asyncrat | f1cf79e0ebbb693d10ca8b96d6c6aae0176c3a3417512bacaf0016207e60492d

Analysis

max time kernel
149s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
20-07-2024 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Password Bruteforcer.exe
Size

82KB
MD5

401cdb3441eaa85c7d5d85b8cfe0fe54
SHA1

6bbb659c5c2b30c24313efa7a3775b78cbf385c5
SHA256

f1cf79e0ebbb693d10ca8b96d6c6aae0176c3a3417512bacaf0016207e60492d
SHA512

fb70afc7e5a382b3970cf92feaa12c4cfeba7a7dbca0d0f8736b5a38c0e4c42204cf4975081eab940524332fd3067bc4d5da053b55e71f983e01bc20454822bf
SSDEEP

1536:x6UzwcxbUTCrmPMVAsP1K4I3H1bL/2sQzcH33LjVclN:wU0cxbgwmPMVA8wBH1bLesQK33LJY

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

127.0.0.1:9001

91.92.254.89:4449

91.92.254.89:9001

Mutex

fefewfewfewf

Attributes

delay
1
install
true
install_file
Realltek Audio Service 86x.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000300000002aa6f-13.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
3472	Realltek Audio Service 86x.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2240	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133659449955209885"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
1852	Password Bruteforcer.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
1908	chrome.exe
1908	chrome.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
3472	Realltek Audio Service 86x.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
3472	Realltek Audio Service 86x.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	Password Bruteforcer.exe
Token: SeDebugPrivilege	3472	Realltek Audio Service 86x.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe
Token: SeShutdownPrivilege	1908	chrome.exe
Token: SeCreatePagefilePrivilege	1908	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe
1908	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3472	Realltek Audio Service 86x.exe
860	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 3224	1852	Password Bruteforcer.exe	82
PID 1852 wrote to memory of 3224	1852	Password Bruteforcer.exe	82
PID 1852 wrote to memory of 5104	1852	Password Bruteforcer.exe	83
PID 1852 wrote to memory of 5104	1852	Password Bruteforcer.exe	83
PID 5104 wrote to memory of 2240	5104	cmd.exe	86
PID 5104 wrote to memory of 2240	5104	cmd.exe	86
PID 3224 wrote to memory of 2656	3224	cmd.exe	87
PID 3224 wrote to memory of 2656	3224	cmd.exe	87
PID 5104 wrote to memory of 3472	5104	cmd.exe	90
PID 5104 wrote to memory of 3472	5104	cmd.exe	90
PID 1908 wrote to memory of 3100	1908	chrome.exe	98
PID 1908 wrote to memory of 3100	1908	chrome.exe	98
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2776	1908	chrome.exe	99
PID 1908 wrote to memory of 2944	1908	chrome.exe	100
PID 1908 wrote to memory of 2944	1908	chrome.exe	100
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101
PID 1908 wrote to memory of 2576	1908	chrome.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Password Bruteforcer.exe
"C:\Users\Admin\AppData\Local\Temp\Password Bruteforcer.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Realltek Audio Service 86x" /tr '"C:\Users\Admin\AppData\Roaming\Realltek Audio Service 86x.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Realltek Audio Service 86x" /tr '"C:\Users\Admin\AppData\Roaming\Realltek Audio Service 86x.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2656
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE966.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2240
- - C:\Users\Admin\AppData\Roaming\Realltek Audio Service 86x.exe
    "C:\Users\Admin\AppData\Roaming\Realltek Audio Service 86x.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3472

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ff94b87cc40,0x7ff94b87cc4c,0x7ff94b87cc58
  2⤵
  PID:3100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,14739202174830761016,651556822623820236,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,14739202174830761016,651556822623820236,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,14739202174830761016,651556822623820236,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:2576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,14739202174830761016,651556822623820236,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3204,i,14739202174830761016,651556822623820236,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4440,i,14739202174830761016,651556822623820236,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4728,i,14739202174830761016,651556822623820236,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4808 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4972,i,14739202174830761016,651556822623820236,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:3348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=868,i,14739202174830761016,651556822623820236,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4996 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1800

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3512

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
1c4cf347ba22792119e4677c0fa13855

SHA1
0c92bf6a915977c18b15a88b64147bc4d024d8f9

SHA256
69cb53f55fdb2aed8fe2ec3136721b8e74cfe4ea59bc33da1543cb81521a8a7b

SHA512
8828a7969f3c90513a4ae823a151c1a2309eb58524293335a7aef9774f9ece926798fcc52a8d39b138bec01f7d75ffbb9efa0dceb9989f7a02a7845b35284b1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a430d795f23bdeb2fe01a8f5eacfd65c

SHA1
db392e87228555b6247ec2c2fa909303a04dc5fb

SHA256
385941d7a64e174e2f375b95d04e389dd619dbd54cafb1ea0bd4cfa8ca5d96b5

SHA512
418edb771f998f18e29e1da469e6a1cddedba3e30a67504df27506940310c73be0e7823f3a126309e571c087301f0dcbae977c33bad9f70b9b45086b32f0b4fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
95f4f1bee5d62ad77b107c933ae25ec0

SHA1
a03f666cade99403bdf3224a07bdab969c76079c

SHA256
4ceb1e19b30762c704f5052fbcad318edf84446f6ebec1abfecec716ba1a8e90

SHA512
043c6835b2e787628a4868247b514c9d78d65b7b9681f11d64b02a48aabf95b522b80494497d2d5adfd8862d095816374d896ddd5618a69b4ae919f6769574ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0f63ce451d22bb0721fb15ae6a18a3d5

SHA1
9cb53b37b463b24a3a679696810bb2dc4e5c504d

SHA256
ee2eddaa42eb0afd1a59bdac805f427f4902d0ec99c65ecbe4825423aceae875

SHA512
ec53f75fa5d29bd11690dd1d7ee9734c0fe364dbd72d59e2fe5d9c1a795fd5cd9fc3fc4e352283868da4b5006d0e0bfcceacc1164bf9405a0b9131024719aa68

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a33e3eae8a6700c97c58955d08ad634

SHA1
f9f1ecde5142fb3434b01b992a8dbe8f764eee81

SHA256
22629e3b68c9e6e039a0be29d58ef6d9399f1ca04fca6b6b601ff3945b474ec0

SHA512
a43399e7ff116ba0ff3fd8570486e344be46f876e804edb145e5d5dfda231e048b43c59b8f59527576733528365037d2c7a926563e0f5f3a7ce9ac179c9bee7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9222138a01fe9daeb9d51d29d02b15a0

SHA1
a141bbadbed07882bd576e1f15b77ea8efd6398b

SHA256
ec95754b5abeb514ee3ba4e61aaf3e86a0e3c21e0e01ccf88750c6717b27b9f4

SHA512
92a55db127452ee6ecad30425ab7c984f118417ec59f65413c08dfac683cd6816d350dc68f8bffc4179d3737a3fa51ba005cfb546abb7843180be720c3b0519e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eaaeb86a2365de0116fc631e8d204d9f

SHA1
85120fc776412cf8d2f1a295fdb434832293b800

SHA256
f9a5cd46b794c5e3f14b6136e9e42d1a2be6010514386e452e881e4e7bce7e22

SHA512
08179df25b009ec037fe79af8e1e9b2478832e5f8f72132a861fc2e50423449ee361a54aa9da83c710e936bcfa2b9b01e6693ee5f6e3d556b717b8932fd82455

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e1d38e891c8289958c35306637b87d83

SHA1
d5cc2ab83e10494cb957a9fd40b68f90c8793703

SHA256
b998840c1e276da6248a9149504d0d620b73ccec068ee86f06644be19509f2e7

SHA512
c0f449f212dc85eedccef844ad0aacd519939bc9f9de7c62db9387b6f90e15faee76cc3f1378dae1b7fca08174757e568993f3961230a65c48d35f1021916d35

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a81f8ab6dcc5c7f26f2564bb904da1cd

SHA1
8fbbc3c1bffdc8b1f30606447cb9316365d649b2

SHA256
22809a185ec31a6291eb1a977f0ac4a5a3432fe6bf769c5e5910d4b15b7e09f6

SHA512
e275bdb2a904282e769444a80e4a5a94428ed1d3a27fbddeb0b475be67b18630dffa3faa5f6095ea587a208dc6ee9d87aaf149bbbe672c40f89c1338d8f69975

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
893de86b4e9fc4c431d31b4f9e016b3e

SHA1
cba349a25f339d9e323b93ac9029703639e4555d

SHA256
d395eade37f3d44324259212f315dcf5eb542a059bb368d2bb7ca2bb0d8c47c8

SHA512
70c2aaa1e6ceb00be449872efee0e6fee8b7f35ecad8c3a9a4428051fd15020d9f1203adcfc98eb2cd2a221e243ddc64dce2e451e764c8c4acf7ae32bc49c69d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ee4d21f24f6ca8927c27ce896c5b0843

SHA1
cbfa702ed593911e4b8c47344592b16b37554915

SHA256
838bd412b69f3366a5a6ff8403374aa7b9b893bf17d105237485ebf070f074a9

SHA512
ef27f33488490e0a77f8fdbb15162d81c0225f881e39b1d77805dc0513a254bc61550bc5d7ee9bd3171b31e59ca703f5cdd53c85b852c7688eff64006fb9a3ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
57d8579766f728aaaddea01da3f08ec0

SHA1
c34fccef840359269f3b2416b5a2564628432591

SHA256
9830ee5d498bb4e074b64b0654c7df7ff1bbaac645d0a292497ceb03fe19ad07

SHA512
5da49fdd1c823c5fd6c7c444900ca927a8254638e7f3ad01fb7b9b5936d4bda4b5cd7ba56c011a49867e4cead4e02291827781f6088c41ee0947edf9d8bd684b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
39f932679df18e345cf7b24815e8b533

SHA1
0d241033ef3c7a4bc0b69106f69c5d9b8f824066

SHA256
6551bd65395ff255cc50822d8845b502c2f66ce5ba942df6484b43b4d637f5e7

SHA512
5f67753c4e758894006f11ebbd04965f4dd351dd7b9f7ecea2bfe38d4dc4e5b88880ba166408e7670bfba9197e694cd4a9dd288697299f6fc20af61b59a81e2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
a5a4f513bb418d358029bf0efc06a69d

SHA1
2f856913d29a53c6235cbc2e6ad10a30ab183eb9

SHA256
5214860341209f28e4d3d51d199b95768b534d5ff1f8171de9897d082612caa9

SHA512
2501b709a664b0caa657570eb67993a2e52dbe76765fd1ebfc04ddb67d53fa625c42eb94c0cd94a7b26c76d410711a3bfe078aec1e7f5fa2da731d6d7a1bf15f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
cde2f79b738723dd7c52f649ed9179c2

SHA1
6eb5aaf5a6df094af97e3720d9a911aa40bd1f56

SHA256
9504b54f4cf432bc896eb372bad6e5bf8fe2cdcfca8a3cc4455b0c8c7a7daa82

SHA512
b086321ea0c034f6ca8452fca56eb4bca7eeba1ea256e073534a467b3aae45f694894aeee4ae5a2ceeba709a9245c0e39ebc1018f4801a9cf73d5b0debea8b97

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1015d2fd919a3b62e193194c7bfafbef

SHA1
f7f3314dd817edcee90f87491f74825b197f476b

SHA256
990002e556b74d16e89d7f6c8be6ac5870e9be8b904ec52e87d92631fa09467b

SHA512
ffc7702179fb30851f4646f26a53e87c0215e320e117901c726a6294bf428540134e1fd14fce37a0b430e8379b4c56d6f57b582efff5654e2ed4624453762bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE966.tmp.bat

Filesize
170B

MD5
5496bdb17d82b73e524119643504f051

SHA1
d44461b517a51034a8a59852ebd4c2058be3c8b1

SHA256
99957fd8370f49eafe6208bb9eea7b82a35f0969e0b36421931cc62ca23f8fe6

SHA512
3af87aafbff4ba9d26f1e1550ac36669b6808da95bf9c21eb9dc62772bdb8db59a59b9fd03733d87968ccbce493dbb364cf7c963e46bb85edad97b0f475a87f5

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\Realltek Audio Service 86x.exe

Filesize
82KB

MD5
401cdb3441eaa85c7d5d85b8cfe0fe54

SHA1
6bbb659c5c2b30c24313efa7a3775b78cbf385c5

SHA256
f1cf79e0ebbb693d10ca8b96d6c6aae0176c3a3417512bacaf0016207e60492d

SHA512
fb70afc7e5a382b3970cf92feaa12c4cfeba7a7dbca0d0f8736b5a38c0e4c42204cf4975081eab940524332fd3067bc4d5da053b55e71f983e01bc20454822bf

Download Submit
memory/1852-0-0x00007FF950263000-0x00007FF950265000-memory.dmp

Filesize
8KB

Download
memory/1852-9-0x00007FF950260000-0x00007FF950D22000-memory.dmp

Filesize
10.8MB

Download
memory/1852-4-0x00007FF950260000-0x00007FF950D22000-memory.dmp

Filesize
10.8MB

Download
memory/1852-3-0x00007FF950260000-0x00007FF950D22000-memory.dmp

Filesize
10.8MB

Download
memory/1852-1-0x0000000000240000-0x000000000025A000-memory.dmp

Filesize
104KB

Download