0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c

Analysis

max time kernel
131s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
27-05-2024 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

COMPILED.zip
Size

6.9MB
MD5

30b1961a9b56972841a3806e716531d7
SHA1

63c6880d936a60fefc43a51715036c93265a4ae5
SHA256

0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c
SHA512

9449065743226bd15699e710b2bab2a5bb44866f2d9a8bd1b3529b7c53d68e5ecba935e36406d1b69e1fb050f50e3321ef91bc61faac9790f6209fec6f930ed0
SSDEEP

196608:C+MPQJu8YfQFtMAFMQ5RIhFmQ06L29tJW0SCK5u:C+mQ08YfQNMQ5RI7i9LSCAu

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 12 IoCs

Processes:

lodctr.exe

description	ioc	process
File created	C:\Windows\system32\perfh009.dat	lodctr.exe
File created	C:\Windows\system32\perfc00A.dat	lodctr.exe
File created	C:\Windows\system32\perfh00C.dat	lodctr.exe
File created	C:\Windows\system32\perfc010.dat	lodctr.exe
File created	C:\Windows\system32\perfh011.dat	lodctr.exe
File created	C:\Windows\system32\perfc007.dat	lodctr.exe
File created	C:\Windows\system32\perfh007.dat	lodctr.exe
File created	C:\Windows\system32\perfc009.dat	lodctr.exe
File created	C:\Windows\system32\perfh00A.dat	lodctr.exe
File created	C:\Windows\system32\perfc00C.dat	lodctr.exe
File created	C:\Windows\system32\perfh010.dat	lodctr.exe
File created	C:\Windows\system32\perfc011.dat	lodctr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

AsyncRAT.exeAsyncRAT.exeAsyncRAT.exemsedge.exemsedge.exe

pid	process
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4140	AsyncRAT.exe
4044	AsyncRAT.exe
4044	AsyncRAT.exe
4044	AsyncRAT.exe
4044	AsyncRAT.exe
4044	AsyncRAT.exe
4044	AsyncRAT.exe
4044	AsyncRAT.exe
4044	AsyncRAT.exe
4044	AsyncRAT.exe
4044	AsyncRAT.exe
4044	AsyncRAT.exe
4044	AsyncRAT.exe
4044	AsyncRAT.exe
4044	AsyncRAT.exe
4044	AsyncRAT.exe
4044	AsyncRAT.exe
4044	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2416	msedge.exe
2416	msedge.exe
2976	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AsyncRAT.exe

pid process

2020 AsyncRAT.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

2976 msedge.exe
2976 msedge.exe
2976 msedge.exe
2976 msedge.exe

pid	process
2020	AsyncRAT.exe

pid	process
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of FindShellTrayWindow 32 IoCs

Processes:

AsyncRAT.exeAsyncRAT.exeAsyncRAT.exemsedge.exe

pid	process
4140	AsyncRAT.exe
4044	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2020	AsyncRAT.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

AsyncRAT.exeAsyncRAT.exeAsyncRAT.exemsedge.exe

pid	process
4140	AsyncRAT.exe
4044	AsyncRAT.exe
2020	AsyncRAT.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe
2976	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exemsedge.exe

description	pid	process	target process
PID 1996 wrote to memory of 1344	1996	cmd.exe	lodctr.exe
PID 1996 wrote to memory of 1344	1996	cmd.exe	lodctr.exe
PID 2976 wrote to memory of 4812	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4812	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4588	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 2416	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 2416	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe
PID 2976 wrote to memory of 4912	2976	msedge.exe	msedge.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\COMPILED.zip
1⤵
PID:4020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2168

C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe
"C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\COMPILED\AsyncRAT\Fixer.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1996
- C:\Windows\system32\lodctr.exe
  lodctr /r
  2⤵
  - Drops file in System32 directory
  PID:1344

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4628

C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe
"C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4044

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:468

C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe
"C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2020

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3552

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtAddPFX C:\Users\Admin\AppData\Local\Temp\Temp1_BackupCertificate.zip\ServerCertificate.p12
1⤵
PID:4728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff86a2846f8,0x7ff86a284708,0x7ff86a284718
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,4146807930684286626,1144064705387434499,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,4146807930684286626,1144064705387434499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,4146807930684286626,1144064705387434499,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4146807930684286626,1144064705387434499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4146807930684286626,1144064705387434499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4146807930684286626,1144064705387434499,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,4146807930684286626,1144064705387434499,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,4146807930684286626,1144064705387434499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,4146807930684286626,1144064705387434499,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3572 /prefetch:8
  2⤵
  PID:3788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0a69bcbb188b19ff23e55c03d28b9858

SHA1
5d1a146e3cef67468838e450512198a01aa5adda

SHA256
b084fe20e3a4d57cc82f97cbb846e38a77960a836b76ff7fa973df720a3c8cf5

SHA512
0c9b49c4dbe92b36d9a84b472662130b06f2f75c3347bdd08a920445e1990ac21fd6288541e46e7c8b0d99d5dcc4ace67b6250aa9da73d482a571590af46a5c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
383874747740795adb1e5cb8f6d9f4d7

SHA1
8524853682d535d6bcde92ff19eae042e119c60d

SHA256
8fb71c04b06e014c922b20b682e3755c649a9b7774fcec978970c93d0143cc6a

SHA512
643af60ffa567ca8102b5d703be33fa8023ddf3ce89ba5940e314c6182d427e0569fc2acca1f81563984e7e8c1111e893f7f2398c053fee559e5407a2cb7df45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2682827db7f936954b9b108f104d8414

SHA1
519197bcd1214e04978752affb7d9970b88329a3

SHA256
7fdbc12f1233a4d404686d45ac35b3281429e8bd8f5da39c6db7110555136910

SHA512
fdd60b25b66f7b9db44e673d5fcc8e78a2f2bba56d0c80d85519d464fcf1e2b9cd401c3490156eef893358c56e5aedf4b3e7c23ccde8a8da99ab2eefdb88a44c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
eb1649dd7cc78165e6d87379dfdc3565

SHA1
1c3723b57fb8d09c44f5f6e2d99695a3b9a1d9b8

SHA256
6060e9d1c0d797dde4d09f22995a21d1472cae3c502c0f0dbb5d0e586c5fd9ae

SHA512
0e669dac03e11df801f88e02a4a99c6204be39b8af7bba0690798895b469461cb0f9570880763f26b65782d34f16a0db178f3ee201d8babc72ac4c9ec445ba25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
626b88cf617e98b219e26327363eb7a9

SHA1
7b04aba1d7d2184b22229a177a18b0175120b56a

SHA256
d0fb7b0959ce63239466ca6451352b531379c68f63fa6f22e8949dfb595e146d

SHA512
b58a1eae8fa68c6a134f2714ceaea8c775d17c8b8f21427d83d042f0289ee8d6f44dec958c82056d728198d575866b92d0428819c874db980f26244088fb12f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_ijesrqqvouafvh4ococuu4gxisqs2ty0\0.5.8.0\user.config

Filesize
319B

MD5
f71f55112253acc1ef2ecd0a61935970

SHA1
faa9d50656e386e460278d31b1d9247fdd947bb7

SHA256
d1ad588a08c8c0799d7a14509f1e0a7ae04c519102ed9d328a83fe65999e6179

SHA512
761b5c13e39bd4ae21d298084bbe747ae71c383fedf9a51fd5e9723a8b3b4547de459d82bac7f3f8f3bfc11cfb0528a4f1057b51996d7d046583109a53317b44

Download Submit
C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_ijesrqqvouafvh4ococuu4gxisqs2ty0\0.5.8.0\user.config

Filesize
445B

MD5
5bf9253f4e0b1793475841d80b4cfb01

SHA1
e6ba58d19d5cb582ee2da463265e76c66b5f6f65

SHA256
e4d9c595d88c12e2aedc06b8cad0f45fbcbdaa341aad528836d7471a983aa711

SHA512
db42628012c28422cd8ace63162e902b786823938ea455031b2dc84b13235a49626bce09498bfb83aa0ff4be05a08f21665ca0bcd69ff617f598bf0b30ba0bd1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-540404634-651139247-2967210625-1000\47a84719fa3bd80f467fdd5009bcb73c_41e50f4a-4a76-42e1-a3df-51306e426307

Filesize
3KB

MD5
1ad508a61a41a09186cdfda6d21a1022

SHA1
6d2107880856ee78e53478c01f0c2f05dc0b93ba

SHA256
f09bbabc61c0e16029a0dbe52fdde269a74e7d8b1bddaf6a98d2a075f653689c

SHA512
6623c081e47d003a427b9bc9d8162808476165bae43672d73b1baccedb7b73f7aab900e66fdc7ef953b1b157dd5bf2c211e8e9b0fceb55467f095b45e8cd4493

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\09616A0C737F19EE4F812E3B5A1D6CD5F04778F3

Filesize
1KB

MD5
7c19861048e1cfa29fe4343f4242e1b6

SHA1
f70c70282ec38adc4b64bbeb1c1f7d3490ef3628

SHA256
ec39e6a5ffb1b45ab2f5b4e3fec47e10eaa32657eda86b0d63b9f53ef721b33c

SHA512
5116ffb58cddda6bbe439d96762af4efaddb51f6c243d489d490d243c8d554f29d0b9794fb97d28b6e334ae262832574166f8823e875c1fb2803440fa9db08a3

Download Submit
C:\Users\Admin\Documents\COMPILED\AsyncRAT\Fixer.bat

Filesize
141B

MD5
52ab2690a33a51804764be81820504aa

SHA1
36af53e8b27ea737c255402156c77c5f9be17aa0

SHA256
5255fa89ba49c5f1f2c81d66d42e3b16305296945683954eab1492ed11b90b4c

SHA512
95579203bd7e3f2104ad2f886b162f9938d6e371ba351b0b9c5fb5d3368d674f22f4c2ccc54aece5a9ab5f044ca9deeed63a4ad30ffd42787c54807c8396f21b

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
44KB

MD5
bc3d1639f16cb93350a76b95cd59108b

SHA1
47f1067b694967d71af236d5e33d31cb99741f4c

SHA256
004818827ecc581f75674919f4605d28eed27e3f2229ae051d6849129eef40e9

SHA512
fe44f3dbd009d932491af26c3615e616bc0042741dc3815ffb4d2b8d201efd8ab89f7cdd747406609393f005a596a6e9ea8e3f231bc150dc406c2adb8f806249

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
47KB

MD5
69c02ba10f3f430568e00bcb54ddf5a9

SHA1
8b95d298633e37c42ea5f96ac08d950973d6ee9d

SHA256
62e5660f9018da67d3c6727c39e9690650beb62749df0b4c00e6085f36c8e94e

SHA512
16e4d29324c2b50e1347532cd0982a149a7c67c4f27a743bbad8609ac662c3e00fa1be645b1b5f23adca3abd60c812f3f87d669f5ffb42b90ca5026dcbf2824e

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
43KB

MD5
8b4b53cf469919a32481ce37bcce203a

SHA1
58ee96630adf29e79771bfc39a400a486b4efbb0

SHA256
a7b3a2b6c67e98cf2b13684c8774113c4ed4f60cd6fc673d4c9dcb360c60ce42

SHA512
62217e68c9e4c7b077e127040318c603e2f2cbcc5517ce0cfc6189e43023f8d8a05b8e694b2a35d4b409241136a1067749b7b6e2049d6910246d8c0fa6e9e575

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
42KB

MD5
bea0a3b9b4dc8d06303d3d2f65f78b82

SHA1
361df606ee1c66a0b394716ba7253d9785a87024

SHA256
e88439ae381e57e207ce09bbf369859c34b239b08124339534dcc935a89ac927

SHA512
341132d443cd41acf0a7eaee0d6883c40d8a4db8c59e056211e898c817c2847377f0208ed3a40e0fd6f73f0196ffcc680c55754e160edafd97036739861a6c88

Download Submit
C:\Windows\System32\perfc011.dat

Filesize
32KB

MD5
50681b748a019d0096b5df4ebe1eab74

SHA1
0fa741b445f16f05a1984813c7b07cc66097e180

SHA256
33295c7ee1b56a41e809432bc25dd745ba55b2dc91bfa97aa1f55156880cd71a

SHA512
568439b3547dcbcce28499d45663fdd0e2222f6c5c90053769ce2585f65721f679c071393328bde72c9a3f03da4c17abb84b8303897688b59598887ceb31438e

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
298KB

MD5
eadd51b4e0a81aa0a1ec7392a1ce681a

SHA1
f384c3bc0f16ccb5049ebbf7df776e684da84706

SHA256
1a2fd21891c4055b2ee03ee06665f1a09a6503f7a4b57acba67820ec561d12e4

SHA512
de74112ed8f81f4723241102e9e493921419f836e7f095000a0ae34616db1886c22dff6ab4dfd5bd1ebbc9840498c3606ac0e5791f7fadac1b52c18043571ae4

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
297KB

MD5
50362589add3f92e63c918a06d664416

SHA1
e1f96e10fb0f9d3bec9ea89f07f97811ccc78182

SHA256
9a60acb9d0cb67b40154feb3ff45119f122301ee059798c87a02cc0c23e2ffce

SHA512
e21404bc7a5708ab1f4bd1df5baff4302bc31ac894d0940a38b8967b40aac46c2b3e51566d6410e66c4e867e1d8a88489adccf8bdcaec682e9ddabc0dac64468

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
347KB

MD5
49032045f6bcb9f676c7437df76c7ffa

SHA1
f1bf3ba149cd1e581fe12fb06e93d512fe3a241b

SHA256
089f30c1e60f038627531d486659fab66a8b927d65e4eca18f104d6ae4c7f641

SHA512
55b459b7787e6efacdcc17adb830dc3172a316ff8dd3b14a51bf4496a9479f513ae279a839674b472c1424170ee4aa63a5d45fc7fbd38a533a885282858c74f1

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
350KB

MD5
518020fbecea70e8fecaa0afe298a79e

SHA1
c16d691c479a05958958bd19d1cb449769602976

SHA256
9a139a16fe741593e50fa5e1e2a0c706c0eba7f4d1e1a7a91035428185fde125

SHA512
ff910efee092c2b4a3fa1114f745feb7d01a38b55b0345e0118cdc601a056f79035bd92c76b49559480b515da4cd66d2fbe789baacdde67485cab989ff009b2e

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
340KB

MD5
f9fcefdf318c60de1e79166043b85ec4

SHA1
a99d480b322c9789c161ee3a46684f030ec9ad33

SHA256
9c92309f7a11b916d0e9b99f9083f58b1a2fa7a9aad283b064f01c11781160e7

SHA512
881e112fedccc8643d872396baf726ceb7a49c5cce09489ddcb88400b5a4578dd5ee62a4082d81a6c721c74edb00d84d225e08ab892cc094976149a1a2c486d8

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
145KB

MD5
f4f62aa4c479d68f2b43f81261ffd4e3

SHA1
6fa9ff1dbb2c6983afc3d57b699bc1a9d9418daa

SHA256
c2f81f06c86bf118a97fba7772d20d2c4ba92944551cd14e9d9bab40bf22816c

SHA512
cbd94b41fc3136c05981e880e1f854a5847a18708459112ca7eb0bdcb04d0034c42af8c58501a21ae56e07a29751236af9735b0a4ded3a6b0ef57d717acd5ff3

Download Submit
C:\Windows\system32\perfc009.dat

Filesize
122KB

MD5
243bb32f23a8a2fa8113e879d73bfdf7

SHA1
2f9d0154d65d0b8979a1aeb95b6cf43384114f70

SHA256
69012c5b50e669fca5ad692dc405017da474a5a4ec876de70d9748a4f30c046c

SHA512
34f7663ef59412a12ce950eb5ab947b2fb6bb811d5cfd92d05b6a884bcb2fc31fdc880b8e152a383055ca0efee707eb23bbfe181ace8c1ca112262f2a75bf0a8

Download Submit
\??\PIPE\wkssvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2020-1465-0x000001F16DFE0000-0x000001F16E260000-memory.dmp

Filesize
2.5MB

Download
memory/2020-1464-0x000001F16AA90000-0x000001F16AAA2000-memory.dmp

Filesize
72KB

Download
memory/4140-1463-0x00007FF8676B0000-0x00007FF868171000-memory.dmp

Filesize
10.8MB

Download
memory/4140-1462-0x00007FF8676B0000-0x00007FF868171000-memory.dmp

Filesize
10.8MB

Download
memory/4140-1461-0x00007FF8676B3000-0x00007FF8676B5000-memory.dmp

Filesize
8KB

Download
memory/4140-0-0x00007FF8676B3000-0x00007FF8676B5000-memory.dmp

Filesize
8KB

Download
memory/4140-7-0x0000023B79B70000-0x0000023B79B7A000-memory.dmp

Filesize
40KB

Download
memory/4140-5-0x00007FF8676B0000-0x00007FF868171000-memory.dmp

Filesize
10.8MB

Download
memory/4140-4-0x00007FF8676B0000-0x00007FF868171000-memory.dmp

Filesize
10.8MB

Download
memory/4140-3-0x0000023B794D0000-0x0000023B79722000-memory.dmp

Filesize
2.3MB

Download
memory/4140-1-0x0000023B767D0000-0x0000023B76E3A000-memory.dmp

Filesize
6.4MB

Download