asyncrat | 00577d6d7e7d1a3417d89d07668136959978c0bb4ec4f35b8e32f683e65d8ea6

Analysis

max time kernel
150s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Caser.exe
Size

45KB
MD5

853e7871e4a6f398fe39c88b39a064e9
SHA1

81cfc85c75c314e1d7be9e0aef35562ac1a86d9a
SHA256

00577d6d7e7d1a3417d89d07668136959978c0bb4ec4f35b8e32f683e65d8ea6
SHA512

b37158344ad8b5b34cf132c770e95840a00ea6e06001042416cc2030485e9d848a09a37323e3dc82f07c20029ede6ba83be05c0d7f61ff4684d64ecf4cbf70ae
SSDEEP

768:luI1tT/w70kWUquzumo2qzEKjPGaG6PIyzjbFgX3iFUGIAAj9gtsaVzBDZWx:luI1tT/kW2tKTkDy3bCXSFlIr9giedWx

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:2424

Mutex

dPEIFfZH3RI0

Attributes

delay
3
install
true
install_file
virus.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0003000000000731-11.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Caser.exe

Executes dropped EXE 1 IoCs

pid	Process
3112	virus.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Caser.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	virus.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
208	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133809053056285289"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
3568	Caser.exe
2436	chrome.exe
2436	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3568	Caser.exe
Token: SeDebugPrivilege	3112	virus.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 1984	3568	Caser.exe	87
PID 3568 wrote to memory of 1984	3568	Caser.exe	87
PID 3568 wrote to memory of 1984	3568	Caser.exe	87
PID 3568 wrote to memory of 3200	3568	Caser.exe	89
PID 3568 wrote to memory of 3200	3568	Caser.exe	89
PID 3568 wrote to memory of 3200	3568	Caser.exe	89
PID 3200 wrote to memory of 208	3200	cmd.exe	92
PID 3200 wrote to memory of 208	3200	cmd.exe	92
PID 3200 wrote to memory of 208	3200	cmd.exe	92
PID 1984 wrote to memory of 3120	1984	cmd.exe	91
PID 1984 wrote to memory of 3120	1984	cmd.exe	91
PID 1984 wrote to memory of 3120	1984	cmd.exe	91
PID 3200 wrote to memory of 3112	3200	cmd.exe	93
PID 3200 wrote to memory of 3112	3200	cmd.exe	93
PID 3200 wrote to memory of 3112	3200	cmd.exe	93
PID 2436 wrote to memory of 3132	2436	chrome.exe	101
PID 2436 wrote to memory of 3132	2436	chrome.exe	101
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4148	2436	chrome.exe	102
PID 2436 wrote to memory of 4692	2436	chrome.exe	103
PID 2436 wrote to memory of 4692	2436	chrome.exe	103
PID 2436 wrote to memory of 820	2436	chrome.exe	104
PID 2436 wrote to memory of 820	2436	chrome.exe	104
PID 2436 wrote to memory of 820	2436	chrome.exe	104
PID 2436 wrote to memory of 820	2436	chrome.exe	104
PID 2436 wrote to memory of 820	2436	chrome.exe	104
PID 2436 wrote to memory of 820	2436	chrome.exe	104
PID 2436 wrote to memory of 820	2436	chrome.exe	104
PID 2436 wrote to memory of 820	2436	chrome.exe	104
PID 2436 wrote to memory of 820	2436	chrome.exe	104
PID 2436 wrote to memory of 820	2436	chrome.exe	104
PID 2436 wrote to memory of 820	2436	chrome.exe	104
PID 2436 wrote to memory of 820	2436	chrome.exe	104
PID 2436 wrote to memory of 820	2436	chrome.exe	104
PID 2436 wrote to memory of 820	2436	chrome.exe	104
PID 2436 wrote to memory of 820	2436	chrome.exe	104

C:\Users\Admin\AppData\Local\Temp\Caser.exe
"C:\Users\Admin\AppData\Local\Temp\Caser.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "virus" /tr '"C:\Users\Admin\AppData\Roaming\virus.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "virus" /tr '"C:\Users\Admin\AppData\Roaming\virus.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:3120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC573.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:208
- - C:\Users\Admin\AppData\Roaming\virus.exe
    "C:\Users\Admin\AppData\Roaming\virus.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffee95dcc40,0x7ffee95dcc4c,0x7ffee95dcc58
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,11667150459531090910,8059449734611045090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1648,i,11667150459531090910,8059449734611045090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2024 /prefetch:3
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,11667150459531090910,8059449734611045090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2292 /prefetch:8
  2⤵
  PID:820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,11667150459531090910,8059449734611045090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3184,i,11667150459531090910,8059449734611045090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3672,i,11667150459531090910,8059449734611045090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:1692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4748,i,11667150459531090910,8059449734611045090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,11667150459531090910,8059449734611045090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4888,i,11667150459531090910,8059449734611045090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:3144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4408,i,11667150459531090910,8059449734611045090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5072,i,11667150459531090910,8059449734611045090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5164,i,11667150459531090910,8059449734611045090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4900 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4784,i,11667150459531090910,8059449734611045090,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5624 /prefetch:2
  2⤵
  PID:4208

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1812

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
bcd79d52f20341f72191ba1738a516ad

SHA1
8522a6c29adf3f649e5944bd307caf4f827d7fcc

SHA256
af8da1325cdaab6d3e54fd403d2603ef2a258de58847abfeeaeb61000ab9bc32

SHA512
e016c1e4a9b003e4f81b31dec7f4069b123e4cbd4035c4d86b1c5f1803f7be3ad242151afdd85d4d1f9207e89c937203233d99e885680095bf45facb72e8dc58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
682c47686a3e46c7b22ec70e4d097a23

SHA1
4afacfad8b132e04161050e771c00d3c2544c18f

SHA256
738fd4cf399c7ee22d008894c16c55ece1a778d74a2cfbdf9e9e6f17f9a1662b

SHA512
2b724f8b46008a3b79941cbb5136b393a7a158153e117aa1fe461fd65a9032bf3db79a043465b58c556d3b6ad0a2048a80460855f7ff1ed828606235d3d76278

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
fc940c5cc99786c3d7107601fcb18411

SHA1
674b99e08c73e4efdc1bef01923c74de9a6f9046

SHA256
8734c28edcfe0f60d95adb1797a5d396f4366767c001f813b19306d4d198e20e

SHA512
39f6ced1b8239a3a6acafc9decf8c24cbe9b667f6c55d58c05fc057cc800f978820cdf2f2b1f7bb0166038706a5a743d7d7f1fef37283a40384ec6f6b3a4a03c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ab81a890a11df824e96fda6a8220fcde

SHA1
e8c9f3e78e69f6dcffbe2ab1fc7491361d1578aa

SHA256
b69c5522e63ac8f105e883c35eb8d970c9227ffb26321c45b78ea98af81eb988

SHA512
9f392a1f9b7d0136f2702f5d12f0e6848b0d3a596ad1346451f79872f936ac8e35719f1df99bc2efcee699e840433456a7bc7bac894a09b597d887af8706613a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
143ee0f80a4a2e2289c5c01d4e75caaf

SHA1
13598f3dd7393793b76210d8f9ac650d63ef4f50

SHA256
3d012febcfef641cf21db874e68904eb1b8dbac9777f328689de0607bcb96350

SHA512
d80000d823cd5c61e036a0d8cfe4e14732dcf67062c790f39b3fef007095be3fbae071a61f79653cf89685838b714962eb8fceb442d73ca31911ed9424fba406

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6e655d9afb911a490014023b42c3c8f3

SHA1
d3753a36ed0815ac50deb5e734ca2819781a971e

SHA256
d1a7fbabe20e96cba96150e309e75ff27d4d030cd7c325ac93b635da794f759a

SHA512
4a54360b2e0eee30df3f097da6ed7908b9ad25ab44841c8718652a17bec42bcbeb061c6dac4670785789c95a66faa71323c46d42bb84c8f2a584bbb65dc82350

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6c875e492ddd04910d6f275c4f8a52fb

SHA1
7c751a05f3a87af7782df281defa245546522f20

SHA256
eddf7138e8ea0e2519f1c971ff08660011b7fe39361da552206657ba7c2037f1

SHA512
afdf0bf48826d75432703d912227b0acfcdcbce5fc6446e5c0296eba3b04069dd5bf1a11a251f00437d5070f51555cb553875809042bf57006ede5c4256823cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
39081ace950114cd70b2c649d1a9b39c

SHA1
046d7a42d3ba014f299e7f2d7989e76a1f5983a4

SHA256
661b508280658178f14892dc25ac0daded36fc0694f923dee6c982a0fc02c5d3

SHA512
9049829b9dbd4c3b4d0947e659a536fb275892806851e5a234c5b7720817765266f8df7a21818f9342bc706de7f3ba7313801a371721200eebd6e484c2b70bb7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3c795567a2e0abdb9ece48091812c316

SHA1
d6ac523547b38ad92da6fb087868b7d1229d5cc2

SHA256
c639be853909c05173c6699011670935798fbe11c88167a792415073921e1dbd

SHA512
760a57fe19dbf38cde4f765d732f6fe59192a98b5900ba95972e5644b171811ba1676d12bad46732bd958d1e5f22e1dc9429c0ddd9645d9e9849c35bb4b8b9b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
509e1fb3212a20412cc7758240abfa0b

SHA1
679f914cdb48c7b0b4a4c5a1babf59efd683290e

SHA256
715f7b4c8d5d6347b2e95129c982a602a971f70a651d5029485657af511d3eab

SHA512
20b58500b816011af35057fb2d29aaf6c19d8cc2355ab1430a74cd71afa6fcc0f77a665042df23e74a2ce3de898697813ce7045315ac5cb8d263fff12d5ac6e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e4c2c8c19cf485808e400fc5c3b056c6

SHA1
8feeee93185b007adf0022da6cbc310664b2ef4b

SHA256
7ce7007fe2cf78e6ae52ca27241bcdd47a7efe1fce54e1ec7f0ea50f518b2be8

SHA512
c20af60c575684cc321ef417d2be31f6ec0daca778c9bd0d84402abd3d783e63de20136a79ce5c22cff533417ed07fb4dce10ad716456c74cea5562edcaceed8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
75936c36ff9b2613ff23bb0b8087b709

SHA1
7604788fbc851a697229928fed9bed03b67df546

SHA256
5f2cfa3c5bae9a0024ba493cb69cb9d1b30842fa3bece0bc6f102a00d5072433

SHA512
2398f181aa2837dd94c4e842d1cb7352297b45f0ee26837e34d4d1f8f1084828287023b1d7f0846653fc1e26834c7fc6545af38609b33723d8e0ddf9773b8ada

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
92a72ce81fb1f46c67da35a9513f89a8

SHA1
3963efd8e47046ec5a69fb16a49b124f26121930

SHA256
726e1dee5b8efe648dcc35535691d595b9c137184fe039e0105eb726b02b2a68

SHA512
2a8edca87f1931c5beb8ffddd588f6c84edfe6c911f2df175ef0ebcc1f9a7787f4f422c238c84cf431665778581517c66e8ed800fde3f84e381b643ac79d636d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
b0aa27c8961d3f8d7499bbe238230c49

SHA1
a49bbefe53724b5bb5c37ac0b77df06adb933792

SHA256
00914ed0133046421b764b1ffc90aa827a8a1fb8b1add564e7a553dd639a027e

SHA512
d1a639d6e5df05cce1f5e28afd4bb513a1e21683adbb9e50412db18b6183d77804c488411b40712c83be474a74bc9691406011f810c8bc3ddb0d69c4ec30d0cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
1bee2cb4951812aacb1d94f756e030f4

SHA1
8c2545153c95c8574bba95d31fdd77959cf5994e

SHA256
7616d5aae5660115691998d28aa8e044323e18f008ddbb2c71cfd937e56c9bef

SHA512
e636f98a4fc3d9ee2233bae096fb2ad35ceca3225f862015246252f00691ddc51916153916aaefee4ada1db95acbde06e047e7d233279e0ae29d88c943295d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2436_1248290657\7aea2ac3-89b8-41a7-864b-e3552870d2f5.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2436_1248290657\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC573.tmp.bat

Filesize
149B

MD5
d1bc9b3a2cc446da96cdaf2be1a95bb9

SHA1
3712a137ad896d4b154549b55b790c2d29170040

SHA256
15421fe954f30fefb675d6f87706544d3084bdfe9a74c22538e87e7899bdaba0

SHA512
47ecf4c1b66d1ff8abea6177ab0486b3d85b37850bd2e08e17f155827ef0b9b43f6c178aac575ba8a95bff58cb374c2dea8f924ffeb52b7a9c83a5cf264fcc34

Download Submit
C:\Users\Admin\AppData\Roaming\virus.exe

Filesize
45KB

MD5
853e7871e4a6f398fe39c88b39a064e9

SHA1
81cfc85c75c314e1d7be9e0aef35562ac1a86d9a

SHA256
00577d6d7e7d1a3417d89d07668136959978c0bb4ec4f35b8e32f683e65d8ea6

SHA512
b37158344ad8b5b34cf132c770e95840a00ea6e06001042416cc2030485e9d848a09a37323e3dc82f07c20029ede6ba83be05c0d7f61ff4684d64ecf4cbf70ae

Download Submit
memory/3112-14-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/3112-13-0x00000000747D0000-0x0000000074F80000-memory.dmp

Filesize
7.7MB

Download
memory/3568-0-0x000000007486E000-0x000000007486F000-memory.dmp

Filesize
4KB

Download
memory/3568-8-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/3568-3-0x00000000050E0000-0x000000000517C000-memory.dmp

Filesize
624KB

Download
memory/3568-2-0x0000000074860000-0x0000000075010000-memory.dmp

Filesize
7.7MB

Download
memory/3568-1-0x0000000000710000-0x0000000000722000-memory.dmp

Filesize
72KB

Download