Malware Analysis Report

2024-09-22 07:14

Sample ID: 240531-xy7xsaab3y
Target: COMPILED.zip
SHA256: 0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c
Tags: asyncrat default rat
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c

Threat Level: Known bad

The file COMPILED.zip was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

Async RAT payload

Asyncrat family

AsyncRat

Async RAT payload

Executes dropped EXE

Unsigned PE

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Delays execution with timeout.exe

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-05-31 19:16

Signatures

Async RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Asyncrat family

Tags: asyncrat

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (repeated 15 times)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-31 19:16

Reported: 2024-05-31 19:41

Platform: win10v2004-20240426-en

Max time kernel: 270s

Max time network: 275s

Command Line

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\COMPILED.zip

Signatures

AsyncRat

Tags: rat asyncrat

Async RAT payload

Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncClient.exe | N/A

Delays execution with timeout.exe

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = ffffffff | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1" | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\NodeSlot = "8" | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 5a00310000000000bf58b09c10004173796e635241540000420009000400efbebf58a79cbf58b09c2e000000dfe4010000000c0000000000000000000000000000003d8cfe004100730079006e006300520041005400000018000000 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4" | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 50003100000000009a58ef6c100041646d696e003c0009000400efbe9a586864bf58999c2e00000080e1010000000100000000000000000000000000000016ca2500410064006d0069006e00000014000000 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 = 5a00310000000000bf58a79c1000434f4d50494c45440000420009000400efbebf58a79cbf58a79c2e000000c3e00100000004000000000000000000000000000000fbf0e10043004f004d00500049004c0045004400000018000000 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0" | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1162180587-977231257-2194346871-1000\{8494FB2D-29B5-46F6-A968-A548CF74F668} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Documents" | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656} | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1" | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1" | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 8400310000000000bf58a79c1100444f43554d457e3100006c0009000400efbe9a586864bf58a79c2e00000089e10100000001000000000000000000420000000000a817e90044006f00630075006d0065006e0074007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370037003000000018000000 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16" | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0" | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 78003100000000009a5868641100557365727300640009000400efbe874f7748bf58999c2e000000c70500000000010000000000000000003a00000000003c960a0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257" | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A (repeated 27 times)
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (repeated 4 times)
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A (repeated 2 times)
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (repeated 2 times)
N/A | N/A | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A (repeated 29 times)

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncClient.exe | N/A (repeated 2 times)
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A (repeated 64 times)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (repeated 26 times)
N/A | N/A | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A (repeated 4 times)

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1224 wrote to memory of 4320 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (repeated 2 times)
PID 1224 wrote to memory of 2552 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (repeated 40 times)
PID 1224 wrote to memory of 2608 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (repeated 2 times)
PID 1224 wrote to memory of 4468 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1224 wrote to memory of 4468 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\COMPILED.zip

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe

"C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc677d46f8,0x7ffc677d4708,0x7ffc677d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4168 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5204 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5160 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1

C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe

"C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe"

C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncClient.exe

"C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncClient.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,11333273718911113237,17159659989143444173,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5660 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp40CE.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3
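Read in order, the last four entries are the part of this process list worth a second look: cmd.exe is run on a tmp40CE.tmp.bat in the user's Temp directory and the batch runs timeout 3, which is what the "Delays execution with timeout.exe" signature fires on, and it matches the delay-then-relaunch batch that AsyncRAT's client writes when it installs itself. The report shows the chain but not the batch contents, and nothing below assumes them. The following Python script is an added example, not part of the report and not AsyncRAT code; it parses process entries in the "image path, blank line, command line" layout used above and flags executables outside the system directories and the cmd.exe-on-Temp-batch-followed-by-timeout pattern. The sample input is the non-Edge subset of the list above, and the trusted-directory list is an assumption to tune per environment.

```python
import re

# Constructed input: the non-Edge (image path, command line) pairs from the
# Processes section above, in the report's own layout.
PROCESS_LIST = r"""
C:\Windows\Explorer.exe

C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\COMPILED.zip

C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe

"C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncRAT.exe"

C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncClient.exe

"C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp40CE.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3
"""

# Assumed: directories where an executable image is expected on a stock Windows
# install. Anything else (Documents, Temp, AppData) gets flagged for review.
TRUSTED_DIRS = ("c:/windows/", "c:/program files/", "c:/program files (x86)/")

# cmd.exe /c "...\Temp\tmpXXXX.tmp.bat": the name shape .NET's GetTempFileName()
# produces, with ".bat" appended. Tolerates the doubled quotes seen in the report.
TEMP_BAT = re.compile(
    r'cmd\.exe\s+/c\s+"*(?P<bat>[^"]*\\temp\\tmp[0-9a-f]{4}\.tmp\.bat)"*', re.I)


def parse_process_list(text: str) -> list[tuple[str, str]]:
    """Turn the report layout into (image, command line) pairs; blank lines separate them."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected alternating image / command-line lines")
    return list(zip(lines[0::2], lines[1::2]))


def triage(procs: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (finding, detail) tuples for the process list, in list order."""
    findings = []
    for i, (image, cmdline) in enumerate(procs):
        norm = image.lower().replace("\\", "/")
        if not norm.startswith(TRUSTED_DIRS):
            findings.append(("image-outside-system-dirs", image))
        m = TEMP_BAT.search(cmdline)
        if m:
            # The report lists the batch's child right after cmd.exe; a timeout.exe
            # there is the delay-then-relaunch stub rather than an arbitrary batch.
            nxt = procs[i + 1][0].lower().replace("\\", "/") if i + 1 < len(procs) else ""
            kind = "temp-batch-then-timeout" if nxt.endswith("/timeout.exe") else "temp-batch-exec"
            findings.append((kind, m.group("bat")))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(parse_process_list(PROCESS_LIST)):
        print(f"{kind:28} {detail}")
```

The ordering heuristic (timeout.exe listed immediately after cmd.exe) stands in for real parent/child data; when you have process-creation telemetry with parent PIDs, key on the parent relationship instead.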

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
NL 23.62.61.194:443 th.bing.com tcp
NL 23.62.61.194:443 th.bing.com tcp
NL 23.62.61.194:443 th.bing.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
IE 40.126.31.67:443 login.microsoftonline.com tcp
US 8.8.8.8:53 workupload.com udp
DE 144.76.176.119:443 workupload.com tcp
DE 144.76.176.119:443 workupload.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 119.176.76.144.in-addr.arpa udp
DE 144.76.176.119:443 workupload.com tcp
US 8.8.8.8:53 services.bingapis.com udp
US 13.107.5.80:443 services.bingapis.com tcp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
GB 142.250.200.34:443 securepubads.g.doubleclick.net tcp
DE 144.76.176.119:443 workupload.com tcp
GB 142.250.200.34:443 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
GB 142.250.187.238:443 fundingchoicesmessages.google.com tcp
US 8.8.8.8:53 80.5.107.13.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 34.200.250.142.in-addr.arpa udp
GB 142.250.187.238:443 fundingchoicesmessages.google.com udp
DE 144.76.176.119:443 workupload.com tcp
US 8.8.8.8:53 194.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 167.154.64.172.in-addr.arpa udp
US 8.8.8.8:53 f84.workupload.com udp
DE 176.9.34.148:443 f84.workupload.com tcp
US 8.8.8.8:53 148.34.9.176.in-addr.arpa udp
DE 144.76.176.119:443 workupload.com tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
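The Network table mixes three kinds of rows: reverse (in-addr.arpa) lookups and mDNS that the sandbox host generates on its own, background traffic from the Edge instance (bing.com, login.microsoftonline.com, doubleclick.net, google.com), and the rows that actually need review. The repeated connections to 127.0.0.1:8808 are consistent with AsyncRAT's stock port list (6606, 7707 and 8808) and with both the AsyncRAT.exe server and AsyncClient.exe having run in this VM, although the report does not state that pairing explicitly. The following Python script is an added example, not part of the report and not AsyncRAT code; it parses rows in the table's layout, tallies identical connections, and separates review-worthy destinations and the loopback default-port hits from noise. The subset of rows embedded as input and the browser-background allowlist are constructed for this example.

```python
from collections import Counter

# Constructed input: a representative subset of the rows in the Network table above
# (country, destination, domain, protocol; the domain column is empty on some rows).
NETWORK_ROWS = """
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 login.microsoftonline.com udp
IE 40.126.31.67:443 login.microsoftonline.com tcp
US 8.8.8.8:53 workupload.com udp
DE 144.76.176.119:443 workupload.com tcp
DE 144.76.176.119:443 workupload.com tcp
GB 142.250.200.34:443 securepubads.g.doubleclick.net tcp
US 8.8.8.8:53 f84.workupload.com udp
DE 176.9.34.148:443 f84.workupload.com tcp
N/A 127.0.0.1:8808 tcp
N/A 127.0.0.1:8808 tcp
"""

# AsyncRAT's stock client settings list 6606, 7707 and 8808 as server ports.
ASYNCRAT_DEFAULT_PORTS = {6606, 7707, 8808}

# Assumed allowlist of domains the Edge instance in this sandbox talks to on its own.
# An allowlist hides things, so keep it short, explicit and specific to the image.
BROWSER_BACKGROUND = ("bing.com", "bingapis.com", "microsoftonline.com",
                      "doubleclick.net", "google.com")


def parse_rows(text: str) -> list[dict]:
    """Parse 'country host:port [domain] proto' rows; skips blank and header lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        host, _, port = parts[1].rpartition(":")
        if not port.isdigit():
            continue
        rows.append({"country": parts[0], "host": host, "port": int(port),
                     "domain": parts[2] if len(parts) == 4 else "", "proto": parts[-1]})
    return rows


def classify(row: dict) -> str:
    d = row["domain"]
    if d.endswith(".in-addr.arpa"):
        return "ptr-lookup"          # reverse lookups the host performs on its own
    if row["host"] == "224.0.0.251" and row["port"] == 5353:
        return "mdns"
    if row["host"].startswith("127.") and row["port"] in ASYNCRAT_DEFAULT_PORTS:
        return "loopback-asyncrat-default-port"
    if d and any(d == s or d.endswith("." + s) for s in BROWSER_BACKGROUND):
        return "browser-background"
    return "review"


def summarize(text: str) -> Counter:
    """Count identical rows so a repeated connection shows once with a tally."""
    counts = Counter()
    for r in parse_rows(text):
        counts[(classify(r), r["host"], r["port"], r["domain"])] += 1
    return counts


def extract_iocs(text: str) -> dict:
    """Domains and endpoints left after removing noise, plus loopback default-port hits."""
    iocs = {"domains": set(), "endpoints": set(), "loopback_ports": set()}
    for r in parse_rows(text):
        cat = classify(r)
        if cat == "loopback-asyncrat-default-port":
            iocs["loopback_ports"].add(r["port"])
        elif cat == "review":
            if r["domain"]:
                iocs["domains"].add(r["domain"])
            if r["port"] != 53:      # a DNS query names a domain, not an endpoint
                iocs["endpoints"].add(f'{r["host"]}:{r["port"]}')
    return iocs


if __name__ == "__main__":
    for (cat, host, port, domain), n in sorted(summarize(NETWORK_ROWS).items()):
        print(f"{n:3}x {cat:32} {host}:{port} {domain}")
    print(extract_iocs(NETWORK_ROWS))
```

A loopback hit on one of the default ports is a strong hint only because this detonation ran the server and the client side by side; on a victim host the same client would be reaching an external address, so treat the port set as a secondary indicator rather than a signature on its own.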

Files

memory/4104-0-0x00007FFC64303000-0x00007FFC64305000-memory.dmp

memory/4104-1-0x000001A7B9970000-0x000001A7B9FDA000-memory.dmp

memory/4104-3-0x000001A7D4680000-0x000001A7D48D2000-memory.dmp

memory/4104-4-0x00007FFC64300000-0x00007FFC64DC1000-memory.dmp

memory/4104-5-0x00007FFC64300000-0x00007FFC64DC1000-memory.dmp

memory/4104-6-0x000001A7D7DC0000-0x000001A7D7DCA000-memory.dmp

memory/4104-7-0x000001A7D7000000-0x000001A7D7012000-memory.dmp

memory/4104-8-0x000001A7D7E20000-0x000001A7D80A0000-memory.dmp

memory/4104-16-0x00007FFC64303000-0x00007FFC64305000-memory.dmp

memory/4104-17-0x00007FFC64300000-0x00007FFC64DC1000-memory.dmp

memory/4104-18-0x00007FFC64300000-0x00007FFC64DC1000-memory.dmp

memory/4104-21-0x000001A7D55A0000-0x000001A7D56C6000-memory.dmp

C:\Users\Admin\Documents\COMPILED\AsyncRAT\ServerCertificate.p12

MD5 333f0010514b786c328892f7f89119a1
SHA1 a62e127897c1f6469479ac8db5f35037cab227c2
SHA256 36c1cdd6070cf57bbd993d3a863c65954ee7c5f003fdd592a15781991e4263bc
SHA512 979e58aea73f9553b81e58ac70c39c22f360922fa05982392a179355ba2d831b13de80b736235c3ff2437d8d1540251f6ec4f70916651a578809d39d203d5bfa

C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_ijesrqqvouafvh4ococuu4gxisqs2ty0\0.5.8.0\user.config

MD5 f71f55112253acc1ef2ecd0a61935970
SHA1 faa9d50656e386e460278d31b1d9247fdd947bb7
SHA256 d1ad588a08c8c0799d7a14509f1e0a7ae04c519102ed9d328a83fe65999e6179
SHA512 761b5c13e39bd4ae21d298084bbe747ae71c383fedf9a51fd5e9723a8b3b4547de459d82bac7f3f8f3bfc11cfb0528a4f1057b51996d7d046583109a53317b44

C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_ijesrqqvouafvh4ococuu4gxisqs2ty0\0.5.8.0\user.config

MD5 d1cc20e0af5be746057fce07cb1a0528
SHA1 6ba60adb5ea734ad1d21e3bb055bd9e8e887363d
SHA256 3758d2fd8f641b0d79db5fe416b474c49d0d4fb4ee08bc15d0f127c910cdd57e
SHA512 47e80af37fa4266efb2d70e238a3c8b4441c92345ba4e165e3459630da3dc4de48e258378e4bc0ef1ef9837fd8479cbfe61329693a118afca7a3a31b0f8a736e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 8b167567021ccb1a9fdf073fa9112ef0
SHA1 3baf293fbfaa7c1e7cdacb5f2975737f4ef69898
SHA256 26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513
SHA512 726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

\??\pipe\LOCAL\crashpad_1224_JYHZEFJTXSQVQPWX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2c1d64c5ccbd9b26f8be5c8342cc3679
SHA1 b58a98a9afd689366ad1a27b27dbb8a28ce50662
SHA256 e8a18861e16b8cbe0839732c9e2e3448ad0470fe697e7d31956292ffc97b1767
SHA512 a39d4b7292a9a3015c301881772d36472d4be7d98cf64f3b7a9477fd4dad371b6bbcd6dff592f0a24272154438681720da1a5e177452d7da187bf0b8482855cf

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8ba736af5ac2f3dfca449f0d398dfc97
SHA1 ea832db51912d127dd583ec3bd7011cc7941c67f
SHA256 f4f01c1d5faacf1cefa9d5ca01ea5fb1791bf6de2519c838c9022419f2d5a5c3
SHA512 c5c4c8ec729d5947693aa3ad1c91db58a6b848b4097a4e66da8c95a27ba1d24d8e980e5214eb4cf47f331c356c625605e5bc58392181e5cc16243980081ed3e8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 030b8d8a814df95ac05ac124fd8cbaed
SHA1 cf27a6c898745a11739bdae56f16eebf1058d21f
SHA256 2d89bc32cf070c681e5a13d3cf9fad91ca2648df1038cc68825f02b3c031cc12
SHA512 1d1cd68222bfe494cbbe89b8ab0e4dbf478adc9b44ff8e699f24c6dba3facb1bd4eaac58274d32a1513a9179d781d0d2448db59cfa3f4fe098de59afbbcfaee1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\Documents\COMPILED\AsyncRAT\AsyncClient.exe

MD5 164b523d087bc4bb6b39e91ba4e1d668
SHA1 699fc7d0ec5ad1257c6258fa509e455a958030bd
SHA256 335d3b73b42ade3014efbe034e358c194ab077d0159015b5932cc4abfe07f4c0
SHA512 5d49c95c6d767c0fe9e9cf8d84d32fe42f327aeb3df272efbdaf0bcdc307f25059518e91f1e1d107c1f04fa5de750be704f534f95c656a504a8ce873d7b7c164

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 560dffcd6a104e20ea9b3c4b0a9b2dbc
SHA1 417010b755783265fb54f84f5a179405b5ae9095
SHA256 9c9f43f3f22231284edc0f4224385c273f72f53e43c7bf803cacfa26485d19c0
SHA512 b539be1ffc029f41d3695443c67e254de42b6d5ec1689270043b7a7c67cf4b8a7c6169441707b42daf6aa82fed6c9442b33e060df1acd5bc3383e2d86fb87e22

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 d7e04f35a420b3a93134c159fd4dd395
SHA1 091c592df12906d6373330648a52eb0e13884ea4
SHA256 37db7ee348ae86c029b0cacb1ec1bfd46fcdb7f763d8f23120bb7dd7927cbdaa
SHA512 0e4329422a508bf9a6fc3d86fd561b65abafdbb8feb0df838d90c15c2f696cd3735a6cad96c3bace97e47f264f4429d5f86345d8c7f09ebbda521880f477b34e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 56951255bbf6e6022390c9f9e4944671
SHA1 38b74a3145c32e08d65176ecdb7d714af1683118
SHA256 02e352a797412587d5b78c351acacc5fbfd649990a39309146cf1eb47a15742b
SHA512 128e86654f6eecee1d3a05ba0f5129946c87e880e1543d648e01b2c98fd36738a08e5e4a1c114502fefbcc176bc45675e754a467f9dcbe322cb811b27cd407fb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 9908112533673f9dfeb7f63d5aae87bd
SHA1 4ebf8d3f41a0c0f89719783cf7cde126988635e6
SHA256 5b1e92005c36cc8d657c0b84fbe39e968dda30d883db727ab25cec6b7d8ad327
SHA512 b500b6fbc6983f6092ddf97c75997dba4a78a8e782ba2672d085f01572a4564e7fd9ce54201b64dbdaa0389c7a7a42060337bbe7df7de165ce000bba46467c47

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9482eb26cc30bc4a6ba9008f90df6296
SHA1 9883d11a959d65c01c188e15a2097508bcd5beea
SHA256 50a74911e21da293cbf7d9cade0dc496551f5e86bb49cb4cfce3d3261c92608e
SHA512 4db2418b28b7dc22064d49604e8dbf81712140d8a6bc6678ed0cbc1540edb450de98ff59f3df23676046a438aa8f5ddb634462b2614207b1eb75377504ef25e6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 53dd78d4f4e33afbdf94b39fe81d034a
SHA1 8711d0ec8d2f9c21e34f39ea3f5b33b516fcdbfa
SHA256 c3de052f9f0bcd49af16a05638a388ddc486b653c48efc9a9e4c11463ce9be8e
SHA512 7b5016d4ae91c395101614f95fb7359886936bfd08f68687ab9e40f9b2618d07cf612dc831acb00ff52e4e75366aad835f96f36a6ac26fbd617ac15a6d0ce4b7

memory/4412-374-0x00000000006B0000-0x00000000006C2000-memory.dmp

memory/4412-375-0x0000000004F90000-0x0000000004FF6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1162180587-977231257-2194346871-1000\da12b2c8a43264e01a9570c81f9168ea_44d43ff8-91cd-4ca7-92c9-6495b4f546fa

MD5 b9e17b867abef7398fd1f2e78c7a6fe2
SHA1 80499e1c18ed733586dfd9613628bfb5237848da
SHA256 3c0e0fe92bb4cfc9493f4594c811ba14459637455904af1d6bc0281d8e0986b6
SHA512 1a2c24b0050938cc38008a0a5448c8d9c2e064af6b64a3815041d3acf16043d69d71082dc5f86ca70a2225ad9e4e1430428cf2e43be447801d7fee5720158678

memory/4412-378-0x00000000053A0000-0x000000000543C000-memory.dmp

memory/4412-382-0x0000000005E70000-0x0000000006414000-memory.dmp

memory/4412-386-0x00000000066A0000-0x0000000006716000-memory.dmp

memory/4412-387-0x0000000006720000-0x00000000067B2000-memory.dmp

memory/4412-388-0x00000000067B0000-0x00000000067CE000-memory.dmp

memory/4412-389-0x00000000068B0000-0x0000000006918000-memory.dmp

memory/4412-390-0x00000000071C0000-0x0000000007252000-memory.dmp

memory/4412-395-0x0000000007010000-0x0000000007088000-memory.dmp

memory/4412-405-0x00000000070C0000-0x0000000007124000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp40CE.tmp.bat

MD5 1e1b5681fcd3783ae11ef1d326b09675
SHA1 1b124b36a002fa2d7548c035426e3242766f8376
SHA256 fd4fb5b814cd7a2184c9ad397316a69bbd88294a2ca69ff948a15ee6f1c68f63
SHA512 75d5d17d40bb6679a47c9a81001d339fd27fdb00decc0d2653bc14de2b1740f13cb16a80bb64a59755f74e1c04f2a7a5e7857e9b6e25d2a32ac5c89f7beaef5b

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AsyncRAT.exe.log

MD5 baf55b95da4a601229647f25dad12878
SHA1 abc16954ebfd213733c4493fc1910164d825cac8
SHA256 ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924
SHA512 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

memory/4104-411-0x00007FFC64300000-0x00007FFC64DC1000-memory.dmp