asyncrat | hxxps://files-ld[.]s3[.]us-east-2[.]amazonaws[.]com/client[.]zip

Resubmissions

12-10-2024 17:33

241012-v4xynasdmd 10

12-10-2024 17:30

241012-v3arqswhjr 3

12-10-2024 16:44

241012-t8t7wszgnf 10

12-10-2024 16:40

241012-t6l4havbqn 10

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://files-ld.s3.us-east-2.amazonaws.com/client.zip

Score

10^/10

asyncrat new discovery rat

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

New

147.185.221.19:22240

Mutex

komvqogocxtmko

Attributes

delay
1
install
true
install_file
new.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\new.exe	family_asyncrat

Executes dropped EXE 1 IoCs

Processes:

new.exe

pid process

3612 new.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1480 timeout.exe

pid	process
3612	new.exe

pid	process
1480	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133732248351221227"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings chrome.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

1084 schtasks.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	chrome.exe

pid	process
1084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

chrome.exeClient.exenew.exechrome.exe

pid	process
2580	chrome.exe
2580	chrome.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
2564	Client.exe
3612	new.exe
3612	new.exe
3612	new.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
4040	chrome.exe
3612	new.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

2580 chrome.exe
2580 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe
Token: SeShutdownPrivilege	2580	chrome.exe
Token: SeCreatePagefilePrivilege	2580	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

Processes:

chrome.exe

pid	process
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe
2580	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

new.exe

pid process

3612 new.exe

pid	process
3612	new.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 2580 wrote to memory of 464	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 464	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 1100	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3728	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3728	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe
PID 2580 wrote to memory of 3648	2580	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://files-ld.s3.us-east-2.amazonaws.com/client.zip
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff86669cc40,0x7ff86669cc4c,0x7ff86669cc58
2⤵
PID:464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,9960825233616051402,9617665545723803427,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
2⤵
PID:1100

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,9960825233616051402,9617665545723803427,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:3
2⤵
PID:3728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2184,i,9960825233616051402,9617665545723803427,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2204 /prefetch:8
2⤵
PID:3648

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3084,i,9960825233616051402,9617665545723803427,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3104 /prefetch:1
2⤵
PID:1200

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3092,i,9960825233616051402,9617665545723803427,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
2⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4776,i,9960825233616051402,9617665545723803427,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4820 /prefetch:8
2⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4472,i,9960825233616051402,9617665545723803427,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4868 /prefetch:8
2⤵
PID:4040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5088,i,9960825233616051402,9617665545723803427,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4864 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4040

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2384

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2564

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "new" /tr '"C:\Users\Admin\AppData\Roaming\new.exe"' & exit
2⤵
PID:3216

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "new" /tr '"C:\Users\Admin\AppData\Roaming\new.exe"'
3⤵
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCB79.tmp.bat""
2⤵
PID:4336

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1480

C:\Users\Admin\AppData\Roaming\new.exe
"C:\Users\Admin\AppData\Roaming\new.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3612

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:2920

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:2036

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:4628

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:3644

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\048ce028-d0cf-4800-898b-c14691245875.tmp

Filesize
8KB

MD5
12485df417fd190cc2cbccbc9f0de678

SHA1
c944d27ca425962ff3a223237b6c34c047229be7

SHA256
2496da82e7328d6fff3ce845a27856cc72be97b97b918604089b330d29287f97

SHA512
c1d61d738e0b5d713187edc94515bcdd6041034805c104dabba077fef5e089482ed8b6b01008db0bf16a4a9dbd7a63ed2a53ae31909a348bfa890dcd6059ba99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e0c0825384ea45f9e15f783d67661d29

SHA1
3c7c04679c192faf576acd6484f25e58f756a5de

SHA256
9d31f6cad0caaa3ba7a1d74087aa0d1c3855e04a418b7c9035ac574926ab5ddb

SHA512
8d3db2924f1470360e1b57da366137bef865704f0da4468563342ea07f794ecad0825fc167603abfc86a3fcce313b635de6987fc11dc12268975e47da3bd4087

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1558c84aa403f1bfc4980f4b645eb2e6

SHA1
155a840db399c0283e22cac054e45e9578be854f

SHA256
b8932691268700a4f1546e14b25a4c4d3fa9b38142c108e02dc7ce86c39dc13d

SHA512
22c37a9bb396ccc6c7cdd5ff24cd5c0bcd1d113a2aba030cac3acf7c47e1bfd7f0a2e915b02d735c975b274e1c98562dc010d6c97bb35a254b5eff4e67aab478

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
71808d14cffcac7212a40d4959988ce3

SHA1
e6c0ce1938c85adacb3a4f455b7afdeade7f7171

SHA256
9752407c31fbbffa06481811c827a6ce501da6c6e4b8f47fbec25e9f4448b32f

SHA512
59fb1fda0b1f195f3e8a8455a6c1ba4b1aa9497212bacbaf7f5f71709425db587021e70180fd09030545732c47a75ef70d7d744cffe2cc122e7898afdbbf61e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
f6a5246c3c92c9d72432ca7f21d3e35c

SHA1
d97af6d0fa4dc9a52f9e71a25fcc98829831cd5c

SHA256
302f866eb216583fc452bbeaccf4c0b5f52af1eba45c424202fd2534b86288bb

SHA512
b30fcb1be057aa1259f5d284815423c2a6a48262ed19b5388609ebd44bcca175cce6cdcceb27dade740d5be7290bc5bc706a07a4ba8640f7a69ee39ebd445363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
71c91e3239cb91f87b703ff12b3e0978

SHA1
16678384d8c7b4815689416981b01230533d058e

SHA256
3a281a581fc06623ce9c23919e071d28946d4133ead52d8fe9b7055963799e40

SHA512
dd6cc7e42bf4cc162a451873b00e4d83e5b09274d9abd7b3e9e9fc3af9f35798746f0d72b565de6144ccfa179139192dd143ee4011510bf26d6d09b680772b13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
edc1a1d131dfc264bdd93f6f1cfd454b

SHA1
7cabb609952836b1d0d5fefac0bbb4babcf67eef

SHA256
8bf2d580d815a0f613903b19511c78812a80344eaee1e216d0f809360a803734

SHA512
9ce1e669dfb0cca17f0f29ae04840132880ad68c9be27f86da78f2fed2cf39063f533d20d7109d3cce36ccb2b6c2d532d2fc2d459d616f18d401d7ab4b0d3eef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
09440968a91b351e13c264f196befe9f

SHA1
98d3a3966d919a8fe8068a99d64e711bbb7f229a

SHA256
70bc2d1e2643fb46b4e5e2a52bb0460e271b1c8df4a46c2578462b22cb634070

SHA512
67370c495c6a1b07f5d2190614a3911116f6445c6236b703830d50b035c1f9467214742652365d88080ec2293acd092fb91fe490818d713d334e48b0e4b44878

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
af4c93d7fba38fcd378e46b68b0fbec5

SHA1
677ff33b6eea42ec49d03371f9996180bf5dfa2d

SHA256
299bb6ba933aa262130f8d088e774624877fe2a54145b6ec33c5efe53ec25f77

SHA512
f4ff4959a1b54c4896a2b37cc2217a67855e56cf455214b839114824fd42d4e6b912dfbba738a0bef677a76195c270c85a525ac5c5a130a5deeb4fa64a5eecfc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a59f66ac60d02432b8553873ae7587d8

SHA1
125b801a864420231a4505b1e536ca68ca84be0d

SHA256
3aecfd06ea705d9b2708b3911b5f57621767964c6c06501fdb21292658f4edd5

SHA512
2be0b3a7d38a8290dd808d7d6b615dc018353f3382fcfb90113ff972d5b1102e4e26bff17f8cc9e6c44290937e37fee0725bb946dd6af7c7d7ac984adfcac38f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
fc6dea31659e5ec255e42128abda53e0

SHA1
5cb30228c3ecef601c7a905b840877b70e292910

SHA256
f4ff87133f902e699fcb3adf1df6a842b9747ee7e083bca1c2c8b4b983d9bedb

SHA512
7139dd8429933b1bc037de82ce609948918b8ac3ac1db6a1fb0e8a2b19ba0aadbdeb31898f8ebea2f67b730febe3fb61ffb62abc555983ee57824dd4760dbf2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
3ab1e6b9adbe64d69f6437c8702d08e9

SHA1
2180d045b180579a216ffc17528abe6cdbf511c2

SHA256
100c29ff64fbd4ac85d78e09e2b2bf40165d71515f9ec5fea10614e20528bba9

SHA512
524fc443bdc07b9770e87de34c0b54c734dc7702d47f2f7762867e0c7e8c94998a5e7380f799f2e7996a78140c1efe0fe9516de690308ab6c0bf131f55f2760e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCB79.tmp.bat

Filesize
147B

MD5
ee354667e67051a0a959a3c411afb4f3

SHA1
478afac38424b21e8db55113bfa9d4fb600f5e14

SHA256
3f694999a8d806379f0447603a4c70231a0b283ad785c5fa45457016caec4ab5

SHA512
41dcac8e3050cef7e6abd9b61f0a4d693452cb40e73d173e52e08d7e779883ccacfc28c1d948f05cc5e06bed69cc021d33440b6c9d9deeebaf4fedcc57116f0d

Download Submit
C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

Filesize
8B

MD5
cf759e4c5f14fe3eec41b87ed756cea8

SHA1
c27c796bb3c2fac929359563676f4ba1ffada1f5

SHA256
c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

SHA512
c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

Download Submit
C:\Users\Admin\AppData\Roaming\new.exe

Filesize
74KB

MD5
7e98ce3829f6afc0318ac2deea0680ad

SHA1
2f63adade7fa8ada790dd8f30045db1f64ab575d

SHA256
994a3ffb6fdde0851e076dc9e42262538481e285979c8ead8ed00e7580b61b3b

SHA512
3507eeb3c8eac5cc1438e6dc9e259553537386b456a0883e13cfa691f80496d0e1b01177848c338d9e134bd40e1455551b5ee36f3a510c4cb2ac3aaf3f98d33b

Download Submit
C:\Users\Admin\Downloads\client.zip.crdownload

Filesize
34KB

MD5
487a9d6044844f9addd0a2379b2ced05

SHA1
873d6b1ba9a4712295faf82ab138e32746f58d1d

SHA256
99ff4121626b82849bdacb05e73c4fd747e6853eb3e96e3aec57bb1b8153ce1d

SHA512
6b46ccb475c810e79b4605a3b49aa6bd955d80b851dd16ea71064cf03b65efacd804d725d4aa717669b2d3fe3c55ed0656d50ad74c8d091b233e6dd96a203cd2

Download Submit
\??\pipe\crashpad_2580_AFSPJFWMECVKLYPS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2564-98-0x00007FF852A10000-0x00007FF8534D1000-memory.dmp

Filesize
10.8MB

Download
memory/2564-97-0x00007FF852A10000-0x00007FF8534D1000-memory.dmp

Filesize
10.8MB

Download
memory/2564-92-0x00007FF852A10000-0x00007FF8534D1000-memory.dmp

Filesize
10.8MB

Download
memory/2564-90-0x0000000000B60000-0x0000000000B78000-memory.dmp

Filesize
96KB

Download
memory/2564-89-0x00007FF852A13000-0x00007FF852A15000-memory.dmp

Filesize
8KB

Download