asyncrat | 20ef76c154dc7e7ebb7a1dc49590fab234f0f082133ed085bd834f89bd16c66b

Analysis

max time kernel
72s
max time network
82s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
26-07-2024 13:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mia_Malkova_Photos.vbs
Size

4.0MB
MD5

83959ea07eae4d7f08fb11862ed707cb
SHA1

80f40a35bde7a1500476bb17401948f4f811c7b0
SHA256

20f8f27cdfbd0a0346a2e43348b3ae626d3aa4712ab559dce8286b74a58ddeb8
SHA512

16faa156267bd072d9c889c951a109c827cc61d01b5962a74c912a8a63d5582802a6d1cb78875294ee3cb1fe361cfc41545837c22a4f76765f74e9b609942d05
SSDEEP

12288:X999t9t9t9t9t99999999999t99t99999999tttt9tt9t9t99t99tt9t9t9ttttE:EGg

Score

10^/10

asyncrat gb discovery persistence privilege_escalation rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

141.95.84.40:3080

Mutex

XXXXXX

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mia_Malkova_Photos.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mia_Malkova_Photos.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Mia_Malkova_Photos.vbs	wscript.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Loads dropped DLL 4 IoCs

pid	Process
1000	regsvr32.exe
6116	wscript.exe
3292	regsvr32.exe
1520	regsvr32.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 6116 set thread context of 3868	6116	wscript.exe	97
PID 6116 set thread context of 1524	6116	wscript.exe	101
PID 6116 set thread context of 1204	6116	wscript.exe	104

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1928	3868	WerFault.exe	97

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133664740749987211"	chrome.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\DynamicWrapperX	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\WOW6432Node	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\WOW6432Node\CLSID	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dynwrapx.dll"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\DynamicWrapperX\CLSID	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\DynamicWrapperX\CLSID\ = "{89565275-A714-4a43-912E-978B935EDCCC}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-514081398-208714212-3319599467-1000_Classes\WOW6432Node\CLSID\{89565275-A714-4a43-912E-978B935EDCCC}\InProcServer32	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5284	chrome.exe
5284	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe
Token: SeShutdownPrivilege	5284	chrome.exe
Token: SeCreatePagefilePrivilege	5284	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe
5284	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 6116	4224	WScript.exe	83
PID 4224 wrote to memory of 6116	4224	WScript.exe	83
PID 4224 wrote to memory of 6116	4224	WScript.exe	83
PID 5284 wrote to memory of 3164	5284	chrome.exe	88
PID 5284 wrote to memory of 3164	5284	chrome.exe	88
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 1284	5284	chrome.exe	89
PID 5284 wrote to memory of 828	5284	chrome.exe	90
PID 5284 wrote to memory of 828	5284	chrome.exe	90
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91
PID 5284 wrote to memory of 1776	5284	chrome.exe	91

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Mia_Malkova_Photos.vbs"
1⤵
- Drops startup file
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\syswow64\wscript.exe
  "C:\Windows\syswow64\wscript.exe" //b //e:vbscript "C:\Users\Admin\AppData\Local\Temp\Mia_Malkova_Photos.vbs"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:6116
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1000
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:3868
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3868 -s 92
      4⤵
      Program crash
      PID:1928
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3292
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1524
- - C:\Windows\SysWOW64\regsvr32.exe
    "C:\Windows\System32\regsvr32.exe" /I /S "C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:1520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d8a9cc40,0x7ff9d8a9cc4c,0x7ff9d8a9cc58
  2⤵
  PID:3164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1936,i,6470009622594284390,871544924324266401,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:1284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1720,i,6470009622594284390,871544924324266401,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1968 /prefetch:3
  2⤵
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,6470009622594284390,871544924324266401,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2224 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,6470009622594284390,871544924324266401,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3088,i,6470009622594284390,871544924324266401,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3788,i,6470009622594284390,871544924324266401,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4336 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4792,i,6470009622594284390,871544924324266401,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,6470009622594284390,871544924324266401,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4924,i,6470009622594284390,871544924324266401,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3124,i,6470009622594284390,871544924324266401,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3308,i,6470009622594284390,871544924324266401,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3340 /prefetch:8
  2⤵
  PID:5856

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:3356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3868 -ip 3868
1⤵
PID:2568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9b937a57dc3a8616724566fee1a58e49

SHA1
8f2112ffa72ce3ba21f3feb68f4630584fb9fb03

SHA256
919b8ef92e726f25a655cce30c243ff6852902a61b1314327e87ae71478d382c

SHA512
54791e8380984088fb9a9afb39754814667ac668c3441a84b1c11bb82e3932b418ccb2c8b1ae793803555e362babb17dd18d86f1a23dbd917fcd5fcb6d15b90f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
210KB

MD5
5ac828ee8e3812a5b225161caf6c61da

SHA1
86e65f22356c55c21147ce97903f5dbdf363649f

SHA256
b70465f707e42b41529b4e6d592f136d9eb307c39d040d147ad3c42842b723e7

SHA512
87472912277ae0201c2a41edc228720809b8a94599c54b06a9c509ff3b4a616fcdd10484b679fa0d436e472a8fc062f4b9cf7f4fa274dde6d10f77d378c06aa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
67edbec070369267b14f52b61958b6a2

SHA1
03371c95f85867056a2bd783fe04043a6d8c7853

SHA256
4157a23f8d3e7bc06d8e0ead970ca35d72065fffb29611dd2700cb1e04306607

SHA512
fc9edbda92b21b45676d164b40d72ed63f51e54b99457c4cb5a4af8489a26c7f3fca92aff8be8c53019be09537388018c90b2d953be074995e0f35036b11245c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\2f3465f4-c28b-465f-bc6b-24c16f306949.tmp

Filesize
691B

MD5
55aa54ec3b519ea8c4de89aef699181a

SHA1
0cc2aeafa2fb2a267e2b5b16a041d6854f3bc127

SHA256
199bd14b7c2ddcafef7fa3da21d070fb04dc223dfea2b7777badd53f4810437e

SHA512
6d6c7f24c0d635fed29935a3de547c2a4aab65441899814113301ae09997715ec8c558c04f7acb025c3517eff8b17279e1983a7b0018456982da178dc8bee225

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
4f02e523d7f7efdeba30bddea0ca4855

SHA1
a3e4573acd356d07b11c4a1ab1ab715e4deacd5c

SHA256
58f125db7ea9d396c92b29caafb0477e875d1cd81519be8a382fc5e93e13a5c9

SHA512
a9a1c552f780ed6e0fd77f1118419810a2cbe76e12790515019104aac73ec9009bffeea471701ee0f5af7210aed14b2d0bc1a62f1a42cc5e2ca1900a66be237e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
829bdb645012f75237874321a541c1af

SHA1
5385f12354211b799aab4bb3e1972c1fe5fa8902

SHA256
a6e5ff8be252b72275c401487e647a657aa70fa3483004f23d673d631636d049

SHA512
8184619cdd5d216b7588e2f07ed17aa3fea4ef8f91a3546a2d6f4e86627a8cdd46666d4a11d0ef5a953997999af9d47cd0707921244a59a9263510754221fca5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
165f2c5c7ccbd54987cfe399255aa9c8

SHA1
988551a1714e042e46e32f352d68a79965cc1b1c

SHA256
b76eb183c717d009ac5e98b843c9188c62382b4cc38e71988f68db9505320660

SHA512
ee8714636c12b7fab7b90f9da1bf3dc13e3acbe5d392c5cde18192104ed7c50493bfa0777f45ebad88f8d6e7c9ba39720085461a35bdee21a927e7a0b5707a76

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ba319701d04a7b56aa76c3e55ccc3dde

SHA1
d111ff1a546e510e3e485ac40ad5996187169202

SHA256
615041251156ce61134fd08d9b4cd67474ea35d382c29e88348a72de64079dd0

SHA512
e5c95da8f5535eea4fdfef4d67aa535291c9dd929fbd0cb79af3f361b580d6d175f7cacc1dacfab70e3a4b17c715d4372de940c2ca98a30933fbb5cefdc28de7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
272c3473aaaabc406a5ede40c4dc973f

SHA1
49583301c0ee377af8fe821b046ea0ce4949cc07

SHA256
00396d98992eae1767eeba6648dd0c81439fd331c3b80dd2ba07b9cb0e410930

SHA512
1ff126b4d9a619715dcf9850146ed44e8dc0c8dccf71471c08e5d6ecc49c40d710704ccb2238d61a89c45cc784bd0ac265ecc8781b0bebde822cadc741bf3c6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8b45227cf0525706daba3122b5fc796b

SHA1
4cc96377de19f82fbebc4374a8f257585346e7b3

SHA256
fff69b1e9e25e10b8c5b6fb8933e1f1c53c816789decfae589730cd046634db1

SHA512
2f264e07f7a6d11900cdcf57c8e79a8a23ad41d62d0967f9d95b3870d0b40992bc199369823db86920e52f79fdb7d0e9f00296e2639a4063ae80e819fe5e4f53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
9f105ddc34f4ae3584f338ad134ef9f2

SHA1
41cd8e69e53027f2b2b2151ebcf4857cdd4b69df

SHA256
cd0ed3235961e42d6de739c1e27ae0c0635562536f336b11b3002fea40994520

SHA512
aa0e3982dc830999b7d4204274782451551886504a597cbdf0408a83d71927cd5b5c1fe911b321e4a38621084abc9e9d2fe392874a804d76a4731f93819c8bac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
188KB

MD5
5e76b9a87cea1476514adaeccca0c8a1

SHA1
f3636e51351a0037b0813dcc66515e88abe07cc2

SHA256
2daca5885df3bedbd91da371a0c839e88f18fec4163747aa4e4fd0d070b9f051

SHA512
e73930dd643fe0f12ad9e5d5239ae8b8c33d666ee44d7f4cdf8ab16e0c63bff3619a4c7149f0ece3b941ef1257cf49e49ea7975fc98e92cb9ce90ba625fd0997

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
189KB

MD5
17e389a6d7c3108946f643ff85220f88

SHA1
fc49802fe480a17f73d6b03f7c41bf4f684bcf6f

SHA256
2b23df3346640c114bc0c3ff42f659b8f80e28556f822f88134a978e7c970313

SHA512
1dcf7dc3168ba85a863012eaa0e191eadcc4ba95de3a6913a04325db15d39f16343595cbfbc180d9539430b407de5898334dc829dd58eb8bd1304c1ad20cbabd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dynwrapx.dll

Filesize
13KB

MD5
e0b8dfd17b8e7de760b273d18e58b142

SHA1
801509fb6783c9e57edc67a72dde3c62080ffbaf

SHA256
4ef3a6703abc6b2b8e2cac3031c1e5b86fe8b377fde92737349ee52bd2604379

SHA512
443359da27b3c87e81ae4f4b9a2ab7e7bf6abfa93551fc62347a0b79b36d79635131abc14d4deddab3ace12fdf973496518f67e1be8dc4903b35fd465835556b

Download Submit
memory/1524-35-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download