,17927514422886009837,131072 /prefetch:8
2⤵
PID:2120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3632 --field-trial-handle=1168,i,17632236302343020762,17927514422886009837,131072 /prefetch:8
2⤵
PID:2312

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1552

C:\Windows\system32\taskeng.exe
taskeng.exe {1917EE51-75B9-401A-92E0-61A3EC36A24E} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
d04ed57f02433e43eb55bc85578e05bd

SHA1
ad3aea734f67b9b912ebd899416337f77d62dcc1

SHA256
7e707a1cfe17b2a9ee03d479c36963fac8eac7685eb88f3830c1e1d69fbbaa8b

SHA512
306c194ada0b8d6f2032d882df9f0a137d87a8a29522078191aea06907b2fd655ed8d73e5e4f01045c0cbb173c23646ac9cd6bee8db3cca5ed7e990e911896d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
17d1114254012259fff48eb0a85b0a27

SHA1
358abf1410756f38717d31ef662d4ae4ce2c5902

SHA256
4b146e54735e568f05268b0ed78aa1fc4f9c935aa091491d4dfc6af51665abc9

SHA512
4c460cc9f4123b40ea3cb8f08ca8d6dd057e783f40782d5313b585704ac4b7fa5723c199e3e81bfa27a29c5edf9e17d03418bf18fbdacb538532b9c8c37f4d9f

Download Submit
C:\Users\Admin\AppData\Local\3989ebc524cfb8f4d19d92283f90c0f6\msgid.dat
Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\cc55a995-8021-4971-95de-5e6de76c9727.tmp
Filesize
270KB

MD5
69bc5fd0d6986ba3efb07d1fde11c386

SHA1
0675bf13623ace63c9b93ad741dd67b486975148

SHA256
4e68211102b2be647ba523e4ea70d1df0d5d57c9a9ac93f1003319962c621156

SHA512
ed3e5b46efdc834fb25e85d4a3c82b56b05361338e647a9d84ebcba179c3d51be0f24498324681002ab08512b4c186953af00945477179777930221b3a1e250a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar611B.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\places.raw
Filesize
5.0MB

MD5
7fc35978e1fa3ae454f917a59f40298f

SHA1
ee00066c094ba1bc5b196e40dae0e7b549e30a86

SHA256
c9ef2541692c130e03e9ab73cdb8368255b6e252c582d6d6f7c4950ebc41038d

SHA512
b3f348c975fbca5082c7c42196e1855a551fd024b3c4a16047b12941db659c8abbe7eff3a503c3471d5965873d17c684e1149583cbb48121704a038dacb85cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ykGn7iDantaC.bat
Filesize
225B

MD5
461a4062c0c541fffc5dc0f97a05de5f

SHA1
c204a0d15e960faa4dade77ffe45254040aed973

SHA256
2c70989a498853c20dea26278ff5e6d3dbdbf844ec88a7cc1a2490a060da9306

SHA512
62051c4b5d4a80d8d41462e76c7651cd0f9bc1f1b6611c9b83ffe790c2dc23730f4fcb34e5770e6c42ece8813b0cf6b60f87fa1f83676d3bb82c482df86c25ca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft Edge.exe
Filesize
195KB

MD5
e7f8c4ea62d6c4ae774f981480c6b232

SHA1
2dad33c36ad472cee4ca8231c723e92bd7033b7d

SHA256
c57f5af415c2e2b4850b6274567ea05841501136b634365c8dc9c19c0a5cd39b

SHA512
f92a03354724834c21c932e2f6933c0afab21d768e7ceedb15699e22bc1a63771f2f91734b902dd8cdb75d2fb7e2be0579c0b826f154a325769a0317c3c1a3c7

Download Submit
C:\Users\Admin\AppData\Roaming\Windows Security Health Service.exe
Filesize
534KB

MD5
b934a776bf8ad0d2acba5fecd3e8d54a

SHA1
2c2419eaa05137543fbacd52929b758633543fc2

SHA256
9ecdfad064bdd85e9f36f5d6580e4576b495f6b2981f822129fe2f37b69ac405

SHA512
c8f06093c6048edbdb92f12263179595c23aa6263aff2c359736c41cbb7548c886d55b7d85dbbd2651df4dfebd4fec88f2f4380d9d59453224ca0483c1cb18f3

Download Submit
C:\Users\Admin\AppData\Roaming\service.exe
Filesize
68KB

MD5
e3959c47fd8eb8989ffcccbedb64f28d

SHA1
fb4e8f09c8a395cae695dd7431d2985a949aa89c

SHA256
ad93141af1cd287247d5365955f235e7c1b9477d4a32354680f684237a07b145

SHA512
c52783c65a929c971667a806f234b086aae6b1db2b09e763cb17c09e31484aef26f5cea4340b01bcb6172679b8a8b11fa4c7ae0eb160eccf271903a3371a990c

Download Submit
\??\pipe\crashpad_2932_YPLVVWDXTWOMMCZK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1632-45-0x00000000003E0000-0x000000000046C000-memory.dmp

Filesize
560KB

Download
memory/2008-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/2008-1-0x0000000001030000-0x000000000111C000-memory.dmp

Filesize
944KB

Download
memory/2376-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2376-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2376-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2376-31-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2376-34-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2376-36-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2376-38-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2376-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2440-22-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-290-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2440-9-0x0000000000890000-0x00000000008A8000-memory.dmp

Filesize
96KB

Download
memory/2488-24-0x0000000000250000-0x000000000025A000-memory.dmp

Filesize
40KB

Download
memory/2488-20-0x0000000000D70000-0x0000000000DA6000-memory.dmp

Filesize
216KB

Download
memory/2552-21-0x0000000000090000-0x000000000011C000-memory.dmp

Filesize
560KB

Download