Analysis

max time kernel: 349s
max time network: 346s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 21-06-2024 18:42
Static task: static1
URLScan task: urlscan1
General

Malware Config
Extracted
family: asyncrat
version: 0.5.8
Default
c2: 127.0.0.1:6606, 127.0.0.1:7707, 127.0.0.1:8808, 127.0.0.1:9999
COsVW5DISTiY
delay: 3
install: true
install_file: RAT.exe
install_folder: %AppData%
pastebin_config: https://pastebin.com/raw/s14cUU5G

All four embedded C2 entries point at 127.0.0.1, the loopback address, so they are not usable as network indicators; this is consistent with a client built with the builder's default settings (the archive was fetched from the project's GitHub release, see the first msedge.exe command line in the process tree). With pastebin_config set, the client fetches its host:port from that raw paste at run time, so the paste URL is the actionable indicator. install_folder and install_file predict the drop path %AppData%\RAT.exe and the scheduled task name "RAT" that appear in the process tree, and delay 3 matches the "timeout 3" executed from the dropped batch file.
Signatures

Async RAT payload 3 IoCs
resource | yara_rule
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\Stub\Stub.exe | family_asyncrat
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | family_asyncrat
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient2.exe | family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: AsyncClient.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | AsyncClient.exe

Executes dropped EXE 12 IoCs
Processes: AsyncRAT.exe, AsyncClient.exe, RAT.exe, AsyncClient2.exe, Stub.exe
pid | process
1060 | AsyncRAT.exe
4404 | AsyncClient.exe
4936 | RAT.exe
972 | AsyncClient.exe
1952 | AsyncClient.exe
4788 | AsyncClient2.exe
2640 | AsyncClient.exe
4788 | AsyncClient2.exe
392 | AsyncClient.exe
2812 | Stub.exe
5072 | AsyncClient2.exe
3428 | AsyncClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Drops file in System32 directory 12 IoCs
These are the per-language performance-counter name (perfc*.dat) and help-text (perfh*.dat) files that lodctr /r rewrites when it rebuilds the counter settings; Fixer.bat runs that command in the process tree below, so the writes are the expected side effect of that command rather than a payload drop.
Processes: lodctr.exe
description | ioc | process
File created | C:\Windows\system32\perfc007.dat | lodctr.exe
File created | C:\Windows\system32\perfh007.dat | lodctr.exe
File created | C:\Windows\system32\perfc010.dat | lodctr.exe
File created | C:\Windows\system32\perfc011.dat | lodctr.exe
File created | C:\Windows\system32\perfh011.dat | lodctr.exe
File created | C:\Windows\system32\perfc009.dat | lodctr.exe
File created | C:\Windows\system32\perfh009.dat | lodctr.exe
File created | C:\Windows\system32\perfc00A.dat | lodctr.exe
File created | C:\Windows\system32\perfh00A.dat | lodctr.exe
File created | C:\Windows\system32\perfc00C.dat | lodctr.exe
File created | C:\Windows\system32\perfh00C.dat | lodctr.exe
File created | C:\Windows\system32\perfh010.dat | lodctr.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Program crash 1 IoCs
Processes: WerFault.exe
pid | pid_target | process | target process
3248 | 2812 | WerFault.exe | Stub.exe

Delays execution with timeout.exe 1 IoCs
Processes: timeout.exe
pid | process
4100 | timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs
Processes: msedge.exe
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Modifies data under HKEY_USERS 2 IoCs
Processes: msedge.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | msedge.exe
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634691328130872" | msedge.exe
Modifies registry class 47 IoCs
The AsyncRAT.exe entries are Explorer ShellBag records (BagMRU and Bags\5\ComDlg under the user's Classes hive) written while a common file dialog in the builder browsed C:\Users\Admin\Downloads\COMPILED\AsyncRAT; the UTF-16 names "Users", "Admin", "Downloads", "COMPILED" and "AsyncRAT" are readable in the BagMRU values below. They record operator activity in the sandbox, not a persistence mechanism.
Processes: AsyncRAT.exe, msedge.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | AsyncRAT.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | AsyncRAT.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | AsyncRAT.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 8400310000000000d5586b951100444f574e4c4f7e3100006c0009000400efbea8582761d5586b952e00000080e10100000001000000000000000000420000000000d9cd280144006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000 | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 5a00310000000000d558769510004173796e635241540000420009000400efbed5586b95d55877952e000000f2350200000007000000000000000000000000000000d24b84004100730079006e006300520041005400000018000000 | AsyncRAT.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 | AsyncRAT.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | AsyncRAT.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000 | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 5000310000000000a858a86d100041646d696e003c0009000400efbea8582761d55860952e00000078e101000000010000000000000000000000000000000fbf4d00410064006d0069006e00000014000000 | AsyncRAT.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg | AsyncRAT.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | AsyncRAT.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff | AsyncRAT.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 | AsyncRAT.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff | AsyncRAT.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | AsyncRAT.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 7800310000000000a85827611100557365727300640009000400efbe874f7748d55860952e000000c70500000000010000000000000000003a0000000000eff5be0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = 00000000ffffffff | AsyncRAT.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 = 5a00310000000000d5586b951000434f4d50494c45440000420009000400efbed5586b95d5586b952e000000f1350200000007000000000000000000000000000000d9cd280143004f004d00500049004c0045004400000018000000 | AsyncRAT.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\NodeSlot = "5" | AsyncRAT.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | AsyncRAT.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | AsyncRAT.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | AsyncRAT.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{6E1542BE-2CE4-4E43-BD03-64DBECEF95AE} | msedge.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | AsyncRAT.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 | AsyncRAT.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | AsyncRAT.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | AsyncRAT.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | AsyncRAT.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 | AsyncRAT.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = ffffffff | AsyncRAT.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | AsyncRAT.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | AsyncRAT.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" | AsyncRAT.exe
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | AsyncRAT.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses 52 IoCs
Processes: AsyncRAT.exe, AsyncClient.exe, msedge.exe, msedge.exe
pid | process | entries
1060 | AsyncRAT.exe | 30
4404 | AsyncClient.exe | 18
2888 | msedge.exe | 2
4256 | msedge.exe | 2

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: AsyncRAT.exe
pid | process
1060 | AsyncRAT.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes: 7zG.exe, AsyncClient.exe, RAT.exe
description | pid | process
Token: SeRestorePrivilege | 2180 | 7zG.exe
Token: 35 | 2180 | 7zG.exe
Token: SeSecurityPrivilege | 2180 | 7zG.exe
Token: SeSecurityPrivilege | 2180 | 7zG.exe
Token: SeDebugPrivilege | 4404 | AsyncClient.exe
Token: SeDebugPrivilege | 4936 | RAT.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes: 7zG.exe, AsyncRAT.exe
pid | process
2180 | 7zG.exe
1060 | AsyncRAT.exe

Suspicious use of SendNotifyMessage 1 IoCs
Processes: AsyncRAT.exe
pid | process
1060 | AsyncRAT.exe

Suspicious use of SetWindowsHookEx 2 IoCs
Processes: AsyncRAT.exe
pid | process
1060 | AsyncRAT.exe
1060 | AsyncRAT.exe

Suspicious use of WriteProcessMemory 64 IoCs
Processes: AsyncClient.exe, cmd.exe, cmd.exe, msedge.exe
pid | process | target pid | target process | entries
4404 | AsyncClient.exe | 2020 | cmd.exe | 3
4404 | AsyncClient.exe | 4236 | cmd.exe | 3
4236 | cmd.exe | 4100 | timeout.exe | 3
2020 | cmd.exe | 1560 | schtasks.exe | 3
4236 | cmd.exe | 4936 | RAT.exe | 3
2888 | msedge.exe | 4528 | msedge.exe | 2
2888 | msedge.exe | 1944 | msedge.exe | 47
Processes
(Each entry lists the image path, then its command line; child processes are indented under their parent.)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/releases/download/v0.5.8/COMPILED.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4196,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3888,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=3520,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5464,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5492,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5548 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=5304,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6040 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5964,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6616,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6740,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6732 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3532,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6880 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4712,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6588 /prefetch:8

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2f4 0x2f8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5064,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=7200 /prefetch:8

C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe
  Command line: "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\COMPILED\" -ad -an -ai#7zMap16889:78:7zEvent22590
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe
  Command line: "C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe"
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx

C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6232,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6172 /prefetch:8

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe
  Command line: "C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  (The children below run from C:\Windows\SysWOW64 although their command lines name System32: WOW64 file-system redirection, so AsyncClient.exe is a 32-bit process. The first child registers the logon task, the second runs a batch file from %Temp% that waits 3 seconds and starts the installed copy.)

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RAT" /tr '"C:\Users\Admin\AppData\Roaming\RAT.exe"' & exit
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\schtasks.exe
          Command line: schtasks /create /f /sc onlogon /rl highest /tn "RAT" /tr '"C:\Users\Admin\AppData\Roaming\RAT.exe"'
          - Scheduled Task/Job: Scheduled Task

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEC3B.tmp.bat""
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\timeout.exe
          Command line: timeout 3
          - Delays execution with timeout.exe

        C:\Users\Admin\AppData\Roaming\RAT.exe
          Command line: "C:\Users\Admin\AppData\Roaming\RAT.exe"
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe
  Command line: "C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"
  - Executes dropped EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ff8a5a9ceb8,0x7ff8a5a9cec4,0x7ff8a5a9ced0

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2684,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=2680 /prefetch:2

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1860,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=3416 /prefetch:3

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4416,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4416,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4052,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=4668 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4048,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=4704 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=4056 /prefetch:8

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4552,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=4872 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3852,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=3972 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient2.exe"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient2.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\COMPILED\AsyncRAT\Fixer.bat" "1⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\COMPILED\AsyncRAT\Fixer.bat"1⤵
-
C:\Windows\system32\lodctr.exelodctr /r2⤵
- Drops file in System32 directory
-
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient2.exe"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient2.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"1⤵
- Executes dropped EXE
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtAddPFX C:\Users\Admin\Downloads\COMPILED\AsyncRAT\ServerCertificate.p121⤵
-
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\Stub\Stub.exe"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\Stub\Stub.exe"1⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 7802⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2812 -ip 28121⤵
-
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient2.exe"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient2.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads