asyncrat | 3d0b19a62038f874efce6e1286a7d591c43935c14e9b9f4cd7a94901fc17cdcb

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20-07-2024 18:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Debug/Updater.exe
Size

74KB
MD5

6a573caf7b6f745e3113b602cc67db13
SHA1

1068547d9db8ba426e6dc9f5f5c7989873eeb3d1
SHA256

3ffae8507d10a4e66855339335a797343dcc19c6a8f48314bc678d03f06bb115
SHA512

badd9cbe3819c87b6cd3da58265e98d4f1f270e80d44589c70f6c9c7542199286a9b4c2b60462e1cb48ae85a2d79d89199b01332f6c797bd1bf54f862da3e2ec
SSDEEP

1536:lUPkcx5v/5CxSPMV6e9VdQuDI6H1bf/s/NQzc2LVclN:lUMcx5vx2SPMV6e9VdQsH1bfAQPBY

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:9090

127.0.0.1:27853

147.185.221.20:9090

147.185.221.20:27853

Mutex

otjnojdxtcgqahud

Attributes

delay
1
install
true
install_file
DustyV1.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral16/files/0x00090000000234d3-11.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1705699165-553239100-4129523827-1000\Control Panel\International\Geo\Nation	Updater.exe

Executes dropped EXE 1 IoCs

pid	Process
220	DustyV1.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2812	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133659737015363744"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4500	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
5100	Updater.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
1720	chrome.exe
1720	chrome.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe
220	DustyV1.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
220	DustyV1.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5100	Updater.exe
Token: SeDebugPrivilege	220	DustyV1.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe
Token: SeShutdownPrivilege	1720	chrome.exe
Token: SeCreatePagefilePrivilege	1720	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe
1720	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
220	DustyV1.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5100 wrote to memory of 4012	5100	Updater.exe	87
PID 5100 wrote to memory of 4012	5100	Updater.exe	87
PID 5100 wrote to memory of 3732	5100	Updater.exe	89
PID 5100 wrote to memory of 3732	5100	Updater.exe	89
PID 3732 wrote to memory of 2812	3732	cmd.exe	91
PID 3732 wrote to memory of 2812	3732	cmd.exe	91
PID 4012 wrote to memory of 4500	4012	cmd.exe	92
PID 4012 wrote to memory of 4500	4012	cmd.exe	92
PID 3732 wrote to memory of 220	3732	cmd.exe	97
PID 3732 wrote to memory of 220	3732	cmd.exe	97
PID 1720 wrote to memory of 4792	1720	chrome.exe	107
PID 1720 wrote to memory of 4792	1720	chrome.exe	107
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 3504	1720	chrome.exe	108
PID 1720 wrote to memory of 4864	1720	chrome.exe	109
PID 1720 wrote to memory of 4864	1720	chrome.exe	109
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110
PID 1720 wrote to memory of 1928	1720	chrome.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Debug\Updater.exe
"C:\Users\Admin\AppData\Local\Temp\Debug\Updater.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "DustyV1" /tr '"C:\Users\Admin\AppData\Roaming\DustyV1.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "DustyV1" /tr '"C:\Users\Admin\AppData\Roaming\DustyV1.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp96E1.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3732
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2812
- - C:\Users\Admin\AppData\Roaming\DustyV1.exe
    "C:\Users\Admin\AppData\Roaming\DustyV1.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:220

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff10b9cc40,0x7fff10b9cc4c,0x7fff10b9cc58
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2052,i,3008588350205261088,10326199380797477852,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1956,i,3008588350205261088,10326199380797477852,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2312,i,3008588350205261088,10326199380797477852,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2472 /prefetch:8
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,3008588350205261088,10326199380797477852,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3272,i,3008588350205261088,10326199380797477852,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4052,i,3008588350205261088,10326199380797477852,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4536,i,3008588350205261088,10326199380797477852,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4136 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4136,i,3008588350205261088,10326199380797477852,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:2640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5032,i,3008588350205261088,10326199380797477852,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3432,i,3008588350205261088,10326199380797477852,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4616,i,3008588350205261088,10326199380797477852,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4676 /prefetch:1
  2⤵
  PID:868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3504,i,3008588350205261088,10326199380797477852,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3376,i,3008588350205261088,10326199380797477852,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3412,i,3008588350205261088,10326199380797477852,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:2736

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:4752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
79a97bcd3cf7efd067fb38b079a4a009

SHA1
f0423dcae49926ee5eaf92790b2411ae044af8e1

SHA256
3557920ce715cb13274be0759e044db84f3b5541e0197b674b7d7e6d2a823463

SHA512
e399454a1102344766b3ee359f11e2877edd1a6db0e30728fbf122a21a68a74fdd20852180fd5dd9ac7e2040810c2da5c4b7a6be3133fa31da2f760f602bad23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
783c5a1ec6e158955b70164b7702466b

SHA1
03b92f96faec239e4ccc8dd1c7ef599c51dea3a6

SHA256
b371982c5e90b6e19cb2b96d1504850f4e1c5ef3a0f0db61a6dfe696cca74fa6

SHA512
e8221d3a8542bb0d213c5d3953e6e2b12abaab3f5020bba56a652ac75ad954305493bbcda6c54172ce7c7bc585552e9612632bc28c3c64c7b6cde7e283aeb282

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
211be04095a50608a3000caa2f835e6d

SHA1
2b189dcd5e35f9ba85e4603226bb689e21f1239b

SHA256
75e8a16769eef3d9b8f52fbfbf175f198de5d6c27fbbb3cf952004c0acf987ac

SHA512
c210dde19d787b41511abe9cc44307b1555f89d4a460014ac97e38a79034f163cc5ad16c583a4acf987dc779ccae6440a26ce8bfeeb5889a75705a40af0d7a6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ea9bfd54ccaf26124655cc999374512f

SHA1
f7ae7aedf601712a88422d956ca47524502e8d62

SHA256
ad7a838fbca3b24094e54fde6b88891ffdb52759a91e61b5ce4ab58c7022114c

SHA512
b6c833119667f25b988863135e740833899fa2d3bb17cf413a0c5b119158bf8e773bb52a5c7a05a49ba1b396d9e630867f86cd781cc0b4ad08e645611532526e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9f4211de855c337b74facd0c12ecfb80

SHA1
89dcdb386454e90f556666ead4cd6f45aa106ccb

SHA256
7e8cd0c477b3e36d985cfb47781a9cd98b8eee66c83edbaae31ae9a3da7543b7

SHA512
22be393a7986578a2c5b1c8768c09792f9acd3e07cbc0820c6d0af0a4be12c63c782ade52c92a9f5ddb9971322b655b73373633868a5fa3e6b1832a22e9057f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
226b446eef4deff8643c20012b260b1e

SHA1
52138a4a022265b5dc047b95d0c797bfe6156134

SHA256
ac8067a1ae64f1266bc82b5d665794b96bb225817143e7e5cc397e4ee69571a4

SHA512
455232f1335ad798da36f8625a25460ef79c55b21bef627ffcd072e8ac6679f270b334c7907678e8110c6d5a668430fc59937fdacb175c9f221063522f6a3438

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f10dddf57b9582c63758729864440444

SHA1
ee2f478e15955f7f3260da294d84743dfb9ad905

SHA256
ffd0d12d84a32d9c3a2491c0890190c90a01409e90772e7ab8dd6267395b6e56

SHA512
cddabf8472129b1e12f70c432b8048b552c885e73b07137b6b198d611284af49362e1c57ee64ebd6fda51f43f39f8c02f75369b401cfe61441ecb01d4090f966

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
89c986281285a3a6a17fd1c385d06912

SHA1
c01a359117957f9d18f6d4846e40454d72df0d24

SHA256
3297392ec74026b039dc1bcc38c0cc9a712bcdd0ccd82037034116731853f704

SHA512
3ddc0a31e98d6c9412fd5dfc97531ff6f48a83645dab925cf5f5bd79985895b822b366ba4700d084636025fd840e760fb5b1a037bc73cee669c2ba1f8ede7e38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7cbe97e2f332cd59e7ac946a8c9d6f6e

SHA1
eafa19999b6ef39c8a24c0e253c5c2c492e07cb4

SHA256
be95877b203134957c25369be5c416552040db8c62d019792ae3a61697b1c5e0

SHA512
7b32ef59adb0c0e932acd5ec876aa073484961eb1e9803afa0a7207e363050449fa6f5ceb8301545ee974e62e3292e2069abd65f3a2d91ee2808877a0a46e330

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a4b3b0597eb0da2f28b8f78619895816

SHA1
92821ffe68c31e20885237e7b8b326b66340115c

SHA256
36ea4ce182e4f402f51495bfa2f8b95b9802652223042c194dec00841cc34c8d

SHA512
418be6191a5658decafedee5e8fbe16e2d1745529fe01e9cc6ed3329898d0b5f63b9499e2bdeb030ea8d2cf199665c87118583bdb94c8a84945c536f3617e671

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
1ab6c3dc150f374a568714e48d99c26b

SHA1
1b08c6381aab8f788b6ae72697c59696d7e62570

SHA256
36ffc2c1eb86b85c0b750b26526b8ef086ab49fd6498dcc264be96e99bdac2b9

SHA512
a95a9af5629f436b8234091df0ac00cfa927a5a15bb45422b3094f4fc32132b23bce26a3b1c5edb1b50d0a150b9346894e634a939cbefac168731df1c30ad251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
1981a717941e94dadb21c20f140504ab

SHA1
a6a514e8466b0903d5a97aa5c998fc9f8502fa41

SHA256
5379dd8c9881b099076434b0d13e01c82425cb79515e8e4132a92d513b297dfb

SHA512
772f6c8836cf9f2cb4d0139412f9bc19f01fb1b954dd75b541dad8381ebed89c31d50ca781a1a17423830ebc1af37e61e989464be9edd8544ecd9adbc99d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp96E1.tmp.bat

Filesize
151B

MD5
105a26c2968ede1ae264ffc06d0eb135

SHA1
1bfd3bb09c3d803530d134e14beb201886b29449

SHA256
e6ea082d6dafe63f83633236afc6d3ee8bc18220a505fb9c184d0e1a5040cd15

SHA512
78c326aee1ab797a16e1032e4683625bec2734c486896b424369abd2f57b8de41ff450885f50762b621c73d67d2b9672da01fc309017b436486c9e4af1bf1242

Download Submit
C:\Users\Admin\AppData\Roaming\DustyV1.exe

Filesize
74KB

MD5
6a573caf7b6f745e3113b602cc67db13

SHA1
1068547d9db8ba426e6dc9f5f5c7989873eeb3d1

SHA256
3ffae8507d10a4e66855339335a797343dcc19c6a8f48314bc678d03f06bb115

SHA512
badd9cbe3819c87b6cd3da58265e98d4f1f270e80d44589c70f6c9c7542199286a9b4c2b60462e1cb48ae85a2d79d89199b01332f6c797bd1bf54f862da3e2ec

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/220-18-0x000000001C710000-0x000000001C72E000-memory.dmp

Filesize
120KB

Download
memory/220-17-0x0000000002AF0000-0x0000000002B00000-memory.dmp

Filesize
64KB

Download
memory/220-16-0x000000001C770000-0x000000001C7E6000-memory.dmp

Filesize
472KB

Download
memory/5100-0-0x0000000000810000-0x0000000000828000-memory.dmp

Filesize
96KB

Download
memory/5100-8-0x00007FFF22B90000-0x00007FFF23651000-memory.dmp

Filesize
10.8MB

Download
memory/5100-3-0x00007FFF22B90000-0x00007FFF23651000-memory.dmp

Filesize
10.8MB

Download
memory/5100-1-0x00007FFF22B93000-0x00007FFF22B95000-memory.dmp

Filesize
8KB

Download