Malware Analysis Report

2024-09-22 06:58

Sample ID: 240621-xcr97szarc
Target: https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/releases/download/v0.5.8/COMPILED.zip
Tags: asyncrat default rat
Score: 10/10

Analysis Overview

Threat Level: Known bad

The file https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/releases/download/v0.5.8/COMPILED.zip was found to be: Known bad.

Malicious Activity Summary

AsyncRat
Async RAT payload
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Enumerates physical storage devices
Program crash
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Enumerates system info in registry
Scheduled Task/Job: Scheduled Task
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-21 18:42

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-21 18:42
Reported: 2024-06-21 18:48
Platform: win10v2004-20240508-en
Max time kernel: 349s
Max time network: 346s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/releases/download/v0.5.8/COMPILED.zip

Signatures

AsyncRat
Tags: rat asyncrat

Async RAT payload
Tags: rat

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | pastebin.com | N/A | N/A
N/A | pastebin.com | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\system32\perfc007.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfh007.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfc010.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfc011.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfh011.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfc009.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfh009.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfc00A.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfh00A.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfc00C.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfh00C.dat | C:\Windows\system32\lodctr.exe | N/A
File created | C:\Windows\system32\perfh010.dat | C:\Windows\system32\lodctr.exe | N/A

Enumerates physical storage devices

Delays execution with timeout.exe

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133634691328130872" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 8400310000000000d5586b951100444f574e4c4f7e3100006c0009000400efbea8582761d5586b952e00000080e10100000001000000000000000000420000000000d9cd280144006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 5a00310000000000d558769510004173796e635241540000420009000400efbed5586b95d55877952e000000f2350200000007000000000000000000000000000000d24b84004100730079006e006300520041005400000018000000 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 5000310000000000a858a86d100041646d696e003c0009000400efbea8582761d55860952e00000078e101000000010000000000000000000000000000000fbf4d00410064006d0069006e00000014000000 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 7800310000000000a85827611100557365727300640009000400efbe874f7748d55860952e000000c70500000000010000000000000000003a0000000000eff5be0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 = 5a00310000000000d5586b951000434f4d50494c45440000420009000400efbed5586b95d5586b952e000000f1350200000007000000000000000000000000000000d9cd280143004f004d00500049004c0045004400000018000000 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\NodeSlot = "5" | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{6E1542BE-2CE4-4E43-BD03-64DBECEF95AE} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = ffffffff | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A

Scheduled Task/Job: Scheduled Task

Tags: persistence execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: 35 | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\RAT.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\7-Zip\7zG.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4404 wrote to memory of 2020 | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 2020 | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 2020 | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 4236 | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 4236 | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 4404 wrote to memory of 4236 | N/A | C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe | C:\Windows\SysWOW64\cmd.exe
PID 4236 wrote to memory of 4100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4236 wrote to memory of 4100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 4236 wrote to memory of 4100 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\timeout.exe
PID 2020 wrote to memory of 1560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2020 wrote to memory of 1560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 2020 wrote to memory of 1560 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\schtasks.exe
PID 4236 wrote to memory of 4936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\RAT.exe
PID 4236 wrote to memory of 4936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\RAT.exe
PID 4236 wrote to memory of 4936 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\RAT.exe
PID 2888 wrote to memory of 4528 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 4528 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2888 wrote to memory of 1944 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/releases/download/v0.5.8/COMPILED.zip

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4196,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=3888,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=4112 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=3520,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5312 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5464,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5492,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5548 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=5304,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6040 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5964,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6616,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6600 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6740,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6732 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3532,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6880 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=4712,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6588 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2f4 0x2f8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5064,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=7200 /prefetch:8

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\COMPILED\" -ad -an -ai#7zMap16889:78:7zEvent22590

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe

"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe"

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Windows\system32\wbem\WmiApSrv.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=6232,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6172 /prefetch:8

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe

"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "RAT" /tr '"C:\Users\Admin\AppData\Roaming\RAT.exe"' & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEC3B.tmp.bat""

C:\Windows\SysWOW64\timeout.exe

timeout 3

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "RAT" /tr '"C:\Users\Admin\AppData\Roaming\RAT.exe"'

C:\Users\Admin\AppData\Roaming\RAT.exe

"C:\Users\Admin\AppData\Roaming\RAT.exe"

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe

"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ff8a5a9ceb8,0x7ff8a5a9cec4,0x7ff8a5a9ced0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2684,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=2680 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1860,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=3416 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2164,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4416,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4416,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:8

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe

"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4052,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=4668 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4048,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=4704 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4692,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=4056 /prefetch:8

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient2.exe

"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient2.exe"

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe

"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4552,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=4872 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\COMPILED\AsyncRAT\Fixer.bat" "

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Downloads\COMPILED\AsyncRAT\Fixer.bat"

C:\Windows\system32\lodctr.exe

lodctr /r

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient2.exe

"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient2.exe"

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe

"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtAddPFX C:\Users\Admin\Downloads\COMPILED\AsyncRAT\ServerCertificate.p12

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3852,i,9811130411687161049,2877204376044296817,262144 --variations-seed-version --mojo-platform-channel-handle=3972 /prefetch:8

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\Stub\Stub.exe

"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\Stub\Stub.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2812 -ip 2812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 780

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient2.exe

"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient2.exe"

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe

"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
SE 184.31.15.40:443 bzib.nelreports.net tcp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 objects.githubusercontent.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 185.199.110.133:443 objects.githubusercontent.com tcp
SE 23.34.233.128:443 www.microsoft.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 172.165.61.93:443 nav-edge.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 nav-edge.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 nav-edge.smartscreen.microsoft.com tcp
GB 172.165.61.93:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 56.104.245.94.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 158.6.107.13.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 40.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 128.233.34.23.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 dl-edge.smartscreen.microsoft.com udp
GB 13.87.96.169:443 dl-edge.smartscreen.microsoft.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 telem-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 telem-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 93.61.165.172.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 169.96.87.13.in-addr.arpa udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 app-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 app-edge.smartscreen.microsoft.com udp
GB 51.11.108.188:443 app-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 app-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 app-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 app-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 app-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 app-edge.smartscreen.microsoft.com tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
BE 2.17.107.107:443 www.bing.com tcp
US 8.8.8.8:53 107.107.17.2.in-addr.arpa udp
BE 2.17.107.107:443 www.bing.com udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 57.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 2.17.178.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
SE 23.34.233.128:443 www.microsoft.com tcp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 203.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 172.67.19.24:443 pastebin.com tcp
US 8.8.8.8:53 24.19.67.172.in-addr.arpa udp
SE 23.34.233.128:443 www.microsoft.com tcp
US 8.8.8.8:53 update.googleapis.com udp
US 8.8.8.8:53 update.googleapis.com udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 13.107.246.64:443 edge-mobile-static.azureedge.net tcp
GB 216.58.204.67:443 update.googleapis.com tcp
BE 88.221.83.194:443 www.bing.com tcp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 194.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 13.107.246.64:443 edge-consumer-static.azureedge.net tcp

Files

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe

MD5 97a429c4b6a2cb95ece0ddb24c3c2152
SHA1 6fcc26793dd474c0c7113b3360ff29240d9a9020
SHA256 06899071233d61009a64c726a4523aa13d81c2517a0486cc99ac5931837008e5
SHA512 524a63f39e472bd052a258a313ff4f2005041b31f11da4774d3d97f72773f3edb40df316fa9cc2a0f51ea5d8ac404cfdd486bab6718bae60f0d860e98e533f89

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe.config

MD5 cb1f2dcfeb5cbb5af8efa7ea40b8e908
SHA1 ceb040761554040cac2fc7ca18623498d3bfc7ce
SHA256 58f956abe9d717683f4a1cfa6f70e256c80461315a8d47b6456116b3d3075372
SHA512 f0d805bb7983a111b7083e08d5e53c30dd78a0a5fa2baa2af6c5d3395475a3399fd085d151cc8cce312c7eb3e11ac7c2cc78c49ff8a9bfba4b6ad6585caeaeea

memory/1060-36-0x000001BB5EA80000-0x000001BB5F0EA000-memory.dmp

memory/1060-35-0x00007FF8ACA53000-0x00007FF8ACA55000-memory.dmp

memory/1060-38-0x000001BB79710000-0x000001BB79962000-memory.dmp

memory/1060-39-0x00007FF8ACA50000-0x00007FF8AD511000-memory.dmp

memory/1060-40-0x000001BB79B60000-0x000001BB79B6A000-memory.dmp

memory/1060-41-0x000001BB79B30000-0x000001BB79B42000-memory.dmp

memory/1060-42-0x000001BB7D080000-0x000001BB7D300000-memory.dmp

memory/1060-50-0x00007FF8ACA53000-0x00007FF8ACA55000-memory.dmp

memory/1060-51-0x00007FF8ACA50000-0x00007FF8AD511000-memory.dmp

memory/1060-55-0x000001BB7EA40000-0x000001BB7EB66000-memory.dmp

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\Stub\Stub.exe

MD5 f76702fa423ce2b2b4b0fdcf547b0789
SHA1 ea408a4419e8a3139ef14df987608964c12d3190
SHA256 0e19cefba973323c234322452dfd04e318f14809375090b4f6ab39282f6ba07e
SHA512 03c7d8814687bb4f11ac41a555f368d89d5be749c92624073b77da0e57d872df201f2657b180ad0c9d5bc9ffa0a85989bf31374c7e5deefa06cf36bce3697971

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\ServerCertificate.p12

MD5 1deb62abf002c49001200cdfa8cc2f5a
SHA1 459aaf61c5fb8310115cd65535d67890e4963e67
SHA256 3434b9f90c9c2a670dc336caf8d054825bc2537e95ea2d282c212c4c16ac77ca
SHA512 67ea2074f9182447793d7f72dedade2a84ca12580b78afdda4b1c5bfd002ba30c4a07302b3d8732d158ac43f458cabe13dc809402a6863c143d2b2dc971cdc10

C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_rlcfuditezizgbmskmstccdixoxy2jyu\0.5.8.0\user.config

MD5 46c32cf0d264d60ed51033c6fb9b9055
SHA1 219053ee826dd49ff5e69708fdeb865e78180f08
SHA256 14f0745f4339a2d9b9c2243e0488f6a956b170c5585de8ad842718e7c55f728d
SHA512 d6a647eb0d2aed0332d9b8c71966385cc3a7b68acd121eb53bc99c05689a9d13c2cdf25231a4943522f1317d6b0ca18baf89326a02819ce20878b351459e5c14

C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_rlcfuditezizgbmskmstccdixoxy2jyu\0.5.8.0\uwauklhv.newcfg

MD5 d7704fba5acd561f74e072bc4b7243b7
SHA1 bd68d92fa59ca670f3b30f12e27f13a2325ce739
SHA256 4a6cad2d0d9eb22228da12490aae3df1375408e645320103a595781d7cb157f6
SHA512 2437a71ba0cd915d3bc2328b9923e5fc69fb20b05fdacfef043dd904a875eb28b828894f91c8cd022606b33cb2c87b0bf1882044baaf081ad377a185baec875d

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient.exe

MD5 a82ff81f17f3cb96c95defffdb7fa290
SHA1 d01fbb32be99229a4d877e08a5de4273cbd3e3e2
SHA256 ba303903868c206472ecef1dec652cc51b1051b8c525422b21aacc672ae238dc
SHA512 c81ac17cbbb6b2e79b74242a53d188d20300a4a07a50c43ecb11460918afba371874f82126f68138fe5130d3e3da90856393a96a5801bfc0dad2b47482189ef9

memory/4404-92-0x0000000000D20000-0x0000000000D32000-memory.dmp

memory/4404-93-0x00000000056F0000-0x0000000005756000-memory.dmp

memory/4404-94-0x0000000005B80000-0x0000000005C1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEC3B.tmp.bat

MD5 511cd853d9e49e2392eb79ae82edd827
SHA1 47e6b8f39ad3b412f4c0e3d4d8c3cb4e66764444
SHA256 d2cc3b6b0fcfc77f88dd47539c2b4f058f87e90626e9b1ade81666becb95cf32
SHA512 458c3baad4aaf3b242cda3fcff4204dcd7f53fde00ea0230939d00a3583be331647f1765c1611a607db3eabf81de74213b3cd136688a726f778d09b7a889ac49

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AsyncClient.exe.log

MD5 54920f388010333559bdff225040761d
SHA1 040972bf1fc83014f10c45832322c094f883ce30
SHA256 9ed5449a36700939987209c7a2974b9cc669b8b22c7c4e7936f35dda0a4dc359
SHA512 e17aa5d1328b3bfd3754d15b3c2eded98653d90c7b326f941522e0b3bd6f557880246a6bc69047facb42eb97d2e0ed6c46148dfe95a98669fc4e1d07c21a285c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f7c8df0eae60b94c46d1aed4da844328
SHA1 123fe1f5f00f764ed950d8224c3dd7b9e1438893
SHA256 815136919ff4613b4460094fd82e47b35af80f7da04a8899cf83c2d53706b97c
SHA512 1107d65da4ef228c015f0a4d16e3e1ac4c7dbec8f6ce0acbf451149d3f314905258867e352bd82389e631fb291adedbb00920211dc27b3cab246fafd3577c52a

\??\pipe\crashpad_2888_LYAJXSGDLYQOXKMV

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1d93f9364655c6997178f55ad99b84d1
SHA1 574a92300d5f793fd8b5ce1c81dad66fe3727964
SHA256 c827490b254442a167728340b8bda8c9301d39711ca83cf96e896d5486152c73
SHA512 921f74e3f894c8aed3ae2c378e1b4d904bbadc8595bb3852f38fce4932621967c911ba5368bf2dd94d9b57e05cd8bd9699546a6509774188eea868b577e3b2ed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0d595f584ce55ebbfd4a49e88cfa945a
SHA1 c0480373e4b3ebeeca6e83139860c5ade4b3ba89
SHA256 9ba456b9b39867eca23a972e9ccb18e37456d2e2558fe59ff9da995abc7f7f3b
SHA512 4c62fe37b85ecfefa1ea9cd5cc4d0325773fcec241e7efc1343e6b7f18ab00e6c8e9b78653e4dcec6eb6a809c1a54f51b53aeb1b895f512b507c9a0aba4d0dcb

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 d10b3284ee65a5942ca4dc4c043d16e4
SHA1 52caf8d4407505997c977465a175347f114ff2bc
SHA256 4f205973c394d2f19826d5894a7647ff10a966d4d184ca0fd156d6825ee55dc4
SHA512 ace3ca69af8e16fddc3a60d8c8cc705fbfd7b3d9a05be6ffc2c3251600d1855fd087cd14ac9b76d9ba3f55182d409d59ffc3d36fa54cd731c88210e01bfc5e2e

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1181767204-2009306918-3718769404-1000\70c8050e67127bbdd8744af45d4d969f_d2547453-e731-4fdf-8f92-95f955a44aca

MD5 cbf9d8f274bdfc9f014b59cfe0eada31
SHA1 a5aa813bc7cef834d499af6b87365ac5049e6a12
SHA256 690cb45fd1b61c2f7adb26775bcff3cc986816f356ec3cad0291df3b61e3d764
SHA512 8bafa56211a3a1ef9425139f732db3ecc2ec069efc45c9a68ef3f5aac6bc8ab10b2eae680371526f34d4df36f2f8f685e8d068c6b000808ea098a03455ad6227

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncClient2.exe

MD5 6f3f84141cb8bf7c1d8f23de34420a25
SHA1 17ff408c441ed892734e72727f68ed4c8395c6a0
SHA256 617fe099b8c0069c1d6f5dac68391d2504a4c5b36b78d0744d58ebb713d9aeb1
SHA512 21f44b13a17d49e9a991c194dbc3d616ff0d09223b2d4508e35b12340adc9b31ddbf5adf534eb94e1b99d364a0bbb68d08ce1967fac0a69f0b1f4a2c2ed53870

memory/4788-258-0x00000000007A0000-0x00000000007B2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 2c0226cf06799eca6d61debdcfce5885
SHA1 24e47a6b71d5bdb690aa53430d1f27818e23176c
SHA256 96509b2682a671018bd3653e6bccf8492eff494a168fe7d1ecbddb75015ed4ea
SHA512 11ce8843ca7975f0b01014db4cbbd05e1c68d70c0dd1d1f6728575ec4231f7baf480113e49e8cfd1c688a568574da949eabac231e887d0478f706d05453a9b39

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\Fixer.bat

MD5 52ab2690a33a51804764be81820504aa
SHA1 36af53e8b27ea737c255402156c77c5f9be17aa0
SHA256 5255fa89ba49c5f1f2c81d66d42e3b16305296945683954eab1492ed11b90b4c
SHA512 95579203bd7e3f2104ad2f886b162f9938d6e371ba351b0b9c5fb5d3368d674f22f4c2ccc54aece5a9ab5f044ca9deeed63a4ad30ffd42787c54807c8396f21b

C:\Windows\System32\perfh011.dat

MD5 ab6f8e83a55fadfc107060ed8311e0a4
SHA1 55a39474b14b6600543080268d41e8732ba0edad
SHA256 8647f007d314a30ae0760a8b70c6c42b4cf0e7da321795dbf1d254377a70ff18
SHA512 f5be5c78e9d10dd69c8b21ab4d5702a3a24e2ff4cec19ae56a9d58e6ceb9edc40e17b548373b7db5ce58b6759ef3ce361e8514c774fda9a7d988d330a7944732

C:\Windows\System32\perfh010.dat

MD5 92c1b6edbb53fe2bdb3bdf4ac3976548
SHA1 7167c6b531d179c17faddcb800736ee57bfd242b
SHA256 8f2aa1fed331bdd7dd0069fcdd03815de2efdcc62563123f5b2ba7f0d74784b3
SHA512 fb2c3f0597cfd9bcaf3bf5b6277d86e488e0aa5893a84c21a5609b129d94a9312b6550cac3769923bcac6673c81da574f544c55c288567b5f3e6a9ad122d45b6

C:\Windows\System32\perfc010.dat

MD5 bea0a3b9b4dc8d06303d3d2f65f78b82
SHA1 361df606ee1c66a0b394716ba7253d9785a87024
SHA256 e88439ae381e57e207ce09bbf369859c34b239b08124339534dcc935a89ac927
SHA512 341132d443cd41acf0a7eaee0d6883c40d8a4db8c59e056211e898c817c2847377f0208ed3a40e0fd6f73f0196ffcc680c55754e160edafd97036739861a6c88

C:\Windows\System32\perfh00C.dat

MD5 138145450a903faeec6b50cc482f920d
SHA1 7408b4314f7489d9cc4bcac3bdaa2b1e3d0d1043
SHA256 7d80d852e09fc4d3c56de4e09835cdb5dad4f278f56209c466d75e9d6c2fe2d1
SHA512 d0a0fc17b8154b9c66ff2a88d74b028976305b49fcf809d54992360c3391809a88d2e4959df6ca8130242b2510be8603c5641c0e62db88a34de0337b13ec5f57

C:\Windows\System32\perfc007.dat

MD5 346d728646b9a6ebc5d93d187abcff80
SHA1 0c6ca50c812dbc4f60843841824130b9b12ef3b0
SHA256 465eccb7704aba5117a356b0469253b24cdc3ecc99330a5a14f33cb09206be7e
SHA512 4829fe8f15a319178b2d3ac4a74572da3b4f1bff02cb6673c5d24438e5d59cd083307e640daba78a37a719f361f10140db4601641627981cec14ef41b5a64a2a

C:\Windows\System32\perfc00C.dat

MD5 8b4b53cf469919a32481ce37bcce203a
SHA1 58ee96630adf29e79771bfc39a400a486b4efbb0
SHA256 a7b3a2b6c67e98cf2b13684c8774113c4ed4f60cd6fc673d4c9dcb360c60ce42
SHA512 62217e68c9e4c7b077e127040318c603e2f2cbcc5517ce0cfc6189e43023f8d8a05b8e694b2a35d4b409241136a1067749b7b6e2049d6910246d8c0fa6e9e575

C:\Windows\System32\perfh00A.dat

MD5 85dbe627bfb856b9eacf633196ab7c66
SHA1 b5703c6d77edfa1717134784e61684b2d7a42e2e
SHA256 9eb4e83c4513e2028f4142cde91a72daa3d32006bf183288bacefc63caf8cdac
SHA512 948fe1519cd417c46fadbcedb57087379aa9e99571163084dc7e3f45fbdbc874686056765c9e598ec40d19311808e157bfc8ee71f13afa6184b17cbb000f21bf

C:\Windows\System32\perfc00A.dat

MD5 69c02ba10f3f430568e00bcb54ddf5a9
SHA1 8b95d298633e37c42ea5f96ac08d950973d6ee9d
SHA256 62e5660f9018da67d3c6727c39e9690650beb62749df0b4c00e6085f36c8e94e
SHA512 16e4d29324c2b50e1347532cd0982a149a7c67c4f27a743bbad8609ac662c3e00fa1be645b1b5f23adca3abd60c812f3f87d669f5ffb42b90ca5026dcbf2824e

C:\Windows\System32\perfh009.dat

MD5 e899ba2399c5a54e08ddcdec67b0652c
SHA1 72a4925c0ff569155b05b1f85077f65df42cfdaa
SHA256 ca0856e721e8ed8287ddf4100cea90862e454c143febe56b43525db9be2b47f5
SHA512 b4cb5c979be2d3c1b1aefa898005e538cf07752258930137323c520d735b05ac2f2c9e5208f750e62b6c551234f0a00d106d8930274b389a6b997af770872e62

C:\Windows\System32\perfh007.dat

MD5 2f4067241594899ff4443304e3ef39a8
SHA1 c25b57932ec8653008536167bfc1539b3a38b79f
SHA256 f77c7d83a39ded171ffd5c52cbafd1bd8e2713674c139c2f6a60f912ccf8eeea
SHA512 116a633f1d3254c286897132cff9349fe53d770688d864a50ab919156968aa0620cb3aa1b03fce66882881f4da885f2a992f1d9ce0a7ccd03689f53b764ab1f3

C:\Windows\System32\perfc011.dat

MD5 17fc81a0e3f9fc02821e40166f1cb09f
SHA1 2931659b064a216371420db215b1f48de29a1858
SHA256 fe933b8ae9d8fb3283a76b42cfed31be01d02c91cd7ba742b399df613762fff2
SHA512 19a93f08124962c9826cb6794b897ddc3dd3391e2b24cebd70c2a8027aa082d2b65f2d92ba438684d6e0490f1dabb714bcb17561b951807589c5ce920f2e6031

memory/2812-1763-0x0000000000BF0000-0x0000000000C00000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AsyncClient2.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1