asyncrat | 4e7d6048e7522e1eeebe24cd1df3070ebe3d865c4cc1c17a319f683d95f0c2b9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
16/03/2025, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nigga.exe
Size

63KB
MD5

abcbfb5453afe36e96134a59a56b458f
SHA1

a03e3dd6a00abdd4157054384aa9c0f7d628c6f8
SHA256

4e7d6048e7522e1eeebe24cd1df3070ebe3d865c4cc1c17a319f683d95f0c2b9
SHA512

e4b0354556fdb940b8b060b26d88a4eb64c7e1af9c6f86fc7bd3a6de4bc952730aade09cd235d92c720df193fe70b10fe85fbded8aff824c048cbd3bfd549431
SSDEEP

1536:H1/kDsLa3fblJpuCUbth9oiKTuwdpqKmY7:H6qa3PMCUbtOpGz

Score

10^/10

asyncrat stealerium default collection discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:7000

127.0.0.1:64072

147.185.221.26:7000

147.185.221.26:64072

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nigga.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nigga.exe
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nigga.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
63	icanhazip.com
66	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4316	cmd.exe
1552	netsh.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	nigga.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	nigga.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133866245581363781"	chrome.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
4880	chrome.exe
4880	chrome.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
5656	nigga.exe
4880	chrome.exe
4880	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5656	nigga.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 6016	4880	chrome.exe	94
PID 4880 wrote to memory of 6016	4880	chrome.exe	94
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 6116	4880	chrome.exe	95
PID 4880 wrote to memory of 5076	4880	chrome.exe	96
PID 4880 wrote to memory of 5076	4880	chrome.exe	96
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97
PID 4880 wrote to memory of 5380	4880	chrome.exe	97

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nigga.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	nigga.exe

C:\Users\Admin\AppData\Local\Temp\nigga.exe
"C:\Users\Admin\AppData\Local\Temp\nigga.exe"
1⤵
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:5656
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  PID:4316
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:3868
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1552
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:3488
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  PID:5132
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5956
- - C:\Windows\system32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffb6e27dcf8,0x7ffb6e27dd04,0x7ffb6e27dd10
  2⤵
  PID:6016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2064,i,11882208270229024274,17196077831137755493,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:6116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=2180,i,11882208270229024274,17196077831137755493,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2432,i,11882208270229024274,17196077831137755493,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,11882208270229024274,17196077831137755493,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3248,i,11882208270229024274,17196077831137755493,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,11882208270229024274,17196077831137755493,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4500 /prefetch:2
  2⤵
  PID:5876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4708,i,11882208270229024274,17196077831137755493,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:3604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5372,i,11882208270229024274,17196077831137755493,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5440,i,11882208270229024274,17196077831137755493,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5848,i,11882208270229024274,17196077831137755493,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5864,i,11882208270229024274,17196077831137755493,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5884,i,11882208270229024274,17196077831137755493,262144 --variations-seed-version=20250312-184628.452000 --mojo-platform-channel-handle=5932 /prefetch:8
  2⤵
  PID:5420

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\38c7f01a5aedbab8e742525fa58bb7e1\Admin@VOEILKQD_en-US\System\Process.txt

Filesize
3KB

MD5
de4b1306a58813a4deb7f4f19a07ac0f

SHA1
582515153220e8d468f9f33c3546f7a2b0057d3f

SHA256
767057c9089e40e56ea2eb81dcfc9d2aad74c912d0108db42582a05cd0cb9f31

SHA512
f6ddb3bc498e7e7b7ec04ab09fa2db6d14ed3cc5c210b8ee9a128a1cf4cc3bcff81765cec59574a25f070f1a191ba468dfbb45e6da0ec3a089819f3823237496

Download Submit
C:\Users\Admin\AppData\Local\38c7f01a5aedbab8e742525fa58bb7e1\Admin@VOEILKQD_en-US\System\Process.txt

Filesize
4KB

MD5
6fa328a263efcff7033448db48efb127

SHA1
b94bc4d0b1ca82ec444f77a9c31ad63dcc009594

SHA256
a3148c5ea2bb0a65cb153d131fbffe636b3079244a4483ec69a1406745f53a3d

SHA512
ed74f218b37e0974c74285682b1b85c02f450ed65891e0ea2da44bdd0abf4d47f9912aefccfcc5cf48818e2a87df3ee5f82bfb93e1511eab1872e22e3a3d3952

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\01fb3151-b210-4f2d-b069-cfbc7e0598ce.tmp

Filesize
10KB

MD5
c549dc3d9d29031f5f0f9bca2aaf7fc1

SHA1
3de0d920dcdb94931bfe006be0145a86e58f6ea3

SHA256
27761ddb99b8e12f0b90a11fb1d24ddcf21c757f4479175f3f7978fbc663bf45

SHA512
4586788d9edae1a19e0b365f827c7b2b9fceea6a853bea539a28b2060286c744b0b5bae3654b9f86ac26b8306bdd07e12a3cfc00b0f366fde2c7be78a51c3308

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
414B

MD5
43d6558ab9e032769862f4b7211ed5be

SHA1
9c596d9166ea8fe74097b085f22fe833ef333a96

SHA256
55d81884d5bcf055e3792e41bdc425bea8f79c7a6dcccdf6cbaf031dbf3ee9b7

SHA512
50175249d810b7f04cdbf7a540f5c5898e7b2ac97a040e978619f7074c472302b70e59898eb0046737c5cbf2012934ce6827df9e2b8299b8d73a31b9b695557b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4ec9f6f930bfdb290509d01f7f933fce

SHA1
8f9fb9e27fe24b43d5f0f891bc32567bfc4184d9

SHA256
ec68086f6dc30d2f8b0c5408f8870931a658ae09649c13fd2a119d049eb50fdb

SHA512
11087901596145eae11db489cb6828a5b746c5364c93585c52e3a3f56917c02bfec1605929bf2686f7409a31c6bdc7bd919a0aec0b087663bb3e0e6c6431d2ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
94c724698eeba639dcbcf0bbd6875348

SHA1
554068e475db62292c01d8a05c61ca2b205222e7

SHA256
42c3439e95949d82bd310ee9b662f808b2bd19638f5736439b493a82675abed9

SHA512
e579fae4286c140c28ad96ef00349a0ca2280b6fb16838a8213494fc0d61422e81d0ebad14c7acd1c2c0c575bee71b0270aefd53405ef1ac5ef9e9b8a93f81ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f67aaa1cbc4a80a79075a93c552e57d3

SHA1
d6be82f62ee4d5f6fd152d2c12dd314393d5d769

SHA256
5ba6d6303a871de5679d1ceaef621ab7cd736503e4e25d385ed51cba7c537af1

SHA512
a33ff46d4e7f210aa2443109ab30741e5a8a51795ccd9706ee6cb1fb2b1f869383914b4290a29510df083c9bbab7cbfb1bd3ef920c3b44b413e50b25e8f29576

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2c1fbeeddb02dc48a92cca4611b447a1

SHA1
060f9c78b0620b16c34e8f63f32df0bf49654029

SHA256
0c7a939a8655b83c336b66713ea80b77a1360e58508bd90f4dcdd108fc370740

SHA512
7038a37b5059c08a39bc2c45fb60d15902f654015051a7dbc2a7fbd076b2fbb9b84d30f7abcbb628dcf7d583b45e165e7bdaa8f72d09eb046193c0c8e43d2006

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580d78.TMP

Filesize
48B

MD5
99bc607232ca3cd6903685626c96f430

SHA1
436b4fc0de8b4b2e9b1a97d8658978678b7521d7

SHA256
0553f30782f776380d21c33be2787079f3681ef21def9883da68bf37e85822a1

SHA512
c10e33b5bd70752ea19cc4fbcddaeeacb890921282dbdf230caa113c478799f57b07b9847375c7cfa230025d7780fa5da74594a4bcbe79d73b80d246fe0ad18d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

Filesize
130KB

MD5
8de468e3ccd4940676ecdebce3249bce

SHA1
1e31b2fb4568848a5d3b0fd7ea15173678364199

SHA256
455682520e627c324362f6a04c4148b7aa98f39881382f3f5af17484ba0dbc74

SHA512
d85aec838b61f4c94b2b5b1ce1faeb88cfd64093f7a973db98e3a04b8abf213cd54e2bd653a0c13feb62dfe8a483706a8893ffd4913f61231a19724b44051efc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
b656fa0380841882fd3c7945202a0104

SHA1
c2f608a322e7140d205432f96d79c3e6eecfb175

SHA256
28c41b9b49fa69f5e9c72e6e31655fc723fd09941757e5e3f4c6a7b54b71f0e3

SHA512
e5a6eebfb1e368a7c6ebcc721f4c7734a23302f469a61c7cffdb2d23921a9024f3b6c5195fa56e8dc6a6c3a282567080730ed30220071a481c54ec1145e9dfe7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
a30152e91079f0dfddb4ce5e3470d3be

SHA1
9085a41a0fe5daba69a9306ba6d54b389d325ce8

SHA256
f8e64a5de6e6317c3263ff1401d05a5f7aefb878da028a794baf579b5a987f52

SHA512
4f2c2e676f2d0db1cc4ca8a9a4ba940771b8c6ae0ba86b1a6978903eb225598bf982c98e65f2c4cbfd15e7ddb2ed39cb50d64a97df2deb56449ded9578ff1fa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
25f842a675ff405b3b27808ef02e25f9

SHA1
cccb563ae37a0a92a4f2175fa934276ab17593ae

SHA256
6a5531c85f32703e495179ab9ec66ac160c18fa27c99c96b629df474b0974de6

SHA512
05d900207dc15589e87c4f27457e2c46b7c634536c7a5ae606c9b6b01d38d5f182d1c2994c5b77e70959d242cc39a2a0e637929f3ee041626e8b4e14c3d1afa0

Download Submit
memory/5656-4-0x00007FFB73EE0000-0x00007FFB749A1000-memory.dmp

Filesize
10.8MB

Download
memory/5656-70-0x000000001AFF0000-0x000000001B00E000-memory.dmp

Filesize
120KB

Download
memory/5656-83-0x000000001D3B0000-0x000000001D538000-memory.dmp

Filesize
1.5MB

Download
memory/5656-88-0x000000001B050000-0x000000001B05A000-memory.dmp

Filesize
40KB

Download
memory/5656-69-0x00000000026B0000-0x00000000026E4000-memory.dmp

Filesize
208KB

Download
memory/5656-68-0x000000001CF60000-0x000000001CFD6000-memory.dmp

Filesize
472KB

Download
memory/5656-0-0x00007FFB73EE3000-0x00007FFB73EE5000-memory.dmp

Filesize
8KB

Download
memory/5656-3-0x00007FFB73EE3000-0x00007FFB73EE5000-memory.dmp

Filesize
8KB

Download
memory/5656-2-0x00007FFB73EE0000-0x00007FFB749A1000-memory.dmp

Filesize
10.8MB

Download
memory/5656-260-0x00007FFB73EE0000-0x00007FFB749A1000-memory.dmp

Filesize
10.8MB

Download
memory/5656-265-0x000000001CD60000-0x000000001CDDA000-memory.dmp

Filesize
488KB

Download
memory/5656-300-0x00007FFB73EE0000-0x00007FFB749A1000-memory.dmp

Filesize
10.8MB

Download
memory/5656-1-0x0000000000460000-0x0000000000476000-memory.dmp

Filesize
88KB

Download