asyncrat | hxxps://github[.]com/NYAN-x-CAT/AsyncRAT-C-Sharp/releases/tag/v0[.]5[.]8

Analysis

max time kernel
333s
max time network
327s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 13:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/releases/tag/v0.5.8

Score

10^/10

asyncrat zgrat default evasion rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

Hx7xy8o54daw

Attributes

delay
3
install
true
install_file
rizz.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5428-331-0x0000000006BF0000-0x0000000006C58000-memory.dmp	family_zgrat_v1
behavioral1/memory/5428-334-0x0000000007360000-0x00000000073C0000-memory.dmp	family_zgrat_v1
behavioral1/memory/5428-336-0x0000000007A70000-0x0000000007AD2000-memory.dmp	family_zgrat_v1
behavioral1/memory/5428-338-0x0000000007720000-0x00000000077B2000-memory.dmp	family_zgrat_v1
behavioral1/memory/5428-548-0x00000000065B0000-0x0000000006614000-memory.dmp	family_zgrat_v1

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

rizz.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	rizz.exe

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AsyncClient.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	AsyncClient.exe

Executes dropped EXE 3 IoCs

Processes:

AsyncClient.exerizz.exeAsyncClient.exe

pid process

2668 AsyncClient.exe
5428 rizz.exe
5480 AsyncClient.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

5476 5252 WerFault.exe Stub.exe
5576 3624 WerFault.exe Stub.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

6000 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

5992 timeout.exe

pid	process
2668	AsyncClient.exe
5428	rizz.exe
5480	AsyncClient.exe

pid	pid_target	process	target process
5476	5252	WerFault.exe	Stub.exe
5576	3624	WerFault.exe	Stub.exe

pid	process
6000	schtasks.exe

pid	process
5992	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 47 IoCs

Processes:

AsyncRAT.exemsedge.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 5a00310000000000af581c6810004173796e635241540000420009000400efbeaf581268af581d682e0000002e3502000000080000000000000000000000000000007a5055004100730079006e006300520041005400000018000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 8400310000000000af5812681100444f574e4c4f7e3100006c0009000400efbe9a587164af5812682e00000075e1010000000100000000000000000042000000000093874d0044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\NodeSlot = "6"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 78003100000000009a5871641100557365727300640009000400efbe874f7748af5807682e000000c70500000000010000000000000000003a00000000005f472b0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 50003100000000009a584c6c100041646d696e003c0009000400efbe9a587164af5807682e0000006de101000000010000000000000000000000000000003594c800410064006d0069006e00000014000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	AsyncRAT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 = 5a00310000000000af5812681000434f4d50494c45440000420009000400efbeaf581268af5812682e00000099340200000009000000000000000000000000000000208c3e0043004f004d00500049004c0045004400000018000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	AsyncRAT.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3571316656-3665257725-2415531812-1000\{03F2CF1B-FACF-46D2-B538-49D7AF093F89}	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AsyncRAT.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

rizz.exe

pid process

5428 rizz.exe

pid	process
5428	rizz.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeAsyncRAT.exemsedge.exeAsyncClient.exe

pid	process
1496	msedge.exe
1496	msedge.exe
2936	msedge.exe
2936	msedge.exe
1356	identity_helper.exe
1356	identity_helper.exe
376	msedge.exe
376	msedge.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2336	msedge.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe
2668	AsyncClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AsyncRAT.exe

pid process

5784 AsyncRAT.exe

pid	process
5784	AsyncRAT.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AsyncClient.exerizz.exeAsyncRAT.exe

description pid process

Token: SeDebugPrivilege 2668 AsyncClient.exe
Token: SeDebugPrivilege 5428 rizz.exe
Token: SeDebugPrivilege 5784 AsyncRAT.exe

description	pid	process
Token: SeDebugPrivilege	2668	AsyncClient.exe
Token: SeDebugPrivilege	5428	rizz.exe
Token: SeDebugPrivilege	5784	AsyncRAT.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

msedge.exeAsyncRAT.exe

pid	process
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

msedge.exeAsyncRAT.exe

pid	process
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
2936	msedge.exe
5784	AsyncRAT.exe
5784	AsyncRAT.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AsyncRAT.exerizz.exe

pid process

5784 AsyncRAT.exe
5428 rizz.exe

pid	process
5784	AsyncRAT.exe
5428	rizz.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2936 wrote to memory of 1404	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 1404	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 3632	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 1496	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 1496	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe
PID 2936 wrote to memory of 2896	2936	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/releases/tag/v0.5.8
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffadc0a46f8,0x7ffadc0a4708,0x7ffadc0a4718
2⤵
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
2⤵
PID:3632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
2⤵
PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
2⤵
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
2⤵
PID:3144

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
2⤵
PID:3180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
2⤵
PID:1196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
2⤵
PID:3380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
2⤵
PID:3268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5600 /prefetch:8
2⤵
PID:4872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
2⤵
PID:1544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5100 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1784 /prefetch:1
2⤵
PID:5924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
2⤵
PID:5904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
2⤵
PID:5284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
2⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
2⤵
PID:32

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5820 /prefetch:8
2⤵
PID:1864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6184 /prefetch:8
2⤵
- Modifies registry class
PID:1352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
2⤵
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2144 /prefetch:1
2⤵
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
2⤵
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13107194022721514149,4786370167283386760,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
2⤵
PID:5440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5448

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe
"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5784

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:6088

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\Stub\Stub.exe
"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\Stub\Stub.exe"
1⤵
PID:5252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5252 -s 780
2⤵
- Program crash
PID:5476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5252 -ip 5252
1⤵
PID:5388

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\Stub\Stub.exe
"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\Stub\Stub.exe"
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 744
2⤵
- Program crash
PID:5576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3624 -ip 3624
1⤵
PID:4224

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe
"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "rizz" /tr '"C:\Users\Admin\AppData\Roaming\rizz.exe"' & exit
2⤵
PID:1068

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "rizz" /tr '"C:\Users\Admin\AppData\Roaming\rizz.exe"'
3⤵
- Creates scheduled task(s)
PID:6000

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp939.tmp.bat""
2⤵
PID:2312

C:\Windows\SysWOW64\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:5992

C:\Users\Admin\AppData\Roaming\rizz.exe
"C:\Users\Admin\AppData\Roaming\rizz.exe"
3⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5428

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe
"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"
1⤵
- Executes dropped EXE
PID:5480

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AsyncClient.exe.log
Filesize
522B

MD5
acc9090417037dfa2a55b46ed86e32b8

SHA1
53fa6fb25fb3e88c24d2027aca6ae492b2800a4d

SHA256
2412679218bb0a7d05ceee32869bbb223619bde9966c4c460a68304a3367724b

SHA512
d51f7085ec147c708f446b9fb6923cd2fb64596d354ed929e125b30ace57c8cb3217589447a36960e5d3aea87a4e48aaa82c7509eced6d6c2cecd71fcfe3697b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
6def14d6b7a0dcf9243d3ef80004c79c

SHA1
50950b43509df06c3431d3d06b2ba398f04ed672

SHA256
3dd49b2461a84d8653fb385302f1645149b796acd37f233cc15d837abee0f152

SHA512
c2a98c868eda5749d459b69cf353e6df822d418b576db2d4d9d4bbc9cbe5e6807bca268ddfa39f71e463a5892d49c9e5bfbb186a2207e4a19f6c81810ff1e9b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
c389afc198a67880c5476a306e81aecb

SHA1
9a0b65d69318badfbfd35658bf858b77795115f7

SHA256
717e9a224c147e599bd18be0728bb1239eac7ff5a18369b3e941256cbb4734e1

SHA512
71e7021ac3d63d89063eb712157d924d2d44e8e306f036b1d337c58f4b9577d9cdc21d1316eb9b296b466745f75c9c8ef5d0cbf14710449f44c33f63b77d84ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
496B

MD5
30322550d9f9c54f345ea1c71f3b2e8f

SHA1
b5a3cff2995147279c2bbed7c03b2280ecb286e5

SHA256
4e7798d8476361378f8fbfb0442db63c7f6bf7e1830d50808bfdb8a58700d8f9

SHA512
261d1f5bc9c8a369f815eb846c252f54681f70862153bd49959411450870207b3ee240cc9016533c27401922527d561cc1ea7bb23708e4a257f071d010cf55ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
dad30933a5bed919d5dac309089034e9

SHA1
b5d3edea179f9be3d0a21b1f64a078d614526298

SHA256
5b22cc3fd6fe34c1565e5898e6491dfc20f9e23a90ba9daa642cc4715ee4e564

SHA512
9533495933f1def92cfb7f3fb6ffa36a2cfb3dec4204530cf18251ec62e177a590a8bd9b5ebef265902476902508b8290c9e0978e88a2aeda121c770db2ed7a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
62ca5be5a08425d0364604d3442bd522

SHA1
030d9fc1d92e0c3968955a56a1f499effe103e57

SHA256
4a47bea0a86f7e52b81906245cd00b2f73d666d2df068679fb2d08efe2b7bb4f

SHA512
22af12723a14b785b73ad91932493a6d806c522a179cd3698fa6a6a943f5d86195025f2bb032516d6d7babb951096917867300379a13181eb41ec20e2f6a77d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
aa6fd6bfb3ed45002d72a38454f4b3e3

SHA1
dd1a3cb7934735f3b925c2f97dfa8f5bc80ff960

SHA256
591edb032c531cc4178dce58ee9ef863d24dffc427bdf4418264c54d1d931f11

SHA512
3241b62cd5ed35b943151fd284f0ca1543b0ad640c5f78a619980fd98f55e7bf3be8598f74a7f867b3f93fbf91516b001841978214062c1c370252fe9deb6fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
33f9ee86f85833f4cb2b4052044997bc

SHA1
532890072d8d6fd83c2aff2edb1a2512f1a4baf8

SHA256
cc09b9ba4de9fef4da259e1c576dc9382c6b79a9d33a59f83eee0cab9c9fefb1

SHA512
d52f6b323befd6e61b8c0f127a1ecfe6820b92a5149b70759c17b0fa4c39115a1876bb4b724e8afa1321436c73e59153bf2e5dcd6824430faaeec2f3300083fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
bb4b7edf9d894bf7a64e02815cd0db36

SHA1
38702ef4455a01b04502e06ebe50b375c323307e

SHA256
9840914ca6613e929a169f29648a402f29531b46cd859a2b08c658cb17664c42

SHA512
891db6f61a955f590179241a3d1cd2c5bca2145c962214906b566e8c2b65f76427f710734f05aed2e720908118da8c96928fd6970dc45a97944327b8e1ed47d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5b879b.TMP
Filesize
874B

MD5
7530e7ce5459807ec2aa37854fe086b9

SHA1
f0c9e8d933a788d8e77633492dd13c6a9d56ccfb

SHA256
8b639c63edbc6756ef68b9e59456cfce19fcb7d9a60a534a9cae660cd6cfb2b1

SHA512
e0debe17b09b3975f3121a7eafeb8943c36604a52a650de84d5581c7c029f0ac4696b537e220a0d8b6e1c094d71fd8c671a0c4b7dc0deafb36b5ad2b491aaf96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
6ae7270334da784c5a2abda067099b2c

SHA1
81be0cf11ad11829150bbdf37a8847d4758bd6ad

SHA256
f1486a5b406951c59744e272408737df62891c65be0706784f4d7dd6067cc6fa

SHA512
4783cc1a51e7035530f8ec33211535fa1383dbfad67efadf900e1ef09e34885acb693b50c4bb224cddd58c7f8ac57593d313be68633200aaffc0f2dbb0503343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
4708c4f7e3a89c9e2f2d196a803992c3

SHA1
198d0eff9253657a770642e75387630e51c8bbf8

SHA256
e42887dab3b407e67db1f80920a31e67f06e31074b4a1753ed735d0794f8467a

SHA512
ba9ecef8c1f159cbcb905e2194f8eda260cb145056e5d9f4a2a93cb508454f5ebeb8737048d548ebd86366bb64569fc90e1a60b504046ff5f93a815c5578034e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
d955467a7880524a8235a59bd7804893

SHA1
5655ec211cf6a34f02911994be651fd79a2cfc8a

SHA256
0859cb43859a950e4c583c13b002007f7d090ab6d2463c0309480ee731d7eb6d

SHA512
c75fa18a754fd01f7207844a870720270a530f41045e0e54abe509b22ee56f318cf7ed079341705b94c6ebabca5fb65af1368ad9ccd6df31b0389eb43fc244ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
0e4445be6b42a9b2683640bc69ca0d0e

SHA1
e1f4e09647e8a21b367bd8292f7d001a9967bff7

SHA256
8cf5973781310e1546d0a6e190eb411ddd9f7bf5ced22a4c2b11161e0d02ceb9

SHA512
d46605c88b7e41255ef0ad8281aafec95d5977db3a39da8ee231f87d031543081dd150e9ba2c418093c5ed6aab3e17059c87643b22085ffcc2410480929053f4

Download Submit
C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_rlcfuditezizgbmskmstccdixoxy2jyu\0.5.8.0\user.config
Filesize
319B

MD5
f71f55112253acc1ef2ecd0a61935970

SHA1
faa9d50656e386e460278d31b1d9247fdd947bb7

SHA256
d1ad588a08c8c0799d7a14509f1e0a7ae04c519102ed9d328a83fe65999e6179

SHA512
761b5c13e39bd4ae21d298084bbe747ae71c383fedf9a51fd5e9723a8b3b4547de459d82bac7f3f8f3bfc11cfb0528a4f1057b51996d7d046583109a53317b44

Download Submit
C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_rlcfuditezizgbmskmstccdixoxy2jyu\0.5.8.0\user.config
Filesize
690B

MD5
b05efa9932a29b1ebb0dd7c6bff8dce6

SHA1
0c8c0b8479f4d877299455ed0d29923787563b88

SHA256
090d037532d9fd4966dd807239ed32d0fd39ac4bb5fe52404e418405b90a43a9

SHA512
d8497fc9bd7a038ef4fea16caa741607df93e3a4431d35fd0066134d2c6b13b8bcee4359ef0412dae9dda54008a49f66863a5fdd34eb29895a2a2d139607593f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp939.tmp.bat
Filesize
147B

MD5
868a0cede37de035d3418cab824257f6

SHA1
455061ef9a68b3608565566862c1d1dae2b30ff6

SHA256
cbbab201c50e3901e3986f4ca84d5002778a65120585e4e6e7ba7e6b94f624a0

SHA512
3f6ffd1fb74a99d42ae8811412c216cbcf02a3d2fb2be963eccfbeaebc895ecc795308ae25ce451aa459758304c90d94f5563165e1a59f812fe71fa97c111f34

Download Submit
C:\Users\Admin\Downloads\COMPILED.zip
Filesize
6.9MB

MD5
30b1961a9b56972841a3806e716531d7

SHA1
63c6880d936a60fefc43a51715036c93265a4ae5

SHA256
0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c

SHA512
9449065743226bd15699e710b2bab2a5bb44866f2d9a8bd1b3529b7c53d68e5ecba935e36406d1b69e1fb050f50e3321ef91bc61faac9790f6209fec6f930ed0

Download Submit
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe
Filesize
45KB

MD5
905e646d3cfbe3915adee6a122c81909

SHA1
fc236f6f2920c8904aed10a823a2cd6405acf323

SHA256
111446388e2e5bc6a6ff6a2e00c01b1853781f058554c2fa4228238fcac6d808

SHA512
25a5908c00a186819355c6a4123c4d2483d3cc7eff3e69533615588c9f80a4cd04eaf027f3802d277070dddc54e371a3836d5c951e6a1cfed17a7e703eca4177

Download Submit
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\ServerCertificate.p12
Filesize
4KB

MD5
933348d9f4cf176132d30d3ec894a059

SHA1
4b7a5bdf8d9ee3b21aa8e9a9e137b4f86522d142

SHA256
79745018a32f4cce17b172b691e755f3a1b6de2bf30ccf742f75d9b42517affb

SHA512
2748e7d7ac139ff993cee480cea7080c2085119792bf4efbd0e1df92277344ddcdd6efb3fd5b72a31c6c5a8ee1a5250f5c983f526b79ff3e7f43bf2efcb901c2

Download Submit
memory/2668-316-0x0000000000A50000-0x0000000000A62000-memory.dmp

Filesize
72KB

Download
memory/2668-317-0x0000000005350000-0x00000000053EC000-memory.dmp

Filesize
624KB

Download
memory/5252-268-0x0000000000F10000-0x0000000000F20000-memory.dmp

Filesize
64KB

Download
memory/5428-333-0x00000000070F0000-0x0000000007182000-memory.dmp

Filesize
584KB

Download
memory/5428-337-0x0000000007CC0000-0x0000000007CCA000-memory.dmp

Filesize
40KB

Download
memory/5428-326-0x0000000006000000-0x00000000065A4000-memory.dmp

Filesize
5.6MB

Download
memory/5428-330-0x0000000006C70000-0x0000000006CE6000-memory.dmp

Filesize
472KB

Download
memory/5428-331-0x0000000006BF0000-0x0000000006C58000-memory.dmp

Filesize
416KB

Download
memory/5428-332-0x0000000006D20000-0x0000000006D3E000-memory.dmp

Filesize
120KB

Download
memory/5428-548-0x00000000065B0000-0x0000000006614000-memory.dmp

Filesize
400KB

Download
memory/5428-334-0x0000000007360000-0x00000000073C0000-memory.dmp

Filesize
384KB

Download
memory/5428-336-0x0000000007A70000-0x0000000007AD2000-memory.dmp

Filesize
392KB

Download
memory/5428-327-0x0000000005AC0000-0x0000000005B26000-memory.dmp

Filesize
408KB

Download
memory/5428-338-0x0000000007720000-0x00000000077B2000-memory.dmp

Filesize
584KB

Download
memory/5784-194-0x0000026F6F6B0000-0x0000026F6F930000-memory.dmp

Filesize
2.5MB

Download
memory/5784-193-0x0000026F6F690000-0x0000026F6F6A2000-memory.dmp

Filesize
72KB

Download
memory/5784-192-0x0000026F6C250000-0x0000026F6C25A000-memory.dmp

Filesize
40KB

Download
memory/5784-191-0x0000026F6BE10000-0x0000026F6C062000-memory.dmp

Filesize
2.3MB

Download
memory/5784-189-0x0000026F691D0000-0x0000026F6983A000-memory.dmp

Filesize
6.4MB

Download
memory/5784-282-0x0000026F71170000-0x0000026F71296000-memory.dmp

Filesize
1.1MB

Download