asyncrat | 258e07372cfe185797b6c044f17439e6e3f621dd31db32ba93d61af170361d43

Resubmissions

08-08-2024 20:39

240808-zfqa5ayhpp 10

08-08-2024 20:38

240808-ze75jstaka 1

Analysis

max time kernel
521s
max time network
507s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
08-08-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AsyncRAT-C-Sharp[1]
Size

327KB
MD5

fdaef1ee8df86d3be81635910117256b
SHA1

d543715b01923fbf601e23a87b7e3a4343a7f021
SHA256

258e07372cfe185797b6c044f17439e6e3f621dd31db32ba93d61af170361d43
SHA512

488a1f0fe23702ae07b033e79eed2170b90995f5cf39ba786d95fb2741cfbe2819272dbea9e93032203350fdb466db8244797d1224145b1110b40e23f25ab1ef
SSDEEP

6144:iSotL3uokeOvHS1d1+sNs8wbiWQo9JvZJT3CqbMrhryf65NRPaCieMjAkvCJv1Vo:FotL3uokeOvHS1d1+sNs8wbiWQo9JvZx

Score

10^/10

asyncrat default discovery evasion rat trojan

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

M19GxaCXV2QE

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	AsyncClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	AsyncClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	AsyncClient.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	AsyncClient.exe

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x000500000002abaa-611.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
1880	AsyncClient.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	AsyncClient.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	AsyncClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
43	camo.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133676232235500204"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 50003100000000000259407f100041646d696e003c0009000400efbe02590e7a085905a52e00000059570200000001000000000000000000000000000000e17c9400410064006d0069006e00000014000000	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0 = 5a00310000000000085950a510004173796e635241540000420009000400efbe085941a5085950a52e00000089ab0200000004000000000000000000000000000000ae6cb5004100730079006e006300520041005400000018000000	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\NodeSlot = "5"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\MRUListEx = ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 780031000000000002590e7a1100557365727300640009000400efbec5522d60085905a52e0000006c0500000000010000000000000000003a00000000006938420055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	AsyncRAT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0000000001000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0 = 8400310000000000085941a51100444f574e4c4f7e3100006c0009000400efbe02590e7a085941a52e0000006157020000000100000000000000000042000000000036740c0044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0 = 5a00310000000000085941a51000434f4d50494c45440000420009000400efbe085941a5085941a52e000000faa802000000020000000000000000000000000000001f4e050043004f004d00500049004c0045004400000018000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-6179872-1886041298-1573312864-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	AsyncRAT.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\COMPILED.zip:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
1880	AsyncClient.exe
1880	AsyncClient.exe
1880	AsyncClient.exe
4724	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
4112	chrome.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
6108	AsyncRAT.exe
1396	taskmgr.exe
1880	AsyncClient.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe
Token: SeShutdownPrivilege	4944	chrome.exe
Token: SeCreatePagefilePrivilege	4944	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
4944	chrome.exe
6108	AsyncRAT.exe
6108	AsyncRAT.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe
1396	taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
6108	AsyncRAT.exe
1880	AsyncClient.exe
1880	AsyncClient.exe
1880	AsyncClient.exe
4724	POWERPNT.EXE
4724	POWERPNT.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4944 wrote to memory of 2616	4944	chrome.exe	85
PID 4944 wrote to memory of 2616	4944	chrome.exe	85
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 5040	4944	chrome.exe	86
PID 4944 wrote to memory of 4532	4944	chrome.exe	87
PID 4944 wrote to memory of 4532	4944	chrome.exe	87
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88
PID 4944 wrote to memory of 5888	4944	chrome.exe	88

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\AsyncRAT-C-Sharp[1]
1⤵
PID:3476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb74c1cc40,0x7ffb74c1cc4c,0x7ffb74c1cc58
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1784,i,11801174402307327996,3821715788757813333,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1780 /prefetch:2
  2⤵
  PID:5040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2044,i,11801174402307327996,3821715788757813333,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:4532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2160,i,11801174402307327996,3821715788757813333,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2212 /prefetch:8
  2⤵
  PID:5888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,11801174402307327996,3821715788757813333,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:5284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3100,i,11801174402307327996,3821715788757813333,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4432,i,11801174402307327996,3821715788757813333,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4712,i,11801174402307327996,3821715788757813333,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:5696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4744,i,11801174402307327996,3821715788757813333,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5052,i,11801174402307327996,3821715788757813333,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4380,i,11801174402307327996,3821715788757813333,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4788,i,11801174402307327996,3821715788757813333,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4304 /prefetch:1
  2⤵
  PID:5336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,11801174402307327996,3821715788757813333,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4724 /prefetch:8
  2⤵
  PID:5808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3456,i,11801174402307327996,3821715788757813333,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3284 /prefetch:8
  2⤵
  - NTFS ADS
  PID:1464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1124,i,11801174402307327996,3821715788757813333,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4112

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3828

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1408

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe
"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6108

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2416

C:\Users\Admin\Downloads\AsyncClient.exe
"C:\Users\Admin\Downloads\AsyncClient.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1880
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:2416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb601e3cb8,0x7ffb601e3cc8,0x7ffb601e3cd8
    3⤵
    PID:1224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,4972169379275948124,6215077826109587529,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
    3⤵
    PID:4816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,4972169379275948124,6215077826109587529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
    3⤵
    PID:5532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,4972169379275948124,6215077826109587529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
    3⤵
    PID:3988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,4972169379275948124,6215077826109587529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
    3⤵
    PID:1872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,4972169379275948124,6215077826109587529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:4436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,4972169379275948124,6215077826109587529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
    3⤵
    PID:5972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wsdlfit2\wsdlfit2.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2544
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA60.tmp" "c:\Users\Admin\AppData\Local\Temp\wsdlfit2\CSC43E0EF4E1DE34CD5B3183D3D3B84B825.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5424

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:864

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\ClearMount.ppsm" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
7af6bcbc1326a33568e7fee5766a77a4

SHA1
d3a286f5e08a7d1a5fbdd0daa54c79b066148698

SHA256
5b2dfefb69c22be9ab244ca2b6b94d2ffd7079a8cfa10701acf0c74eba0efe41

SHA512
dfd4fb0c50d1bd91b41428ddd3a004cd0810b3be1f4143bf5963b9ed11d7fecf5965741e6a4168c98897290c5fe1e1c6d03476d3a35a07b6358e7ec48bc32415

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
fdb5d5b7d1aa306a354c2cc308d65394

SHA1
44b95c6e8fff5baaf3cbcb025ab4e9da39f37de1

SHA256
32e4fdf3113c8d15cb5e6e55036ad4cdf89abf0782729c6fc0155e8a53b40e14

SHA512
5f01e345f1ac87e963b0373f03971b6c5f122a668107782f606a9a2d2603479610ce52bb16c704dd2463f4d5ce405ae598ceac6fff7ef015eabcb46c86daedfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
e56a78d0cba6d3838bfbde6a1fa02482

SHA1
b53392665a81dd8c9d41a09f8299608f63f3520a

SHA256
a116daa7fe436f7d705ac89a8c518f772ee9eb06d695b8e006def62cb313ea8d

SHA512
e8a8d56308f746d63090c541f53d12182a8fe8cd0ffbfb6d6a373988a7786aba5deca5ea98e0e4d6e7cf6fc6ba58c938ded99b5b4e178ef5ca3b73f11a4a9c82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
c8f75ba20e69f159d2e92c276c6cc696

SHA1
f10e750343cd98c141269e0290ab92cc43649c1c

SHA256
7d771d07c4d4450d5ca30308e425d5de64a1f5de560ff588884a884da753d6e1

SHA512
ec5f850e9db3f72a42f71b9653e3784569a8f2baaf721e59222394f60757bdaaf5a818d86313ebd4489c855896061ddc1e8e66945673076b8d1f3c90a34156ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
665bc8e7ab2f21e60e9f4c7e9bb93607

SHA1
15fbf38459b5a30ac1da16077c3137480175537b

SHA256
c71a29db960de969cc8886c6a5cca6b6a700f78b611fc2d0ddf45b06bac22018

SHA512
d305820a54b777e85aa9c79a669b5e6371203b95624dd36398b05ec4c0d0927dc10ecb21fbbdf1fbd24ba5730ae41bb373392e6efda4d6ef0d497b8f3dec99d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9f7b0d399095fde03af34474b9259be5

SHA1
a3bf70f09dd7430b61752f662b0da26af1ae1b7a

SHA256
e0376e5026a8adbd0844e92cf30e854fa02550bbcb5236e50372313664216365

SHA512
b9bda5fb7a7f15507994c59769c6873da75694ce15f9a7e9e592ba5a5283447417f36589dd5749a0a095a245e30b9a1c7e85dda39b7d699463b6237880621672

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0ea8b584478057ccdcc2cd576075633b

SHA1
8e25142b3ee1edd776f96343f6f7a143ec7ea262

SHA256
4901a5933b3cdd40475b92fa1a3d0ff0ba09dbcaca9f1340ea9b0efad59df426

SHA512
a7d66ceee37e8ae28ae30375bb0cdb6fc3ec79040dc75dbf51f067151636c8f6d0b35994e59aeb67685eda5efdb12a9eb08bdf3f0d8a30535da3b7966c93b1c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6055e8b3df46cfc471cccb7b2e70bdeb

SHA1
6d1d455eacb90606502fa03216cbc122ba8b9685

SHA256
22044eaf7c60444d7741c599a7738908cc3f0adfef9eb4eaf75074a578c07cfb

SHA512
361edc1df53cc23380874afdcae159229a2e3b6ef07f523d81c7945140b7b9ef16f93aa48a50bcdb86b91ae55ba7d08c55e9d897b04fa17b204261fd4089ed09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1e0bc80bd3af2b3dc4d04b2dd3542caa

SHA1
735133110e46f849b7a37655a67c9ee567224fee

SHA256
ff781c4e46a3100c112123f08a1ce0983774d40b06e46660f363758d009cbdf7

SHA512
00e0bdb6978db81b420f50ec7f04278b426315238df74a88266938e2f2b4eee88a418e9db425f3ee7153c7e9aa492fe44131ae9c4299ced21e28d38f132ab35f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5f01500ff7f2962e5ebe6d9408e3aa2d

SHA1
dec4189c56e324c78f5726a93ae7bb73b4216445

SHA256
f39d414c700b1f0ba523622809f7b0e8df6468aa8542db6888902b67ebe3a959

SHA512
06b048e85984c1cc98db9ffe8e3bd3ebfa7c0a8facc4341feb64f23393d7993aa732a5b9da3433cb96a15bf1a4707c2fb0f95d0228cd0a476b333c5424795e89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
82f5c9de0940633fe39bd3ca8ab6b417

SHA1
e2fc5a788dbc446bf4e2eb1987b429b12868746c

SHA256
711c11c7dbe6cc6deadce0ed4f2b368766f499943581e2a83f0007f82fea5c91

SHA512
f20fa92ad51cee00cb578cb247e33ddc3951f1cc63dfb8f9423c8eeaa43140fe16bd4c597a238bcb29c3e5aa9aee74ea95bc65068760b311a320c100d010dc9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8b1a802f03eb499b8662991e44528217

SHA1
07008378540b75e1a4c865aaf5b9c1ecaaba6e8d

SHA256
7d711810aebae4f935348115f1ba4e94dfdd2d6a3fac76faf443ded49f680f08

SHA512
f7139d946452a47db6c8efe3fa57d3262cd17814bf9a38c60ae5f8bcd7157877caa9edfbdb571ececfb3cf82ad80af6875cfad23e6859487aae27ce9451773ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2fc203b86a8fd0eaffac2566356f9abc

SHA1
87705d8dbcd81ecee55922bebf0f5d867446267c

SHA256
a8fbf7dadac2065d9aa47571e5fcc43994c88c3a279fd07ce95de286cf2aa03a

SHA512
8a0175fa0180e1d1f91bc60390886dafe9c4b2e4ca12b631098db23aac635a497733a92143666eabc62ebbad31b38fc37d77223c09c1b8cf538ae691034046f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
81d3c28bf6959943d7ffc48dd461cc26

SHA1
a0e1000e036cfbdb8a93294b752413a5a6eb93a1

SHA256
c886b33e1856bb0d4788717f090c5980419991c42597b0a763a961989e464f29

SHA512
ae65233bc88cc23a09988266c408ede1c9aae14fb091e5ac96791784fb6f879d40152c26b5904ecb5794e3bf1272ad303bc1da009fc97ca87514d2cb02286b34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
40fbcee2adffe05a05dac606aa50e451

SHA1
81dbbe3dd792e11d6261f67375a1c069007b25d3

SHA256
41d5e0eea41c5359fd262db5f3b1fc7a32ca1ff883489db470e8bf40c4973fd9

SHA512
c45f70c3f8d98368f434223eb55daac6c0b1db37c224dd30d81911ee3c63e4eba55f7fb9b85443c2cced8c9f95864c09b115de34de9707d2651b0fc6fb7f1860

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d1679d768aace7e7f88b20ecfbe3165

SHA1
3487b27fe8910379a4694ce57e38690725fc3b6a

SHA256
ee0ec2ffc8fb19be5d3a47e310a67d76a90967c29096d0735d065d20e196949c

SHA512
3aaa1f78a2fdc3bfa34bfab2e1fa3e17d378a64d0dd27f8df9d631a639d3a57991f019f8db8f3de44e7eed84fb3db4ecafc374fbff0bd2369fc32c24767fab1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2b5cdd49b08bfe68388877d3c7e596d6

SHA1
f1af7a1c26b17b8e3ac4fb5b93ab3bea594ef636

SHA256
9540eede83667229b38bdfb675b0eb0f0a2c2fdd9acd273fb95c7384f9e51c5c

SHA512
fe8af7f9e48b5b1cb1985e08800ca073feb85c6c4f15af90ab8cf8a21fbeda34c271e17d488c8e1b9884b87db260ed25be104ade460d192ae21ce972f1e2c3a5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4808721671e786edef652766521ff6a0

SHA1
76a69ab8d28cc1628071e0097af574cc7c5fd2f0

SHA256
502dfa15bddbea1aded28e2ee66e39ac5e91095a38af32725bd87c161b2e6fc2

SHA512
b1483a504964138e3c94ec1484e86227e437071775d0b8d29c6ebc22356a55b0f2d739b9c00330e4e03d129a3c424930b692c45e87a010cb6ffff930bde420fa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
54f914426916f2e4f4f961e207297667

SHA1
c0afd1fc81684f420c25dd1a2f8c016109694a17

SHA256
60ed4350713c34bef23c5678c53bcdee87836e94e9f62b2f9cefb949e4096e1a

SHA512
5bbc6415bdbfc2080882fbd7c0e7b3d99942af0a4299512f958fce2072956ea63eefb69042d3890d1d5dc15b3e77f5edc9860135963662bbc42c6052a7cb3715

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1feeeafc8a922341ea8b9073483ff1d8

SHA1
6a02ede86c77eb35fc5656ea8538de77584e3676

SHA256
a24029e9944a981bb0e7f62c521c5ea4c14acd2c11892af7294f35064816f123

SHA512
68d289bb713a31f2447486cdf93ae680b551b00e56820046d25e9643678390ea7bdec1a3cb7d923f0aeba5b23cc19c9c8ca1e4c186f9c39841334d397489d40a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1454b6092aee83de89bde10b1eaa12b8

SHA1
26497d958f55fe391c97492d32f35dc093486d3f

SHA256
18a5b099c1277687a2ee637f2d1eb6cb20488e1e247b312322c80cab3e8ec7ac

SHA512
ccad2f701e27b941bc7e5a14a1a75ea8cf71468ec7b9f50f93d6df3d0cb87f2415ac26166af596a7f45332745318b4542099d59d43a7ee0f7c2b573f992d59d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
27f7418f7be19da7dd6bde308a70f75e

SHA1
14374b04babb0245e8000edc09c49946dd5ff76e

SHA256
f3154b4bcdeade298f823b7c55958008e938e7ffaed4d03229b1fef56cf7b698

SHA512
387a0abe31959e57816006871a2d6bb23a4528a499211b88245aa507b13af0dd6278cccaccbf05960eb98881b705bd8a18ed5bb3acd207bb3701f07a2ca09fc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f9fedb8bfa36d83d4d8340a86e173646

SHA1
20211012ee75546ac4cfa5302179af40cbb1fc49

SHA256
2704d25b5afeb323d9ddfe2854df287dc963afd5b1748fce45ccabc69d60c6c4

SHA512
f7386de4b1a6845201ad911b2b5674a9a0423f15ba18f90c20e5b40feb91244a4d22ba28c297c13c9dcea2b2cc5c6651b73b1b76eb76595b19429d68df2ce374

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
1da795dd49cf7dee5a5c6a89eb0e2339

SHA1
75833e6319ae49592e2ca0ec4ee0c168670704a6

SHA256
fbbc8d60c7797d388ed6cafb736dd11e28cbb7d2669a1ded8c2682200ac0c8a7

SHA512
ab456f9b6742c8b372c58cdbcdae315fb1c7b36fd71d6551b6bd3db7ad79494c4c131c04c6af645c6f8337bb96f084da7d22c7942557512d825a63b3a8fdfab3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
2e1b5d86165e1027eda0a2fd8a1ce7d2

SHA1
ca8c4a6800f38b85a776d3fb918b748a263e1593

SHA256
1df4503f9944b48db305c9223e6bc0f24db0508ae159137ed89c6ba4ae078c38

SHA512
69fc0365cc49d04397a7ce3f5783534936781f4444be5f94136aaec0170f5e4a3491739a7800ca0914794ae8e37a972ff41e575c6679356e498faa09fae5c83a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5c9410a7a9d51c1247790541c6cd66cd

SHA1
675435ca7601aae896b36b4f7371015d2d7a35fb

SHA256
53db17f029c124f27b4b27c0e7ded0ad0335d468cfce7fa88f3896537e8ab508

SHA512
0f7923561f681fae6c14dc5a93468aa2699906a7e245eb0f35494e11dd00099b8ed7072dc811f3bd4688707bc92a416443cc75a04e474a96441efedd4b66b9f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
70ad6488eb41aea9222d7da0274ae495

SHA1
7bacfbd55d7ca52e23900722cf073da2c0d090f7

SHA256
b34ce6c2ed276c855274a4aac6af8c0e560c62f3b4ac756f887dc59ce7622803

SHA512
60f7388a022169070410e38f946927f22af2a68882d56ca088ac44abc0bc313cfc7abe42f58e3d88d484a465ee5c1e4462063513c1925e9697bf0c70d3cc4d88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a83be59fbc35bc09618d4c11a74a06de

SHA1
861c3846817919dad859362f396613788e44bb2c

SHA256
5dda3319404aadcc920f65b8c9287d47ab411136e3252dd0a8b770a1c8a14679

SHA512
b3ce5bdb6e7343718e51aa62f7c418d32be30d9af3a62b894707bc3df9684df3920a0345332cc546066036a7936c55c2a863f7cb4dd742b78a16910795f2adf4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ec04916a5ea34dc55784ce1b6ab15975

SHA1
9106d55ea554dc906f8d272aea44a5fdd009cb4d

SHA256
3c1197d87787b3172d41b4117163875d70453e31c401a7a249f453c62149ea1d

SHA512
2d3b8298ef968731b2caf88ae32eb91c5821db54a1320563b8db836586596e504686ffa3c33fa1d82d50f7ab5411e37523999a24ce6b19dab311fc5823b194bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2135164bb1ca21f5caf44807ebc69b64

SHA1
a48fc696e380f3994f076c62958400c404346811

SHA256
348b1dbb0222e2a63cc597a718ae167ab4dce1479eaca85adeb084b7246dba92

SHA512
768c299f391de5fc50e4da98167122aea1e7fdb85b751ef1f9833faedf1da3ab96b094b05dd5e52d972696692f1b365c21b2cc03c2f65cb6f411f2ecaf71bb39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
0cdaf7701c216a4ad7b1ad6245c10dcb

SHA1
57dadb7866d9b6a51ec383a42446ce783619f992

SHA256
321a0c20b4c613e2a87a9001d503cdcffc48756e8a2171d6cb7832c57c408cff

SHA512
4488622c4a220d3ecae2849e69136cd9be2c562af3f32a5517cd89aa4d7b6544787132c08cc69ca0ba741bae148c96a0850af47844aaa726a9c1c163b1e98e02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7761f2133b7f227bcc113657e218e1e2

SHA1
7912283cd4720cd7d94edcf7b5ed4b174ffa4a46

SHA256
c6036cdf239d9b4f5f3ee5b95940dd7b050966b77dbd82db43371947aa14a878

SHA512
9be2aceabd428f85b1782f025772c6488eae8ba20c7f404608bdebb45774abca2447a0f0ff1641d2b6d46184cd2222bad3ff045b142e0b78ec9fc5b52a102f1d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5495d9d70d604af34ee97977960778b2

SHA1
f615cc85c90c983f9a67bf423395df37c962f52a

SHA256
24e7718e6237262560a03d3961ac6af9cf1957feb0714efa7f31efa6c7688e42

SHA512
b0c311c9469ed05fcdf2585d3e3e3761730fa3c1f09a37f0e6d00250ce2e9673d28ea4d0f30dbf5fae5f8057d3fb451c586cfe7ec9087f5ca4fe9d4460f59448

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
94a97260f208a1851f607b524469ee7c

SHA1
b6fb29512931bd75624e8b29e618f80859a949f3

SHA256
783a471758aca3ca6a77dd12a7293df5cfd9644652118fe3abc845e17fe8d2f1

SHA512
83e33425ea2a3331e75e2044fb96af08652520e4316ab12878470a0ea44277e42cc7b0b76cb1607d84be368159fda904d0442057604aa75994648232b33e86a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e3cd264dc4638b6d16a11993564c2617

SHA1
8ca7ef783b518d6d720731eaf6cc903f3a07113f

SHA256
490030e9b8fb21eac13d208d26a1067ddc5401f51fea77cfc1c870523df7781a

SHA512
b89aba18d02f4e191eea7c9484aa960e4648f5b8d9be95c9c264ec7ce39249c200c781645cbfd6fc90f8ee5655ba4d72b4d56763bf84a742b6279686e8edab56

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
416ac2b7ff99f047318a11a87c44e4c7

SHA1
62f5b62007bd656c6304e1c7d819b822f15b6260

SHA256
aa09177ae5fc2d6dea2130419dadc57d1d36432b1c7b3f8e884e502258c771b5

SHA512
3bfea11f240fcd8feccb9327dd3fe5ac50612bff5cb2db15ac0b7788cdb13643759416aac289c791ba0658b7342cae93fcf8dd749d7387b3349d6a72d13b42ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3d07c14e701fa2ba8ee39355b90e5e8e

SHA1
2d40c83614050434d1d4f59a5e1df43a99a5979f

SHA256
79bb1295b745b9ed8aaa57cf2c4685f60418ccc85c7e27f56d1691e0dcd276a6

SHA512
b1a3de512bddff980b23495c36a583d717a11d3f865799836e53cf9f663e75d0ddd3b129ffd9e1708236298daafb2fbfef3824919c5330138f94ebd66212a6ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e69cbc3e68f7502ed03e43e7e5d2c8cf

SHA1
91892effe0cb3e681e73e2439841fabb0634a649

SHA256
04f49976d1513144fb8dfe187f20689aaa25e8f6cc1d82c4c141630501572b3a

SHA512
66f9e8a73829c79cbed13e3569d611bc5599d1049048cd272f42181e4eb97b7ef7e4ebf593f57c9f50f081a2032479b67b71cd87c9dff3732a68bec4c57f237a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d201455443fe6d92465bc49860abb3bc

SHA1
f5eea083ba6777aa9536e1550773e9233505b08c

SHA256
b5da4ccd07557e5e27574e3044a2564edbb057c0f8a42d23ed5e621e203a408e

SHA512
0d3b2003377f44b6bad7947300a112b3676d517d2f3d51e3a30eba4c416135ee8ca81d8037e1b851ab21ac9a55f3d1c41c997624fe71d6e158733198bb83800f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a35c1626ab2de6dbac3f42199b8c2519

SHA1
86fa271281e5a7c0622175ddf45301bd145cf935

SHA256
13179fd6fdf6158c2bd5dbbb73e78dd739d9b24a2c5625871abc1e9b136ed09f

SHA512
480259d756331ee7bd9efb9d99e85841c62eb3a3ccf17e596b3e14edabb9fe0d4f0eb5aeac2d01de6cc2ab4a50b3eabf2342bd5005f0ac3598a5bd27273461d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
14dd5fb29cfca83ba9013c75421fff3d

SHA1
cb5dbb07ffcd7de2d22380a2e46a78bd10b3e641

SHA256
ae06f8e887c0d8e62d18f771fd04b4130650d4ba5c733d46a693a5f3aee704f3

SHA512
cf8fd8b6e06a939c91004600ddac612a663a1d7a2f5e3ef8e186aed9d7c0b91b4297bd90d8f9981d5253ac2ab04b64ac524b8bcbc08207be900dda2070fe402c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6a03fb9e593a77d79e1d242e970bb085

SHA1
85ba6c16dd6f6f1603db8277cd67bae6f9203de0

SHA256
3e5bed3644fcb9fb18e2f5eefa3ba8fd5da6a9d615061e18f21cff32db0b9960

SHA512
02aa6079b163dd4b2cb4e92bf3ee078ded86d8895be4365e6257d20fc3ce80672e856c453c46530b582901b71934a3969b731e9edee6b670727d23ef7cbf2402

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2fe83fc10759ab723fff79f5508c9c52

SHA1
73f30eb44b47755bcb19261684231b60b073c8a1

SHA256
a170a0ef825bda389a447fb6eb09e0c7824598adea5b843a1b6d45d6c41dca43

SHA512
4b33bfe6bac5b451fa480d803ab9e6a3bf07e8783fa889298296af5d923cda612bd400f6551ab5014c18327c5d2772ef8676b88fe45b3f593a8827f8f7c6ac9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f9d71024465ab546b3ad1771389ea883

SHA1
16a133a746374e15e416c78f34f6519456c89782

SHA256
a5ac6945ec04e6eefbf6a81af41f6616982143ba17db52fc35f6a6945d8075e5

SHA512
5f8a8b453ca2679b19d2055cd9b57e3399a70a1ba3142f7f5e994655eefa81100703f7f2e91443878a758b0f56705af870da67f22bc81fed70707304c3720992

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
193KB

MD5
e54ee757068dfd61ae3c60788e6f3e63

SHA1
442b1624fb39aa0ca6cddc2f8efc3d9e99f7562d

SHA256
1245c29ab6065f0956a6d8c09e63b64fa35ad87a80e0621fec57eb42ddc1f2fe

SHA512
218b87c385b321ba6af669e9f72eefe47d800c82b183485c15324a139e0dfa3afbb7f4ca3083982c63931c7a2032f9a0ddb0c8163c2b24091ed5970b43173228

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
193KB

MD5
c0bdd3f609e36a3857bb633c135a828b

SHA1
bdf05494bdb5f062cbadba0ae9a46f9269b43012

SHA256
9f34d2a717383701a99a9b656f8999706c14e5c178b6547e5f72ab5ba332119b

SHA512
9e3c861b0255b481fac4319bd45d170eee40a0d0e0e959fc6bcd8d6e93c03135ed37798444dd4f7b76a9e437f96c5aa933d0aa0d0137626acc1578976d4aec18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9efc5ba989271670c86d3d3dd581b39

SHA1
3ad714bcf6bac85e368b8ba379540698d038084f

SHA256
c2e16990b0f6f23efdcecd99044993a4c2b8ba87bd542dd8f6256d69e24b93b3

SHA512
c1bc0dc70ab827b54feb64ad069d21e1c3c28d57d126b08314a9670437881d77dba02b5cca57ef0f2aa7f8e7d4d163fbd2c6f246ea2d51ce201d61a89015e8b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
302c3de891ef3a75b81a269db4e1cf22

SHA1
5401eb5166da78256771e8e0281ca2d1f471c76f

SHA256
1d1640e5755779c90676290853d2e3ca948f57cf5fb1df4b786e277a97757f58

SHA512
da18e7d40376fd13255f3f67a004c3a7f408466bd7ce92e36a4d0c20441279fe4b1b6e0874ab74c494663fb97bd7992b5e7c264b3fc434c1e981326595263d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
8f6c188aab6879c8499451b0a7d0a791

SHA1
626d2b0c55cbbff1385ea897211a8972d79fbd13

SHA256
0212e812de826844b6138bce06ccbae89aa03918e74ae8064f179622b5eba36f

SHA512
654cddae722b181f97543c450b98ee0edeed3fd23455c56c9c984cd9c5cd31aee965e2b4571aa606c563c582fc1bdb3a31fee525baea84f7ee306775b1420cbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
815B

MD5
62ac072cfcfc6e887997a4acd0ad0084

SHA1
ed90fcac5ab39f6772763714d64aa843b0e5d145

SHA256
22c402f7dbcfb4ebc3efea929101db455ec0c5772ac1c2d711e0d38bdfb9f070

SHA512
bd21fa4aed0b9879b42f61ab8674a21e415a5463a400f748b1cfdafdb5bbd2dcf0e453cb0d2b397484801474432ba7e321bfccbf727f9c8ea5814db210670761

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
960814b703bf284d226b10495e6915f2

SHA1
ec4fbe8ea95d739224597cfc427ff02c608b1ae4

SHA256
d6c6127a3fba10d670b85f3fc92d08229e8d4755073290015d9198b07e7486fc

SHA512
ded64a6e500d9c0da4126633da6b3a9457825c04a7301310aa450f8bde466975bb755e9cffd1f9ec2d1237670454cc4d7a160003d17b34f9cd57dafb63321ab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aa17df638377951426204d02545a64b8

SHA1
326ee21a72126b996e694ebfbed7d3dc2fc1435d

SHA256
1e883ba19d6e7f811793754959b3e19fd4a781b42f9ebb5101cd76709bf1169d

SHA512
3f70e75ecd85a6350feaceb6dcfb6fa1a5caeb0268b8ce19c02ce6de71d570b4f503ace3fb21e1a2f8cb153417fae938b453c14845067c2a5e6a5b6aabdd69f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
78210cf60601973f9e951d6c872eb73d

SHA1
f425af53161a8b58e0ff8e777d89b817ebf61d36

SHA256
5b26aac0923fccdc472f5d6ac0dc19c43edea37b120a13eed93a300831748573

SHA512
b73fab1ea666c301d0cbaa54998d8a3db17edeacc2a5a4e15094fde9462a5179c01c48a4964d4cceb11940a3b8d69ce2bd7525eea86bdce91d318d917b8c4f0d

Download Submit
C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_rlcfuditezizgbmskmstccdixoxy2jyu\0.5.8.0\user.config

Filesize
319B

MD5
f71f55112253acc1ef2ecd0a61935970

SHA1
faa9d50656e386e460278d31b1d9247fdd947bb7

SHA256
d1ad588a08c8c0799d7a14509f1e0a7ae04c519102ed9d328a83fe65999e6179

SHA512
761b5c13e39bd4ae21d298084bbe747ae71c383fedf9a51fd5e9723a8b3b4547de459d82bac7f3f8f3bfc11cfb0528a4f1057b51996d7d046583109a53317b44

Download Submit
C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_rlcfuditezizgbmskmstccdixoxy2jyu\0.5.8.0\user.config

Filesize
565B

MD5
740e930ec88c58973c5cfb82696d9158

SHA1
0603fdaa7a75fe506b5a3aa77d43d3ba7779644f

SHA256
78b0d41c72e096373b9d093df0d810060a0d0ffcc03b41b34b4cb943c5d7b74e

SHA512
221ca50c18aa871b3e8857f6d31fff666a3deea450f7706565607f6e09d832a03fbf420cf8317397bc7bdbbb854dc78fba8c6ca096b425ab9566d4cef7d8e7c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDA60.tmp

Filesize
1KB

MD5
7e65e9630bab3361f1ab6c2f925b524c

SHA1
7148e52dd56e0beb98010df0bd0da98c78fd7dbf

SHA256
9b482021131a30eaf2f847901779f578eeefef3acbd614c9a54c1bfacd0cfe76

SHA512
87c73cfcc35a3432595d96f5a59427a5fe89360b1d491dfc5a21958f7f350ee36dd9be43aede87b288b640ec9198b52db639c8f66e81990640f60cf07773657e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4hi2tphq.0dq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsdlfit2\wsdlfit2.exe

Filesize
3KB

MD5
4ea16b7f9c2a188f68b01b0ec9d75864

SHA1
534a75d3a062a6646ab87a405917b6ce344b4ac6

SHA256
149921a59b37cad102bfd7143fcba7f92e0a000ed4828de70d309713fdc81a33

SHA512
78c29fa7debbe1388b4bdbfd56226842bc45fcf8aa60a1e972d128f53d52aec2c02f7a987f2d24cb89a62b8df39fd3cb5ffb439b1733c8404295096ded339fe8

Download Submit
C:\Users\Admin\Downloads\AsyncClient.exe

Filesize
45KB

MD5
5dd34cfaebc32d77ed83a9013ca8a8b1

SHA1
27ce18c55997a1bf43d2702e25f795d528e40b2c

SHA256
09e5515a20ee91b97eb63c95be344770dafbb09e6bf1d5d3f0fec600b85c2e57

SHA512
f98a60b68431e67f36793afe6565599dd9a6a34e70a6e186346b9f3abee93531d955de33c671d7fcd11a8ca5277ebca2741687760301ae27e1b101bf742fdfa0

Download Submit
C:\Users\Admin\Downloads\COMPILED.zip.crdownload

Filesize
6.9MB

MD5
30b1961a9b56972841a3806e716531d7

SHA1
63c6880d936a60fefc43a51715036c93265a4ae5

SHA256
0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c

SHA512
9449065743226bd15699e710b2bab2a5bb44866f2d9a8bd1b3529b7c53d68e5ecba935e36406d1b69e1fb050f50e3321ef91bc61faac9790f6209fec6f930ed0

Download Submit
C:\Users\Admin\Downloads\COMPILED.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\ServerCertificate.p12

Filesize
4KB

MD5
6527aba71f7e2d24f48ccdcb781876a3

SHA1
70914df037d7995145882f2fd344b2d297a33788

SHA256
ad295c7a4ef37ea12e46e4dffe692287258f1a98a39565bf1653dbbd5eaac1f4

SHA512
1d3c1c27f996018b2a32a55f4be20840e68001bf69cdb24341a1c4d133cba1d60a140accc804f6b92a4fdaabaefd91980cc7511baf04e630794af917415ccc91

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wsdlfit2\CSC43E0EF4E1DE34CD5B3183D3D3B84B825.TMP

Filesize
1KB

MD5
6002031be54cfd272623322076d6cdb1

SHA1
e81da270b8c14bde2079aaeac3ed35b432db6d8d

SHA256
bbd47911eb0ffb700d7c79fef991063f4a9bb59883ed3cba0bda06c224aa98f0

SHA512
4721f9a77cc1e835c2820a017569abab00869466cf574740a8c81dba9b9755c4525152acad3bda8ea5f2532d14c0f2ca2ac6662ab6edc7b13faaf7e329ab89c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wsdlfit2\wsdlfit2.0.cs

Filesize
300B

MD5
a85fa53c112b4e364fa6b963a545325d

SHA1
27543fe26aa3344a677f03d5d892a543f3a7a7a0

SHA256
9048696e1de76c06e31a701b2b5f9a32361c34fb63ab1cca8574330d8152c121

SHA512
7aa25cff8c813440b7dfe1146cbe7a1213bedda48ddb819ae506616c8d97a8377dcd7fbad4b67dfd1bf5f130ba622beb7b2a546ccd18288705806b483fa4282c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wsdlfit2\wsdlfit2.cmdline

Filesize
334B

MD5
3b5aeca14c753d1f368232624654a102

SHA1
34d359000849ab3d410992eaf5a17b6434a43693

SHA256
9c81e7dd2c1054c8bca356eb33eedf6bbd7ff80ec1076b4e4c27fe5f217d7ce2

SHA512
262447a4ad4a7c9d05883af725d22717b64ffeb2c0ad72993a305e79b4989f42ea134b9c98fbb1438d451a0403e08ac6ebddca18d7c3bd7ed86cac11d992ceb1

Download Submit
memory/1396-703-0x0000025047730000-0x0000025047731000-memory.dmp

Filesize
4KB

Download
memory/1396-702-0x0000025047730000-0x0000025047731000-memory.dmp

Filesize
4KB

Download
memory/1396-705-0x0000025047730000-0x0000025047731000-memory.dmp

Filesize
4KB

Download
memory/1396-706-0x0000025047730000-0x0000025047731000-memory.dmp

Filesize
4KB

Download
memory/1396-704-0x0000025047730000-0x0000025047731000-memory.dmp

Filesize
4KB

Download
memory/1396-700-0x0000025047730000-0x0000025047731000-memory.dmp

Filesize
4KB

Download
memory/1396-694-0x0000025047730000-0x0000025047731000-memory.dmp

Filesize
4KB

Download
memory/1396-701-0x0000025047730000-0x0000025047731000-memory.dmp

Filesize
4KB

Download
memory/1396-695-0x0000025047730000-0x0000025047731000-memory.dmp

Filesize
4KB

Download
memory/1396-696-0x0000025047730000-0x0000025047731000-memory.dmp

Filesize
4KB

Download
memory/1880-636-0x0000000007030000-0x0000000007094000-memory.dmp

Filesize
400KB

Download
memory/1880-926-0x0000000009540000-0x00000000095D2000-memory.dmp

Filesize
584KB

Download
memory/1880-637-0x0000000007390000-0x00000000073AE000-memory.dmp

Filesize
120KB

Download
memory/1880-638-0x0000000007470000-0x0000000007502000-memory.dmp

Filesize
584KB

Download
memory/1880-635-0x00000000070B0000-0x0000000007126000-memory.dmp

Filesize
472KB

Download
memory/1880-616-0x0000000005E10000-0x0000000005E76000-memory.dmp

Filesize
408KB

Download
memory/1880-717-0x0000000006D20000-0x0000000006D2A000-memory.dmp

Filesize
40KB

Download
memory/1880-615-0x00000000063C0000-0x0000000006966000-memory.dmp

Filesize
5.6MB

Download
memory/1880-614-0x0000000005D70000-0x0000000005E0C000-memory.dmp

Filesize
624KB

Download
memory/1880-613-0x0000000000ED0000-0x0000000000EE2000-memory.dmp

Filesize
72KB

Download
memory/1880-994-0x0000000006350000-0x0000000006358000-memory.dmp

Filesize
32KB

Download
memory/1880-716-0x0000000006C70000-0x0000000006CD2000-memory.dmp

Filesize
392KB

Download
memory/2220-764-0x00000000074E0000-0x00000000074FA000-memory.dmp

Filesize
104KB

Download
memory/2220-736-0x00000000029A0000-0x00000000029D6000-memory.dmp

Filesize
216KB

Download
memory/2220-770-0x0000000007830000-0x000000000784A000-memory.dmp

Filesize
104KB

Download
memory/2220-769-0x0000000007730000-0x0000000007745000-memory.dmp

Filesize
84KB

Download
memory/2220-768-0x0000000007720000-0x000000000772E000-memory.dmp

Filesize
56KB

Download
memory/2220-767-0x00000000076F0000-0x0000000007701000-memory.dmp

Filesize
68KB

Download
memory/2220-766-0x0000000007770000-0x0000000007806000-memory.dmp

Filesize
600KB

Download
memory/2220-765-0x0000000007560000-0x000000000756A000-memory.dmp

Filesize
40KB

Download
memory/2220-763-0x0000000007B20000-0x000000000819A000-memory.dmp

Filesize
6.5MB

Download
memory/2220-762-0x00000000073A0000-0x0000000007444000-memory.dmp

Filesize
656KB

Download
memory/2220-761-0x0000000007380000-0x000000000739E000-memory.dmp

Filesize
120KB

Download
memory/2220-752-0x0000000070720000-0x000000007076C000-memory.dmp

Filesize
304KB

Download
memory/2220-751-0x0000000006760000-0x0000000006794000-memory.dmp

Filesize
208KB

Download
memory/2220-750-0x00000000061C0000-0x000000000620C000-memory.dmp

Filesize
304KB

Download
memory/2220-749-0x0000000006180000-0x000000000619E000-memory.dmp

Filesize
120KB

Download
memory/2220-748-0x0000000005C90000-0x0000000005FE7000-memory.dmp

Filesize
3.3MB

Download
memory/2220-738-0x00000000052D0000-0x00000000052F2000-memory.dmp

Filesize
136KB

Download
memory/2220-739-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/2220-737-0x0000000005500000-0x0000000005B2A000-memory.dmp

Filesize
6.2MB

Download
memory/2220-771-0x0000000007820000-0x0000000007828000-memory.dmp

Filesize
32KB

Download
memory/4724-1015-0x00007FFB444B0000-0x00007FFB444C0000-memory.dmp

Filesize
64KB

Download
memory/4724-1018-0x00007FFB444B0000-0x00007FFB444C0000-memory.dmp

Filesize
64KB

Download
memory/4724-1034-0x00007FFB444B0000-0x00007FFB444C0000-memory.dmp

Filesize
64KB

Download
memory/4724-1035-0x00007FFB444B0000-0x00007FFB444C0000-memory.dmp

Filesize
64KB

Download
memory/4724-1033-0x00007FFB444B0000-0x00007FFB444C0000-memory.dmp

Filesize
64KB

Download
memory/4724-1032-0x00007FFB444B0000-0x00007FFB444C0000-memory.dmp

Filesize
64KB

Download
memory/4724-1020-0x00007FFB41990000-0x00007FFB419A0000-memory.dmp

Filesize
64KB

Download
memory/4724-1019-0x00007FFB41990000-0x00007FFB419A0000-memory.dmp

Filesize
64KB

Download
memory/4724-1014-0x00007FFB444B0000-0x00007FFB444C0000-memory.dmp

Filesize
64KB

Download
memory/4724-1016-0x00007FFB444B0000-0x00007FFB444C0000-memory.dmp

Filesize
64KB

Download
memory/4724-1017-0x00007FFB444B0000-0x00007FFB444C0000-memory.dmp

Filesize
64KB

Download
memory/6108-503-0x00000241CFF20000-0x00000241CFF2A000-memory.dmp

Filesize
40KB

Download
memory/6108-563-0x00000241D0380000-0x00000241D04A6000-memory.dmp

Filesize
1.1MB

Download
memory/6108-485-0x00000241CD4D0000-0x00000241CD722000-memory.dmp

Filesize
2.3MB

Download
memory/6108-486-0x00007FFB5EF80000-0x00007FFB5FA42000-memory.dmp

Filesize
10.8MB

Download
memory/6108-534-0x00007FFB5EF80000-0x00007FFB5FA42000-memory.dmp

Filesize
10.8MB

Download
memory/6108-981-0x00000241CE240000-0x00000241CE298000-memory.dmp

Filesize
352KB

Download
memory/6108-504-0x00000241CD910000-0x00000241CD922000-memory.dmp

Filesize
72KB

Download
memory/6108-505-0x00000241D04C0000-0x00000241D0740000-memory.dmp

Filesize
2.5MB

Download
memory/6108-531-0x00007FFB5EF83000-0x00007FFB5EF85000-memory.dmp

Filesize
8KB

Download
memory/6108-483-0x00000241B2860000-0x00000241B2ECA000-memory.dmp

Filesize
6.4MB

Download
memory/6108-482-0x00007FFB5EF83000-0x00007FFB5EF85000-memory.dmp

Filesize
8KB

Download