asyncrat | e544ff3ed62db97c02442c849b3214a7b3d913fb73b430d79edf557e7ec91555

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
16-08-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AsyncClient.exe
Size

47KB
MD5

c792e7efbdb2d57c605efcb45a48109d
SHA1

eb0c663a68aee213c6b64e1f10207409f0da5b20
SHA256

e544ff3ed62db97c02442c849b3214a7b3d913fb73b430d79edf557e7ec91555
SHA512

f407285fd965f6d7e5ea42312fda6159cd9546480e2752983cf6f784c414ee040446c6bbb595d27e9d27d07e5f59355265fe7384f6666af86c3c6a8e1aa74b33
SSDEEP

768:Juk0VT3ongoWU2Gjimo2qryBmv83OxmIsPIjACXD9izQ0b3eQbC2l6S6heyV27H1:Juk0VT3Q+2qg0jAgCb3ZbC2lqYyV27hv

Score

10^/10

asyncrat default defense_evasion discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:7707

127.0.0.1:8808

Mutex

uSyaMxhmF1LU

Attributes

delay
3
install
true
install_file
hey.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000700000002aac4-42.dat	family_asyncrat

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
3300	hey.exe
3024	AsyncClient.exe
2124	AsyncClient.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\AsyncClient.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3584	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133682926808045094"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\AsyncClient.exe:Zone.Identifier	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1424	AsyncClient.exe
1424	AsyncClient.exe
1424	AsyncClient.exe
1424	AsyncClient.exe
1424	AsyncClient.exe
1424	AsyncClient.exe
1424	AsyncClient.exe
1424	AsyncClient.exe
1424	AsyncClient.exe
1424	AsyncClient.exe
1424	AsyncClient.exe
1424	AsyncClient.exe
1424	AsyncClient.exe
1424	AsyncClient.exe
1424	AsyncClient.exe
1424	AsyncClient.exe
1424	AsyncClient.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe
708	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	AsyncClient.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeDebugPrivilege	3300	hey.exe
Token: SeDebugPrivilege	3300	hey.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe
Token: SeCreatePagefilePrivilege	1664	chrome.exe
Token: SeShutdownPrivilege	1664	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe
1664	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2700	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 4048	1664	chrome.exe	84
PID 1664 wrote to memory of 4048	1664	chrome.exe	84
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 1204	1664	chrome.exe	85
PID 1664 wrote to memory of 2104	1664	chrome.exe	86
PID 1664 wrote to memory of 2104	1664	chrome.exe	86
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87
PID 1664 wrote to memory of 3488	1664	chrome.exe	87

C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe
"C:\Users\Admin\AppData\Local\Temp\AsyncClient.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "hey" /tr '"C:\Users\Admin\AppData\Roaming\hey.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1656
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "hey" /tr '"C:\Users\Admin\AppData\Roaming\hey.exe"'
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1868
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpA076.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1772
- - C:\Windows\SysWOW64\timeout.exe
    timeout 3
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3584
- - C:\Users\Admin\AppData\Roaming\hey.exe
    "C:\Users\Admin\AppData\Roaming\hey.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xe4,0x108,0x7ffb12b1cc40,0x7ffb12b1cc4c,0x7ffb12b1cc58
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1804 /prefetch:2
  2⤵
  PID:1204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2084,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2092 /prefetch:3
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2176 /prefetch:8
  2⤵
  PID:3488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3080,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4276,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4780,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4328 /prefetch:8
  2⤵
  PID:4864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4976,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=3528,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4328,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5100,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5252,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4680 /prefetch:8
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5264,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3320 /prefetch:8
  2⤵
  PID:896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5460,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3164 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:904
- C:\Users\Admin\Downloads\AsyncClient.exe
  "C:\Users\Admin\Downloads\AsyncClient.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=224,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4596 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5352,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4872,i,12960824949782266894,3217898554005300661,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:708

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2732

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2700

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1580

C:\Users\Admin\Downloads\AsyncClient.exe
"C:\Users\Admin\Downloads\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\01ac4300-27da-41f5-a619-7807f00f6084.tmp

Filesize
9KB

MD5
62c6f8afe28a46a6a937e417085f0f69

SHA1
d2230482f9a3d30a2b0fd66121b2a88857281ad3

SHA256
b6d893be3cde5bb581320130f768244eeccaa77d9912c2e9e6a4b7e335d1504a

SHA512
f09987d137859f8b26c5d6329338cc0c8f51eeb2166e15f151446b1b4f2ea450c0b0a7be9befc77f0a06977408acadd48be5b0433f11ab8986c3ef47d005d19b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a40304b23fb802e91ae2c730df337ede

SHA1
3beb6b29a293c1eaf7af5c56d0a86e11b2887b75

SHA256
52ee72c5654209695e1267cc43320acf82af7e9dad3a1616af846e351cdc96c6

SHA512
cd1acc5e37f3930197a3bb97251db3a59a851cb855cfd28d2cadc77d5a3c117fa4c6507b6d524154e35591cf47103e753ad9535ffadd6b0e0476e2e77d174deb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
a6230b8f305c59c93aeee3e671b2530b

SHA1
60f1aa3b97d72b0b795fe867e576415acb3c5fb4

SHA256
2f018647fa42c7215e07fd4c66f2b12cb58bcf74b7e339f2c8f7faf29564c3c9

SHA512
c6267b604f53abc56d0765a14e9313fa7f9ef285364e1795f046b761d5ef5557ec81cb62a85379c963cbfe0a815213f152f65e60baf4610dc918da1a281ed066

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3b20ccf13527f275f33fbd731a3df46f

SHA1
da9662a64cb9cee177e207442f5a1185c46fb343

SHA256
2d0f94bdb603bcb8e32b60c49811b0cd0bbfc72bc2f35b236b398c293a3df72f

SHA512
a34c2d826507456a7ac141cc44508b69180263bb3357716775c0cb618fe26e4dc8bb11e41cd64e4ad427208d3537aa03d4c9f3f7dc7b4b8bf84ba619c4f614d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
cf9a1a06f0cd0053e0a80d2f235ec748

SHA1
f63e0c59862b9b93744b3b99d69f414c336c41f3

SHA256
5d5cf3e4f825fffc0b7bea42b3fcc42941284b810482f0073f485de87fb0edab

SHA512
bde7e749d9691ecb4419b6700e91a3b30bd56a45a301537e2d03133b78fd00d03c0dee713c237b6051b36330c05ea0ab8139415cbf8d603a6dd68206ff911dc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
858B

MD5
00abb502168d74eab2fb3c0e21aac33d

SHA1
2654e70c55a3e2a6b7f6b71130dc8a53df6f9928

SHA256
0fa520b00e67c37e587fe2419a561edbe33dfd507b8decff7e46bf277dedc633

SHA512
419c39ab128ef54fbbb39bfa9fd178a21a2b814d9f520c75719a4779ea0c394c77b3739425bbccfa0ad919d26d5f36a0674fa9b64dd942bd9329b94659c55fe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
b60a610912bd444f9a370cabdd1f7859

SHA1
e697ead8600a96f0b03d5fcbb39853285ad0d3ce

SHA256
e014584fea182bcbebd50c30a395b3f4438c1efd31edbed51211fbc8e8723344

SHA512
1740ef008b263e85e798ab652be2e0e1da127356df58a8e9bb598000f7887ee40f6c99693be8a0d897b3ab6a4a1667cab9435163d184cf64956feef5f8de734b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5f1a5b577cc2b2136d243f1d8bf8f6f2

SHA1
f46c8a73bc848abcd252ac3207c775c72d00a45f

SHA256
e8c14b8401c843e3d59ed3062788fb8e0a9f9840c809b790b547355070efd663

SHA512
7105082420c67dba62ef55352ff4201237dcb4d8e5ce49496ad442aba46d376b4b692a8a8a22a797a21d199d24c2c903784956b7a22a42e45bf344b6383af6a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d4eda993f405058a1389880ef075b12e

SHA1
8ff4082dd8215980f62b87e457ac9f9f851607a5

SHA256
6a71d0638605577474d9d2cc0acf1e7389ea7d378cf77328affa13fdf40d1074

SHA512
95731c30abf7a3ac41e0098ac4088f57ccd94b4fce1d3a90bd12a91cc49d639671689968a9ef472fc5c5c0e2a68b5d867a03f842d0b732c22ad1649f9ab6569e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7f65f0d070f8dfa18c373381e392c3bf

SHA1
b6dafdb92ec4e69171de64b7bfe19ea8f0a8d629

SHA256
8d20488410f07e11206e1458ba69cd097728e85f4df2ead503c690a76e742df5

SHA512
47223632a0710daaef36e8ec1db86d9cd419c9604dd0091e21391a6494bcd5654bd2dd013770531141a970511f932167e9ad69e64e55af1b43e7841e84cd257a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1f7acaa6acb9c88d1e7580dca2663787

SHA1
baebf16a3670a12a757ce1f8b60d0ba60b9df0b2

SHA256
3b3e0dad6968a6f8ecec37a26ce5cb4406b3d2beb9e75d244b24df8af16fb5c9

SHA512
94c828901084986ca37f7ea9294b599a094119a589964f4cee7286b2396bee11936e5a988945e23130f741e7c8703d963460c894852775302bd44654c8c9c4d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
77137e8842390115b887ad56a8ed9d0a

SHA1
4512303cd1ac3290cc486c4df91d378ba4ef5c9e

SHA256
23ea56388af1504d5aa09b158c00dbf359f327b6f0d0bb25a591e77b715b6642

SHA512
d8f552593297e85550453e0b37f50d9ef0136a254cdea2d5565dd264ea6c33b81451e7bff7281f2435ad68c6b955fcc9adc7df29840bd318b6912f659314a715

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e53f3018bf4900f607059a9ab06a599a

SHA1
5b64e0725a5d4089d6a1d830320c762b3992ed65

SHA256
c2a1d6655df1c8a9c4ed5e5bb759374dce7b9124bab277c07f153615a1589da0

SHA512
a649796b7e8e4633834a513e9a3524d54deebc53726338bfe6d3370a78df54b4a5eec2a1fdee3f1ea0ac4d06c04d71c8c1bc564d7f283807016e345beb889990

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dabe4f72a155703288b9b88358ad6f07

SHA1
a37ab575775c00b7af5ef9817d87dc96ee944a69

SHA256
c061b7075105879b2baaa3867ba0172f80c6a058972c7ac570e23dab9fd9212a

SHA512
89d7871d08346f0669cb6cb22da369b68d9949a8ba37718f11d840e65d6936b368d45ff5ad14568ea9f71e36b7d0a9f1b163273e83ff3cb8e66c3d6fbd3b26d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
44a39c7a98bf1370b0a74c59a4401588

SHA1
43e2d672cf0b6a42a58b2ddc84e52ca4baaef872

SHA256
952d3f47d05f695ce3f8d10724734db5b805be0648f7daf9000189af34e2bc75

SHA512
0bc2e3ced504ba4ad03816398199d6b0e3e358ac512f246b6befea91d173537af3619fbdb6b74d259a5e77b7629ef2669cbd275c49acdfcfea8d4332b076a3ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
99bbaf2003c943cd81b73d4ec41fab16

SHA1
c7aaec87e1f7720d27c01cc45268b05fcf469132

SHA256
eca0b712b529a6a83252e18e274cfc7604ed50e04d5b37296ec3f4a7aa3f7fb9

SHA512
cfdb5e039f836aaffb4106684d62b34dde36256c16add8a5377a02e4fa0396f7de0bde7b1885781c1addabcdf4863597331bf51cc25c3ce6631ca839740fadff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e5d4de2b7241608eb15905c61a8b4093

SHA1
e97734aaa557888dd921e102fb6bf6bc763282c4

SHA256
6a53263366daa1e803d1a0827faa63634a1da33b3d1419c119e79db83bb64d77

SHA512
4a98c01d203c1254ae974e97c4f4d5514496bda40266229d4b079c78fcc778884927269f284c7a2362371abe82f5bc964f9068a583850c39f0a66d7b1a7d951d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4fa9b62b61959d81472192bd6e74e607

SHA1
eab142333a427f62a5473672fa2ded44584deb17

SHA256
a814b8b93d0644b1c2a37c66264528128db40ec6a889046394547d1dce09f561

SHA512
60fd035de39d2139d37e3b79e0c2dd0ea546751c46e823472c9aa4d11b9708d9a8edb702bad0fde00826177429f2318f54c57b7474438b6612c94d05debe7f2b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
7746769e47f8438685b744e4852281be

SHA1
b4ad6c94850028dfb2bd372564c66c2bb133fb6f

SHA256
d7d65c83b4141da3583f56cd225a87b682327b23117147ab65f2f00509cfd141

SHA512
312a0084fd7092086025c2d7ec7d3c249f9a5d66b966e7f2a936cc89bc565e0847d91dc15b27bfe7f57a729c28ad0b1ae0e0b7f1e89f13cafc81c57415158a0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
e7ab89c80d53d8e658a775cf63d04e7f

SHA1
fb407302b058bb5b62fddb4b2798ba938e493d0a

SHA256
d24f808bf028ca389a7a2867ed2c8590656901c47ec7055b30c298df80cef071

SHA512
cc2706a668276972d9ecacb4a92449683eac3e060e16da09e099bddce36ba3407573094cd10c672b7a3b106a0dbf8cb02c63589ce28ab59578cae51cf9408ad5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
243792b22f3dde1dc3f2d35cc40e890d

SHA1
41d0066025d121afae5f616ef0cb44b9056ec40d

SHA256
d8cbf92f54b0a4be636ec57ca55ffbb69c8de40dd400c5cabad9d0bf42a82ec9

SHA512
1f3a8480a77d76d5c11393c433646b6f5ca0ebd10cb907f75f91357fd16c0191a902dfb446daaf2675f72696cc8a9782e2fa0b1312ebafa38aa80ca65f795527

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
244KB

MD5
06075826ba2e91140865abad6cf764eb

SHA1
c971b7a53877c68b334c4cb3f2c0bf29a5fb0945

SHA256
720d92feb257400a1b9bee8a23e27d185c4d7fe3ee6195dc30100efb92c2e34a

SHA512
762695fea71ce7a81fbf7622eeadc8175fdeaff97408826c2d74d64b114f6de5bd11cc3f857ac0e0253c2843e5d6de12319abec4116e90ed57e767d4071a6875

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
a4c071e3c5c572bfc836bd1eca26cdd5

SHA1
a53c4aa0abd4a9fcaedbeebb529e1ac663bcd728

SHA256
1275a4fdecbee581d5fa25972b2c724e17523140962cf43047a21d041e3b69b3

SHA512
78526c9c2482e0b37198e5c95f841fe459cd4b4d8188991ac3ace1ec27f36c5e76ebd98fca77fcfa854ea5fb03b1eaa8c9ef380966df262ddb159eff70b296e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
20609e816930200e6f8c2943561634c0

SHA1
4e238d555cdf47aa55a2848674574bbd13cc80b5

SHA256
1da09f94c253e1ef4ad4f8482312e3a412be2222b55581838697818bee95faf4

SHA512
41922becc20d37bd47081cd6d59b33bbdf6044f33b0355fc4e7744723c80177ab5bce38ad1c3bd6f2ae540a32752b17df5408b5a9d891838422006460d11843f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AsyncClient.exe.log

Filesize
522B

MD5
db9f45365506c49961bfaf3be1475ad2

SHA1
6bd7222f7b7e3e9685207cb285091c92728168e4

SHA256
3a8c487575696f7ace931dc220c85a47d33e0ead96aa9e47c705fee5dfac667a

SHA512
807028e2aed5b25b2d19ec4f09867746456de4e506c90c73e6730b35303511349a79ca0b9290509664edc0433d47e3fc7f2661534293ebb82185b1494da86a41

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA076.tmp.bat

Filesize
147B

MD5
3f8624f9c82a3cb55db6c431904fdf5b

SHA1
239065c94ec3fe8cee9943f7d872e46e512a326d

SHA256
e43c7b49baf0de0c34773e71fe00b31ca755522e01ef32567eaf84c42435f1d9

SHA512
d6e98b3d38a9ae83be1708986202c6a6e97c2ca40a772191d8d4f6d04873784ee701f5825cdcf368b2452a1b002f9efd599290b29e12c0187091300276d910f1

Download Submit
C:\Users\Admin\AppData\Roaming\hey.exe

Filesize
47KB

MD5
c792e7efbdb2d57c605efcb45a48109d

SHA1
eb0c663a68aee213c6b64e1f10207409f0da5b20

SHA256
e544ff3ed62db97c02442c849b3214a7b3d913fb73b430d79edf557e7ec91555

SHA512
f407285fd965f6d7e5ea42312fda6159cd9546480e2752983cf6f784c414ee040446c6bbb595d27e9d27d07e5f59355265fe7384f6666af86c3c6a8e1aa74b33

Download Submit
C:\Users\Admin\Downloads\AsyncClient.exe:Zone.Identifier

Filesize
113B

MD5
d1b40eaa58d6baa355c8f4980de7b513

SHA1
183156b6042c361a77f86d46c9eab703aaae9414

SHA256
918b1c9fb31a690de73f266fbe6736cf4e7dce2435ea3674406bff0562585741

SHA512
f68e1b1091aab4308abfd25814ee68e58e9ad3ca0e537d3c24ce8239345d524bc6fc68b019d58f9f2137a2d6ab35bbaa03814ff28ca817b3774128e13ed0a738

Download Submit
memory/1424-37-0x0000000075240000-0x00000000759F1000-memory.dmp

Filesize
7.7MB

Download
memory/1424-17-0x00000000051A0000-0x000000000523C000-memory.dmp

Filesize
624KB

Download
memory/1424-0-0x000000007524E000-0x000000007524F000-memory.dmp

Filesize
4KB

Download
memory/1424-2-0x0000000075240000-0x00000000759F1000-memory.dmp

Filesize
7.7MB

Download
memory/1424-1-0x0000000000720000-0x0000000000732000-memory.dmp

Filesize
72KB

Download