asyncrat | e00de00f1dd4187b6bd9e863ffcc29ca4101feb0ef1906e0f01864533244e3de

Analysis

max time kernel
264s
max time network
390s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
02-06-2023 12:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

async_modified_0.zip
Size

32.2MB
MD5

489518b14412de03373efb0f6748c10d
SHA1

79407cb3ef838c74fed7af8ae2a15343a8061170
SHA256

e00de00f1dd4187b6bd9e863ffcc29ca4101feb0ef1906e0f01864533244e3de
SHA512

2e70cac4acba1f1ac20906463b82956ccf6c8ed6af59abd94251f697ae5decd0ffbe6d116b8ebb02d26388dfefdcec967fa3988be75fd9fc78a45f93c049b8be
SSDEEP

786432:G3B7Da83uoAOcbRRnMNHXUGrbFiuRrjqJgzS5VamIwsdzl09u/MWUApGa:GR7DaOuoLORRMdXUGrbssGJQUIwsF/9B

Score

10^/10

asyncrat default rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 3 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\async_modified\AsyncClient.exe	asyncrat
C:\Users\Admin\Desktop\async_modified\AsyncClient.exe	asyncrat
behavioral2/memory/2616-362-0x00000000002B0000-0x00000000002C6000-memory.dmp	asyncrat

.NET Reactor proctector 17 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
\Users\Admin\AppData\Roaming\svchost.exe	net_reactor
C:\Users\Admin\AppData\Roaming\svchost.exe	net_reactor
C:\Users\Admin\AppData\Roaming\svchost.exe	net_reactor
\Users\Admin\Desktop\async_modified\AsyncRAT.exe	net_reactor
C:\Users\Admin\Desktop\async_modified\AsyncRAT.exe	net_reactor
C:\Users\Admin\Desktop\async_modified\AsyncRAT.exe	net_reactor
behavioral2/memory/2604-280-0x0000000000950000-0x0000000000990000-memory.dmp	net_reactor
behavioral2/memory/2652-279-0x0000000000E30000-0x0000000001418000-memory.dmp	net_reactor
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	net_reactor
C:\Users\Admin\AppData\Roaming\svchost.exe	net_reactor
C:\Users\Admin\AppData\Roaming\svchost.exe	net_reactor
C:\Users\Admin\Desktop\async_modified\AsyncRAT.exe	net_reactor
\Users\Admin\Desktop\async_modified\AsyncRAT.exe	net_reactor
C:\Users\Admin\Desktop\async_modified\AsyncRAT.exe	net_reactor
C:\Users\Admin\Desktop\async_modified\AsyncRAT.exe	net_reactor
behavioral2/memory/2248-431-0x0000000000C30000-0x0000000001218000-memory.dmp	net_reactor
C:\Users\Admin\AppData\Roaming\svchost.exe	net_reactor

Drops startup file 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	svchost.exe

Executes dropped EXE 2 IoCs

Processes:

svchost.exeAsyncRAT.exe

pid process

2604 svchost.exe
2652 AsyncRAT.exe
Loads dropped DLL 2 IoCs

Processes:

Loader.exe

pid process

2512 Loader.exe
2512 Loader.exe

pid	process
2604	svchost.exe
2652	AsyncRAT.exe

pid	process
2512	Loader.exe
2512	Loader.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

7zG.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Local\Temp\async_modified_0\async_modified\Plugins\desktop.ini	7zG.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\async_modified_0\async_modified\Plugins\desktop.ini	7zG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2772 schtasks.exe

pid	process
2772	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

chrome.exeAsyncRAT.exe

pid	process
1524	chrome.exe
1524	chrome.exe
2652	AsyncRAT.exe
2652	AsyncRAT.exe
2652	AsyncRAT.exe
2652	AsyncRAT.exe
2652	AsyncRAT.exe
2652	AsyncRAT.exe
2652	AsyncRAT.exe
2652	AsyncRAT.exe
2652	AsyncRAT.exe
2652	AsyncRAT.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exeAUDIODG.EXE7zG.exesvchost.exe

description	pid	process
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: 33	1584	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1584	AUDIODG.EXE
Token: 33	1584	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1584	AUDIODG.EXE
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeRestorePrivilege	2672	7zG.exe
Token: 35	2672	7zG.exe
Token: SeSecurityPrivilege	2672	7zG.exe
Token: SeSecurityPrivilege	2672	7zG.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeShutdownPrivilege	1524	chrome.exe
Token: SeDebugPrivilege	2604	svchost.exe
Token: SeShutdownPrivilege	1524	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

chrome.exe7zG.exeAsyncRAT.exe

pid	process
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
2672	7zG.exe
2652	AsyncRAT.exe

Suspicious use of SendNotifyMessage 33 IoCs

Processes:

chrome.exeAsyncRAT.exe

pid	process
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
1524	chrome.exe
2652	AsyncRAT.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1524 wrote to memory of 1436	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1436	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1436	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 628	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1172	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1172	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1172	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe
PID 1524 wrote to memory of 1592	1524	chrome.exe	chrome.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\async_modified_0.zip
1⤵
PID:1348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6fc9758,0x7fef6fc9768,0x7fef6fc9778
2⤵
PID:1436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1216 --field-trial-handle=1232,i,8162204440852079662,5720712796632161914,131072 /prefetch:2
2⤵
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1464 --field-trial-handle=1232,i,8162204440852079662,5720712796632161914,131072 /prefetch:8
2⤵
PID:1172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1648 --field-trial-handle=1232,i,8162204440852079662,5720712796632161914,131072 /prefetch:8
2⤵
PID:1592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2196 --field-trial-handle=1232,i,8162204440852079662,5720712796632161914,131072 /prefetch:1
2⤵
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2240 --field-trial-handle=1232,i,8162204440852079662,5720712796632161914,131072 /prefetch:1
2⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1216 --field-trial-handle=1232,i,8162204440852079662,5720712796632161914,131072 /prefetch:2
2⤵
PID:2348

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3712 --field-trial-handle=1232,i,8162204440852079662,5720712796632161914,131072 /prefetch:1
2⤵
PID:2448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3892 --field-trial-handle=1232,i,8162204440852079662,5720712796632161914,131072 /prefetch:8
2⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4104 --field-trial-handle=1232,i,8162204440852079662,5720712796632161914,131072 /prefetch:8
2⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3976 --field-trial-handle=1232,i,8162204440852079662,5720712796632161914,131072 /prefetch:8
2⤵
PID:2624

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x544
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1584

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1400

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2120

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\async_modified_0\" -spe -an -ai#7zMap30697:112:7zEvent18396
1⤵
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2672

C:\Users\Admin\Desktop\async_modified\Loader.exe
"C:\Users\Admin\Desktop\async_modified\Loader.exe"
1⤵
- Loads dropped DLL
PID:2512

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2604

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
3⤵
- Creates scheduled task(s)
PID:2772

C:\Users\Admin\Desktop\async_modified\AsyncRAT.exe
"C:\Users\Admin\Desktop\async_modified\AsyncRAT.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2652

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2876

C:\Users\Admin\Desktop\async_modified\AsyncClient.exe
"C:\Users\Admin\Desktop\async_modified\AsyncClient.exe"
1⤵
PID:2616

C:\Windows\system32\taskeng.exe
taskeng.exe {E238E235-D8DC-4BDB-8586-8274911EAA1D} S-1-5-21-1283023626-844874658-3193756055-1000:THEQWNRW\Admin:Interactive:[1]
1⤵
PID:2264

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
PID:2420

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
2⤵
PID:568

C:\Users\Admin\Desktop\async_modified\Loader.exe
"C:\Users\Admin\Desktop\async_modified\Loader.exe"
1⤵
PID:2380

C:\Users\Admin\AppData\Roaming\svchost.exe
"C:\Users\Admin\AppData\Roaming\svchost.exe"
2⤵
PID:2396

C:\Users\Admin\Desktop\async_modified\AsyncRAT.exe
"C:\Users\Admin\Desktop\async_modified\AsyncRAT.exe"
2⤵
PID:2248

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF710eff.TMP
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
720720e968d5bca74623b752290ffe2c

SHA1
edabed66c2e2a09147482aca88c5c23ef1099773

SHA256
97d35fe5d3c48f49aa4bb3784aca4d5719fd0d414df7ce77e74f07cf1206fe35

SHA512
921383e8dc3f66efc1f02cba6dce6cd81a625283116bea28337f3f079bd85990b4b05ab7d663a080795276cb352f5fa43237a447a01dd9b099dec04df5cb4297

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
4KB

MD5
51f123336f6f6fdfa9bcba7f00b81031

SHA1
63bf2fdd30dfce9e55305ddeb7a7c7788c0f0235

SHA256
d875be6bf5e2f237c75310bd21876a00dfa983075dc3b925af66ebd9c74b7b76

SHA512
b92f553a734e1730e13269df48a0ff54a979b9a64bb0f836a072ab323f3ebd8fc057eec419a350e2e62269dcfb912df53a470cec6d21d69f1f7b6f02b5eeb342

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000004.dbtmp
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\hAZKu1Ue9dWeb20rqUE\AsyncRAT.exe_Url_pxzzo2mxqvqdmtn4sisogcucyfn44et1\0.5.7.0\l3525f5b.newcfg
Filesize
439B

MD5
8521aa3937baad8a2a7b5cc5235ff8aa

SHA1
7eb5786b9963c386a8f0e9666c4ad54378401fc6

SHA256
8f64e2ad952c408bc8e12dcc0b0bf16d8778fd6aaa779ee2639ea42e94efdd67

SHA512
bd607e8d3b63e41afa351b9e41b61436f037f306b2be41397cff8b260747a5ba199e6deaefcb39f9f42c88256fcb51f624549756e66e0de34de32bf9d93fccf9

Download Submit
C:\Users\Admin\AppData\Local\hAZKu1Ue9dWeb20rqUE\AsyncRAT.exe_Url_pxzzo2mxqvqdmtn4sisogcucyfn44et1\0.5.7.0\user.config
Filesize
319B

MD5
f71f55112253acc1ef2ecd0a61935970

SHA1
faa9d50656e386e460278d31b1d9247fdd947bb7

SHA256
d1ad588a08c8c0799d7a14509f1e0a7ae04c519102ed9d328a83fe65999e6179

SHA512
761b5c13e39bd4ae21d298084bbe747ae71c383fedf9a51fd5e9723a8b3b4547de459d82bac7f3f8f3bfc11cfb0528a4f1057b51996d7d046583109a53317b44

Download Submit
C:\Users\Admin\AppData\Local\hAZKu1Ue9dWeb20rqUE\AsyncRAT.exe_Url_pxzzo2mxqvqdmtn4sisogcucyfn44et1\0.5.7.0\user.config
Filesize
319B

MD5
f71f55112253acc1ef2ecd0a61935970

SHA1
faa9d50656e386e460278d31b1d9247fdd947bb7

SHA256
d1ad588a08c8c0799d7a14509f1e0a7ae04c519102ed9d328a83fe65999e6179

SHA512
761b5c13e39bd4ae21d298084bbe747ae71c383fedf9a51fd5e9723a8b3b4547de459d82bac7f3f8f3bfc11cfb0528a4f1057b51996d7d046583109a53317b44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1283023626-844874658-3193756055-1000\2b44349f4a1016b5927f50d6f9a2c837_97ec3239-d8ea-4bc4-8ce8-63e2080cbe23
Filesize
3KB

MD5
9264885888f2b27964a32e3314d5c38a

SHA1
b04c64baa7db2945636d262baf4eab7e5fb53f7a

SHA256
63aa8c316745f8cdbe8d9477a58124cfafd42d11f1cbdce5fa0a408199b90e96

SHA512
69c20c73db3a444606561622f367e591cdaa6fabcc2dc157b48b1d302c8e16e43b14c04b6e0c60eeb29db12a476a6c7af0b2cef4e0651bec77b8b2351c5ffcfb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
Filesize
231KB

MD5
eb6e93d48811825ae4e9c90bec2e8cbc

SHA1
ce93631ac2733b6eb4238f769e9af94f82876cfe

SHA256
049bc312bb80264bba937b76be6293adcf0fe02a0dc879247dbbb8b7b6e9c051

SHA512
ae61b42521b99a878e9a0631e61a42b342837fcde6e65a860a495568cfa03f1bfab7cd5b2c1f796010fe3f1a069b6b6a49e44c5ad939e852647d6c3b086d9c84

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
231KB

MD5
eb6e93d48811825ae4e9c90bec2e8cbc

SHA1
ce93631ac2733b6eb4238f769e9af94f82876cfe

SHA256
049bc312bb80264bba937b76be6293adcf0fe02a0dc879247dbbb8b7b6e9c051

SHA512
ae61b42521b99a878e9a0631e61a42b342837fcde6e65a860a495568cfa03f1bfab7cd5b2c1f796010fe3f1a069b6b6a49e44c5ad939e852647d6c3b086d9c84

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
231KB

MD5
eb6e93d48811825ae4e9c90bec2e8cbc

SHA1
ce93631ac2733b6eb4238f769e9af94f82876cfe

SHA256
049bc312bb80264bba937b76be6293adcf0fe02a0dc879247dbbb8b7b6e9c051

SHA512
ae61b42521b99a878e9a0631e61a42b342837fcde6e65a860a495568cfa03f1bfab7cd5b2c1f796010fe3f1a069b6b6a49e44c5ad939e852647d6c3b086d9c84

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
231KB

MD5
eb6e93d48811825ae4e9c90bec2e8cbc

SHA1
ce93631ac2733b6eb4238f769e9af94f82876cfe

SHA256
049bc312bb80264bba937b76be6293adcf0fe02a0dc879247dbbb8b7b6e9c051

SHA512
ae61b42521b99a878e9a0631e61a42b342837fcde6e65a860a495568cfa03f1bfab7cd5b2c1f796010fe3f1a069b6b6a49e44c5ad939e852647d6c3b086d9c84

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
231KB

MD5
eb6e93d48811825ae4e9c90bec2e8cbc

SHA1
ce93631ac2733b6eb4238f769e9af94f82876cfe

SHA256
049bc312bb80264bba937b76be6293adcf0fe02a0dc879247dbbb8b7b6e9c051

SHA512
ae61b42521b99a878e9a0631e61a42b342837fcde6e65a860a495568cfa03f1bfab7cd5b2c1f796010fe3f1a069b6b6a49e44c5ad939e852647d6c3b086d9c84

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe
Filesize
231KB

MD5
eb6e93d48811825ae4e9c90bec2e8cbc

SHA1
ce93631ac2733b6eb4238f769e9af94f82876cfe

SHA256
049bc312bb80264bba937b76be6293adcf0fe02a0dc879247dbbb8b7b6e9c051

SHA512
ae61b42521b99a878e9a0631e61a42b342837fcde6e65a860a495568cfa03f1bfab7cd5b2c1f796010fe3f1a069b6b6a49e44c5ad939e852647d6c3b086d9c84

Download Submit
C:\Users\Admin\Desktop\ApproveSkip.mp4
Filesize
645KB

MD5
82ed536807fc36f31de77d0c0bce6090

SHA1
9c7ef232b96b2612ca60aacfbbed9d386e36a4e7

SHA256
3cedb81011f48e8dbf4979e87738bc33c16fa5e9e627511245cdad3041106681

SHA512
555c079ced2ccf99d9c50f2cd834f20684c4ed4a60f0d9ecbe2ab762a94fa1cdf0d9fe74da854483e9792cd0effe8bb8475b045d107ed4189ba7cc480aa6930b

Download Submit
C:\Users\Admin\Desktop\BlockSync.svg
Filesize
547KB

MD5
3175b30113bb5000eb4bb0478aa1eff6

SHA1
70a48fbd5ae3e9dfd9780ef8903cb9ed2ac9b033

SHA256
2542b4616297386411eedbe3b0f35927d395201aaea7123b58180bea864a7898

SHA512
a360edd3cf0303f70456965214b01d73105f82d9671714a8d66f350163e9fb05f2d09f6a9f49469fce20246d96c85937300a82dff55508142a6fef22f74778d1

Download Submit
C:\Users\Admin\Desktop\CheckpointPing.cmd
Filesize
371KB

MD5
cbb2cd92a6349e7e181a7d9e9eb3056b

SHA1
ede3375d05ba32199c972fa44661acaef5389b14

SHA256
40d366e5dc374d2cac3f01e4c132f00bcf60bd14993bcefd3742bed0621d6703

SHA512
c9ce8c289f4bf967bb58ad9fc340836fbe2fb8635cadef59aba5e7a284c1bcb7dfe64bd701838fd27b7a334cb3de92e491c8110bc2a321b536c8d5dddc74c2ea

Download Submit
C:\Users\Admin\Desktop\CloseLock.potm
Filesize
254KB

MD5
706b94b9fafd3ae7e106df180c5f8ea9

SHA1
ac7058f509dd9eefa62a1adc1b540e76fff594fb

SHA256
b3fb6ee5ed3067989ecaa42a7f548e7678ff2f7844b4695f7800311360183fde

SHA512
dafe2659c3b1f82c1d4394d0d8603c93f4af8bee1d82dee70ff2e2befbf657c959f960075c7aa2e382cd6675ac0783d51e47fe40fee130bac1bf11006f95c026

Download Submit
C:\Users\Admin\Desktop\DisableSelect.wax
Filesize
664KB

MD5
5c62a17621d98b89eb573ef9026b6c9d

SHA1
aac87667c35a6157fa2ef1c1eff972100e35939e

SHA256
c9e122cfa067f365edf3cf76bfb6efc15790a17f106ef4a00c6c08cd8f14c138

SHA512
51b1515aa5dde0393ea5114981b0449e1366d169afb8d42605fec30f951b9464205e33389d686f3f52a77ec56c9fdb0134e91e04ff5718a2736589d9a0de5df4

Download Submit
C:\Users\Admin\Desktop\DisconnectHide.eps
Filesize
352KB

MD5
a9d341bae0bcd3dde697c533d814963f

SHA1
ddfcc1b7ce2bb8cfe32a52b8466e24f911368630

SHA256
7195828856a67f7238538ff69bc7478043440a7d8b426f853b5297137efdd33a

SHA512
1b54a4ab96ac1a60c2a036c46b4a2b49271c6493682b6eaa580652ba8f45c21f6e185dbf7c8f10e5c80d0808dba27d0e9dedd058f244d7040460760d949f7b88

Download Submit
C:\Users\Admin\Desktop\GetInstall.dwfx
Filesize
410KB

MD5
3c02b4a22c53e4065d82cd15ef61893b

SHA1
55d5d1ce23953fa7dc083d5409e53b9a8996ed7e

SHA256
4e36b372f5cc9ad1c911e0bd586113ae53263f4fb0b993c5df3bca34c1b9381b

SHA512
c4c22ae2c3a0a6e8c54181d66e37d5678ece2db442ad9a1b1943f5278a70c80cb7c7c80849f129e581029117e8c91c73ceb5f4455878efd46c59400867b2c3fa

Download Submit
C:\Users\Admin\Desktop\GetSubmit.dwfx
Filesize
625KB

MD5
0451a1f9b5e4324b39bbe76fda20314d

SHA1
b9b355dfb927565f440d301066d556985d4342ed

SHA256
1df73af3b40c0dae765915de86fc35e44b023d8ff53f3145e3a9afae15c9ca1c

SHA512
a8fedcdb887ac8a390b26ec85be97d52e235650af63d56a49e6f49cd81c180044499bf50e8fcda104a5284747e3db3cdc5a401ab90d35548a54b56911fb906bf

Download Submit
C:\Users\Admin\Desktop\GrantUninstall.pub
Filesize
430KB

MD5
619763bfb2c3779ecab226a3e15ddb81

SHA1
98f595fa4c8ee03387170eec845cc8c97f7abcd2

SHA256
42cde4914b8260339b389d4b679837b9728dfb2baae8869e1ee359fce9de3074

SHA512
82ac426e1fe251aff3927873eda39497cd6a8310957706aeceef1b0c5f1348d74c828e65405b7ae695705c1402ba5e2fe4b6088d0a522feb41b2b666885e3cf9

Download Submit
C:\Users\Admin\Desktop\ImportSwitch.ex_
Filesize
293KB

MD5
425a1c6f328b02a8fba6b398aea6e28a

SHA1
8759900146f1cbe11a97f74b9a9322daf0ab0e52

SHA256
8ab75b2922c97574db25f709df384412ca5991e849ec48a073be082781e79054

SHA512
dacf590e5a53d66ef30c2be6eea7f2a67ab9d29d6a9cf44d4dfa69db3a99e2bc930b68220d5b1086ec48300a94189b617ec5022072eb108ab632802b01c39b67

Download Submit
C:\Users\Admin\Desktop\LimitConvertFrom.iso
Filesize
488KB

MD5
320ea8d93f030b83459bdfbc07f04018

SHA1
4f966d25ca3e14f5a5912629210f7e14f81588b3

SHA256
841340af682128a2fae75416b4639656d58583094029364d9374bdf817eb7770

SHA512
8f3fc01ea09730c861b134c37f3814ec9071a1f198c22ee5e0f2912f96cc67b234767187ff4b3c603f482136aa47b6eb2617b67df3e6017642241545e11bd9bb

Download Submit
C:\Users\Admin\Desktop\LockBlock.ini
Filesize
586KB

MD5
091e9a0e1c1af022a2c665aa34f6a1a4

SHA1
83bba8e49b4de7cdd20382ef95dc4131a2b3c1aa

SHA256
59d695ac21c7ee61e85938b339a3567518aa44156f290eb145c8b0823824ca29

SHA512
42fff7e913ec3da5fe60616c153ab3c2706cc6d27194f1f5100ce13ca9b013226934ff8e6d6ef85a0e82c573e91963a54cf4034fc216c1f0f4ab4382a031bbf0

Download Submit
C:\Users\Admin\Desktop\MountRevoke.inf
Filesize
528KB

MD5
1e934151642d70c6d5d6d1dc109047e7

SHA1
f971f0246d331d459276dd92b10169104e34dd3a

SHA256
d5c018bb904de0836ff23bd46a393a68e6de81aac7c4dacff48e0310bf35c4b9

SHA512
cd946b65d05840c9d27f0710c0d5967dbaac0e8603295434c6ffc4b18c78c51f2e307704683f0d00c04e79bf752464ceb83d70786dba27351ec801128d0444c6

Download Submit
C:\Users\Admin\Desktop\OpenStep.3gp
Filesize
273KB

MD5
bf27c8ee05e682f32fa78c769396b1ef

SHA1
806ac04ccf752f9fa0872e6fc7eaca9c12206719

SHA256
cf05989eaf8e7cd387bbc368cc49d6af62b897c580825a5195d1d4fd2d159f5a

SHA512
5d065dd315f93c14796dbe4d98e08228528071294323dfd85cb66e3bc5edf45de0a8963e962a30b35e8b6d1d2d9600dbb4f7ae84fd09075c179e16f748550117

Download Submit
C:\Users\Admin\Desktop\PublishEdit.tif
Filesize
449KB

MD5
9ff97b20fc6f23a84322910f58f0b7d8

SHA1
2512849fef2efaea845ea282cfc11473e1bfac0f

SHA256
86e9c794eec495bab6fd8dc8be91a3207b54a9bd22da4d5d484f6857085eee09

SHA512
0b7559c745d2843ba7783b193f4507e4a5bfcb107c8153b3dc72a90a88bbf4a1ce9930c4c311bd70a07069f6b5b0a0cb2aa0663e792e7b37073c7b5120e60007

Download Submit
C:\Users\Admin\Desktop\RedoConvertFrom.svgz
Filesize
391KB

MD5
053c52a939ab303950bf39f0939202fd

SHA1
6db3c13f08ee7d436abb917b805f057bab965e70

SHA256
7f24ff9a600f21e8ca1fbcf0a4d1c339d977dbc0ae6977cc2c5c34599948bb2b

SHA512
7b8f5157e946eadfa4c37ce2489df3c30bd4c5fc2ba75f813a48cd2f67a2c3124c1ba149cdb5191bed3f1fa205c86a8e5dd3cdae36bb797ac369f965229b5ec0

Download Submit
C:\Users\Admin\Desktop\RepairCompress.ocx
Filesize
332KB

MD5
e954c84f42f6eb47004f9cee681955c1

SHA1
a0e19e3847404b62b4493efa700419da6f5002f0

SHA256
f2472b726a2179fe4b7fb73c8cd6f86b84baa60be949a0b0da7b7849c57591d2

SHA512
235e987c64c1c4493a71165fa265790687fa98a2620ddd5abe4cfcedab80a16473c2e121d305544ed576567611bcd0d715d8898832741610915bb91d6bb48ef3

Download Submit
C:\Users\Admin\Desktop\ResumeWatch.docm
Filesize
312KB

MD5
f0891187fdb103a811fe2509f179ca60

SHA1
cbe59dbf902095a517d83c3fd4bdf24d8547624b

SHA256
bb467cbd06fdc356cab2f95a61269150ea28506521ade48204aea20dfbce960f

SHA512
2264e6edb5ab6c0b972a5f8a5848f08db732583869b905999e2e9dc06e5be4a5307fe334ace0ae0b6b74474d0a957de611f57ef171fac2f6dbf92e3d4d07762e

Download Submit
C:\Users\Admin\Desktop\SendWatch.mpeg
Filesize
508KB

MD5
ed55cf9fd336bf4aa579474c982bf7fe

SHA1
0a5031c7a61ddab15b2c5037ccbb95ca26e5217c

SHA256
95c6723016a0f4fb1ab953a633be082a307ae2d029ef2f0a603e11342b0ec458

SHA512
45d37235e8c26cbc5d08acf42d5b7045108df17ec4706c9130807feb0f12895dd9685c1399ec5fdb5f50cb0dbd9be17f9edb440f920a2090ce4894c88967bfcc

Download Submit
C:\Users\Admin\Desktop\SwitchCheckpoint.vssx
Filesize
567KB

MD5
6170242691e01dd68fd686bf71175907

SHA1
743ec9cf927f8958b16ca7044af7a8fbb53abdbf

SHA256
188ab28b7164648040933eb22a382b2b64f7e88278d64d467c5879795945db8c

SHA512
82eba636cd826854a3bdcfd63c1f7088d3b15fbc9a9961ab350e169c4661bf5167be90e5115fd65e764462fc07ed0a01c8a6fea865e6c08049c3dd70b10e05fe

Download Submit
C:\Users\Admin\Desktop\SwitchCompare.bmp
Filesize
234KB

MD5
e7667e6d46faba8449f3b6320780b4d3

SHA1
63ce74c9a00ff7a1bea23f6c71f78c5a63aa5e67

SHA256
63eb5a2f3ae40d930866dc30662235e78ff50750176e4cc9bb78768dfbaa366c

SHA512
bce8bb37d4fcd4e69d340cf83cba4b5f33bc11c668b12459650505acdebb93279fe7e2d1756f9661605d3e6a6bc19c004d8a3fd6584541c4493126fa14aa5efa

Download Submit
C:\Users\Admin\Desktop\TraceTest.hta
Filesize
469KB

MD5
658e78631959ee09b8e3f6e6b7bacfd8

SHA1
50ebfbab0d1750c430d3ea3395543f1ab3d58328

SHA256
19a853110221c0daa3387831e5c6f8c94c728fe8216236e64639c610aaba119b

SHA512
bdb11597a3ce5379be5f118812dfcbbdb6527eaa04938c73ca1edf403c9d7d924b89b6c21a7f2228d420e4bdad7b12f6f1e7b6d0017e2757d81912d782d127c8

Download Submit
C:\Users\Admin\Desktop\UnprotectEnter.bmp
Filesize
919KB

MD5
7ee70570abee2c69c3d05622f513784b

SHA1
7092c24cee0741338ff2e300a9c97cd8c1e8c7f9

SHA256
d9960354617d6f7338164504b19deb2286e93060b3cd7175d592cb92c398f85b

SHA512
31978436658f1c3a6c4eb17610c5c271d2c63c91883442f71c82f01c73f2558adf5271f544a0c9625e488a4951eaa458bafa85467dd92ffd35bc89a59d62d307

Download Submit
C:\Users\Admin\Desktop\UpdateBackup.tmp
Filesize
606KB

MD5
3e1dde379669fdde72bf1573710822eb

SHA1
7e5451bf219bab40d3765348b07469fa81f5f180

SHA256
bea0637a73b9a3399cb9b1d64e041787d99ae6072518d42a1e8d5141d0c0c98d

SHA512
35a4709c9d70fb504fc576a9d81888e9504e259041dea69c7596c413525bb093fba88205ed4645f0e7c8977852e3d8c3e240900f0ae415a891e8f61c1179e076

Download Submit
C:\Users\Admin\Desktop\async_modified\AsyncClient.exe
Filesize
63KB

MD5
81c71237ec630d6056fa1f55b9290375

SHA1
749fac2d7ee2da4cc4411dbe44415c461a70f593

SHA256
60b3d76dac231ac0a0b469d433fd69cb60de619e0a7d03a5bf0626245008d756

SHA512
0e10627a533eef56a746fb4a95c8714be62317eaf037ee08345e09283cf0008ba340b68d9fce7b4d3bfd3b91a917466b3d3e357ffc99e4d4a95cab8f702eb57a

Download Submit
C:\Users\Admin\Desktop\async_modified\AsyncClient.exe
Filesize
63KB

MD5
81c71237ec630d6056fa1f55b9290375

SHA1
749fac2d7ee2da4cc4411dbe44415c461a70f593

SHA256
60b3d76dac231ac0a0b469d433fd69cb60de619e0a7d03a5bf0626245008d756

SHA512
0e10627a533eef56a746fb4a95c8714be62317eaf037ee08345e09283cf0008ba340b68d9fce7b4d3bfd3b91a917466b3d3e357ffc99e4d4a95cab8f702eb57a

Download Submit
C:\Users\Admin\Desktop\async_modified\AsyncRAT.exe
Filesize
5.9MB

MD5
94cefdebbed52959f5204ac14f558cf2

SHA1
545ed0a403620460a60097e9b3d279660cf862d0

SHA256
728efbbbd2ad6198c22c4fb0f52a9fbfd20c9923f22d6937afd00af99467f6f9

SHA512
68323126f3e1a3177f234edb147a1fde2b15320aa4ec22b614b6a079ddf65e1a455b7acccf1e4d750d8bc19cfe615e48d30e753d50b9a9bd24cbf9d413bc26a2

Download Submit
C:\Users\Admin\Desktop\async_modified\AsyncRAT.exe
Filesize
5.9MB

MD5
94cefdebbed52959f5204ac14f558cf2

SHA1
545ed0a403620460a60097e9b3d279660cf862d0

SHA256
728efbbbd2ad6198c22c4fb0f52a9fbfd20c9923f22d6937afd00af99467f6f9

SHA512
68323126f3e1a3177f234edb147a1fde2b15320aa4ec22b614b6a079ddf65e1a455b7acccf1e4d750d8bc19cfe615e48d30e753d50b9a9bd24cbf9d413bc26a2

Download Submit
C:\Users\Admin\Desktop\async_modified\AsyncRAT.exe
Filesize
5.9MB

MD5
94cefdebbed52959f5204ac14f558cf2

SHA1
545ed0a403620460a60097e9b3d279660cf862d0

SHA256
728efbbbd2ad6198c22c4fb0f52a9fbfd20c9923f22d6937afd00af99467f6f9

SHA512
68323126f3e1a3177f234edb147a1fde2b15320aa4ec22b614b6a079ddf65e1a455b7acccf1e4d750d8bc19cfe615e48d30e753d50b9a9bd24cbf9d413bc26a2

Download Submit
C:\Users\Admin\Desktop\async_modified\AsyncRAT.exe
Filesize
5.9MB

MD5
94cefdebbed52959f5204ac14f558cf2

SHA1
545ed0a403620460a60097e9b3d279660cf862d0

SHA256
728efbbbd2ad6198c22c4fb0f52a9fbfd20c9923f22d6937afd00af99467f6f9

SHA512
68323126f3e1a3177f234edb147a1fde2b15320aa4ec22b614b6a079ddf65e1a455b7acccf1e4d750d8bc19cfe615e48d30e753d50b9a9bd24cbf9d413bc26a2

Download Submit
C:\Users\Admin\Desktop\async_modified\AsyncRAT.exe
Filesize
5.9MB

MD5
94cefdebbed52959f5204ac14f558cf2

SHA1
545ed0a403620460a60097e9b3d279660cf862d0

SHA256
728efbbbd2ad6198c22c4fb0f52a9fbfd20c9923f22d6937afd00af99467f6f9

SHA512
68323126f3e1a3177f234edb147a1fde2b15320aa4ec22b614b6a079ddf65e1a455b7acccf1e4d750d8bc19cfe615e48d30e753d50b9a9bd24cbf9d413bc26a2

Download Submit
C:\Users\Public\Desktop\Adobe Reader 9.lnk
Filesize
1KB

MD5
64e95e5182271a97f61eb670ee66d384

SHA1
51f430b1eec892c16587ba9a2354eb356573b3bd

SHA256
7a9b2728e6e840f2b55128313c055a2b2e9d04cd048a8531d78dd0900e091022

SHA512
cd918860f7ae6a454e5e303cbd50594c6bc1b03ff35105e4a5a7a115af3adb396eccff62869bc96773ae710004bc31251d566913a96657c5b85dcb9b697563ba

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk
Filesize
878B

MD5
f80f8b61f7342e761adee79add575a6c

SHA1
48d2e8bedf74d3638cca6233c85e84b19853a275

SHA256
d401e5c861f8e958129c70b538241341b367c349f36075d5bbaa0382e90c63a5

SHA512
b4b64fcdaae5d67a9a309d62680000d0c1dfb735058ae3e74780322f1f30d79d5ecc8d9f93bac799f53c0b2d3fc7da1252067f3faed5f5395c4cadfff04a0ae0

Download Submit
\??\PIPE\lsarpc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_1524_XMZYTEMRMECDIPYK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\svchost.exe
Filesize
231KB

MD5
eb6e93d48811825ae4e9c90bec2e8cbc

SHA1
ce93631ac2733b6eb4238f769e9af94f82876cfe

SHA256
049bc312bb80264bba937b76be6293adcf0fe02a0dc879247dbbb8b7b6e9c051

SHA512
ae61b42521b99a878e9a0631e61a42b342837fcde6e65a860a495568cfa03f1bfab7cd5b2c1f796010fe3f1a069b6b6a49e44c5ad939e852647d6c3b086d9c84

Download Submit
\Users\Admin\Desktop\async_modified\AsyncRAT.exe
Filesize
5.9MB

MD5
94cefdebbed52959f5204ac14f558cf2

SHA1
545ed0a403620460a60097e9b3d279660cf862d0

SHA256
728efbbbd2ad6198c22c4fb0f52a9fbfd20c9923f22d6937afd00af99467f6f9

SHA512
68323126f3e1a3177f234edb147a1fde2b15320aa4ec22b614b6a079ddf65e1a455b7acccf1e4d750d8bc19cfe615e48d30e753d50b9a9bd24cbf9d413bc26a2

Download Submit
\Users\Admin\Desktop\async_modified\AsyncRAT.exe
Filesize
5.9MB

MD5
94cefdebbed52959f5204ac14f558cf2

SHA1
545ed0a403620460a60097e9b3d279660cf862d0

SHA256
728efbbbd2ad6198c22c4fb0f52a9fbfd20c9923f22d6937afd00af99467f6f9

SHA512
68323126f3e1a3177f234edb147a1fde2b15320aa4ec22b614b6a079ddf65e1a455b7acccf1e4d750d8bc19cfe615e48d30e753d50b9a9bd24cbf9d413bc26a2

Download Submit
memory/568-529-0x000000001AF80000-0x000000001B000000-memory.dmp

Filesize
512KB

Download
memory/2248-468-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/2248-432-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/2248-431-0x0000000000C30000-0x0000000001218000-memory.dmp

Filesize
5.9MB

Download
memory/2248-441-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/2248-464-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/2248-442-0x000000001B160000-0x000000001B1E0000-memory.dmp

Filesize
512KB

Download
memory/2396-433-0x000000001A8E0000-0x000000001A960000-memory.dmp

Filesize
512KB

Download
memory/2420-422-0x000000001AC20000-0x000000001ACA0000-memory.dmp

Filesize
512KB

Download
memory/2604-280-0x0000000000950000-0x0000000000990000-memory.dmp

Filesize
256KB

Download
memory/2604-294-0x0000000000860000-0x00000000008E0000-memory.dmp

Filesize
512KB

Download
memory/2604-282-0x0000000000860000-0x00000000008E0000-memory.dmp

Filesize
512KB

Download
memory/2616-446-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/2616-384-0x0000000004B70000-0x0000000004BB0000-memory.dmp

Filesize
256KB

Download
memory/2616-362-0x00000000002B0000-0x00000000002C6000-memory.dmp

Filesize
88KB

Download
memory/2652-284-0x000000001C1E0000-0x000000001C432000-memory.dmp

Filesize
2.3MB

Download
memory/2652-383-0x0000000023DA0000-0x0000000023DA1000-memory.dmp

Filesize
4KB

Download
memory/2652-380-0x000000001B750000-0x000000001B7D0000-memory.dmp

Filesize
512KB

Download
memory/2652-371-0x000000001B750000-0x000000001B7D0000-memory.dmp

Filesize
512KB

Download
memory/2652-339-0x000000001B750000-0x000000001B7D0000-memory.dmp

Filesize
512KB

Download
memory/2652-315-0x0000000023DA0000-0x0000000023DA1000-memory.dmp

Filesize
4KB

Download
memory/2652-314-0x000000001B750000-0x000000001B7D0000-memory.dmp

Filesize
512KB

Download
memory/2652-313-0x0000000023DC0000-0x0000000023DD0000-memory.dmp

Filesize
64KB

Download
memory/2652-312-0x0000000022640000-0x000000002275E000-memory.dmp

Filesize
1.1MB

Download
memory/2652-311-0x000000001B750000-0x000000001B7D0000-memory.dmp

Filesize
512KB

Download
memory/2652-309-0x000000001B750000-0x000000001B7D0000-memory.dmp

Filesize
512KB

Download
memory/2652-298-0x000000001B750000-0x000000001B7D0000-memory.dmp

Filesize
512KB

Download
memory/2652-299-0x000000001B750000-0x000000001B7D0000-memory.dmp

Filesize
512KB

Download
memory/2652-293-0x000000001B750000-0x000000001B7D0000-memory.dmp

Filesize
512KB

Download
memory/2652-288-0x000000001B750000-0x000000001B7D0000-memory.dmp

Filesize
512KB

Download
memory/2652-287-0x000000001B750000-0x000000001B7D0000-memory.dmp

Filesize
512KB

Download
memory/2652-283-0x000000001BB10000-0x000000001C1D8000-memory.dmp

Filesize
6.8MB

Download
memory/2652-281-0x000000001B750000-0x000000001B7D0000-memory.dmp

Filesize
512KB

Download
memory/2652-279-0x0000000000E30000-0x0000000001418000-memory.dmp

Filesize
5.9MB

Download