asyncrat | 8d002e9c3f7c8e30ee67cb68aadbc532da12d3b592ba2d0781af2cc64e3b1056

Analysis

max time kernel
67s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-12-2024 09:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddosiarka FIRST.exe
Size

74KB
MD5

30918d21d2d28f64f0ec9da829d270d7
SHA1

ec47a8c00ab0af3652d843c8cf60cc0c26888341
SHA256

8d002e9c3f7c8e30ee67cb68aadbc532da12d3b592ba2d0781af2cc64e3b1056
SHA512

1d6340512fdb911908d94ef83ada92678fca5bb96aa256ef3502699488434e6501822bf9e8db70b75f91080c32a6fe7ff02bf5cb517fa28eebe08f0ccef892e9
SSDEEP

1536:6UxQcxHCapCtGPMVKCyeFIF11bq/fItOgQzcOLVclN:6UOcxHCoeGPMVx211bqwpQHBY

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

127.0.0.1:4449

Mutex

qxkfylnnpgxzven

Attributes

delay
1
install
true
install_file
svhost.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Crashpad\metadata	setup.exe
File opened for modification	C:\Program Files\Crashpad\settings.dat	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133795066648531103"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
208	chrome.exe
208	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
652	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3808	ddosiarka FIRST.exe
Token: SeIncreaseQuotaPrivilege	3808	ddosiarka FIRST.exe
Token: SeSecurityPrivilege	3808	ddosiarka FIRST.exe
Token: SeTakeOwnershipPrivilege	3808	ddosiarka FIRST.exe
Token: SeLoadDriverPrivilege	3808	ddosiarka FIRST.exe
Token: SeSystemProfilePrivilege	3808	ddosiarka FIRST.exe
Token: SeSystemtimePrivilege	3808	ddosiarka FIRST.exe
Token: SeProfSingleProcessPrivilege	3808	ddosiarka FIRST.exe
Token: SeIncBasePriorityPrivilege	3808	ddosiarka FIRST.exe
Token: SeCreatePagefilePrivilege	3808	ddosiarka FIRST.exe
Token: SeBackupPrivilege	3808	ddosiarka FIRST.exe
Token: SeRestorePrivilege	3808	ddosiarka FIRST.exe
Token: SeShutdownPrivilege	3808	ddosiarka FIRST.exe
Token: SeDebugPrivilege	3808	ddosiarka FIRST.exe
Token: SeSystemEnvironmentPrivilege	3808	ddosiarka FIRST.exe
Token: SeRemoteShutdownPrivilege	3808	ddosiarka FIRST.exe
Token: SeUndockPrivilege	3808	ddosiarka FIRST.exe
Token: SeManageVolumePrivilege	3808	ddosiarka FIRST.exe
Token: 33	3808	ddosiarka FIRST.exe
Token: 34	3808	ddosiarka FIRST.exe
Token: 35	3808	ddosiarka FIRST.exe
Token: 36	3808	ddosiarka FIRST.exe
Token: SeIncreaseQuotaPrivilege	3808	ddosiarka FIRST.exe
Token: SeSecurityPrivilege	3808	ddosiarka FIRST.exe
Token: SeTakeOwnershipPrivilege	3808	ddosiarka FIRST.exe
Token: SeLoadDriverPrivilege	3808	ddosiarka FIRST.exe
Token: SeSystemProfilePrivilege	3808	ddosiarka FIRST.exe
Token: SeSystemtimePrivilege	3808	ddosiarka FIRST.exe
Token: SeProfSingleProcessPrivilege	3808	ddosiarka FIRST.exe
Token: SeIncBasePriorityPrivilege	3808	ddosiarka FIRST.exe
Token: SeCreatePagefilePrivilege	3808	ddosiarka FIRST.exe
Token: SeBackupPrivilege	3808	ddosiarka FIRST.exe
Token: SeRestorePrivilege	3808	ddosiarka FIRST.exe
Token: SeShutdownPrivilege	3808	ddosiarka FIRST.exe
Token: SeDebugPrivilege	3808	ddosiarka FIRST.exe
Token: SeSystemEnvironmentPrivilege	3808	ddosiarka FIRST.exe
Token: SeRemoteShutdownPrivilege	3808	ddosiarka FIRST.exe
Token: SeUndockPrivilege	3808	ddosiarka FIRST.exe
Token: SeManageVolumePrivilege	3808	ddosiarka FIRST.exe
Token: 33	3808	ddosiarka FIRST.exe
Token: 34	3808	ddosiarka FIRST.exe
Token: 35	3808	ddosiarka FIRST.exe
Token: 36	3808	ddosiarka FIRST.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe
Token: SeCreatePagefilePrivilege	208	chrome.exe
Token: SeShutdownPrivilege	208	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 208 wrote to memory of 4308	208	chrome.exe	100
PID 208 wrote to memory of 4308	208	chrome.exe	100
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 4484	208	chrome.exe	101
PID 208 wrote to memory of 1820	208	chrome.exe	102
PID 208 wrote to memory of 1820	208	chrome.exe	102
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103
PID 208 wrote to memory of 1052	208	chrome.exe	103

C:\Users\Admin\AppData\Local\Temp\ddosiarka FIRST.exe
"C:\Users\Admin\AppData\Local\Temp\ddosiarka FIRST.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffd7f48cc40,0x7ffd7f48cc4c,0x7ffd7f48cc58
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,11624790294477585016,9812327808269510720,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,11624790294477585016,9812327808269510720,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  PID:1820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2252,i,11624790294477585016,9812327808269510720,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2468 /prefetch:8
  2⤵
  PID:1052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,11624790294477585016,9812327808269510720,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3220,i,11624790294477585016,9812327808269510720,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4588,i,11624790294477585016,9812327808269510720,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4592 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4472,i,11624790294477585016,9812327808269510720,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:1056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5044,i,11624790294477585016,9812327808269510720,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  - Drops file in Program Files directory
  PID:1880
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x284,0x288,0x28c,0x260,0x290,0x7ff7b71c4698,0x7ff7b71c46a4,0x7ff7b71c46b0
    3⤵
    - Drops file in Program Files directory
    PID:1728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4828,i,11624790294477585016,9812327808269510720,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:4172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5056,i,11624790294477585016,9812327808269510720,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4920 /prefetch:8
  2⤵
  PID:1748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5224,i,11624790294477585016,9812327808269510720,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5244,i,11624790294477585016,9812327808269510720,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5360,i,11624790294477585016,9812327808269510720,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5432 /prefetch:2
  2⤵
  PID:5532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5216,i,11624790294477585016,9812327808269510720,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4380 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4604,i,11624790294477585016,9812327808269510720,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4624,i,11624790294477585016,9812327808269510720,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:6020

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2180

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
10182b4f042be6dce59907b9e28f7d57

SHA1
0c2deb4d5d7fafd76bb24c78e39b71264c0fe7ac

SHA256
aaabdf68631b5a9cdb00f46d467c4f7359675d3d6063182f323bcd9091eef440

SHA512
12008b2121af03da86eec69e7c6a200589ff9fcb1c1a2a110d41dabb28a188025e9363d45f55f50521bf189fb5549bfff8b711b3fe8bbe70c7e607c959733f50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
711604694c64f003f8b4007ed16a5a39

SHA1
8818ab57bfd6a3daeaf100124d16d72133d0661f

SHA256
e9c3e37ac6bff20992222963b21e08cdd2188c29321f62417753dce422ec2ae1

SHA512
0564181a01e2d9c0c80730323cfb017c27b0e0c58eb022f0f5b92eb273a1f529b5cee663c859678cfa94796ae9a2fa3d20c76a97eeda1edbfe6cb56bbbf977ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9bb87d163fd327de9caf2d05e0dd275a

SHA1
cd6dae55a3334f077c65a2a01848ce6cb1abb510

SHA256
1cbeab745bc54401bacc344dcee77d8fff6ca4dedc196a8f4f14ebc52ef98059

SHA512
61b6fb7d63b1cd83a8f4d440ee907637a5e72a2853b5e452ada70d55621619ac220f7690eafcaf545aebf2d93b1ed344550b4e729048c2fcb3e09638e0ca7f01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
762f6063d84fcef813fde09fdb130649

SHA1
95662034b0ce0826d84ed1f09aa0928c7293dacf

SHA256
f758d1b11ddd64ddf1738c30297aee5a474c8dd04281a503df29837df9f9e734

SHA512
4179bb079dc0dc70411b133d6fa8cefafb8bab941c26a824abc4931417243e8d47b911ffb45b7f647ec069e62f0775f78a326828bffbc23fe29efa3018339da7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
50c2e185b7b75906edee7ed52c23369d

SHA1
c0a96610ac91594b519305b567aac52199b22d9f

SHA256
b1e3c6a3152367e775463c51f2d7e7988a1d4f5fc7bc2b8158fa37081dccf315

SHA512
2d52df0ffc2dd418491e3755ec27efa90bf18ed25ae122520ec8a900476582ea27adf33865ed52b79c6bbc51196e7dee14a1d518fdf51994c9f6333259186a72

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
1a54cc669b34cadb39b45bb986d092bd

SHA1
e36aaf05ed5eb3289d52385f9fbe516e2c7dcd24

SHA256
9c5321c453df5e80ff7df3deed0da196a7f45760387b12c251b6f4a0163387e7

SHA512
6c47ac4beda722b06d5f67062ffca41f8c9d7a7583d1fd4dc466cba677ca370ba111648daebbd0a71a433faa2e9385e77bac2b51b66006fc9155b0bce207ff71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
fbf9b04a8ec25b131131b3ab974540f5

SHA1
72db61ac55dee9f3254615d31ca07e8044079cb2

SHA256
793f2fae5b6c6bb34620995673c69212dcf1c445d08a2a793e5aa317b128bfbe

SHA512
7f97c6e53f7d7e477c4228cf438d46b43c9043ddc5c2bc68478932e385706475f28ef1e7c075812769698d28b6cd1dce933f943706986acd134e550d0b23fef9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
80131d65b72c00949cc5165a1df7648e

SHA1
26ceffc131a5b1796be345b49b5a0c5c8372d6aa

SHA256
89a1f542a0e0235ee049aebf3adbdd1f0a6c9d7b075828c0811ead3b499217d9

SHA512
7ffbe0e315d40461107f848cd02a7a207df257be52de66b3bf145c3c8b42d170787cd342ac85c0291c4605d436e6c08554763d7d5deb6ac710492945e145b101

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir208_375847247\7885bf32-cb7b-4efe-9a66-9a4b0176463b.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir208_375847247\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/3808-4-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

Filesize
10.8MB

Download
memory/3808-0-0x00007FFD7FAC3000-0x00007FFD7FAC5000-memory.dmp

Filesize
8KB

Download
memory/3808-3-0x00007FFD7FAC0000-0x00007FFD80581000-memory.dmp

Filesize
10.8MB

Download
memory/3808-1-0x00000000001B0000-0x00000000001C8000-memory.dmp

Filesize
96KB

Download