asyncrat | 22c7f23dedc2667904b242348ce36ce7e8aa43c1a1579f86d61c27778e141441

Resubmissions

26-07-2024 15:26

240726-sveplszckf 10

26-07-2024 15:22

240726-sr1snszbjd 5

Analysis

max time kernel
63s
max time network
298s
platform
windows7_x64
resource
win7-20240704-es
resource tags

arch:x64arch:x86image:win7-20240704-eslocale:es-esos:windows7-x64systemwindows
submitted
26-07-2024 15:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

022-CITACION DEMANDA EN SU CONTRA -JUZGADO LABORAL 04 CIRCUITO ESPECIALIZADO EXTINXION-02.svg
Size

365KB
MD5

80193d67d0da94a9d928fe4bc5b3a7cc
SHA1

ec3b1f52e184dd87dfe9ceb2eb5cdca6f96f5dc4
SHA256

6e6577761b13f6a42f212419a8fcca10f35ab9315f24e9be39c8fc5cdfcfea10
SHA512

b376e9152c6ec0b45d8e9fa7d4f298a8ddf2d873c3b42b3f7d60704dbef3c7a4967a6e32fef5cd8fa0019bd6176401c2b8fcc0698437c2ae8082bfacb9088957
SSDEEP

3072:RCkLBpCoMXyV1d/Cl+XlwdgrJGwS4BHKlgeJtonukwUwPsWw5wzwQw6qmPwOhuqZ:RfBpCoK21dE+XlpJGwSsKldhLsuCY

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

melo2024.kozow.com:8000

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
AnsyFelix
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2776	chrome.exe
2776	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe
Token: SeShutdownPrivilege	2776	chrome.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe
2776	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 1948	2776	chrome.exe	30
PID 2776 wrote to memory of 1948	2776	chrome.exe	30
PID 2776 wrote to memory of 1948	2776	chrome.exe	30
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 1268	2776	chrome.exe	32
PID 2776 wrote to memory of 2760	2776	chrome.exe	33
PID 2776 wrote to memory of 2760	2776	chrome.exe	33
PID 2776 wrote to memory of 2760	2776	chrome.exe	33
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34
PID 2776 wrote to memory of 2560	2776	chrome.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\022-CITACION DEMANDA EN SU CONTRA -JUZGADO LABORAL 04 CIRCUITO ESPECIALIZADO EXTINXION-02.svg
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6e29758,0x7fef6e29768,0x7fef6e29778
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1144,i,10159409096936010501,7411316735359081782,131072 /prefetch:2
  2⤵
  PID:1268
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1476 --field-trial-handle=1144,i,10159409096936010501,7411316735359081782,131072 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1616 --field-trial-handle=1144,i,10159409096936010501,7411316735359081782,131072 /prefetch:8
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1144,i,10159409096936010501,7411316735359081782,131072 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1144,i,10159409096936010501,7411316735359081782,131072 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1588 --field-trial-handle=1144,i,10159409096936010501,7411316735359081782,131072 /prefetch:2
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3056 --field-trial-handle=1144,i,10159409096936010501,7411316735359081782,131072 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3124 --field-trial-handle=1144,i,10159409096936010501,7411316735359081782,131072 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=2992 --field-trial-handle=1144,i,10159409096936010501,7411316735359081782,131072 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3140 --field-trial-handle=1144,i,10159409096936010501,7411316735359081782,131072 /prefetch:8
  2⤵
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2084 --field-trial-handle=1144,i,10159409096936010501,7411316735359081782,131072 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3744 --field-trial-handle=1144,i,10159409096936010501,7411316735359081782,131072 /prefetch:1
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3068 --field-trial-handle=1144,i,10159409096936010501,7411316735359081782,131072 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3840 --field-trial-handle=1144,i,10159409096936010501,7411316735359081782,131072 /prefetch:8
  2⤵
  PID:1764

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2988

C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\01 NOTIFICACION DEMANDA..exe
"C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\01 NOTIFICACION DEMANDA..exe"
1⤵
PID:1000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  PID:1356
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    PID:404

C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\01 NOTIFICACION DEMANDA..exe
"C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\01 NOTIFICACION DEMANDA..exe"
1⤵
PID:2936
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  PID:892
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
aa5ee61778d241d2587a6de542d1b3c0

SHA1
bb20ffe81a5b7443bc90c6a0b8ae937eee40cc7d

SHA256
c43559b1ec12caff505591d139b939d3f77cafeb3c42bb0ada77d7ac068f03eb

SHA512
8f6b8fc20baf047cf41f9db1ca57ed2ce54dcce6ba72c49a126606cf822aea1eb342a23734b6dc889235829e98d9bba9e811162b0632fa70e321b40be8b5aeec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
df0408eb867287a975426db46988f4f1

SHA1
ccf7379e32955810b63d2c3485297ffb543aaa58

SHA256
f6bfb0a8931e8c5ba4ddfe63c91f6e11769e910261986e362377e41d3d88b5f7

SHA512
bfcb5da259bb84348c5efbf88fdab76709976dcae0adfaa6ed4e1151474af22c88d362dc99b19570e76f0f89692dde27373576efc9fde2d91fccd1316fb2b05c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
3803b9b52e312b6aa3a8ededcee393ca

SHA1
5b3c7b59038d9d8e091c31140f8c7f1cc307017c

SHA256
f5488d87408739c7e175661c7b2c5db0573229e7adf52092f043212b47a6767b

SHA512
65d854173d14643e76093130b4a88dedad20535b19f08552d785db87f70d2369b42a6ef416a0a7802c697bc625a1a948c234f436806caad943424951421e633a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
532c68273009c9df4bb5609f3575b6bb

SHA1
63dfa3cd88f28450029365b11c68c19f5482ec09

SHA256
dc0cebe05c334da129dcd06ee6a5e4fe9c58ecbff230e6485506d25ad4f7ffdd

SHA512
3ad71424d351ec898fd528e706d63d2050ee82a885ffc5f32b4d483750da3e182e28122c2e4357c8c4a3c8cf38e7d18fbac460466f2ab3636bd9743c9afc9c1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
965d838b742d7217324f8f455003c5cd

SHA1
129bbaa59b122b964385118a3638de3d6d3f346c

SHA256
143f14d7de112875f2969e1798d3ca8c755fdb4146f21fad511a59ba61bb91b3

SHA512
ce7b110e1ed060c98a96f5e2ec4672d8a5e614f75f8c71ffe0e30456eab6783999e4d3ae3966b469a3faee7e2570412ce305cdb6462958cdbb592c51263b981e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
79KB

MD5
a3da5213e8b5a1f461c09ef679532712

SHA1
6eaa1066be0427d036af362555a9100862cbfe95

SHA256
3970df49b25d374f548b61a89d930dfee2a2ea049c723216722c87b2464077ab

SHA512
29f94af965c6ebd46fc48b7ffda91b539aab13da42c2a6f685a6771ffa1178f5285413ebba0d6244d1a9467d645ccba6be143582fed31fa02e412bc75a1e208e

Download Submit
C:\Users\Admin\AppData\Local\Temp\8f594ee9

Filesize
774KB

MD5
10729f678bf1d39132fd1bf3bdedb202

SHA1
9b4562620c513639b9e25b31e284904a6668f38e

SHA256
97a601168ec41f1d1cc0e659e73e170fc6bb6240c60ff960cb0af47c3aa9847a

SHA512
365217ae174b50e06395116461ff66fede2ee1237d3510966703ac58eb09e64011ac3f659ae54b510b26b9425c60d4489f43265610becfbcf66f13ebae66fb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab99A3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ea2fa4ca

Filesize
774KB

MD5
7bba61a4db0adb1ed56e9455f7f0ae21

SHA1
cf522f5876875f036f4e42fc00adf82108cc797e

SHA256
04f0a3730f070680985b8a89d4cb5cc2c270e5dd0188398586f9655a91302165

SHA512
a40e929a88f4ba5064aa7aba25220efaa99c33235767bf4328d723632d217a1483d95d0af366c8eed260b19d135b01fa2a640bba8e85ab038f553fc45e380ca2

Download Submit
C:\Users\Admin\AppData\Roaming\apppower\aigret.eps

Filesize
650KB

MD5
b16a26aee27cdc91b7f545e03877f9c0

SHA1
7eb68256ac0a97e4ee0ddc1db648968987406910

SHA256
b3abdc2b792cb4b0160bdcc291dcb13b31078d852bd20ae01ae0908a0b46b72f

SHA512
25b8a3155c9b30df90b64690b8f4d16b1de1dd321efe05f9c8e5e939e0884acd2e4cf07797dc7f1a87600793246640ef6e5ff3b2a82229406cce674fef15b446

Download Submit
C:\Users\Admin\AppData\Roaming\apppower\barrette.accdb

Filesize
17KB

MD5
3de728173727b206fe14724ba05a28c2

SHA1
407ca05387c9fc1ac22cd409df1f0899d49a7cde

SHA256
f923b85549cf4d2f87c11f4cdeb5abb408974aea8235aa68acc849736ebdde28

SHA512
33b6e43f6bdaf31b7387ffa683e9581afb4d9b170767e6c6a51180608568db9675fb16643ff462dfd53c6ca76789902553d9bb6e834734fbd8ce4f8726b76206

Download Submit
C:\Users\Admin\AppData\Roaming\apppower\madbasic_.bpl

Filesize
210KB

MD5
e03a0056e75d3a5707ba199bc2ea701f

SHA1
bf40ab316e65eb17a58e70a3f0ca8426f44f5bef

SHA256
7826395127e791a883359ea81308174700da0af8052cc9853b19fd29c2e4badb

SHA512
b0a3cfb6b34832f048fe0fc70c6fa76ae16a2cacda930f6529a83a967d6e8de1c69b93e0de3dc2126c5385d85e814687e695a0a4131399a69633141cad98da2a

Download Submit
C:\Users\Admin\AppData\Roaming\apppower\maddisAsm_.bpl

Filesize
63KB

MD5
ef3b47b2ea3884914c13c778ff29eb5b

SHA1
dc2b1fa7c7547d8f1ad3f20f9060f7bc686118e0

SHA256
475f7cdffd8ed4d6f52bd98ae2bb684f1c923a1be2a692757a9af788a39b1d87

SHA512
9648d951d8d3640436c8029fd0f06786f7ff8f52191cd6959569c87868bb6c40ac8c7e495c09377a8a5c85e8d3942551c37eb84e916b5c16327d8d43a167820e

Download Submit
C:\Users\Admin\AppData\Roaming\apppower\madexcept_.bpl

Filesize
436KB

MD5
98e59596edd9b888d906c5409e515803

SHA1
b79d73967a2df21d00740bc77ccebda061b44ab6

SHA256
a6ca13af74a64e4ab5ebb2d12b757cecf1a683cb9cd0ae7906db1b4b2c8a90c0

SHA512
ba617227849d2eb3285395e2d1babfe01902be143144be895011f0389f1860d0d7f08c6bbc4d461384eba270f866cce3351f52af1dc9ef9719c677619de79e42

Download Submit
C:\Users\Admin\AppData\Roaming\apppower\rtl120.bpl

Filesize
1.1MB

MD5
1681f93e11a7ed23612a55bcef7f1023

SHA1
9b378bbdb287ebd7596944bce36b6156caa9ff7d

SHA256
7ed5369fcf0283ea18974c43dbff80e6006b155b76da7c72fa9619eb03f54cef

SHA512
726e8f58648a6abaf1f2d5bebcf28c1d8320551a3b6e7eef0cf8d99f9ef941e30e7004c24c98e9b5e931a86128d26de7decba202390665a005e972dcbe87ab93

Download Submit
C:\Users\Admin\AppData\Roaming\apppower\vcl120.bpl

Filesize
1.9MB

MD5
1384dcc24a52cf63786848c0ed4a4d1b

SHA1
ea63180c94ea2d0417ad1860128980dd18c922ef

SHA256
d19f51871484cc4a737196bdb048193ad73f7f6bd061ec813766516eba26e406

SHA512
d405911672e3ea7abcbc898d7b807b9bc1dcbf4f83663d70bd8adab075960cf3d904b2710adbdafbcbb99ba4a41b9a40c64b7171e845255a91a042871b1ce8a3

Download Submit
C:\Users\Admin\AppData\Roaming\apppower\vclx120.bpl

Filesize
222KB

MD5
3cb8f7606940c9b51c45ebaeb84af728

SHA1
7f33a8b5f8f7210bd93b330c5e27a1e70b22f57b

SHA256
2feec33d1e3f3d69c717f4528b8f7f5c030caae6fb37c2100cb0b5341367d053

SHA512
7559cdf6c8dbea052242f3b8129979f7d2d283f84040f1d68ae10438548072715a56a5af88b8562aeea7143194e7c5bddac3fdb01ded411a0b1cac9f0c6eef3f

Download Submit
C:\Users\Admin\Downloads\115b0664-8b9e-4038-a66f-c33d94079b0e.tmp

Filesize
6.7MB

MD5
da0f823b67bc093b75d381f2a105ecb6

SHA1
11e82222f4070fbadc8c4c2f194ba65d9fa60ac5

SHA256
ed88b5c4a8be75f5da0400817a9514bdcb38e602aa3fe463d39cec523dcd3268

SHA512
3d2986bf2b9d6fc9c7251934f68eab8995dc33b1cf3886c2360afebdc2f9f35a088a2e0d92002a3c225a07095a5213677df78a4bf95ed77842d98a998b1e1016

Download Submit
memory/404-231-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/404-226-0x0000000072C80000-0x0000000073CE2000-memory.dmp

Filesize
16.4MB

Download
memory/404-227-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/404-228-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/892-224-0x0000000077650000-0x00000000777F9000-memory.dmp

Filesize
1.7MB

Download
memory/1000-148-0x0000000077650000-0x00000000777F9000-memory.dmp

Filesize
1.7MB

Download
memory/1000-162-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/1000-147-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/1000-163-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/1000-165-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/1000-167-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/1000-168-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/1000-169-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/1000-166-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/1000-158-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/1000-159-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/1000-157-0x0000000074AF2000-0x0000000074AF4000-memory.dmp

Filesize
8KB

Download
memory/1356-229-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/1356-230-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/1356-170-0x0000000077650000-0x00000000777F9000-memory.dmp

Filesize
1.7MB

Download
memory/1356-164-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/1356-223-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/2936-195-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/2936-219-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/2936-220-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/2936-217-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/2936-222-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/2936-218-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/2936-216-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/2936-213-0x0000000074AE0000-0x0000000074C54000-memory.dmp

Filesize
1.5MB

Download
memory/2936-196-0x0000000077650000-0x00000000777F9000-memory.dmp

Filesize
1.7MB

Download