asyncrat | e544ff3ed62db97c02442c849b3214a7b3d913fb73b430d79edf557e7ec91555

Analysis

max time kernel
595s
max time network
441s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
16-08-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AsyncClient.exe
Size

47KB
MD5

c792e7efbdb2d57c605efcb45a48109d
SHA1

eb0c663a68aee213c6b64e1f10207409f0da5b20
SHA256

e544ff3ed62db97c02442c849b3214a7b3d913fb73b430d79edf557e7ec91555
SHA512

f407285fd965f6d7e5ea42312fda6159cd9546480e2752983cf6f784c414ee040446c6bbb595d27e9d27d07e5f59355265fe7384f6666af86c3c6a8e1aa74b33
SSDEEP

768:Juk0VT3ongoWU2Gjimo2qryBmv83OxmIsPIjACXD9izQ0b3eQbC2l6S6heyV27H1:Juk0VT3Q+2qg0jAgCb3ZbC2lqYyV27hv

Score

10^/10

asyncrat default defense_evasion discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:7707

127.0.0.1:8808

Mutex

uSyaMxhmF1LU

Attributes

delay
3
install
true
install_file
hey.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000300000002aa5e-11.dat	family_asyncrat

Downloads MZ/PE file

Executes dropped EXE 8 IoCs

pid	Process
2008	hey.exe
1492	AsyncClient.exe
728	AsyncClient.exe
3268	AsyncClient.exe
2832	AsyncClient.exe
5068	AsyncClient.exe
2812	AsyncClient.exe
2296	AsyncClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
44	drive.google.com
1	drive.google.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\AsyncClient.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2092	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133682924037208087"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-6179872-1886041298-1573312864-1000\{0F355389-FC24-485E-8DD3-CBBC3276A91C}	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\AsyncClient.exe:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1144	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
1012	AsyncClient.exe
3788	chrome.exe
3788	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1012	AsyncClient.exe
Token: SeDebugPrivilege	2008	hey.exe
Token: SeDebugPrivilege	2008	hey.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe
Token: SeCreatePagefilePrivilege	3788	chrome.exe
Token: SeShutdownPrivilege	3788	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe
3788	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1012 wrote to memory of 2332	1012	AsyncClient.exe	88
PID 1012 wrote to memory of 2332	1012	AsyncClient.exe	88
PID 1012 wrote to memory of 2332	1012	AsyncClient.exe	88
PID 1012 wrote to memory of 4924	1012	AsyncClient.exe	90
PID 1012 wrote to memory of 4924	1012	AsyncClient.exe	90
PID 1012 wrote to memory of 4924	1012	AsyncClient.exe	90
PID 2332 wrote to memory of 1144	2332	cmd.exe	92
PID 2332 wrote to memory of 1144	2332	cmd.exe	92
PID 2332 wrote to memory of 1144	2332	cmd.exe	92
PID 4924 wrote to memory of 2092	4924	cmd.exe	93
PID 4924 wrote to memory of 2092	4924	cmd.exe	93
PID 4924 wrote to memory of 2092	4924	cmd.exe	93
PID 4924 wrote to memory of 2008	4924	cmd.exe	95
PID 4924 wrote to memory of 2008	4924	cmd.exe	95
PID 4924 wrote to memory of 2008	4924	cmd.exe	95
PID 3788 wrote to memory of 2768	3788	chrome.exe	99
PID 3788 wrote to memory of 2768	3788	chrome.exe	99
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 3504	3788	chrome.exe	100
PID 3788 wrote to memory of 4724	3788	chrome.exe	101
PID 3788 wrote to memory of 4724	3788	chrome.exe	101
PID 3788 wrote to memory of 220	3788	chrome.exe	102
PID 3788 wrote to memory of 220	3788	chrome.exe	102
PID 3788 wrote to memory of 220	3788	chrome.exe	102
PID 3788 wrote to memory of 220	3788	chrome.exe	102
PID 3788 wrote to memory of 220	3788	chrome.exe	102
PID 3788 wrote to memory of 220	3788	chrome.exe	102
PID 3788 wrote to memory of 220	3788	chrome.exe	102
PID 3788 wrote to memory of 220	3788	chrome.exe	102
PID 3788 wrote to memory of 220	3788	chrome.exe	102
PID 3788 wrote to memory of 220	3788	chrome.exe	102
PID 3788 wrote to memory of 220	3788	chrome.exe	102
PID 3788 wrote to memory of 220	3788	chrome.exe	102
PID 3788 wrote to memory of 220	3788	chrome.exe	102
PID 3788 wrote to memory of 220	3788	chrome.exe	102
PID 3788 wrote to memory of 220	3788	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "hey" /tr '"C:\Users\Admin\AppData\Roaming\hey.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "hey" /tr '"C:\Users\Admin\AppData\Roaming\hey.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBDD2.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4924
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:2092
- - C:\Users\Admin\AppData\Roaming\hey.exe
    "C:\Users\Admin\AppData\Roaming\hey.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb823cc40,0x7fffb823cc4c,0x7fffb823cc58
  2⤵
  PID:2768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1780,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1768 /prefetch:2
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2072,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2192,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3104,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3556,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4780,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4820,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4880,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4604,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3236,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3240,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3336 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5236,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Modifies registry class
  PID:2792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4468,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3352 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5280,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:1544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=4556,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3228,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5348,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4560,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3296 /prefetch:8
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4496,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:2716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5424,i,13508487745047851421,7165555211560305284,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:440
- C:\Users\Admin\Downloads\AsyncClient.exe
  "C:\Users\Admin\Downloads\AsyncClient.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1492

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4688

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3168

C:\Users\Admin\Downloads\AsyncClient.exe
"C:\Users\Admin\Downloads\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:728

C:\Users\Admin\Downloads\AsyncClient.exe
"C:\Users\Admin\Downloads\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3268

C:\Users\Admin\Downloads\AsyncClient.exe
"C:\Users\Admin\Downloads\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2832

C:\Users\Admin\Downloads\AsyncClient.exe
"C:\Users\Admin\Downloads\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5068

C:\Users\Admin\Downloads\AsyncClient.exe
"C:\Users\Admin\Downloads\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2812

C:\Users\Admin\Downloads\AsyncClient.exe
"C:\Users\Admin\Downloads\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\8c7ac7c0-f330-4407-be96-5758a49feba0.tmp

Filesize
15KB

MD5
0088c81c7d40188913c2b54deb20c0f8

SHA1
2b23ca4cf5bac5b5faeab62d57826f0477c0e5cc

SHA256
16454713e3006a04367db2a44ace41191fd1ce0c929c3508c8108d70b832e9a9

SHA512
641c4dc820e6966502169c4eeda5c705aa99274078f834753b488c26a8a09cc5de1d2586874efb20be154f5c4b0d4ae4c071dccaf9276febf33f5ad8448e85c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ed87eef569bf6cb324f5a908633a59ff

SHA1
637b4fa484baeaa775507c07f1550d40cd4d3c28

SHA256
2cee62fba9a04b7f9e0574362dbecb357d05eb98265449a9ad3dc8ecc67dd2ff

SHA512
543247fffebec8bb1e5e9dcea643709b7308d9b58a63dbf9f1fbd9da51ee5a3c3077e04d2ca98d78347ce72e1d9e9e5b1f99e5b12dae50ccb5758d235dd1e38e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
744B

MD5
2aa655c3912f97674b2efd84f72a986e

SHA1
8af3792f5f3d0852fc4ea7e6cc48c338e740f713

SHA256
256979c64f16f020205cfc9fe947d4b3c0b0317234999705d3f48661fb882dc8

SHA512
0c5878f6e70d2cb1b3e3b962dc9cac5803fd2603c3d6b77f4aa25e57b13dc3f85c7d08a52b5f75889ec74d31361ce5db7bcdd99d2267fecc1a9f5fbee68f79e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
044e83fe79353e515a0fb2ccf874253b

SHA1
98088bfa1f7d091789f2b558fc7677421afe0c2e

SHA256
5c2060382719992f2df0593abf7741a6a21bff135491d54f660ce6385b20827c

SHA512
8d1cb6302784d02e5e2464e859b832658328839e8e66d9aa901d4f5a514520b890eb440e41e5161b25fa62db4bb07f8ebce32df4fcf6111a29108c6d81c41ec5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
0c95dcaa4e61e61c4ae17c1fa51ef93f

SHA1
084ec83d88655847ea6a1a3dfdf9436744bf55df

SHA256
25eccc6329a21536125de12bcd79288402ebc851f2b9798987f88918a28ab105

SHA512
544aff971f5513fd283223319eb4fc211a094cb2c264d3ad05d34d9a0ef459cdac9147474e3aba9a61facc74caeb688f41806067f717ceecde7b9564b619fbee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
50cfc626247d9d6ec1661fe9db6dfac4

SHA1
68c7805ec4c16eb4c6260e888a3d30e66724c35c

SHA256
223e6cdecacd26ba24a93d2d6f231e0c0c26d3e256f7a86d7d97f81589105e74

SHA512
6cdb6721ac534aab7cbdfaaf73001989f0bce5a7c7c19bbfcdb5a2b305d52bc4f01ca6327d955c877a826c7663942c6b276cb2b1205cfc7d0167568d07131256

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
54368b014808e1f33a03c5f624f868e0

SHA1
b352c36e44e41d679167342c43e1948020009479

SHA256
0e7557ae7991c6120daae8cd3e8bb92fab55d5050cb3106717332f612b89ae48

SHA512
3fae9bdc6c20c4aae4aea54df2a476c97f0adf124953c2222d5795621496858747b7dbc14f3150e57b0e6815a945e927ff879c158ea1d6b3ba0e75d2e15fb08d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
4f35f11c72aff295f05a08a53245b881

SHA1
21bad800ad617b3e64d0c9d1bce5be592edc0186

SHA256
838de24e99cecfca38b8a3833a34283be455bf78aa56edb4b7e05c8469db2a75

SHA512
721d15fe15cc2268ae925493eabb3ee508683339dfa04137c4a83b5b07ac6ac00cec581d385add5c0ad4010c3f40d975b2b81e1141e92f2adba6220fea1bcb19

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
37aeb5016b2da25db2636afd81dcfded

SHA1
eb1fc7a65ccaddca88309f5d48015a21255ae46d

SHA256
74527d931e5fff8727cbbfb8713c525771c49f36f0d8cf5bfe9ed2646efc51a4

SHA512
ac5d88baf23c8a1dd7a316a9c8552edc70af34a6b75aac2ca5c998d34ed55f5546c8affc7c61c9492438bac086e54eda257885282a6e63dedda4ab042beb1028

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
f665fe73050b962976490bd53b965cb6

SHA1
cb46cd2bd5f50a588463f44b36cf19df38bd3292

SHA256
4708354e54bb83fbd71857bfc0635124b8ffae76e64031f5cd6cc3d80e42cdd5

SHA512
c5e98a5fcce48fede5820cc25c89bfefac4fa1dab48114c08655e30948af7cfd9a52f3d4855e42871c059fdcb5eaf44f7fe37dd1c0acb4c1966b2eb077696b01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
b41681eee2fe4c1962b1e073ee109968

SHA1
308bcb9cf0303e866195e9c37009ef01fbd77c32

SHA256
65d6218a663383c82c0804335bac6047321ac2add64aeb32b73dc713285af988

SHA512
995ee66e1ba22e2569196340bea766136d0cb08381fc29be50aa2a4d2dba913153e2ecb8633873886d459da20b023e47915986747e61cb2dac59c1e5408edd7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3e323a1edc8dc9594627cb54059e58d5

SHA1
1aa16c19fd963c144a0101ff28219f0b60813527

SHA256
468d6814d70b9a6a08b4d640688de379716c84f0007f0c820ef01aab4f6c3bf5

SHA512
57670c20094d93cc9979219bd028f54b4afff547399199e6ca1a050ed905a0ddc88b03f3136ffc0c5c151c9da9f0fdf82c10830840663b20ff4acb6a7c68ec1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
471caac35cd130d79bc66d566842b9a4

SHA1
e9485e2fb1bc412e7883952f93062ac6d0a98f32

SHA256
e980900593113cee207899708f7924ca8e3602aacb98351aec180899e65f45ea

SHA512
8731b7a905048c80ea9ee4cbd9f9e22495d7d1cffe9ce2bf9693b5e8f26eb91a420e9adafa19b2d21e6614e1693e86cc2f839d3482f652e2c90b63e23f9bf4cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a8c90371da871bcd1b9a28276b582c89

SHA1
1c7cf96a5d82a7e80797bba52dd1360a7b4637db

SHA256
dc6c279d1da1b16d7c244122ad6958a58aed3f2bba500545ba9b6041c6e6118e

SHA512
0c2f669427aa515fe32799d0bbb9d9cd596bd4a13c2a1b5cffae34ca229529e28d8597f4ccf9a4269d89843445d3c7f876d1e078f2c1ef5bc70a587affa8ec9a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9a2c722f8f2fae04e7c8ac566031fb52

SHA1
a614da2fd7305ed98c9bdb826eaeb4d5f2132105

SHA256
678067f08455e6ff61ee10c5ef332ad68bee00bffd960f1115c14368f4800f4a

SHA512
7bef877abe0346a064876bcf7170b0ca75f00282521d15641e8c8f8bcc9c631249efb39221270abeb68f7c68da648a2e6572838ec2d0d5b34674118dce664a1a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7ab3c4efc8e29177995011597bff96fe

SHA1
b01670adffb7dab45e950a5066ba3104eb80771b

SHA256
0ed66a99ba180d06038d7590f051c8a75d742e9c9e3bd40166097cdd535b97f4

SHA512
4da79c850fc8623cd7a6be0de3b65e742fe67348312ce0a65cb6f2cd62f3199e184ddadb27a4ec071de7ba6b1d51005cab673118ab35f695e10b16663adbb4a3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1e1632484caf1a0f056af02337691f71

SHA1
45f5b001ef0226262ddf3f09d41700941082c471

SHA256
06d599b9717b465720d3a0df96dcd8ab8c6ab2aa099ab498fd5d9d5388e49c54

SHA512
396955ff64b7031b2e406395ecec51fb168fd0057458fba907074d6d851c3ff7fc6d9f3864636b88a28155b7bd63ee8a8c01b2841adac519f3b6de0ca8f0cbf7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a280a4c1214a3edf8d8e49bac5886c54

SHA1
30b0affc470cac66b8b2160ccd613eabaa4f5f53

SHA256
4966efe94faa1720220599dffad815a43f380b79f449d4166ef4e7519bb73e21

SHA512
87a5bd9c238f578b32bf477734b517c8c6e841929c3463bbe73976527520f2c648f74abe4a99ea4428c796133397b9bd3c83316e7908da258df495e44787224f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
822a0d89a5e25daa5acc1545ec802d0f

SHA1
244139ad7a6a943e867cd86fb600b416132f2a70

SHA256
9bf7c4c15f9c46b96c7e32d91b31f8beec265b56444f7a879944bf557d81be4d

SHA512
bad3c210835a12cd50fe99809f114eedce43952c1f1dfee991bb3574a1935a9811266aa0d76a8e85d4afab8d4c596d00e96fcd7d7114ab0fcdc29fcb5f0aa937

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0733bcdae81500ab4891867bc5135fc4

SHA1
3b5aa13fc92102094f822b0b1aeb8672c82db931

SHA256
d8c03cc08872eabbd07fe2c24d712c23b4656c870e2884e156e3b2a8bd5acab9

SHA512
bfde94e02cccb475b23917206ba7e631e3265cae27466e33003f682eab7feb36de5a682377b19f3f2c780683b0f6ccf3d9d3d3584740f0898a6a2e2da8904cde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2d34210bcba566420b886965c994b4b7

SHA1
b57c4893584a43d44237524a09b169d431d21744

SHA256
6d8827c667e72d0852e9da03237cdf4fb6e9db724baadd699873e5c8ab265d3f

SHA512
7440248470a0f33ab529fa0b30715cc0e7590d602381242eab6a8c83c6650d0e5e9a6366f80904013318ed1514751d8aa95e9797d166dfae434abf2ea8df6218

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4769a0dc15b776514d7354865844b4af

SHA1
6253251d2d8936c6909a3b31ded17c83e4a6b2b9

SHA256
5625c8544878b7da9fb5ee0163c6f76cbbc98b514e963152046ac2af4b6b97ad

SHA512
cf8081600185bae2218663f0f7a7d3ad3c58238564f1ca436d817db6a5bda250e2ec76ffc0534b28758f765db3aad0daabd73fc03ad33c5e8a000acf897a3039

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3539c111161b4f4f20e84b1370748306

SHA1
d1ac1635e7434e0790e3a54aca5f2d338f4b38a5

SHA256
5addbd277683e40f8dd6003cc1bdee0f953c6a57dd39050f0a5c5685e211ab36

SHA512
9b185096b0a248ae514d2dd639e5ff2da394d95003368ce24304849ab463b4adf7bc24ba8e13cf4d76d5ce258d19262abec10847e0803e26d6ceb217bd620d02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ad0f8db396103f47740e3312178ce944

SHA1
18bbd4dff47b734fd67e1c0d8c63cd014d2d452a

SHA256
8fb45e3417a8383685b426516711dc32a11470d6c05d5d831d1495ac57b42231

SHA512
3a1fd25f5be8e57159409dc13a0376893e06d9d9254a6f827a52fce4ab8e99fcf72ba84db21c81cbcda459f163e3f9eecfe7ac968b1e49c9bc682e6dc3f4262b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
ead1fd6f9ea731c67a1da0a834733dcd

SHA1
7ab69a8aee7b1972daab6bdc2e75c7787e7c16a4

SHA256
d2e60ff1b77c17b08619e037b61daa9b620c7034378803c87774e20424bfd8e4

SHA512
216bbf998a9bd2ef6b4417e3613f35d26c158c09940412ba5bbb038f374322517f20be8d5fc91f65a7575c5ff915f0266e9980bc7fb645e7fd2178b7bc722ec4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
85ee827ef6824edc1e49ac2301867980

SHA1
216ed061925567a82da819cd88b8d7ed1c1ba2fc

SHA256
b309d76966d9f2d288e253648f652feac9b81505fded721e6a53dd4576eba25f

SHA512
51b1b9928f4879946a09157cc7b4f0d1886a4c92022dd9c2a72b25c101c951843df4b92fe4905fc05839e0e3e1a07b171d600bbcc4ac86f19305995a35c9e504

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
07d7afc67c190c1dd12b76c01043abd4

SHA1
1841297298ab7c9dc54e2dacc2f6807e1a1ff39c

SHA256
04a6241cfc95421afad5fec44287b5e3627cd61be3e706ccdcd233163c3ec41c

SHA512
2b03fa5905884adfda5faaed08ceeb1a9ae5cee66a27eaf1dbb40db279d36e51d9dda6ef92301fa3f824c2b6a545db4270b5e02d043b0f3033536360d5565141

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
b05d7a254e83b1e2cfaf5071088ea353

SHA1
94269687bbcc25f1cb10035d17c543e951b9b281

SHA256
579875d56729c790d021bc4cabfed7acc8ce096ffbdef78eeea739d398bb515d

SHA512
0d1574277af396bd9fc9b87d1ad324e3c0920926cfff385add50163c5d03a69f9e5ef7ad8fa022e2be8706bdc3e65641d1b555bc797af2ce5007235cf2ec0244

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
bc6512a6c141d6b764f39ad40d4388e1

SHA1
a1ccb2a3bb328c88c79d64b463dfd778a051d165

SHA256
396587240c6f29d632f3e8b9f664780c6525d65ffea7b9a3994fc8bc54122b7c

SHA512
00dea22f7a35a3b14ccee7783e61981c4ca14c4c23927c4feabd46d9b4fc3c27231998a58f612b2aee6b133e2a186f817ce8f869daad4bd1a44dd433ee836405

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AsyncClient.exe.log

Filesize
522B

MD5
db9f45365506c49961bfaf3be1475ad2

SHA1
6bd7222f7b7e3e9685207cb285091c92728168e4

SHA256
3a8c487575696f7ace931dc220c85a47d33e0ead96aa9e47c705fee5dfac667a

SHA512
807028e2aed5b25b2d19ec4f09867746456de4e506c90c73e6730b35303511349a79ca0b9290509664edc0433d47e3fc7f2661534293ebb82185b1494da86a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBDD2.tmp.bat

Filesize
147B

MD5
45b3e1e21d82d77b5226e299f07a4efd

SHA1
48cf3db0224dad30538330fe9ff52d38ead5b26f

SHA256
1a0ae3a0896687d03922501201d4bf25bbbc8dd6fea9d032104f03dcc0096ad9

SHA512
6baf43aa2d41cee2f431257e304374509b6aa2049f58f6c6a15f9e7edf54a85da9a4f03b60ff642bbc430dab00558607507d81f741375b951be0e5684ca81d21

Download Submit
C:\Users\Admin\AppData\Roaming\hey.exe

Filesize
47KB

MD5
c792e7efbdb2d57c605efcb45a48109d

SHA1
eb0c663a68aee213c6b64e1f10207409f0da5b20

SHA256
e544ff3ed62db97c02442c849b3214a7b3d913fb73b430d79edf557e7ec91555

SHA512
f407285fd965f6d7e5ea42312fda6159cd9546480e2752983cf6f784c414ee040446c6bbb595d27e9d27d07e5f59355265fe7384f6666af86c3c6a8e1aa74b33

Download Submit
C:\Users\Admin\Downloads\AsyncClient.exe:Zone.Identifier

Filesize
56B

MD5
5bb5cac758af54ecba857942807a4047

SHA1
a510fb307298051c8eeea5c7f8a3ea4a3d631992

SHA256
a3c3b80c1724b1d9d58ffe48df78b36108abd35cf73ed0837a409c95aa54f5d0

SHA512
e67b4ae4e896d52d0e28d7fc4909b47814c7817d85ab6cdc879e23b6138962425e8408ddc4a4abbe776aebb9f2a5f7af54c6b756dc07bf21aa04e51d558d64eb

Download Submit
memory/1012-8-0x00000000745B0000-0x0000000074D61000-memory.dmp

Filesize
7.7MB

Download
memory/1012-0-0x00000000745BE000-0x00000000745BF000-memory.dmp

Filesize
4KB

Download
memory/1012-3-0x0000000005320000-0x00000000053BC000-memory.dmp

Filesize
624KB

Download
memory/1012-2-0x00000000745B0000-0x0000000074D61000-memory.dmp

Filesize
7.7MB

Download
memory/1012-1-0x00000000009E0000-0x00000000009F2000-memory.dmp

Filesize
72KB

Download
memory/2008-13-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download
memory/2008-14-0x0000000074500000-0x0000000074CB1000-memory.dmp

Filesize
7.7MB

Download