asyncrat | hxxps://files-ld[.]s3[.]us-east-2[.]amazonaws[.]com/client[.]zip

Resubmissions

12-10-2024 18:48

241012-xf2m2szdqr 3

12-10-2024 18:11

241012-wsmh8ayblj 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://files-ld.s3.us-east-2.amazonaws.com/client.zip

Score

10^/10

asyncrat new discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

New

147.185.221.19:22240

Mutex

komvqogocxtmko

Attributes

delay
1
install
true
install_file
new.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\new.exe	family_asyncrat

Executes dropped EXE 2 IoCs

Processes:

new.exenew.exe

pid process

1040 new.exe
3708 new.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4680 timeout.exe
4856 timeout.exe

pid	process
1040	new.exe
3708	new.exe

pid	process
4680	timeout.exe
4856	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133732302787844792"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings chrome.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

2184 schtasks.exe
3852 schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	chrome.exe

pid	process
2184	schtasks.exe
3852	schtasks.exe

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

chrome.exeClient.exeClient.exenew.exechrome.exe

pid	process
3952	chrome.exe
3952	chrome.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
1660	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3416	Client.exe
3708	new.exe
3708	new.exe
3708	new.exe
3708	new.exe
3708	new.exe
3708	new.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
3708	new.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

3952 chrome.exe
3952 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeClient.exeClient.exenew.exe

description	pid	process
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeDebugPrivilege	1660	Client.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeDebugPrivilege	3416	Client.exe
Token: SeDebugPrivilege	1040	new.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe
Token: SeCreatePagefilePrivilege	3952	chrome.exe
Token: SeShutdownPrivilege	3952	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe
3952	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

new.exe

pid process

3708 new.exe

pid	process
3708	new.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 3952 wrote to memory of 2692	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 2692	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 3236	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 2096	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 2096	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe
PID 3952 wrote to memory of 740	3952	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://files-ld.s3.us-east-2.amazonaws.com/client.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffeb07acc40,0x7ffeb07acc4c,0x7ffeb07acc58
2⤵
PID:2692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2060,i,11131657394867305669,2306049344453838670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2056 /prefetch:2
2⤵
PID:3236

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1652,i,11131657394867305669,2306049344453838670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2196 /prefetch:3
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2256,i,11131657394867305669,2306049344453838670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2276 /prefetch:8
2⤵
PID:740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3124,i,11131657394867305669,2306049344453838670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
2⤵
PID:3572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3128,i,11131657394867305669,2306049344453838670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3240 /prefetch:1
2⤵
PID:4196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4796,i,11131657394867305669,2306049344453838670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4788 /prefetch:8
2⤵
PID:2564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4536,i,11131657394867305669,2306049344453838670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
2⤵
PID:5032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5300,i,11131657394867305669,2306049344453838670,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5372 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2876

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4272

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4192

C:\Users\Admin\Downloads\client\Client.exe
"C:\Users\Admin\Downloads\client\Client.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1660

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "new" /tr '"C:\Users\Admin\AppData\Roaming\new.exe"' & exit
2⤵
PID:3676

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "new" /tr '"C:\Users\Admin\AppData\Roaming\new.exe"'
3⤵
- Scheduled Task/Job: Scheduled Task
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF01D.tmp.bat""
2⤵
PID:872

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4680

C:\Users\Admin\AppData\Roaming\new.exe
"C:\Users\Admin\AppData\Roaming\new.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Users\Admin\Downloads\client\Client.exe
"C:\Users\Admin\Downloads\client\Client.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3416

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "new" /tr '"C:\Users\Admin\AppData\Roaming\new.exe"' & exit
2⤵
PID:392

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "new" /tr '"C:\Users\Admin\AppData\Roaming\new.exe"'
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3B4.tmp.bat""
2⤵
PID:2776

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:4856

C:\Users\Admin\AppData\Roaming\new.exe
"C:\Users\Admin\AppData\Roaming\new.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a2821cbf8e12a9ae6ccfb659a9623930

SHA1
98306594acbf9f7abba37e1a9907134e23e09279

SHA256
dc017b2aadecb9e52e70a0578b07373d51901ecf2b0a32e5efea9a2e074b2aba

SHA512
251c60532a44a6e06f62b629c71a66d83f0814f99cf5a2c47070b396f0a2735d66d130c5deb97fb8d0d4c9b154992cc981e7684df2ec8aae0adc6516ae4c68b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
aed4f8358cc2767f9ebe0b08d8725898

SHA1
7709fad0208af5af714089294f690604abffb49c

SHA256
c7c6976e1b0b5bf3fae3eaffd6d02e1689c5f3e932a35db3d43c83a3b3a0ad28

SHA512
14d92eb6a1e1749b2c42fe253f37560491cf2fbca2a82d9752ef18c8f7c9aa7c31c86b45843a94862ab9d409e024043683fd61677c5e9151882f3590826fc586

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4b3391f9961f996f1a20a5094e195621

SHA1
f6d8a527ac57540e146e2279a2416077c2c91d42

SHA256
0e03b19de35970ca62e13364701a4879f457e30ceea11e2546919d750b7827c6

SHA512
86762e9cdbd92d1ff424c97729ed0e863a2cc0bd76fc244931af46e7c8d8454c2a10196f56f2a079562407db62141d7cb57e02e373e3b59b9ffb8747a639c22b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0e03cd57e082248918eb17db6999b87b

SHA1
efab264f75062be52b5896b62110873e32bdbec2

SHA256
7be7423ff85d3ebc991fb5ee3cfed94c7a1ba4071bcb649a6932d56645f6bc43

SHA512
fa2151cc5d673244372b22739c2c224ebae71fd6ea4e5d8aa0e7f4fea30497425c37e43cc6cf4caad5ea5cb9525e10a68e3a192b39f151c239d8d1bf58fa65d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
6971b3bf06e4ee638e63886ec0c07844

SHA1
3cb4cc086a74ea98cf5fcda0a55c29455acb8ce2

SHA256
0fa485aaee09996f1d3d013973b010f638f62e7d762ba1b76ab6070df4e30980

SHA512
965706101d3ed89d5fc046f9a278aea7483236fe4bebc97faae47076acf88df18917ac8aa56589a87896321acfdd359db0087593bf776dbad77bca152cd9aaa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c910247d99c91daa63296ea5b78984cc

SHA1
bb2fc20cbb10193c14274e9a7804ccb673bf4fd7

SHA256
27694410a201b0c85bf0324bc1006229ab42e59a156f2660ba9e5f3ab0d086f3

SHA512
41c6db82d3af2d6aa74da2571d58836c07bb8c438c66d3da5f9f0f34122752c153e3034762b3e445c2054105d65109c9cddaefebb15f514babb12577203f9dea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
fb6af18def3df53cd4f4072ce7d269af

SHA1
e38a8f13a16293bae8eee0391ecad5d13b1a56b9

SHA256
94e5a031d84171208e26642168246a9948f60aadbb92ecd1c3ed3d009f385bc0

SHA512
7c08cbf6d53b39fa1c74a359ec3670d79ede02e82974fd05798ead3bf44d952bf4c1661328e51d3156172beed06de16352fcaee975112268fb70f01eac04fd1e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
288ca8ce86c8585a8cbcad03bc0a8139

SHA1
e9f78ff49840fadc25b8708f92ee12c446e98e22

SHA256
9e6560cdcbd5d8bca9ad93b345f03b16ca63fb24e30ec69ffa32c4c95ee079c4

SHA512
10e14f48577ad97eb927cc6f7140f408bde2d35509d4ff9a3b950f103dbe66032ae9c68d758c76bf2994047ad4500ae6d042107d98b020a04d850c446a499441

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
136579991144f7a2e93a50c8d2246ced

SHA1
64d91a0367c197aef31171b5b497bef75f53023e

SHA256
772e5ccd16cd657c81b0f46374327a3d889886d8e447257a3e20cef735dcfd79

SHA512
a747afde15fc1b3c8fcaccc7c3880cba53fce5abd4047f34a2fbc6946db7298c37c858269ff04cd299b467f9da151b9e815074059160c36a1d300dd780cc4bde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
e60b6f01488b005095686e3f6ad8c690

SHA1
82c2ed3e1cdc94cdf60aadf06ba2ed1ec3a7b662

SHA256
74fc31f07d05c8fd543b0d659f9c8c0fd330ae4e0b6ebbdae75301823e5a312c

SHA512
8a9cc2345b9bfb13376ceee7f7105154a263c28c6c18fd264556bd9815fb657d85e1a236df059f8780aa392eb809f41f359546428fd379ad26f130294f7a07e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
d4482f67b9b11ed448abe9205d66bbcd

SHA1
5fe24368709fd8eb90259dea2e888a73f68a559e

SHA256
2749825fc25d26e30eec5c7a1913c067d42cdfee4038859f59f5c0d1a34b8873

SHA512
ea91e4b06b7d219ccece515bfcd575d11288437ec1ded7168d10866d493d6f59c0a736dfafa0f039673c1916ba91b0a5b2ae667d12c189b4a3c66c77ec87bf3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3B4.tmp.bat

Filesize
146B

MD5
a663cfa3d3f0500722e47d8e0a7bc547

SHA1
2b93933b826844c648945a55adb6a4da152c2435

SHA256
613f61c1cd367766a961e9feb06cf051d1ff9eaa375b6b5ee008ed6cdfdc86e4

SHA512
b9e51079473fcc52f035b8eae4a53ccd7336936331f80d5f1ab626a58f371b83a0b7278633ca8d5fad12d22ebb6a2a7815b76f3c869441061cd3daf38ec0d15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF01D.tmp.bat

Filesize
147B

MD5
2672d32bed32cf9e1564124ee7d76c0a

SHA1
02b16e4a37d078e5e1fa4e4c41f80fa3a78c2b4e

SHA256
e6299dcc9ece4bd0d413a5cd24c4105b5faade5f349c64134ab24d07663df0d6

SHA512
aefe68cd3a70e32c3a36324d8bdaecebda8f56a330a67e0fb06784ec572e51a25c4ec4daf5eadc9cc21814bc640f7520e51b1b8eb111dc7313ceb853104970eb

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\new.exe

Filesize
74KB

MD5
7e98ce3829f6afc0318ac2deea0680ad

SHA1
2f63adade7fa8ada790dd8f30045db1f64ab575d

SHA256
994a3ffb6fdde0851e076dc9e42262538481e285979c8ead8ed00e7580b61b3b

SHA512
3507eeb3c8eac5cc1438e6dc9e259553537386b456a0883e13cfa691f80496d0e1b01177848c338d9e134bd40e1455551b5ee36f3a510c4cb2ac3aaf3f98d33b

Download Submit
C:\Users\Admin\Downloads\client.zip.crdownload

Filesize
34KB

MD5
487a9d6044844f9addd0a2379b2ced05

SHA1
873d6b1ba9a4712295faf82ab138e32746f58d1d

SHA256
99ff4121626b82849bdacb05e73c4fd747e6853eb3e96e3aec57bb1b8153ce1d

SHA512
6b46ccb475c810e79b4605a3b49aa6bd955d80b851dd16ea71064cf03b65efacd804d725d4aa717669b2d3fe3c55ed0656d50ad74c8d091b233e6dd96a203cd2

Download Submit
\??\pipe\crashpad_3952_FWQLJLRWEBZROHUB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1660-61-0x00007FFEAB8E0000-0x00007FFEAC3A1000-memory.dmp

Filesize
10.8MB

Download
memory/1660-60-0x00007FFEAB8E0000-0x00007FFEAC3A1000-memory.dmp

Filesize
10.8MB

Download
memory/1660-46-0x00007FFEAB8E0000-0x00007FFEAC3A1000-memory.dmp

Filesize
10.8MB

Download
memory/1660-44-0x00000000001E0000-0x00000000001F8000-memory.dmp

Filesize
96KB

Download
memory/1660-43-0x00007FFEAB8E3000-0x00007FFEAB8E5000-memory.dmp

Filesize
8KB

Download