asyncrat | b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f

Resubmissions

18-12-2024 14:46

241218-r5shsasndt 10

18-12-2024 14:46

241218-r49qnssncw 10

18-12-2024 14:15

241218-rknn4a1res 10

Analysis

max time kernel
140s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-12-2024 14:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f.exe
Size

45KB
MD5

7ace559d317742937e8254dc6da92a7e
SHA1

e4986e5b11b96bedc62af5cfb3b48bed58d8d1c9
SHA256

b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f
SHA512

2c50337078075dc6bfd8b02d77d4de8e5b9ad5b01deed1a3b4f3eb0b2d21efce2736e74d5cf94fdf937bcc2a51c2ecf98022049c706350feacb079c4b968d5d3
SSDEEP

768:hukaVT3ongoWU2zjimo2qrrKjGKG6PIyzjbFgX3ij8z+vfYO4qHBDZMhd:hukaVT3QR2mKYDy3bCXSjlfYQdMd

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

96.248.52.125:8031

Mutex

adobe_6SI8OkPnk

Attributes

delay
3
install
true
install_file
update.exe
install_folder
%Temp%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000b000000012029-13.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
2012	update.exe

Loads dropped DLL 1 IoCs

pid	Process
756	cmd.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	update.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2924	timeout.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2884	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2952	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
328	b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f.exe
328	b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f.exe
328	b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f.exe
2600	chrome.exe
2600	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	328	b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f.exe
Token: SeDebugPrivilege	2012	update.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe
Token: SeShutdownPrivilege	2600	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe
2600	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2952	EXCEL.EXE
2952	EXCEL.EXE
2952	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 2528	328	b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f.exe	30
PID 328 wrote to memory of 2528	328	b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f.exe	30
PID 328 wrote to memory of 2528	328	b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f.exe	30
PID 328 wrote to memory of 2528	328	b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f.exe	30
PID 328 wrote to memory of 756	328	b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f.exe	32
PID 328 wrote to memory of 756	328	b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f.exe	32
PID 328 wrote to memory of 756	328	b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f.exe	32
PID 328 wrote to memory of 756	328	b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f.exe	32
PID 756 wrote to memory of 2924	756	cmd.exe	34
PID 756 wrote to memory of 2924	756	cmd.exe	34
PID 756 wrote to memory of 2924	756	cmd.exe	34
PID 756 wrote to memory of 2924	756	cmd.exe	34
PID 2528 wrote to memory of 2884	2528	cmd.exe	35
PID 2528 wrote to memory of 2884	2528	cmd.exe	35
PID 2528 wrote to memory of 2884	2528	cmd.exe	35
PID 2528 wrote to memory of 2884	2528	cmd.exe	35
PID 756 wrote to memory of 2012	756	cmd.exe	37
PID 756 wrote to memory of 2012	756	cmd.exe	37
PID 756 wrote to memory of 2012	756	cmd.exe	37
PID 756 wrote to memory of 2012	756	cmd.exe	37
PID 756 wrote to memory of 2012	756	cmd.exe	37
PID 756 wrote to memory of 2012	756	cmd.exe	37
PID 756 wrote to memory of 2012	756	cmd.exe	37
PID 2600 wrote to memory of 2652	2600	chrome.exe	40
PID 2600 wrote to memory of 2652	2600	chrome.exe	40
PID 2600 wrote to memory of 2652	2600	chrome.exe	40
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42
PID 2600 wrote to memory of 2124	2600	chrome.exe	42

C:\Users\Admin\AppData\Local\Temp\b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f.exe
"C:\Users\Admin\AppData\Local\Temp\b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Local\Temp\update.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "update" /tr '"C:\Users\Admin\AppData\Local\Temp\update.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpC487.tmp.bat""
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2924
- - C:\Users\Admin\AppData\Local\Temp\update.exe
    "C:\Users\Admin\AppData\Local\Temp\update.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2012

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6d59758,0x7fef6d59768,0x7fef6d59778
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1288,i,12702002968290367923,6427027989576050161,131072 /prefetch:2
  2⤵
  PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1288,i,12702002968290367923,6427027989576050161,131072 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1288,i,12702002968290367923,6427027989576050161,131072 /prefetch:8
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2188 --field-trial-handle=1288,i,12702002968290367923,6427027989576050161,131072 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2176 --field-trial-handle=1288,i,12702002968290367923,6427027989576050161,131072 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1036 --field-trial-handle=1288,i,12702002968290367923,6427027989576050161,131072 /prefetch:2
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1308 --field-trial-handle=1288,i,12702002968290367923,6427027989576050161,131072 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3680 --field-trial-handle=1288,i,12702002968290367923,6427027989576050161,131072 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3716 --field-trial-handle=1288,i,12702002968290367923,6427027989576050161,131072 /prefetch:1
  2⤵
  PID:328

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
d79b35ccf8e6af6714eb612714349097

SHA1
eb3ccc9ed29830df42f3fd129951cb8b791aaf98

SHA256
c8459799169b81fdab64d028a9ebb058ea2d0ad5feb33a11f6a45a54a5ccc365

SHA512
f4be1c1e192a700139d7cff5059af81c0234ed5f032796036a1a4879b032ce4eedd16a121bbf776f17bc84a0012846f467ad48b46db4008841c25b779c7d8f5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
987b2e427732ab24e65a949c420cc648

SHA1
05379fd37836df005eca7a861ea4004460ddbd9d

SHA256
1d0622c732db7519210b6175f885acabe27d25f4ba4b73b2a73eb7e863e3a61f

SHA512
01116ce8fde6c8ac3ab18b76c759e81b8020fec63094d2ae63fe393a9a90f1db652b20ef63ee1300a06633a234da8d472ee3b10787160bab6026dac93792f100

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
875c42d6a9a6974fa918e77b00c10ace

SHA1
b7d94bb15341a810506d35c3fa9138256cba99a0

SHA256
3ecf23d9b5366fa43fb6b3a622621815a3fc83c2d47684da1ecc43ace7e2c0dc

SHA512
bbeb5c26b19b20df92a9acacbeb237d981f367be9902f8a385350bab503515ab8385ea8f8b61dc6696162b39c1bdee1830c6af6a5e05bb09fdf1c5f5eccae896

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
345KB

MD5
c86eaeb1d7023b36d49b4c5d427733f3

SHA1
347c96effd2297ade73a76eee28ac7542b55d963

SHA256
325d16428110f3ab195b709cda7fd28e51cd561a7efc47b7d8162381a01a25de

SHA512
c557ba03c0035a279ace68a7feb921802a86c73dd524d3b3e94376d6d8b21ea59d8931b10cf2e32916a9c100562fec6318d4bcc8f8939720a8a81a08b67f1be0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d1a524ed-1782-4cec-a6b1-d8276aa39c53.tmp

Filesize
345KB

MD5
57404f7eab1aa4e9d5f8243e9b614af1

SHA1
f559c2be23105ea14176a092bbdf60530c99488d

SHA256
7712cfda4eb7c82fe2e5c92aa173603e9180de90ebf65d82c467b3750973ae61

SHA512
15872c09db883bb78e77e8fe304eace631984ee573d7156e849a42637982cb205935a2e32a42f991f389f18562e655184ad0851ff5f104f48fd76888515b6bc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC487.tmp.bat

Filesize
153B

MD5
d96f28978b5851a04ac08c570c9b4fde

SHA1
ae07b82801efe11e76d907656efe550265026e26

SHA256
32f22d5487564587ac905224abf7a515f1119dc37a1af7cb84753e06a9b8b946

SHA512
a8fc15ac265c15d2a80fb0f4ff929402b5f2245f8cbdd284d78f00adfc0ab0246d8eee9c9d6fb18203b6fd8c73e4dbd545a4cfe6c9445c67d06ca14cad9c0d6d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
406B

MD5
e44cf8e42e754f1a57aa3c9b0ae0b8ca

SHA1
a0601d315fa97b165fd8987cecafbea19f690b74

SHA256
6fb7a8d29765429c3c2c957bcdaac3f60dc0e654ea4a72bb79dae0e710d4af9e

SHA512
6130c633182d897d1af3cfb27f3a55c7652a8b088661c57cedd94a4bf9b33274bf506972e6d026b3186a0a675016084cff133822890d5036caebe807711e6aa6

Download Submit
\Users\Admin\AppData\Local\Temp\update.exe

Filesize
45KB

MD5
7ace559d317742937e8254dc6da92a7e

SHA1
e4986e5b11b96bedc62af5cfb3b48bed58d8d1c9

SHA256
b6c58155365a5e35952e46611fd7b43e36e256903bff2030bc07a3c6841b836f

SHA512
2c50337078075dc6bfd8b02d77d4de8e5b9ad5b01deed1a3b4f3eb0b2d21efce2736e74d5cf94fdf937bcc2a51c2ecf98022049c706350feacb079c4b968d5d3

Download Submit
memory/328-0-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/328-11-0x00000000745E0000-0x0000000074CCE000-memory.dmp

Filesize
6.9MB

Download
memory/328-2-0x00000000745E0000-0x0000000074CCE000-memory.dmp

Filesize
6.9MB

Download
memory/328-1-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/2012-16-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2952-30-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2952-17-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download