asyncrat | 7bb046bb513f61bb2f038262e0355f239b0daefc081619cb51039bf0cf796033

Resubmissions

21/01/2025, 01:29

250121-bwhzzszjct 10

21/01/2025, 01:26

250121-btnsfsyqfr 10

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21/01/2025, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ProximaCLient.exe
Size

62KB
MD5

9b58a4fad9c0ddace097997174a11175
SHA1

aad8aaac4ac821a047d68d90bb3266d73e5f6457
SHA256

7bb046bb513f61bb2f038262e0355f239b0daefc081619cb51039bf0cf796033
SHA512

dc27a308b85434804249751deb19eb8ccbcef8c53ca5af6f662b74e41da4763593388c75216ceda66b83b5213a8c55c662d485ae70d9b9abc33bee3e053bb6ba
SSDEEP

1536:Nu2etT/+No2KISb6/N6FbbAb2FftIVZNdCwdAoeWYx:Nu2aT/+No2KISb6/N4bbAUeVZvB8px

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

31.57.243.64:6606

31.57.243.64:7707

31.57.243.64:8808

Mutex

LpF3ngSX2CvP

Attributes

delay
3
install
true
install_file
lasjiiziopjwe.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral2/files/0x0008000000023cb6-434.dat	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	ProximaCLient.exe

Executes dropped EXE 1 IoCs

pid	Process
4824	lasjiiziopjwe.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lasjiiziopjwe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProximaCLient.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4208	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133818965966086263"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
3928	ProximaCLient.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe
1668	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeDebugPrivilege	3928	ProximaCLient.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeDebugPrivilege	4824	lasjiiziopjwe.exe
Token: SeDebugPrivilege	4824	lasjiiziopjwe.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe
Token: SeCreatePagefilePrivilege	2868	chrome.exe
Token: SeShutdownPrivilege	2868	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe
2868	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2868 wrote to memory of 4928	2868	chrome.exe	86
PID 2868 wrote to memory of 4928	2868	chrome.exe	86
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 5012	2868	chrome.exe	87
PID 2868 wrote to memory of 2776	2868	chrome.exe	88
PID 2868 wrote to memory of 2776	2868	chrome.exe	88
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89
PID 2868 wrote to memory of 3836	2868	chrome.exe	89

C:\Users\Admin\AppData\Local\Temp\ProximaCLient.exe
"C:\Users\Admin\AppData\Local\Temp\ProximaCLient.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "lasjiiziopjwe" /tr '"C:\Users\Admin\AppData\Roaming\lasjiiziopjwe.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4344
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "lasjiiziopjwe" /tr '"C:\Users\Admin\AppData\Roaming\lasjiiziopjwe.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4984
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp460.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1080
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:4208
- - C:\Users\Admin\AppData\Roaming\lasjiiziopjwe.exe
    "C:\Users\Admin\AppData\Roaming\lasjiiziopjwe.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffbbd62cc40,0x7ffbbd62cc4c,0x7ffbbd62cc58
  2⤵
  PID:4928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,16681914147264579515,1596503301399372046,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2060,i,16681914147264579515,1596503301399372046,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2052 /prefetch:3
  2⤵
  PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2300,i,16681914147264579515,1596503301399372046,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2476 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3156,i,16681914147264579515,1596503301399372046,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,16681914147264579515,1596503301399372046,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4528,i,16681914147264579515,1596503301399372046,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4684,i,16681914147264579515,1596503301399372046,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,16681914147264579515,1596503301399372046,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5112,i,16681914147264579515,1596503301399372046,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5088 /prefetch:8
  2⤵
  PID:1060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5224,i,16681914147264579515,1596503301399372046,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  PID:4548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5056,i,16681914147264579515,1596503301399372046,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:4752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,16681914147264579515,1596503301399372046,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5068 /prefetch:8
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4852,i,16681914147264579515,1596503301399372046,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5164 /prefetch:2
  2⤵
  PID:768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5496,i,16681914147264579515,1596503301399372046,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5508,i,16681914147264579515,1596503301399372046,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1668

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4840

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
bdbae172f598f429e797eddbc4015ba4

SHA1
90550dc1c3c99e09989dc55640fc5cc227cff350

SHA256
8aeee3fb0297279b9bea6c35b944128c9b9f05d0514cf2d3d4b73b041b4b81a9

SHA512
0866f0d93883d2f1d594d0dc979f6ffb4fff5beef47e72c9ebd97e3bc83b254af09985c3b68a00bb6723658383bb90c45cd4e70ad54648fd061ef34dbd2be9bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
4ae201b72f6e56038e9429884bd6edb1

SHA1
81c3e647a7117d070f5945b4e7536f187487f594

SHA256
dd237a08a616a4431cabf988a91ef59a1ef495612e225af084d5a6213016b775

SHA512
37cd3088804c5cca10febe4d54fe79159bd881b6ee6f4bd09d0e1a5da8a43a1ce19ab3381df139e1e2dbb3dcba45599728e74592b4e0632b23754e33ca76199e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
fb70f913cc9dce7112752df16eecd5fb

SHA1
b62d9898b179349923e40c4225dd08aaefad0922

SHA256
a7f4c8a71526e02f094820f45ae0c9417a05780e9815115661160bc74081a274

SHA512
a28c29a2c16cfe5b35023a5eadb0ee00b783c0507b9f403249e120cc15eecb8d28dd45166f73a84330fd477f77ed05995ec8cb741655e9b5c887664376169704

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
7f971c0770ef0485f4adda46daced786

SHA1
7ea5d44ab7debdb86eac4185a6fb1efb89f26afd

SHA256
37cb18d9c2085d39decb383c43324e7001a1b2b4574762ab8f128ea449e1edc5

SHA512
ae1041bbf7bbcece85914388b6ae188f4d8a870e3d47d08eefbfe32e20d252a16fef6479dc57ac9ec52976c7727bae3322f1e2766c411dfc58d05bb88e8f0f4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
e8cddc5e99c58d6bfc01cb1a50185905

SHA1
4e5457e3cc0549fa4251953faeb8664fe8de7b45

SHA256
c2290510cff780f1e65298f650fd156a9e4c6efd69ef624d4177eda6ff3c7ddd

SHA512
8518bdcbd6fa2ab60921ffa7e2112a6b30e747b7a54f8cd252e67c4bf356316c283fde8f1807aaa7387d0348ce4249cb6732dd341a66ce61c78beecb44e4c903

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
1c7980ab3845549ba0ca34783715cfdb

SHA1
1cfb4cc600f9b85b444b8a358d5c3060423ab2c6

SHA256
6783a0ce60ccf1812bedf0e89c1f1983f7c3c4fb35330e36728c2935eaa41aaf

SHA512
36fc6ad407363f6c0b1d898a98b8c611711e40bc91ffb92719a075de2b0b71619622de3a5682609ca83e50cd3f26d6c965438d77ce929d226feb9df854429f96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
20305edca09bfb20086a4fa456882690

SHA1
f6a4de0f91907e12c70ed8cb3e807cc8eb8d7226

SHA256
78eeef04e80483ee767f4fbcd48473bf04b12b937283d5548b1db67bd74c97e4

SHA512
1fb8e68b52017bb07bfa4c6cb432d3e84450e2f433dd35b81a5ae6154bf00ab993cc0253989ab68df3811f4685b9e0b6647003d0dc8f606ab4b2f404c967edcc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b5eee41712fe2fd05b80d4c56388754a

SHA1
c6d84018ab21897cde75248bd379a1564870f1e7

SHA256
429d781fa3c058767afe8b547f1e76cbd5068db876a041e335ef17f0433a912b

SHA512
7dac9ba0c2a6930337703123e074aaf07454352d0b9efa927d1a7d291215ec4ff08a1beeafda15588b482640f8aa57ce532abf40b61bc6c1a2d9f2de10c54cc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
eca29aaa6d3c4a26ac14811adc75ecfd

SHA1
4ccb17a33d7b807fdca1f6e42f090a2a1e5f538c

SHA256
247c2fc8e7d9c8f72d59efc454d4e70da57b70ab5a56a8edc06171eb064c29ce

SHA512
b45e65cd5249ff8bcddd2d8c333ffac48ad03dd2bd0b32e9387be48e115812f3adc9a547aec89608ce775248e76dfd0cf2994feb088237caf55eabce01a80385

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c7c3f8007021c947185edaf71223b29e

SHA1
232c6044f66e1f3090c51e8e894e1f20b9f1922e

SHA256
ec41ea3d919a987bdc69a63a6b81d13d799dee221e0676de2408f4e042ec357d

SHA512
29b1481077268511312da97a6cbe1cb2355489f23da022f46a71c63af8892fcf0daecf0aba520d5bb2d302f99e6534285177ce4fb323a8bfb6f298e94e3a42da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
47ed3f46b75c5ff706c7f3360b891663

SHA1
c02e65b1ee9ff132a7c77bbef6a8a9f21f31d54d

SHA256
f6953564cda485167888c2a79033884332511c451f09d86f07c7b495c2b997a3

SHA512
993048eba41e91fc37b0beec5769a6bba6a1659df7e53f55811a8665ad4621ab6206fbad460d0058b9001f830f3cc3dac29ada8936b06c0906f7231738fcdaf3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2bf3c0236dcacad8ccad6e2e9568b4cb

SHA1
8c8ba2ae29753407f99d1131c514709ed23c28ce

SHA256
8b12597b3737eee474a8f6c3a7a4504d49357690a73c8a70c6cec463d52986cb

SHA512
d00ef4b07cd464a092c9d061cd166b3cadc7aca190b853deedd8cd646c64c5eb01582bd0df18fd692be2dc75351a1c11f117fa8dfac0b4c39d505928c800bc47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5e08017ecdf431d199666cd8c6d864f0

SHA1
823eb31a0fc0bac837e02b161a833a1c98fc0939

SHA256
8fa2f2234394cf91aa7af97ab30d5f8230abece3c47e3a7f9858cf364a0db155

SHA512
1cfd6ff47acc49c18b07049bc82d3668e9791ee1f1b838650c10fcc71964d18815ae674beb9336371267b511efa89dc90d4a02b518df98adb5faf58702d275c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0b20d3dc3d2abfa4bc41e6d35c050acc

SHA1
e1122f81d89ad3ca8fcc5e26f4405d5d77c429ea

SHA256
7d92cce606726e73dc3230aafb0c3a993271aaa2f6965aff6651b7c3cb2a71a6

SHA512
e0ff4c08e166e469bfe634d1c13d7f69cfe634991720436f833ca5c31dcb45de34029017f0f0f99a3aeb75c57b1dd59f3da274259886d432a17897625611e060

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d685fcc40e437ecc2b25ec393c829f4f

SHA1
c04d5894363bd7f185a864f74fd5c624e4f9c98d

SHA256
5314dc2193ece02172129fccc002846145e136d83e69c2be77b6ec53b12d7160

SHA512
4e6745cea7ecc6a04ffb477f96a43deba6e8f7220a447924917e6f86542c20c4dd0da736165c4caa0e614d5dc7eb294ac497abee9d40e7f26d85bdd10dce8048

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e92e2ed6-58a4-49f6-9ac0-fe9bd0a593f0.tmp

Filesize
9KB

MD5
ba15bf82f932faa54ab22040c7d66c58

SHA1
d9b102b9ccdff106d4e639b9c35b164d298bff01

SHA256
8c3cdf00d0c5b226ac7a6086941cbb830c1f570c0f0c590daa16d814fa534b9f

SHA512
0f935717d55b310fb8d627ceac7782f9e87de5c25cea1ce6d1c4c105c7b03a4f3c66c5bc83d46b21646967235f9cb64dd4080270d2653283b4c3441112c44822

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
5cd491a12e86b5b873de0edf67fcfbb5

SHA1
4470c4d0cde69feb316ef3b2755c8fa4ee656425

SHA256
5ff1ccae4abf43d61e9c6589bff8480e488859ac1ba1948cbecd3b0e60e706c2

SHA512
fd10e95c0dfa2581143d20683cf879ed1b3cb779c96c74a58bc6a826242c8a0992c368016b99c592e878e1c407e6a263feb4ae93cf20c854d907841c54cac506

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
36ae219a30acd246f4438b4d6ede82dd

SHA1
d529dede027ec965607e070c6c26a3d278502f60

SHA256
930b666646b06eff1d3333c25507428a81fcb6367e7a1929105eab642f9cf7ad

SHA512
edb2c34ef9caaaf52c5953fbfc8c03fe8e538f1a03b29dc2e8208f4c40ae4feb5a14a75e84384ac3d873eb2573c59b3f3ad7f39a5fa13057b7a7fd2bc99c3d3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2868_604065433\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2868_604065433\aac2bab8-edf0-4b33-986f-68a6b4f3f9ef.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp460.tmp.bat

Filesize
156B

MD5
a821c14e7f9115bf83797a72e1a9f586

SHA1
3bd37245203342593307c42150c3470802d7d961

SHA256
13b9573c9934b510120b11c199588d2dad05f89071b01622708a3e503b53baac

SHA512
58d5a3db95511681047ecc54ce07802370f96bf2db948dd50a4171bc3a5afccbf4a751bd9f1cc19ed14810caa0d284b92af3a3565d05b9b2f66e4b74c7d4e2de

Download Submit
C:\Users\Admin\AppData\Roaming\lasjiiziopjwe.exe

Filesize
62KB

MD5
9b58a4fad9c0ddace097997174a11175

SHA1
aad8aaac4ac821a047d68d90bb3266d73e5f6457

SHA256
7bb046bb513f61bb2f038262e0355f239b0daefc081619cb51039bf0cf796033

SHA512
dc27a308b85434804249751deb19eb8ccbcef8c53ca5af6f662b74e41da4763593388c75216ceda66b83b5213a8c55c662d485ae70d9b9abc33bee3e053bb6ba

Download Submit
memory/3928-33-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/3928-0-0x00000000751BE000-0x00000000751BF000-memory.dmp

Filesize
4KB

Download
memory/3928-28-0x0000000005010000-0x00000000050AC000-memory.dmp

Filesize
624KB

Download
memory/3928-27-0x0000000004B80000-0x0000000004BE6000-memory.dmp

Filesize
408KB

Download
memory/3928-16-0x00000000751B0000-0x0000000075960000-memory.dmp

Filesize
7.7MB

Download
memory/3928-1-0x00000000001E0000-0x00000000001F6000-memory.dmp

Filesize
88KB

Download