asyncrat | 7bb046bb513f61bb2f038262e0355f239b0daefc081619cb51039bf0cf796033

Resubmissions

21/01/2025, 01:29

250121-bwhzzszjct 10

21/01/2025, 01:26

250121-btnsfsyqfr 10

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ProximaCLient.exe
Size

62KB
MD5

9b58a4fad9c0ddace097997174a11175
SHA1

aad8aaac4ac821a047d68d90bb3266d73e5f6457
SHA256

7bb046bb513f61bb2f038262e0355f239b0daefc081619cb51039bf0cf796033
SHA512

dc27a308b85434804249751deb19eb8ccbcef8c53ca5af6f662b74e41da4763593388c75216ceda66b83b5213a8c55c662d485ae70d9b9abc33bee3e053bb6ba
SSDEEP

1536:Nu2etT/+No2KISb6/N6FbbAb2FftIVZNdCwdAoeWYx:Nu2aT/+No2KISb6/N4bbAUeVZvB8px

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

31.57.243.64:6606

31.57.243.64:7707

31.57.243.64:8808

Mutex

LpF3ngSX2CvP

Attributes

delay
3
install
true
install_file
lasjiiziopjwe.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x000a000000023b90-12.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ProximaCLient.exe

Executes dropped EXE 1 IoCs

pid	Process
3460	lasjiiziopjwe.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProximaCLient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lasjiiziopjwe.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
2860	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133818964214299002"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3888	ProximaCLient.exe
3956	chrome.exe
3956	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe
1536	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3888	ProximaCLient.exe
Token: SeDebugPrivilege	3460	lasjiiziopjwe.exe
Token: SeDebugPrivilege	3460	lasjiiziopjwe.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 844	3888	ProximaCLient.exe	84
PID 3888 wrote to memory of 844	3888	ProximaCLient.exe	84
PID 3888 wrote to memory of 844	3888	ProximaCLient.exe	84
PID 3888 wrote to memory of 2292	3888	ProximaCLient.exe	86
PID 3888 wrote to memory of 2292	3888	ProximaCLient.exe	86
PID 3888 wrote to memory of 2292	3888	ProximaCLient.exe	86
PID 2292 wrote to memory of 2860	2292	cmd.exe	89
PID 2292 wrote to memory of 2860	2292	cmd.exe	89
PID 2292 wrote to memory of 2860	2292	cmd.exe	89
PID 844 wrote to memory of 2992	844	cmd.exe	90
PID 844 wrote to memory of 2992	844	cmd.exe	90
PID 844 wrote to memory of 2992	844	cmd.exe	90
PID 2292 wrote to memory of 3460	2292	cmd.exe	94
PID 2292 wrote to memory of 3460	2292	cmd.exe	94
PID 2292 wrote to memory of 3460	2292	cmd.exe	94
PID 3956 wrote to memory of 4208	3956	chrome.exe	102
PID 3956 wrote to memory of 4208	3956	chrome.exe	102
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 2196	3956	chrome.exe	103
PID 3956 wrote to memory of 4468	3956	chrome.exe	104
PID 3956 wrote to memory of 4468	3956	chrome.exe	104
PID 3956 wrote to memory of 4928	3956	chrome.exe	105
PID 3956 wrote to memory of 4928	3956	chrome.exe	105
PID 3956 wrote to memory of 4928	3956	chrome.exe	105
PID 3956 wrote to memory of 4928	3956	chrome.exe	105
PID 3956 wrote to memory of 4928	3956	chrome.exe	105
PID 3956 wrote to memory of 4928	3956	chrome.exe	105
PID 3956 wrote to memory of 4928	3956	chrome.exe	105
PID 3956 wrote to memory of 4928	3956	chrome.exe	105
PID 3956 wrote to memory of 4928	3956	chrome.exe	105
PID 3956 wrote to memory of 4928	3956	chrome.exe	105
PID 3956 wrote to memory of 4928	3956	chrome.exe	105
PID 3956 wrote to memory of 4928	3956	chrome.exe	105
PID 3956 wrote to memory of 4928	3956	chrome.exe	105
PID 3956 wrote to memory of 4928	3956	chrome.exe	105
PID 3956 wrote to memory of 4928	3956	chrome.exe	105

C:\Users\Admin\AppData\Local\Temp\ProximaCLient.exe
"C:\Users\Admin\AppData\Local\Temp\ProximaCLient.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "lasjiiziopjwe" /tr '"C:\Users\Admin\AppData\Roaming\lasjiiziopjwe.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "lasjiiziopjwe" /tr '"C:\Users\Admin\AppData\Roaming\lasjiiziopjwe.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2992
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8CFE.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2860
- - C:\Users\Admin\AppData\Roaming\lasjiiziopjwe.exe
    "C:\Users\Admin\AppData\Roaming\lasjiiziopjwe.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x11c,0x120,0x124,0x118,0x128,0x7ffd407ecc40,0x7ffd407ecc4c,0x7ffd407ecc58
  2⤵
  PID:4208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2328,i,5088112891849767201,1067277607646429583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2324 /prefetch:2
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1932,i,5088112891849767201,1067277607646429583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2444 /prefetch:3
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2000,i,5088112891849767201,1067277607646429583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,5088112891849767201,1067277607646429583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3328,i,5088112891849767201,1067277607646429583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4628,i,5088112891849767201,1067277607646429583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4844,i,5088112891849767201,1067277607646429583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:1276
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4980,i,5088112891849767201,1067277607646429583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5008,i,5088112891849767201,1067277607646429583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4876 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5304,i,5088112891849767201,1067277607646429583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,5088112891849767201,1067277607646429583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5424 /prefetch:8
  2⤵
  PID:1828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5412,i,5088112891849767201,1067277607646429583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5504,i,5088112891849767201,1067277607646429583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5284 /prefetch:2
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5284,i,5088112891849767201,1067277607646429583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1536

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2156

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3ab898f38c44db65323c107ee4f20795

SHA1
3c6816d2867dd56233b1810229acdeac2b19c126

SHA256
526af5eacc55a5e80713a8916480070acb5604721b8b3c269683a6a0f8c9a4cc

SHA512
7c91d02d7f8ecaf22e11c0065b2b2788ef58668cb9b90598cfe1a38e3043a2d4c802426f500ba2dcb0aad19b103651780af387edcc256f06726a7772c69b48ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
34590eb006951b4573aaba5accca02a4

SHA1
0daf66a1774d6b55710bb65fe94a922bd4aaec7c

SHA256
4982be17f70d4dcd09d649460e90bd1ed607c0419dad2839df00783d387157ec

SHA512
09048e76ee82af89a5db88bc29cf74ddd0fafd92dea44d8cd562d488a8fab3312c9bf59f299372507dedd0bba18f2b2a52f375a35b5420ce5a9c6644cc7eaad4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
86fb730f818694e1d52b2c90cbe13eb1

SHA1
626240d4da8d54e0a206672df357a7af5f64f825

SHA256
3e60c73eaa4cebe758936cb3f4c9cb9e2346fb319c9c98e46da4e25e4059fe43

SHA512
b9f5866fa9ecc51a620c16092f4bdc6a4fedb1ce7ce6ba984e1cc6231cc4664736b56bf50874fba222e6c0d29e6375d33e09f5c26094789673715adcbe94b182

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9801cd2fb47f6bfe8926052958d2370b

SHA1
cd922d6aa2dd5d6aaee0783022469d649c186d84

SHA256
58ad2f665456d78aac2394b10fb83d08382d993acba9cb6e726c4d55a1645fcd

SHA512
bfc23e6d8b13788b699a6d39253559a1439e684a9055794e47017c1e6413951adace0960603a8ab7ce0b69447c3bbf9579f1b72e2e95325085358cf6598fa863

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
47f163ef44a3b8dd1c9faa3c1ba6db35

SHA1
f3bd79a2ecb50b877a04825a85773b0262396234

SHA256
ec270663948f2762b216b5d7116337beaa69e438b3563fdff1b21c75308db276

SHA512
465c6189cccd79399395a2901dbb0b77dac08756f724381d48d628ff83da27f2534744e93520e76c0e8f41f7c0b246dd29d7c66fbf11dc14af846c324f77a161

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
43c63fba7325814d6e7e73aabdf7b5dc

SHA1
b93111a714170d88ae727a0b7d957c3f3cbb2e31

SHA256
714a62ca33a12cecf95e7ed845a979866b107321f1d175ac28ef23707be49b7f

SHA512
883b6a8b7087a0d290289b41c4a704660f3588adc93c0dd369147f00fbd09dc1e4d222fb7b89162065ffc638f28918d78472708820a55028700e3fdae95d6a15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5a0494a8048666a0ddeeeb67bc8ebbae

SHA1
88eb41f29998ec90e59cdd9f9b66646039b08579

SHA256
eefe6e65ea9fbe30387da58df4fd6fbac7af4d237752298346df8146b7870e2b

SHA512
d11869535d6748ee41a49f98df27846a7ab0f996e64c50ef576effe79f9bbfcfd49df03243906ca31f420a997cc60de74ec211791aeabcebcf14e306a7cbf10d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
975f4e0cc91bc5b1029a3eae37f25844

SHA1
95ee6d0c2afa1f8eeb71d0f484b3d9f11f880e09

SHA256
cffe44021421af68a91c0a7b1a133ac068d4edecf76ef2c7320120c376687b4b

SHA512
18e839abc588d48d55c6705a477bd8c1f5b5ca74de3d05d397fd61e35d7d44faed990ccd2f8d5ea0bf99a8c2485a3aa6c119e459e680af1b3f19ef47e1a4b5b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
4e8f989cc0b0b1f6111608f54be5d1ba

SHA1
270f918a52d8339581c4f287c382bc81ec496644

SHA256
7b68d5034948cd30dd3dd2a596aa43eca51d833479a2e4fed425c138ea0a2357

SHA512
db51ce54c8c8acaf7d46a95706866ad090224d7e97d947927e164e6cf18b7c75aafbbd29c9403bd97eb0b97109c03da5dca2d443422b1aa738395959f3fabd9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
c9141aef9041f8482d849cdda9142252

SHA1
37e7c8b775dd1e9b69ec2d7072f489750dfaaad7

SHA256
1a5f7ee9f7c52eb67efaf6ba2cd459807ec70ed05e00fb6bf71b1be03c212a71

SHA512
39ee04a64041399881a6f5eb913e8634bd9f132f5ed313e4d46417f0645fde8c2555ced1f9ecab9805c981973bda1202b9e53d7a7b1b595c2a23cf576a16344d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
3f0e1fe9cdb0e925c499c05303f7e4dd

SHA1
e4ef76f28897cc9f6425a2f04b0a6c72cd0bdf1a

SHA256
e43e3ffe8fd4c3ccc4c094002b7a0b502a3fb5a98abf2cdee9a667a5a32cdcfd

SHA512
22915127b0b845675c2d97342bbda92401823cb5da8a423ba384b9e0e386abaf39ae2d7090879dd3723806049eced6d3592174d21e804904450c2c0c756abe1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3956_915997712\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir3956_915997712\d0c601e0-6e99-4901-b537-0932413d5a39.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8CFE.tmp.bat

Filesize
157B

MD5
e5067725fe758df679f67a10616150e6

SHA1
07283fe48ba627a6d047018c286ab4a935398b12

SHA256
7c784a15a51818886c8364d522b245bdcfacaabb14bccc172c494be11643e485

SHA512
a89eb7ed7fda5d8bce758a3a7fe1853ee7a7665292f184060b49fd7f056680078858ffd350ecb797565d23fc5730a03281f3b41f511c1faa1dede98a9e06fd01

Download Submit
C:\Users\Admin\AppData\Roaming\lasjiiziopjwe.exe

Filesize
62KB

MD5
9b58a4fad9c0ddace097997174a11175

SHA1
aad8aaac4ac821a047d68d90bb3266d73e5f6457

SHA256
7bb046bb513f61bb2f038262e0355f239b0daefc081619cb51039bf0cf796033

SHA512
dc27a308b85434804249751deb19eb8ccbcef8c53ca5af6f662b74e41da4763593388c75216ceda66b83b5213a8c55c662d485ae70d9b9abc33bee3e053bb6ba

Download Submit
memory/3888-9-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/3888-4-0x0000000005210000-0x00000000052AC000-memory.dmp

Filesize
624KB

Download
memory/3888-0-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

Filesize
4KB

Download
memory/3888-3-0x0000000004D70000-0x0000000004DD6000-memory.dmp

Filesize
408KB

Download
memory/3888-2-0x0000000074CF0000-0x00000000754A0000-memory.dmp

Filesize
7.7MB

Download
memory/3888-1-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download