asyncrat | 2acf58b89e013558f70f7d432331cb926ea74093b1a0f7ff753779dd5aca45bb

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06/08/2024, 09:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

rat.exe
Size

48KB
MD5

fcf89ebf3f7353591c0784c354fb1ff0
SHA1

a4df86134af908d17c434fbfcdbe8452df1e0839
SHA256

2acf58b89e013558f70f7d432331cb926ea74093b1a0f7ff753779dd5aca45bb
SHA512

a974178f767d25958ed684997f12be01d3b536cb5ea07eb2380bec3e9b9dddf2a2db7183c665a5ca5402220bff4e301eb8f9448b8d83ae514af3efbd9987b76c
SSDEEP

768:Jok4oILg+k5+biSP/DaGTyiMb8YbegeiAA0FvvEgK/JCVVc6KN:JokXRomGwzbhPB01nkJCVVclN

Score

10^/10

asyncrat solara discovery rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Solara

legacysoud.duckdns.org:8848

Attributes

delay
1
install
true
install_file
bfsvc.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000e000000023343-10.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	rat.exe

Executes dropped EXE 1 IoCs

pid	Process
4940	bfsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
54	discord.com
55	discord.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4236	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133674087387182177"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-656926755-4116854191-210765258-1000\{06988C98-4A23-4BE9-9E31-5C29E7E21A76}	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
2376	rat.exe
400	chrome.exe
400	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2376	rat.exe
Token: SeDebugPrivilege	4940	bfsvc.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe
Token: SeShutdownPrivilege	400	chrome.exe
Token: SeCreatePagefilePrivilege	400	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe
400	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 3972	2376	rat.exe	90
PID 2376 wrote to memory of 3972	2376	rat.exe	90
PID 2376 wrote to memory of 4064	2376	rat.exe	92
PID 2376 wrote to memory of 4064	2376	rat.exe	92
PID 4064 wrote to memory of 4236	4064	cmd.exe	94
PID 4064 wrote to memory of 4236	4064	cmd.exe	94
PID 3972 wrote to memory of 4104	3972	cmd.exe	95
PID 3972 wrote to memory of 4104	3972	cmd.exe	95
PID 4064 wrote to memory of 4940	4064	cmd.exe	96
PID 4064 wrote to memory of 4940	4064	cmd.exe	96
PID 400 wrote to memory of 2708	400	chrome.exe	104
PID 400 wrote to memory of 2708	400	chrome.exe	104
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 452	400	chrome.exe	105
PID 400 wrote to memory of 3332	400	chrome.exe	106
PID 400 wrote to memory of 3332	400	chrome.exe	106
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107
PID 400 wrote to memory of 512	400	chrome.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\rat.exe
"C:\Users\Admin\AppData\Local\Temp\rat.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "bfsvc" /tr '"C:\Users\Admin\AppData\Local\Temp\bfsvc.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3972
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "bfsvc" /tr '"C:\Users\Admin\AppData\Local\Temp\bfsvc.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4104
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCF85.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4064
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4236
- - C:\Users\Admin\AppData\Local\Temp\bfsvc.exe
    "C:\Users\Admin\AppData\Local\Temp\bfsvc.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7fff46decc40,0x7fff46decc4c,0x7fff46decc58
  2⤵
  PID:2708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,4007884596353469740,9360833098305534744,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2108,i,4007884596353469740,9360833098305534744,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  PID:3332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,4007884596353469740,9360833098305534744,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2584 /prefetch:8
  2⤵
  PID:512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3180,i,4007884596353469740,9360833098305534744,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3352,i,4007884596353469740,9360833098305534744,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4580,i,4007884596353469740,9360833098305534744,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4848,i,4007884596353469740,9360833098305534744,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4896,i,4007884596353469740,9360833098305534744,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:4000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5040,i,4007884596353469740,9360833098305534744,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4756,i,4007884596353469740,9360833098305534744,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3356,i,4007884596353469740,9360833098305534744,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3436,i,4007884596353469740,9360833098305534744,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5544,i,4007884596353469740,9360833098305534744,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:4316

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4104

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3ec 0x320
1⤵
PID:4224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8b3f645c-e059-4ec7-81dd-c9be36391f81.tmp

Filesize
8KB

MD5
b934182db0c4fd324d1c7813dee881b8

SHA1
68c4f049451207eb424a5b31e0bb25a103af6d5a

SHA256
cde9158f97e9e5a45ae696a86d2116dcb333bbffb7ef5fd45dfc15601f927352

SHA512
623f7dd48ee3bb2352245894f76e10e9edb44f9b3ad991c6fa7265d75022a1e131c280678b9659bec36d8b1d26828a9342edf8a4117eb78fbc42933f6327386b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8c64dcfbff5ed6559097ad922eeca2ad

SHA1
6071e36a145ed5c00027a452b83389e5a5120e23

SHA256
9abeee6d61eea5f079fe54af785222f5d1851e58f9af03a21eea5e9d357f2473

SHA512
07e42131d61a2cd46ed69749ccdd478d85999227a198f2b51d398fb8fccd287f4fed84b76cacd34709acf10ef8b088139f71fc22814c6b2a3671a7ffb868048c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
a32389a8d350a05db11f185a45ec596b

SHA1
d89a41b3eb540bb45b6d3297df482ce2871644d6

SHA256
6446947bdbf977475aa29a20c34223c5ad92391f8fa4895e44b26c28bc1bdd9b

SHA512
692a0dbc2b688563e753c561d99e20be4b4acc5fc91ebb4c65e97352f13a27739a0338231566d8f25ada847d68ee3d9e647e97a9d95a4d1b607d7a823d146574

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
30e1c630114d1211cb285b6a8cc8b31f

SHA1
caed174e404378d99a992932a452562fc2b1cd6e

SHA256
3b417eb6c5b18fe5aaba0aaa7b52b867484736616296a5fbc0fb2c5afae76de5

SHA512
970504707b610ff38732601a38ef163ee0dcdbe84e5cccc2000543f4d6a0995145c7cf3d57d52f027c370d3cb158bed1e18d7c9861c12fdddd8a8a13aa5d54c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f8979c96599ad145c16133e5625a0eae

SHA1
5178b0a4050b71069686d8956376c7e3516a984d

SHA256
61c16412511932531ea525086a4c53a57f3db29900d8d4f2f37c30ce52f4c0b2

SHA512
0e1d92e138f709a494d116fbe5ef42097fe5b4ca48a71a58827330c8714ed735975260c9f0e50977855b44cea04312fa1ec3fc834278262800cbea23d40b6fdb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
81d24f085bbb01ab4bfccb6f1d659948

SHA1
d9a0e1c8dc76c4b7a9bb59eaac54dece6f0cb6e6

SHA256
168401cf2662a4c98c2745e98957f71738e583c6ce985f2b8384529dfb2beb92

SHA512
1d110e2d15619151b1043207bff420950ff99c425d7eb00c237949091bbdc95e4ac3059b5ceb8c056bbc1feee84c13d2ddd379c22b98b16ad24852407c097b28

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4fd0051533933bdcecc75dbd4e55b253

SHA1
e726851199e6bd4f9b690e865ebdde23b9009c9f

SHA256
ac2ac072ee4b37b525080a771cc4660fe317bd09578be5bde82e20cfd2ef319c

SHA512
c1bf5eb86c7c3db7813aec7c33337f3529a04b5b7ef2f8759aed9e8fdfc2e8475bd8b5964edeeaa207c52d546ae34e14185c0fc4fef164bb19ce5f1b2d334ddc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
686B

MD5
7de151951950f2fe8dbd0a1b645c87d6

SHA1
c9f17d81add2f35324deacbc197f9212ffd45dc2

SHA256
3a90bb7f51d87847c8d43600bebf3f3ceb5d50c9cec8d97671211848ac8f9fcd

SHA512
1a87ccc95b2ca43814fc509d1cbcfa803a334ed8eb0ea13d98119936a9855cd8783059c17913c58b936ccaca793fce7f3852a569c7ee6e688dc0a4087b95f053

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
87ae1785a17633f2d38fd5a3fff88932

SHA1
28fdcb6b7d1750956d6150c4d6d3c7920e91b99e

SHA256
cd95e8ef4007781bc51567d8eaaf92494ee10773923cfd069377d46c014c2ff0

SHA512
23bbb22610b09d3f94331dbe8bf8062193fd2118e00e632974a50398daf8e333b36667a48b89a9ba9a6627d408c23ac3cbc0ffc2c5027a0dcb70e4da97f30b5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
07df067a5bcb10d8ec1b68d211fb3323

SHA1
8bf5ba88f571b31ecadbe005c31f53d88c953696

SHA256
068c350e66db93b43d70696ff43a2b18c86976f0aaee7cbcdd564340dd7034bf

SHA512
c640c98ac6d489ac00cdbf32078da3b469e3c3eb7e13e3dc1631a6aacb1e9507140678effe1fe0f13e1a9619c6df4127099b69f0c55fdfc4a1e22315c58ceadf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2f3fb754514f5094bdda1166f8770ab4

SHA1
4438412270faf78d08357f4185483447c8d221e6

SHA256
87ee63ce943aef3438f9370b81f3c01e61c2c6dcf49f916ab473529bdf1aa5f6

SHA512
f911bb878b3a27e8231dcfc9ceb06c75602226afb8af40827455a9328b08db76ae2661e2003013aaa73c5162a4322ae9f5791d37623d4e9350c923b9bf7b8715

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
534665ab16002467bd22a68e1381d667

SHA1
dfa64ff7b300820c2a262ee5e5dc5dd81d29b7a4

SHA256
d197ebca01db9001b0340bb1c4a461a0b4c9bb21e04a70abff07c02aac084c5b

SHA512
775d3f8ec1611a257bb585189bd56e0ca2b5bf13bfaa1d1d3d8661723a7193e73f86058e55b4d2478deb41afe698f0e58ad01cbeba5ad77469d38071920881ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
99756986b2a803ff2a411b523a5e1832

SHA1
a624fed252705b1634a06149ce71e9ef315c0f3e

SHA256
9baf6a4fdbc5cc9f5ad5d4c66596d5b5bd8150fdea6d23cd6528cfb1a357979d

SHA512
f0346d9b27dd6a6e09bbae5d5e16867d7f3310fbf791dd379633e0b15a5237d3422b672d46651dbee2c4777ae44c2045f0dd6aae937d37ff4d1141777acd4f00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
372d49e35e31640eaf691f4ab0fdad3d

SHA1
6e06c535478b73969b7dd25ba71288acef6d5b73

SHA256
910a1cc001b76fd3445e6abf0e32c6f29da43f6729f0293c41c4dfa57466a3bc

SHA512
759f99b2b719038b49acdcb7ca11a857ea98607d260f8b4ea275b554e35b7cc67ff34e92ba07a4ee699974752cf8be5d49d51cebee6a133fc8d23c5e24e585b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9bf90e1388b21fb26a8d6d92ceaedcf2

SHA1
1fa2a0310ec33763ace84752622d5182f49c3f22

SHA256
1f46eca6c8a4a1dc4564e832d6645695702b38466b84d122496ca052706e91e4

SHA512
c3def0f56664ae5ac9e8fcda426a7a2dd27b386ade04a3e30ac4d6650508caee37faa2f84c4a5a93bdb442b15b19854dfd14255a9204d3fdcd634f7fec8d689b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
14b576cf981de6914eb3f36ac04fd1b7

SHA1
7b980cfddf2b4a7d4efac81969b73919bd634af8

SHA256
0854a187bdc8b3439265e222c9df1be0365d2c14cacd718d8344bfc95cee0f83

SHA512
b9d74752b20250c9f2fd1dd29281bb9b5fd4643b5bed46abcf58d2d82c549ca5796c37339229e936480a6be2abd333d56a084fbecbabaf1e55349e09748a10cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
37f4024f65b0e96198ddf866559c5d66

SHA1
146663b05867bc4d977782e6301d7331952a366f

SHA256
eb8016967b76b1cdbf4a5b91e0d13c85387091af2d7a0329cfea18d80bdb066a

SHA512
651e5842e16c806604a2e7e83cdbfba041c347838e7936f151064f55b149c40d5460e360873d43a6bec5aaea9c379bf84ce5da738882c4cf462fe3bbfddd14b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
c5ae45bf68926d7284adc39bfc35b159

SHA1
c9325d09057503acb7057fef0f11e46f56d816c1

SHA256
daadf7b55f100dc0b81f60416af6e9f059b8d7f6e8df8b135d0bc6771d664d18

SHA512
bccaeb0f67ed48b1034583a31a317d0a3f2216228130293421ecaa9f74ab6598c5c5ea2b24925008db99b3488356325eea374935ad47b048a980ae4d4a004ed6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
b5090b5c637cda09c66c067e2895acb1

SHA1
06f64abbe7f03ec51992427f632c5417940e0720

SHA256
4279a01382552316df1bf6a3346b8e3430ee8586150ecc7cae8e0e2256e3ef70

SHA512
8ac628491166e6b4470f586552de03fb760ebaba4eb9b9acb84aa5bcef09316dd574dcf2dcb14008ea2f12fe73dcc743a0f0645012f23dca9e61286972000cf2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
e206a696132630e0811f503844ff1041

SHA1
758df5a333582a2011f644d7e1408f1ade6baf92

SHA256
daa41160a8d4a16c9783384bf0ebac6ae26bca5006055133e73cec9495a46eb9

SHA512
d694cb9c890106721244555837a7fc613b5f51aec5fd81239f4c2f80dc5654dacc10539b0eb986d0946abb02d0b864fa08475aec516cf73cb8c9dc00dcf6f992

Download Submit
C:\Users\Admin\AppData\Local\Temp\bfsvc.exe

Filesize
48KB

MD5
fcf89ebf3f7353591c0784c354fb1ff0

SHA1
a4df86134af908d17c434fbfcdbe8452df1e0839

SHA256
2acf58b89e013558f70f7d432331cb926ea74093b1a0f7ff753779dd5aca45bb

SHA512
a974178f767d25958ed684997f12be01d3b536cb5ea07eb2380bec3e9b9dddf2a2db7183c665a5ca5402220bff4e301eb8f9448b8d83ae514af3efbd9987b76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCF85.tmp.bat

Filesize
152B

MD5
8f335432acc0abfefd5bb01be37016a3

SHA1
ce62d8d49dcac8a2e7590ad57b163503ee68bea3

SHA256
7e2d422d75845285593581a5f3cf328f514ce4c66cd72ccc2d6f125274851f24

SHA512
b0867349c12032340603ce15124a9e1d81cf03d94b833766cd526fa7d6a57311e3aedbedaa2f4d3e73c7ba9b602f4cd06fe51ff51a154f33bf3219e7fcdcfd06

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2376-0-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/2376-7-0x00007FFF4AD70000-0x00007FFF4B831000-memory.dmp

Filesize
10.8MB

Download
memory/2376-2-0x00007FFF4AD70000-0x00007FFF4B831000-memory.dmp

Filesize
10.8MB

Download
memory/2376-1-0x00007FFF4AD73000-0x00007FFF4AD75000-memory.dmp

Filesize
8KB

Download