asyncrat | 4c6183029dcf2e4d604c473c2dfb4f72037b6a8f13d9183b0842fd201e422d7a

Resubmissions

11-01-2025 16:38

250111-t5fkbstmdt 1

11-01-2025 16:18

250111-tr4p1awjek 10

Analysis

max time kernel
111s
max time network
116s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-01-2025 16:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

qwucfv.html
Size

7KB
MD5

aa5d13590623abb5d3963a8af5dfb85d
SHA1

8dcb62e75f970ac4f9f78e2558f335951b599774
SHA256

4c6183029dcf2e4d604c473c2dfb4f72037b6a8f13d9183b0842fd201e422d7a
SHA512

94899bfebc29d4d76c1a8d0e9b787ae50386a5e8718194791d27d86eb7e67e1b0e1a9b0a4e68031905c767419bd767b9d2666ac5ffd0a8dd87c0bf842ac7282b
SSDEEP

96:CMq9SlLh2B3Zq36uWl/PtxyjttJQ8Maoah3vL5LaNclmnU1Eh2sS:T1lLhwJrPahtJxMaoah3vG12sS

Score

10^/10

asyncrat default defense_evasion discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Default

13.127.206.16:12686

Mutex

udityzfkrqtwiefnzic

Attributes

delay
1
install
true
install_file
micross.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000400000002a80a-188.dat	family_asyncrat

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
2764	MicroSS.exe
1580	micross.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MicroSS.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2252	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133810859261341353"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\MicroSS.exe:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4780	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2428	chrome.exe
2428	chrome.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
2764	MicroSS.exe
1580	micross.exe
1580	micross.exe
1580	micross.exe
1580	micross.exe
1580	micross.exe
1580	micross.exe
1580	micross.exe
1580	micross.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe
Token: SeShutdownPrivilege	2428	chrome.exe
Token: SeCreatePagefilePrivilege	2428	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe
2428	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1580	micross.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2428 wrote to memory of 1904	2428	chrome.exe	77
PID 2428 wrote to memory of 1904	2428	chrome.exe	77
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 2168	2428	chrome.exe	78
PID 2428 wrote to memory of 3716	2428	chrome.exe	79
PID 2428 wrote to memory of 3716	2428	chrome.exe	79
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80
PID 2428 wrote to memory of 3804	2428	chrome.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\qwucfv.html
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffaf998cc40,0x7ffaf998cc4c,0x7ffaf998cc58
  2⤵
  PID:1904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1868,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1880 /prefetch:3
  2⤵
  PID:3716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2172,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:8
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4528,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  PID:460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4816,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:2952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4992,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4896,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4876,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3476,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4756,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4328,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3460 /prefetch:8
  2⤵
  PID:124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3560,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:2620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4392,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5020,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5704,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4860,i,4945107890325611588,12244290284651130643,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4276 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3484

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4508

C:\Users\Admin\Downloads\MicroSS.exe
"C:\Users\Admin\Downloads\MicroSS.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2764
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "micross" /tr '"C:\Users\Admin\AppData\Roaming\micross.exe"' & exit
  2⤵
  PID:1320
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "micross" /tr '"C:\Users\Admin\AppData\Roaming\micross.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp9B51.tmp.bat""
  2⤵
  PID:1960
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:2252
- - C:\Users\Admin\AppData\Roaming\micross.exe
    "C:\Users\Admin\AppData\Roaming\micross.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\1f1ac0a7-3029-44b8-b949-1ac6d82b71e3.tmp

Filesize
228KB

MD5
948617e0447423050f951795a028856c

SHA1
50d1d24ef04e8efdaa9263dd293cfc9bcfd6c4c8

SHA256
196de7b36f39107d80d55bc8e5d98f7a571a85b787d69f091c061a105b128e61

SHA512
afbd2973bfd24c212a8f2e9740ab2a781c88eaca8a3d6d755b4a067a62cf4a7637746f7333b0ea51e768dc988e9b4e96561de3877a7ca9d3f57ba7ac8a8b2709

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c88e31c44c5d5223c2f4ef6b9e566de2

SHA1
6b769b87a540f684fbb7e9b0e87a3325a16453e5

SHA256
73aaadd9363a7cd82ae6034237bc68e7e83e2feba89feff587b6739194a411fc

SHA512
dcc44217f917c0bf6af2d18facafa9cf9dd70e909b118b3189a040dc0c87dca5dedb0d6688f045e557e7209bebf68392702a9bad88e61c579c57092132839c71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
74KB

MD5
a5f83154d790b5f61d9aa9469e5aa9df

SHA1
21070d6c10f0db0e6a56c2292a6f4d96a83fb2ba

SHA256
a1c321c66b4007a8b8cf4c255f9563bfd16909e5e6e7be646b283b4d5901fd95

SHA512
96bd513c422017e7d5e8c5acf94716d009cd08771c16df68d4f11d96ce2b8f512a24fe4e715aa68f92d59dac862c80b2e398c6751dabd52e23f49bae3d3c84d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
624B

MD5
54adb9ecae4e1c09045960d606388d0e

SHA1
3c6ce3bf35a5babcf8dc622c21e63955faa6520b

SHA256
ce089702e27618c50c94d35748b4a04230ae6fdb48a33d0b08c163d6ce2643cd

SHA512
f9a862d384127cccec61b5e6de8b747178981da4e1e94c332a30f112a93bbd14e1c723201792bedfbf80571aa258305f205c0e5b64b965e1f84a17af63ceb292

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3f2293d9bfe172691c879b8e826c48a9

SHA1
c7f310c9b8c336477f7442f4c8bd82840519f734

SHA256
dcf00800adb174eaea1c18e5adfd9eaa12510c991c5e0c3ebf24d0852efa9149

SHA512
d9b496d1bdb1f8e72e7c3ebb6a66f2943f2e3fd17e8816047dff9b7a97c28bca8d0e2d88c59d0b9bc5600a9d14ae11abda2cc76be07c47772b0ef361eecba3dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
d25b3faa814793aae41e52e041036930

SHA1
7005903ff4378d2e391e5f4bdb95fd03567d3176

SHA256
8030faaa46cecd21365697410dae922d9b0b2ae103607184d1992d6a03866c2b

SHA512
cb6e2064cc6563f535baaa0766da5de6dd9ec8f2bdf7f61e79abc8ec5ac3ddd2dfea94cf800681c90bb9700f8ea7380c8497c1117f6315b2a95e799685449ff1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
c510b6ed1a63bb59ad8ac6b7ffebaeed

SHA1
be4ec4495c39fe6b110b87ae68c6c3f5f497133d

SHA256
2d359ceac0ed86975b7df5209c9c74eb2ef8ef94cb80eccfdb18a2c0d87d524b

SHA512
2f22c56f6331027358215ef93728e5d407d110a133ce5e597396f77712e7ca2405af33a330743c0001d9d5d41d6ba8ec723fea05a32da6a406dcaeca6f75eac3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
4fa15ac2e682f53d33505647a7e5df42

SHA1
d2b174adac144bc329e456e98d44620e7d12c505

SHA256
5f08e5879306b16a608e775be722463bce9a8be27688acfc705138d639f754a3

SHA512
fcfc9fbf7deb7e769c9ef238ee63a92412d910c80b3b6909116846b0d8079080f56d940321bf1a0ffc4b258c21b5ea8fecf87263b3f6f1acfffb58cd56bd9f36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
790119cb3b716ad0543dc564a5a2d1f4

SHA1
9a269b12b1aa8f8628c2383498765880ad8ae8e8

SHA256
b219a143cec3e2f3c1fe18dc21a77acd00953e1dff414a1be358d3c8c1a6e107

SHA512
49b0d0ddd7e943fdf0b0dbfc69ae6552ac407988ed9c98c1330fb41487fb3886bc83f17d2239b960838385978da0254787c6282ee2bc956263e8fab15ca01c83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fced626e66a052663ca8ddd1e1384631

SHA1
c58636d152fa0fd2d4e4416e67838a20d6d99b85

SHA256
ef64bb22b3fd053e44cdb53976e21b5b62a88b4da3afd7356290ad4c6f58fe84

SHA512
8174668f2546db923775d6d6a78d54927136b561bbce173954b490a6f1f4070a49114fd60c80a698d81e85c8c04021e0a473e7f4963d4c02790c43324c644a30

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e30d7e38408e241cda3f9d690f463bb4

SHA1
eb3cb3ef5c75060468aa986e29f9380b515c1577

SHA256
32a6198fd72410ac860d87d77d622569a3cca0d1341912e9771daa6cea681aeb

SHA512
7d2005b76995b94636955aa66ddf31d00bbc2fbffce891d9e2e83fb7a2804e7acb0820ae99131e88d5e04cd8d60ce2288f8500492c695692a747e978dc87a3a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\fb3e2b37-1ada-46a1-b10f-bc4606dcb766.tmp

Filesize
10KB

MD5
5abe1da420a90e951bdc5420cc865c86

SHA1
26148edb07c9e9c900f4af3272203c6823ce9699

SHA256
cf7ea4f3b58afed4cbee45640d5622c3383650c520694b9d3f7011214e3bfc9e

SHA512
18feb2259d923359557308c298d47094e0475e74dc24605abd1483d471824975bc6441d333ba523a9818763cdc4ff83831b575fad3373ef4efa764ce6c1a43f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
0213a2c8f3c1a9ed97d6bce63bf45e47

SHA1
2aaa3bf3b4ef516b2589e621741d33b78aa207a5

SHA256
2c6a7337cae555d01c83803fc9e470c2e5e3dfab1b02c10d999343cfc569bacc

SHA512
1366733e60fe511553229ee15284850db8f49ec0c3d9e65fa7c5701f8e019c0d23bff098b396d74fcc6d753f4d0f2126ad67c210d4aa1ae2c3cfb428abe5d93e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
29f3ecaf4632f618282abf8289b248fc

SHA1
28283bdadfb97c32e1993e84317b6a1b3db51ee8

SHA256
cd42f530e2a3b162338e61eedf55b72b3ab07c1731e29e7f82d0c3eb91232d82

SHA512
1640120a5acf75febbdaccbeb81dcf1130473513c3513fb6edc47543bde4983ffdc921a88192044e040d7e71340c9bd418250ef27afbbd8063ce97fa8b56382f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
ceab2fcb3d3ad088c535935cf71be083

SHA1
594b2304a6285d2b36ce66c9b64cf5b17b9c434c

SHA256
7263fd3733be6933e12fe1cf307526c8ba5c233690538a80c9d3425522e2d76e

SHA512
c68dd155b0e41d1d1a7eb52c3d27d52cafe4e83685c969c76ef6e8887f4d2f8af4104f2d6a4eca28013e272bdb172b4c0ccd009bb74361c95a1104e4b958d3c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
98f30f0c510e924a71f47a97923b6db0

SHA1
e9002421390c0d6f8880fbaffd3ec1e0d3b3e823

SHA256
9f4d50b5be40c8cd14eccdb3503d0535f191f5ae3fce7376834360313420b43a

SHA512
326f8ad9e4ecae1b6293fd3f89e14f035d3425cdc96d260d25428a73c11f401af4192473cb851eab6cff748860fbe2be3a5ba3865abadd4f222e73d2b16353b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\micross.exe.log

Filesize
1KB

MD5
b4e91d2e5f40d5e2586a86cf3bb4df24

SHA1
31920b3a41aa4400d4a0230a7622848789b38672

SHA256
5d8af3c7519874ed42a0d74ee559ae30d9cc6930aef213079347e2b47092c210

SHA512
968751b79a98961f145de48d425ea820fd1875bae79a725adf35fc8f4706c103ee0c7babd4838166d8a0dda9fbce3728c0265a04c4b37f335ec4eaa110a2b319

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B51.tmp.bat

Filesize
151B

MD5
5f5a9009196d7087a5c1868ed56d7eae

SHA1
e86b76032d5ef9d363153e5437629a800bab232c

SHA256
a1ca902c2b48d34610490ce1337216c063c9fc40ea43828bb6d5ef060334eb63

SHA512
2947d26248157aa440191fb33f18bd9f232b1f565083054704002599caa46c57b3d7eae76a80eda5aa2e58c74fe241dcdba81121b00e913e58f2936d0377fb5f

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
memory/2764-319-0x00007FFAE7583000-0x00007FFAE7585000-memory.dmp

Filesize
8KB

Download
memory/2764-320-0x0000000000970000-0x0000000000988000-memory.dmp

Filesize
96KB

Download