asyncrat | 7f84b9d1710249e6194cf77d1bd58cdb0eef49ff1e502bbea5a586f5c2b9aa70

Analysis

max time kernel
529s
max time network
539s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
10-07-2024 15:40

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Updater.exe
Size

74KB
MD5

56c2943af429929b627d9c788e82dc3c
SHA1

cfb23725cf43512ff8bcdde96c00548f2eda57c4
SHA256

5d15194f5c0260f77520c3e3c3b0aa8dcac5d59a942f5ef61baa2e6cbe6ac922
SHA512

b549db00764fd52e4dc1646c4bad6bc34da24bd0fd74514c1ee3f67dae2287fd69fbf8815c24bc1259282f29c92699d3e7753adfa09a68c444aa9e2d69acdb27
SSDEEP

1536:2UINwcxKHXwzCtmPMV2e9VdQuDI6H1bf/eyQzcqLVclN:2UIicxK8WmPMV2e9VdQsH1bf5QbBY

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:9090

127.0.0.1:27853

147.185.221.20:9090

147.185.221.20:27853

Mutex

wtiwmavnqbnhro

Attributes

delay
1
install
true
install_file
msedge.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral13/files/0x000300000002aa4f-11.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2544	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4956	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 16 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "123"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3128	Updater.exe
3128	Updater.exe
3128	Updater.exe
3128	Updater.exe
3128	Updater.exe
3128	Updater.exe
3128	Updater.exe
3128	Updater.exe
3128	Updater.exe
3128	Updater.exe
3128	Updater.exe
3128	Updater.exe
3128	Updater.exe
3128	Updater.exe
3128	Updater.exe
3128	Updater.exe
3128	Updater.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe
2544	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3128	Updater.exe
Token: SeDebugPrivilege	2544	msedge.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe
Token: SeShutdownPrivilege	960	chrome.exe
Token: SeCreatePagefilePrivilege	960	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe
960	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2544	msedge.exe
5252	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 420	3128	Updater.exe	77
PID 3128 wrote to memory of 420	3128	Updater.exe	77
PID 3128 wrote to memory of 1692	3128	Updater.exe	79
PID 3128 wrote to memory of 1692	3128	Updater.exe	79
PID 420 wrote to memory of 3672	420	cmd.exe	81
PID 420 wrote to memory of 3672	420	cmd.exe	81
PID 1692 wrote to memory of 4956	1692	cmd.exe	82
PID 1692 wrote to memory of 4956	1692	cmd.exe	82
PID 1692 wrote to memory of 2544	1692	cmd.exe	83
PID 1692 wrote to memory of 2544	1692	cmd.exe	83
PID 960 wrote to memory of 1428	960	chrome.exe	88
PID 960 wrote to memory of 1428	960	chrome.exe	88
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 1488	960	chrome.exe	89
PID 960 wrote to memory of 4736	960	chrome.exe	90
PID 960 wrote to memory of 4736	960	chrome.exe	90
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91
PID 960 wrote to memory of 1740	960	chrome.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Updater.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "msedge" /tr '"C:\Users\Admin\AppData\Roaming\msedge.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:420
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "msedge" /tr '"C:\Users\Admin\AppData\Roaming\msedge.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF627.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4956
- - C:\Users\Admin\AppData\Roaming\msedge.exe
    "C:\Users\Admin\AppData\Roaming\msedge.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xac,0x108,0x7ffa8cf9cc40,0x7ffa8cf9cc4c,0x7ffa8cf9cc58
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1688,i,289563160763373517,10474594167290433487,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1684 /prefetch:2
  2⤵
  PID:1488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,289563160763373517,10474594167290433487,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:4736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,289563160763373517,10474594167290433487,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,289563160763373517,10474594167290433487,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,289563160763373517,10474594167290433487,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4404,i,289563160763373517,10474594167290433487,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4740,i,289563160763373517,10474594167290433487,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,289563160763373517,10474594167290433487,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5044,i,289563160763373517,10474594167290433487,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4808,i,289563160763373517,10474594167290433487,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4800,i,289563160763373517,10474594167290433487,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:1580

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:224

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3392

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1736

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5416

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a32855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3548ca582d2ba9ecb5b89b836ea8a925

SHA1
0224548d092d984df5031d9376175a0e292845b2

SHA256
327cb7ab0610b91d40cbc2e8027ed64a34a44661064f328548d0814fb4fb2acd

SHA512
575fda2609d9a4fc262a078dd95df984946cc89baa0bc7c97339287698dbddd3bc7a48e8826cc14d185c750c4c56239f4f00e7d6e27b8982d71b10260f93f200

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
8c03e31ff5a1bfb06b63c6ae5e847322

SHA1
bee272dccd470f4575782e702be1b03166175f96

SHA256
89b51ff30a69f2ad48573ae8430a37a0f62c992355ddcd4a5f9c6fcc2b3b4318

SHA512
330a9ef93f751cff6f0cab5140ec3162348147cb43236fb14ebdfa67dae8cde32865d85ced7c9607e2acf49342d064b5fffdd2bec667dd16199a409999ffbd46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8cda33b47adf84ca4b62ecd1ad6be096

SHA1
3cb3fdb0f31ae33afd423ff3c3625a432ce36563

SHA256
f6efeba1b8b8f497e12b87f20615d03e9ed1a4297ea7a6b677a0ed70980e7505

SHA512
70f4e33e2869d92f3b849da6ee7dff54b4d8f48fbe44b684b971ff6c4c9d89a72874060fa00c07dac7ef8342fbbf9a5823d8690a233e32501166393a03a6b989

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
195bc7984fd7117b01f792c72efe928c

SHA1
5b6268148655d83082657f2488ed098d9aa7cdc0

SHA256
d63894e44a8efabb5e34b1be6899ab0238f62a7233ed876615f6b5596cc8f55e

SHA512
7749703920f5ccf064a39f3966ad62d9ab86655235db4cd9990839dc77dc8269b202534242ddb5c78dab87b70abe8d46556931485101c6a038074e3c6a40f754

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d63d44e6a56b77df61d91000737a6576

SHA1
28baf18740a9b2ffd9516310d48ef710b96ad793

SHA256
b5c8035daeee4eec24bc97db04751ec61175d122e5c9fba6b1cb7cdfc0f89928

SHA512
714970ef571c50f05137383d9910e555f2f2149609d4c2f9e76bcab301991aa6e10a85075a92c21064e2f61feab0cbb9f4b776d32f4cae0211dd515ff6326e4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
774d9c5d0cdd75d5dfba137318fc50a4

SHA1
27361319445248ab4e566837978369ce25c76709

SHA256
5927a9d68357ffaf6b99662b0e4388135e29d4133889c5e35834ac84e080d58c

SHA512
8092820744ed028479e1cd88469e4a7fb74720393d46115753af9e384c9ddeeb1346ce53ab684c161f8f48b38cd4662f869318e522ae515b17cd953476c0e6b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a5c3f08c458b85f9c1d9433e7ba4cd8e

SHA1
2d2fbff50910d4e570dcd0fcf45e8a9e5f5feb14

SHA256
1b1458cd780ffd259d5fdea5c8cf05173953e5b7ccbff9a431eff5678b155bba

SHA512
1a18c4a5247c481dca087e0264397fe9ce972b2bf4337348dfb5d5fd3f6b8a5d1ca4445cbbe0f5608e7e352957eaf19514bd88c13e24b834d8c89bea055958a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
331f8f0a7bc927518c3289308dee36a5

SHA1
93ee14e79dcdc4fe656ab63aff0cf65813e6f596

SHA256
c32d88b20ff13dde3657bde94e2b4ad568c45f636b5880955329161370543ca9

SHA512
9afb0fc4c487fca69881c2a8a543592c45a719638a2f04a49045bbb4762e1123e1a3f8f6facf7fc6f97d1a9d6487305d08a248b30247ff85445ee5abe59b4d2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7efcaa3a6693f7a73776807a9aca221b

SHA1
7f4c1b488576518b526cead2036a0fbfd30b59db

SHA256
a13cc4874ca3b40ee46a2362e5880141a8f874510565b8c001479062c16aebda

SHA512
35b14922793291c4d190a7b1c8a00aa8d7c1b93bf6e887719d06d06e7a80284c2048198e20598efc39d02c441a2f2702c3bf950d5a4735f5d6dac289c0123c18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8a6ad3b13c61491d4123f207b458d8ed

SHA1
31601feea20a22ad6ec5285768a26575e8df8320

SHA256
69f31557b39a46c98609b6464b5ffe551588fc16cc61d142801902be1c33f63e

SHA512
64587b75feff91642fe404c38752ec2123f317559b1eeadcc42c3789a6e769188c1e381f0d1abbfe35129c52efafc06e532473534e4a60b49508039c75e483fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b18350484ba8d56a3d6ea76ee7b129f1

SHA1
14c3c4a3b1e1c6cba6b244a346367fe3c69a7522

SHA256
ab1c9bc56ba2d4d682cc94387f16bfed7321a69559e35b97eb5047ab6ce9ad7e

SHA512
082e4e75f648e60c2c3dc69f680e3732478e637d3c193082271c50f39a51a77daba421e369530aa9f778ae4c08d5fa12d168127f65ffd1f35767943f9f27d175

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
6673ae4404ceb1e82b1024ab2652b299

SHA1
89c0022c95f5955a43d924fe9d15892065349771

SHA256
4014492a51c1309979eaf10ad1698a55d8438f4dae6822f50455776fcdb5b755

SHA512
08bf1b012305bd09df63f782b57edb48be34000d95f6cd82dd37f1327c68dbd473445bcffe1610c3e05c31ecbfe3e2d23a19064a5bf8093eadd69f7b7c4cca3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
c839c99f9cc8277cb7ae87a936286d12

SHA1
ebf205a13208410cf80a215024aed9d529df63f4

SHA256
e0f429e907a2f6109108374b0885a6090690c444ceb51540b435efc759da281b

SHA512
244b8590a4a053f811103f6a4ba1c106b5f23f20cd5e27eeb7dabdb387589de2ae798b1839b2b0594d4122b0b9e418c60f61f79c2c48a1454eab6d51f65834d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
96f314b5f71d13585005275f1bc4eeb0

SHA1
24ee5a09539660e1c0b3b9c6004028ef826be599

SHA256
b5b78d0e9d41ad3480178f1cb62ee4c039da8d8a5a7c42a4d4512a0fe8804a61

SHA512
bfdf5b78a31029d35c2e80181ec071e18ac0d824358b365795d1119ac02856773ecd04cdc3eff50617f8186b6890a8029978f92fda52a8f0ec124e67ad63a224

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
8ce45adc1e9f54983b194275d2a706ea

SHA1
a152c9933a6e67ca4bb04692053d2b051f24f0fb

SHA256
c3cc5217bc72a372cffda2d5d4119edc6bc1215f86b153106eb2ca7166ac36da

SHA512
5cd9fbfaa0283d0916edef9faee76dc4495c4a52600a49acace9d73b8374f5dd02ecfbddb641ab9d25a23545604bb4bc463fb216ce8f02c7c11f6bbd3288fabe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
db8ef1efce7b3c22dc204a3d4ae43564

SHA1
1855ddc9fd16310104d6395c0b79fd33d274e6e6

SHA256
579ad7c9c6d3bb9af3534ada0697b96cb272c865493143b8b9e9858b9785b33a

SHA512
9d9b18789f0db9f36674aa62727bb06371b2e0de6c305f33d9ca489961692b3966e77688d25526ceefde41cedeed6180be3de96eee2961730722666f465302b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF627.tmp.bat

Filesize
150B

MD5
40e270323f440804339d46cc92f71596

SHA1
a373cd2b9b8c7e922e946d94f4e94c629de2b586

SHA256
c16f1f88a9fc4346488f21ff0fda6777291289368fc96f8233e4534b76597eb1

SHA512
6af679377a22be29d6ab4f469ab79ff742e5d741b4e1ad5d44991fd202446de1c4938d67817e94a13713477fee52450695f4b80df731004ffc5651a5ad20005c

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\msedge.exe

Filesize
74KB

MD5
56c2943af429929b627d9c788e82dc3c

SHA1
cfb23725cf43512ff8bcdde96c00548f2eda57c4

SHA256
5d15194f5c0260f77520c3e3c3b0aa8dcac5d59a942f5ef61baa2e6cbe6ac922

SHA512
b549db00764fd52e4dc1646c4bad6bc34da24bd0fd74514c1ee3f67dae2287fd69fbf8815c24bc1259282f29c92699d3e7753adfa09a68c444aa9e2d69acdb27

Download Submit
memory/2544-276-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-281-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-97-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-59-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-282-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-116-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-280-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-126-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-137-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-18-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-17-0x00000000028B0000-0x00000000028CE000-memory.dmp

Filesize
120KB

Download
memory/2544-152-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-16-0x0000000000F00000-0x0000000000F10000-memory.dmp

Filesize
64KB

Download
memory/2544-15-0x000000001C150000-0x000000001C1C6000-memory.dmp

Filesize
472KB

Download
memory/2544-283-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-90-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-31-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-279-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-270-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-271-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-272-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-273-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-274-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-275-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-80-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-277-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/2544-278-0x000000001C550000-0x000000001C703000-memory.dmp

Filesize
1.7MB

Download
memory/3128-1-0x0000000000EF0000-0x0000000000F08000-memory.dmp

Filesize
96KB

Download
memory/3128-3-0x00007FFA919A0000-0x00007FFA92462000-memory.dmp

Filesize
10.8MB

Download
memory/3128-4-0x00007FFA919A0000-0x00007FFA92462000-memory.dmp

Filesize
10.8MB

Download
memory/3128-0-0x00007FFA919A3000-0x00007FFA919A5000-memory.dmp

Filesize
8KB

Download
memory/3128-9-0x00007FFA919A0000-0x00007FFA92462000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads