asyncrat | hxxps://github[.]com/NYAN-x-CAT/AsyncRAT-C-Sharp

Resubmissions

09-12-2024 17:04

241209-vlrc6avkgw 10

09-12-2024 16:54

241209-vesbwavjcs 10

Analysis

max time kernel
662s
max time network
580s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-12-2024 17:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

GoOyV8Vm3e9E

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/files/0x00280000000452b5-524.dat	family_asyncrat
behavioral1/memory/3272-549-0x00000000070B0000-0x00000000070C2000-memory.dmp	family_asyncrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	AsyncClient.exe

Executes dropped EXE 13 IoCs

pid	Process
3272	AsyncClient.exe
3700	AsyncClient.exe
4732	AsyncClient.exe
4144	AsyncClient.exe
1120	AsyncClient.exe
3892	AsyncClient.exe
3300	AsyncClient.exe
1580	AsyncClient.exe
3308	AsyncClient.exe
4672	AsyncClient.exe
4820	AsyncClient.exe
4448	AsyncClient.exe
3856	vehgwn.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
43	camo.githubusercontent.com
44	camo.githubusercontent.com
37	camo.githubusercontent.com

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
4924	powershell.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\15aeb1d8-7bbe-4737-9577-651f6992ddd7.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241209170511.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 19 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vehgwn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
3472	timeout.exe
4248	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\MRUListEx = ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\NodeSlot = "4"	AsyncRAT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000a7f9eb555625db01f1dfba8b5c4adb01f1dfba8b5c4adb0114000000	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "5"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 7e003100000000008959ae8811004465736b746f7000680009000400efbe575938728959ae882e000000060904000000020000000000000000003e00000000000fdc0a004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 500031000000000057595d7f100041646d696e003c0009000400efbe575938728959a3882e000000fc080400000002000000000000000000000000000000f42e1100410064006d0069006e00000014000000	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 = 5a003100000000008959b68810004173796e635241540000420009000400efbe8959ae888959b7882e000000840c0400000004000000000000000000000000000000dd6414004100730079006e006300520041005400000018000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 7800310000000000575938721100557365727300640009000400efbe874f77488959a3882e000000fd0100000000010000000000000000003a000000000092b6370055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AsyncRAT.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
768	msedge.exe
768	msedge.exe
236	msedge.exe
236	msedge.exe
2172	identity_helper.exe
2172	identity_helper.exe
1708	msedge.exe
1708	msedge.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4448	AsyncClient.exe
4448	AsyncClient.exe
4448	AsyncClient.exe
4448	AsyncClient.exe
4448	AsyncClient.exe
4448	AsyncClient.exe
4448	AsyncClient.exe
4448	AsyncClient.exe
3308	msedge.exe
3308	msedge.exe
4448	AsyncClient.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
4448	AsyncClient.exe
4448	AsyncClient.exe
4448	AsyncClient.exe
4448	AsyncClient.exe
4632	identity_helper.exe
4632	identity_helper.exe
4448	AsyncClient.exe
4448	AsyncClient.exe
4448	AsyncClient.exe
4448	AsyncClient.exe
4448	AsyncClient.exe
4448	AsyncClient.exe
4448	AsyncClient.exe
4448	AsyncClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4376	AsyncRAT.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
236	msedge.exe
236	msedge.exe
236	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3272	AsyncClient.exe
Token: SeDebugPrivilege	4376	AsyncRAT.exe
Token: SeDebugPrivilege	4448	AsyncClient.exe
Token: 33	2924	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2924	AUDIODG.EXE
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe
Token: SeIncBasePriorityPrivilege	3524	msedge.exe
Token: 33	3524	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4376	AsyncRAT.exe
4376	AsyncRAT.exe
4376	AsyncRAT.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 236 wrote to memory of 3160	236	msedge.exe	82
PID 236 wrote to memory of 3160	236	msedge.exe	82
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 1420	236	msedge.exe	83
PID 236 wrote to memory of 768	236	msedge.exe	84
PID 236 wrote to memory of 768	236	msedge.exe	84
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85
PID 236 wrote to memory of 4364	236	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff97ed46f8,0x7fff97ed4708,0x7fff97ed4718
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,11398309171526642530,15364843650180060674,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,11398309171526642530,15364843650180060674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,11398309171526642530,15364843650180060674,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11398309171526642530,15364843650180060674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11398309171526642530,15364843650180060674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,11398309171526642530,15364843650180060674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:692
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff608735460,0x7ff608735470,0x7ff608735480
    3⤵
    PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,11398309171526642530,15364843650180060674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11398309171526642530,15364843650180060674,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,11398309171526642530,15364843650180060674,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4064 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,11398309171526642530,15364843650180060674,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:464

C:\Users\Admin\Desktop\AsyncRAT\AsyncRAT.exe
"C:\Users\Admin\Desktop\AsyncRAT\AsyncRAT.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4376

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:852

C:\Users\Admin\Desktop\AsyncClient.exe
"C:\Users\Admin\Desktop\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3272

C:\Users\Admin\Desktop\AsyncClient.exe
"C:\Users\Admin\Desktop\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3700

C:\Users\Admin\Desktop\AsyncClient.exe
"C:\Users\Admin\Desktop\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4732

C:\Users\Admin\Desktop\AsyncClient.exe
"C:\Users\Admin\Desktop\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4144

C:\Users\Admin\Desktop\AsyncClient.exe
"C:\Users\Admin\Desktop\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1120

C:\Users\Admin\Desktop\AsyncClient.exe
"C:\Users\Admin\Desktop\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3892

C:\Users\Admin\Desktop\AsyncClient.exe
"C:\Users\Admin\Desktop\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3300

C:\Users\Admin\Desktop\AsyncClient.exe
"C:\Users\Admin\Desktop\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1580

C:\Users\Admin\Desktop\AsyncClient.exe
"C:\Users\Admin\Desktop\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3308

C:\Users\Admin\Desktop\AsyncClient.exe
"C:\Users\Admin\Desktop\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4672

C:\Users\Admin\Desktop\AsyncClient.exe
"C:\Users\Admin\Desktop\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4820

C:\Users\Admin\Desktop\AsyncClient.exe
"C:\Users\Admin\Desktop\AsyncClient.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youareanidiot.com/
  2⤵
  PID:2664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7fff97ed46f8,0x7fff97ed4708,0x7fff97ed4718
    3⤵
    PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youareanidiot.org/
  2⤵
  PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff97ed46f8,0x7fff97ed4708,0x7fff97ed4718
    3⤵
    PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youareanidiot.cc/
  2⤵
  PID:752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x134,0x138,0x13c,0x110,0x140,0x7fff97ed46f8,0x7fff97ed4708,0x7fff97ed4718
    3⤵
    PID:1188
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vehgwn.exe"' & exit
  2⤵
  - System Location Discovery: System Language Discovery
  PID:564
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell –ExecutionPolicy Bypass Start-Process -FilePath '"C:\Users\Admin\AppData\Local\Temp\vehgwn.exe"'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    PID:4924
  - - C:\Users\Admin\AppData\Local\Temp\vehgwn.exe
      "C:\Users\Admin\AppData\Local\Temp\vehgwn.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3856
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp5275.tmp.bat""
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2288
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4248
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp18F7.tmp.bat""
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708
- - C:\Windows\SysWOW64\timeout.exe
    timeout 2
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7fff97ed46f8,0x7fff97ed4708,0x7fff97ed4718
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3492 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4404 /prefetch:8
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6176 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6044 /prefetch:2
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,16526045344959582021,16237621356034178022,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2696 /prefetch:1
  2⤵
  PID:708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4700

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x458 0x4cc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AsyncClient.exe.log

Filesize
425B

MD5
8c7889bde41724ce3db7c67e730677f6

SHA1
485891cc9120cb2203a2483754dbd5e6ea24f28e

SHA256
83c70bfcb1b41892c9c50cabe9bc2d96b2f7420b28545afabd32f682ac62d0ad

SHA512
b7c3aab27fc924dcaef78987b492931e164b9e30b813c532fe87e1d40001ed1861c4b5ddbdd85cd2278681a22e32eee816877f4f63cecaa9972976d87e38f5cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9d533e1f93a61b94eea29bf4313b0a8e

SHA1
96c1f0811d9e2fbf408e1b7186921b855fc891db

SHA256
ae95a7d192b6dfed1a8a5611850df994c63ba2038018901d59ef4dae64b74ed3

SHA512
b10de657d0cef4255e96daa1b6ad0c99c70b16c13b8e86790ea226e37e9ded1a8f8bed1e137f976d86ebc3ea9a4b5eb67ce2f5b0200025d35dc8e94c947ff3f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fccab8a2a3330ebd702a08d6cc6c1aee

SHA1
2d0ea7fa697cb1723d240ebf3c0781ce56273cf7

SHA256
fa39b46c6f11977f5a2e6f4cd495db424063320fbac26a2eae7466e82ffeb712

SHA512
5339b52bad5dff926b66044067aa3e1a6147c389a27ebd89b0f16e1267621d7ce7af9810010bee81cba7b08c77a33ede8ef4675fe049b9fb2ed510fcaef93d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
42c2215e4394e3906958d61ded8158cb

SHA1
c3032dc78ff4d32d1ea532d3687ce4d15a23ea5a

SHA256
7af0c570d97a2e83e35cde38e0fb8b03fbd66687321ec9b5c350b87aeb9e6db7

SHA512
a37100a25eac8e19891817b707a46aefdb57ab718374fca294811097781ae12479b0fea826982f535b0a0358e0349d8e9845b17feb196690f54df7b6ff907619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b072ae7d9aa11f2d0b09374cc5ff3fbd

SHA1
d312d5f12245d687ef359c365f9eafda629f8489

SHA256
5710c614f437689394bf626c40864a192e83b79350853db7cf0874c25324cbbf

SHA512
485d8b706cfa8ba5515cba0fd4767c0512ca9014b17b92cea86d80dde45b255394495c1de45207990cd0761e8c0c0ea7cbd01c8124bc006f793f7f178ef8aad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b6d9057ecf712c62d2c09325ed63bbbc

SHA1
98615402da2fbe615d0fa4f30043d57a2280995f

SHA256
9675970792017fcbb2df47d84dc805e3b7f07f75ddee4530b16d986e6cc5ceb7

SHA512
16c968f4cd30dcf4e7d4bca349816550b1407337b04e50b75168eaec410fd399eca2c1fe9ff0a7ab5b2acc8eae015809f37f74eef38a63e3a3f1eed2e5f31080

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
202KB

MD5
9901c48297a339c554e405b4fefe7407

SHA1
5182e80bd6d4bb6bb1b7f0752849fe09e4aa330e

SHA256
9a5974509d9692162d491cf45136f072c54ddc650b201336818c76a9f257d4d2

SHA512
b68ef68c4dcc31716ce25d486617f6ef929ddbb8f7030dd4838320e2803dd6dd1c83966b3484d2986b19f3bd866484c5a432f4f6533bb3e72f5c7457a9bb9742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7a0a520df566a1ad0b8cc942b09bb1ec

SHA1
061f832a462d1ec34269b4f70f98eacc3c2d274a

SHA256
52e076a5922dce969198a3a3ebced5570b9c20148aa5cb2f307e49ed30d2472b

SHA512
f04d52ddf730a1f9bbecefb8415e9322e9fd0962710b8771c9a57840358364c7f65ab0916387c6859733c2619a00e1657a75daa7ab75bc86219266fe6392b5f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
e76320e0678c7a498910227abd85fdac

SHA1
d66a4cb77b2db94669346441964bcdeda078f81d

SHA256
b07206df7c220f8afe6c2ffeabea3e7b7a7751ebfe7a4c0fea8fdffd29fd3132

SHA512
64280327adb4923d1c35b1a18de43f0acd2cfc6420a857a73edcf56d3ada7677431e002599751983bd196a78d97d5fddcaaacba59b4b708d4dbd8722edd2a90e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
784c73eec860a8688cc1541cc310821b

SHA1
a89dd623f6a44b202b13d69706583b04ef92b74b

SHA256
9a48755fdb00e4cfddb6ca610428f85cd2e726fad4193b8d0783e54d13454cdc

SHA512
394997dffbc801fb1a34ca3f160bdf94a46e9b16fdafc3a9cb224d8352bc60e4a86089e1428b0cd72725ea465181150669f7f5d009255c86aafad121a0e0df90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d3dcc7ce87073c855bb6365cb0452081

SHA1
a4aa6c0353eca18e57cb7f259acbc588c2986763

SHA256
1e12999214b65763f89ede6e3ec0c742038bc7dfad9b4ce6a72beb328c6c3dfb

SHA512
5d3beb0f78b6cf633bfec68aa24bdd58723798e4d5ac90a656de216359b56951f71098aa89cc992dec166c20c16ff8884a9967d8f19acffe77d8dd3bf5fdf939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1b002ca67703e2085bae0a5b32293a07

SHA1
35943dc055c9153a6b0f9d6cd522d604ea917b1c

SHA256
61719cf1c80f29f97db30cd28aa5dc1af02186300916cff63ae006d6dff1d2ec

SHA512
46ffaace449bbe1a0a6ba27aef6597fcfbc87b48f5e07cbcffcefffd569d01578206a7a1edcdd22e6eb3cce14501ac7cdd5dc73a386cf0a6947ccc33cd26dd70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
491b17b3d0b4240f08789be9e2682520

SHA1
fca130179189fb522488ca59f377aa198c403acd

SHA256
4aef7f07fc13521bc194a8e539212a853a6310014ff4127d5b12a45ce41b5779

SHA512
e0a37cf08e3a599fd637aa4bb75e95615241592d48ae1218b6414eabbaf07113995312b3a8048e85c218d3e36448164426842a63564a1ddfa6f24c92dc321597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

Filesize
256KB

MD5
ebf8189decee1ccd3fb9eac3ac6f4d8d

SHA1
31b46bfd24b490e74890c4b9d5827d5ba9e0305e

SHA256
60f8c06957a06c719058f2f9624c3bafcfaccc43d4a3b57287bfe4ae329a455c

SHA512
ac6249372bc3442118171abef2283c695c5b9495e4369a98c915a2e578811df5627a674f0478037e4feaeea56c47ab0d1c03f0b667711b9d801f5ea1db6e78a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
4e464375465aa57833682287e7ebd2f1

SHA1
12c58163fa6d9e797e5315608de4065d9ed9dad5

SHA256
c4c8cf2ef7ed30c421f4aab5ecabdfaa72f99d3eb71a0034d16c7075b559d8ac

SHA512
76a0cb0bbaa5401811503f37d6e6726a7eebe7ab8d203d502633dbe91116c8c7548af25da68ae37c6a930e11cbdd5850ae94e08c57145e5a4db77760f7095141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
d12d3b6560619edfaf7d2bfc35d2662e

SHA1
3318419d7dc5c952da84902af24a4d194327b632

SHA256
ae22e9c0f40e9ba07220c87d9ca544874021bcec76f62651991a8d0c1fba9164

SHA512
4636bd5f28ec0c958ddb3dcc0600a67fdf46575e5cb2a8f7b3708eb422a2f640c582130794248b14d63675b573384555787a0512eebaf82f331157736ca3cf1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
11KB

MD5
394cf765b12a6f52ef509fda97dd3b1a

SHA1
069b6c287c1586132ca9d27c9733e3ae7c42c97c

SHA256
8fdea24c882fdbeda731ba0d70ba3e64c605d9f9efde22e26a1958a86aa88b2c

SHA512
50eb13867bcc1e2979a8f77f6dbc05b37943f65d133a77778f2bec7063765274a11f81cc7ee80cd27aed32b65411d10e4602c8f0c297d748037c419afa2676e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
289B

MD5
6248b25c7bc14de21d38633f54f37656

SHA1
6d8d1383ebf57f599f61a1ad303a6704d170370e

SHA256
a3902438efdc16f434bb8ec06db6593f55eb6a1618e33d6449f097cb37217cc2

SHA512
f715aecdc33ae1841fc061ab6888d2f50376586deed38c143ed6f0c9051114b0e939a0406a6acfa717ca5a1a33dd86110a98f8b74a143dcf092d25384bc9dffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
580B

MD5
23a3063148f7bce8c648463ed5fedb7d

SHA1
22e6e98e0947f954982ab280f7a77f1d240cb682

SHA256
0fba30c8186933174b2c395cb7aa254873cfc4d814fde1b4501ed2120fac7f7d

SHA512
dc9a3e0d734c56032198cb3c25ab0dc903e24c6d2261f6aa17d408a4d6b91e1a5ab2c55f98210e9fb3c46c8d441b7ab8c7b9ec5f1b6e1b69d1657a2ac1079ddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
77e6e76e1843a7d115898cece3edd049

SHA1
e7818c5aa99ae76b32dbd01d5eb955700ffa6fd3

SHA256
001ae5bd8ba677a5960b8a239d13fbd56e7de800fa3d1f621d034749b983ba1f

SHA512
b0e5dfd9390912edb13358cacaf12b6e1d7ed0bf36a4b95735086c2630a1ea063c03d47c614de07bf45be241b356e4ca936d5015e3d21f225c5452f508a1488d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
d66937a7f345dcd6254c7d774100a592

SHA1
99103e3ed82acf2f72080853dcc780d8174eb7ec

SHA256
309cf4e889b662a0e6d2dcaf3a0998c7852ca35e49e2564788f240ee8685f4f9

SHA512
5adbca3ffdfad1a18ad00bba1c6045ce51f824f4da5953c9ab85c69d65f41908ff1e958e1226c59ddd84c4504e1d3503a3d191fec6036e833452c81cb60b0098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
f18b4301e8cd08b69aa7996b7f2d1d8c

SHA1
865ce61a2449da7ce1b5350fbeb185d674d0f28e

SHA256
39debf66db347a33de417a7233216987dbbdc3074b618f56d6602ee9a4440922

SHA512
8c660e7a250b1b9d8e0eecee2fc2aa0e02c263e5cb200e6e96a0eb94247336bc5e105f5470b0dbf81c0694ac2bb229013c70bcfd01edc74774f26182333dc74e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
6f003dae6c079717ea842354a0e62e1c

SHA1
92f0fe1ff081a01c474b30babfe049aff7295daa

SHA256
cb490fbfc3865e85e469660afcb04127225296439122f7c6d6e56ee8e5dc6244

SHA512
935eccfb228ed5e62cc590177928490a3528f04a7cc7c49254a4a4e3fad55fa2816700741104adf43da5cc055d32ca25d38343ae1cdc163aa901712f9ec1ddf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
c963c35de5656f012432d28e608f5750

SHA1
7d88d293c7a4528f012a4c04ce25921e20a02585

SHA256
e79ccdcb36f715ab3ccf36616a2bc6f5a587a0ae519361dabc10e884d693e8d9

SHA512
bd76b5499542aed730c63dd815b520d9535190897e1bc09d6ec64b9e2922a16b7aa3e08a0b844cfb019534be8af1a16b8663a84f66adafe4385076623a10a6f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
cbe78305c8ec10819466b6d576289b1c

SHA1
2efdc06028f9f18bae5f62d9bcd66d25c248c6e3

SHA256
03b466a591d59de0be7c4e67472d9bd9fc832d61e537cf3e9f7c3efe1a52866e

SHA512
3e67e7f23cd4a05ff558bfa024b023cac7874686e7d77b98be3f68d4b9df5aa12277e1920d8b15d841617e81644fec42000e527a0939fad1872a7e6c9402ec78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
57da55d251f4352df700cb8ec770ba42

SHA1
6ad78b8cb255302fdcc83e52779df1b49f9b447a

SHA256
44ce5717a5273658b8f3653048231d16a02e1fe2590f9b61a3b3aa744a7ff5f2

SHA512
4e74718bd91dedb371e67e1523c7104cba4005b1bfdd429824f8e77e3c2004cdcec7d6b205b62438e366f54247b2d3dbb13532ef864812fd850e83075a3c700f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4fa95770d6a1314be404fd4c3f4ad287

SHA1
7063199fc8ca44bda59cdcfe01f18b3a9d62cd39

SHA256
517120c898cd90bbbb765921a0a9fafccf10bac3c2c4c2d241f71678d28f9646

SHA512
fcda624e38fc12e4982d4ef0c8a89b5e0841d4db10e3b12ec840123f9a2df03b6b05af0a67bfabb1171f5397efaac92807a6e530b09d7014528e0967b542687a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a42d39b33bbc3666df228afab2908555

SHA1
baf6d826cd57dbd59d183ba772dda112ed4d63f1

SHA256
d3a2ae1d683058d9e301c59e85acef086d764ddd2bdc6a363c744c90ad012532

SHA512
297b1cf92521b0e2538aa7816d022d000a7fdf62443bee8ffeb0a99626f62816c76dea5b1f1addebcd76c645a41b02f64cd8412bdf9a3d91614a3270797fde88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
df374772defc9d4c9c807951570328e5

SHA1
77414e43553f780820077c821fad48574ee673cd

SHA256
ae20b8ec3a6995bd8de1029509a1b9e0c86d817b496196d5d958d8cdde72633b

SHA512
a5b788121ddfd7264c4df005b1dbc56e2d924144da047dc9e822a9362b721cca38026d30d86e7c482e88889b1f444b4d98d8567f2408c6efa93cb0dccf06de9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a118b2ce2c7c3829908abed81a656137

SHA1
3c92224b14f8fb24f4d74a3a334c74827b8c07ad

SHA256
aa2d5317a644ef4e45487d506ff394578d45c5ad61bd55a940b01540e7e1b1d2

SHA512
6dc3e4e6e3b0683a36873bdcfceab6ef2e87909adddec4f41ac33226720d5f58ada2117899b0c33f2b3c6d4c35f93daddc7436df3a134470125ec9b1a3f776be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0a5537dcb66dd701eea1f7b722083a05

SHA1
b20cbcb49d10a32ffcca381386607f720ec62122

SHA256
f9252c8cf62026ee0efa75e00fd8a59fb3a32334252be7acecb304775d800457

SHA512
580b45341d1068e26fb73826592ab9b24049bc707b88cc0608629aceab8060c69f54b3567959be494799d8f6ed8d0c45485f0afbd1855f493393a770f3939d94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
551ccaef48ddd67096eb32fd6ba4848f

SHA1
a61b58e4358a46b1c8410ce88fe1c9e026f24e7b

SHA256
0418db604148b35406d6c98526f00194a19895adce0a51d195107d2776b71cfc

SHA512
788ecf1fa4275a87c60a7352ea7c197cfb1103b964c7fd0d911cc8207cc38b151d6d04970d16ce97a1c5e8c6c0b57042a6a272df1dc806b5ebf8efc6436f544d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
bb1622fdeb8012cee568eed39ec9836b

SHA1
c1c9aea4e6f2cf65ddbe0a2ba990124f03cad03f

SHA256
eb9ee4ff05c1af1e5dcb2905f8428edc0394cfd0d77b61ab9542d8aa6b1f38ce

SHA512
59c26cdac33cdd33ac5becf2efc4ff1c663ad522c674449f0501344efe543636dbbdcdad61e1b59a929d590050101fc47d83beb7bb9f018ac5c00be5bce73432

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
22d862b2fae7e98d5199b6a8a454b598

SHA1
e8c6e3cc0790139f3cb449ace105352164d861ce

SHA256
47e6464c23345ea309e1ad360a1c2c64f6341fc5dbe701ea2f923f5adfa4b4ac

SHA512
36687f26abe54000155e26d3b409d29af115c01ca72050966f965ca8212a6ed6cb2d7dc4157a82c412cbf93ef582c1a7df499c055a973a3162eaf7e697441ed8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8cb69f1a2e672303ed687b413d7a9565

SHA1
68ae068439bd8424703376528aaae74a9c493109

SHA256
5fef556877f2467c6b34ce8a936aaadc4c0839e148cad433544dcc4971ce943b

SHA512
3a9e7683e95816be6149813059d765c5c110ab1c9e08ed6d47b6d7d0da6ee71d0358b016d2321bcb648b26a23a48771f7dc7754db49a4a0eb88b3feee4e2963f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
61cd1d9cd04d56280e281d3f91e07c40

SHA1
4a85e7a62c0d3a0d6ef0818ad52a897a81bbc189

SHA256
62b0a3fe11d55b7b6e57114cf6afc97be786fe003542ce30f731c9308b38245c

SHA512
a81357583c62372c33e3ca1f55e963dcd1b5deb2019384509d52fa397906961c16f2cbab48831bec95c5b1aabf8dc3f23d9726598feb1c73ec936f5ed523ac5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4cf736a50b9f806189953b8e3ad47a2d

SHA1
a0db6679bef3425de99c24b516977bc30b16e19e

SHA256
a0198c95c98b5c9aea85846d232134dbb863636c6e8a72b08ccf4588b4add6a5

SHA512
de88df1563c6bf3aa63fdb4c1b9bb84e7d8545ec677e90135a3ec7b527a898e6fd53230db810199a406f330e9d9a27432e327f5e79b3aa41ccbcddbce8a64802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9e6697be7bfa287cf64ea10ffd173b07

SHA1
c9cd81edcebf16db9bf2ee5c48c5e78db3f1e161

SHA256
6d45037af0e2f10ef7c61344fa85dc095e01efa89844a4ebfc9e766c29c69aa9

SHA512
a9b91a52fe8acd1c996342b8e13b0b1090bac2d7ebc874f9642f489e792bfcbbb95879a69532e161dcf0eea7de666b9843dde2622e55242bf1393844a60af11e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8e018fc20c8b570689cd2eb924929039

SHA1
3678cba24b1555697866f78b8481adda6b42c765

SHA256
8172082c7221f34d8c410d8b53a9430e6be113dc91ec876326dd583f66af5d4f

SHA512
f69008b3c63a7917d069533f512342bb12ef7ab6d50ebb2f2c50300560d7e1161f15b458fe59001880248350cb8be6bf39178865c2d56932e54e962e393aad87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
7ec09c7cbd7cb0b8a777b3a9e2a1892e

SHA1
3b07979e57b6c93be7d5a6cd8fa954dee91bd8dd

SHA256
a623633f34a241b0dbc9fd26f34446d716955f94e90b2ff9ac8b9df801bdae5e

SHA512
5fff0a38a3b6e4b29d402eef2650011e4d9df514e0624767c84ea31cb73cbba10c7e0b5711cb487976d637f0f60a85c431cf0db54b519411245684c116c07b7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ed659b1d7a51e558246bd24f62fff931

SHA1
84685d6f04379c290e4261ff04e9e1879d54d42c

SHA256
23fafd9073812d5ff8b523b84bc981e4cb410bebbf3675db2b29cfac0dae9690

SHA512
1c3203328583241895db9fb165fcfd595f642e218ee3a453ab6873cbac10ddab693cd2f913bab15c8bb7b5a12c5768b3dfcb278aad754dec1fbffe66b81843cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
305c75ab2fa747719e996ad7cc072d4c

SHA1
00fa72da3985ee2e239040809d1d76f5c3de90b5

SHA256
7f6257876fe46a5549b993f6e0b9f74b88f475db82587a8e91e8e758f1e85cd0

SHA512
c7f2c73afbed021dd446e358389838be187cb570736f33c56770be97a9a16d3e721b9031de25fba816194dca236ecd5f1e7e5b293cca5c98da335580be1bbe47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b9b20138-ef53-4572-a592-24b0bebc25cc\index-dir\the-real-index

Filesize
2KB

MD5
ae853fe9e953a8a258ecad5edf0dcbe8

SHA1
f513e1cb209a58684f0ded2e5b6923a5ec726dd8

SHA256
bfec1927326791650b3996dc2d25906568cfa571c1a4f09d2c4b3f591b0671c6

SHA512
4184a67ef9c1879cde3a2e3add4f8a62d2a2a32dce05be55e495f8e4b8d415e554a7dbc4fba3cc662f821b78c88872646a30ebb53f4c6b450a6a9abf1eed163e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\b9b20138-ef53-4572-a592-24b0bebc25cc\index-dir\the-real-index~RFe5c54af.TMP

Filesize
48B

MD5
ea7e8e1fa14797c58322899d1f8dbea9

SHA1
b846026ba714493ef068607139db8a2a3e8484a0

SHA256
405342b7c0c4403267427cd56d1c3995cc05eb945bb548fec6a405e589bc4a5c

SHA512
dd6481b2d5c2125aa496fb1e90c098d793697626d904f99145facb313d5f5502e62c522e347952a8f6ff5ac355f220486e96cde86d0f54a71a5984d41d43bcf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
22dfbb45ce5e435a135dcdb767a686df

SHA1
d85ec0e92ee78a88bbbd01d1b4c8c43185dd80e7

SHA256
4126df09c6bcc69a14e45bf64ab6a345e92d442b0cfa9ce838ad261cbd68fdf6

SHA512
0de90a79ac1fed6303959abedb8752e87d963b352fe01c3de90e4764c0111079ed71ddbd5dd325e2a3c107c27fd3fce608723216f43c1c03822842c77d6194ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
4ff55a6e5328587f44e7d7b52fd08eec

SHA1
bf9136f2d4cd2a650d49cfd9358669f917dfdc90

SHA256
3e44eadaf97804e28f496ec4fc3eb144a9c907fd1b50e1ab47a32d4d42ad7be5

SHA512
aab7d3a28ed7e3831446dbedf2f001eb9bf4f5ab0e962ffecab52b799884873ee76750f906076c5463759c121a79a9a8a1c4fc2d43ff1c8c7560ced5355321b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
c9a6cfa4fde7060a4f2069efdc4e8673

SHA1
de871b4e05db1f81e661aaf0c903503f7682b046

SHA256
8f120cf62a4f4aef8fc85a458043438805f9516345f002d01b2e97cc6141504c

SHA512
d71821637f887b8542e5a11b58994fdc1775213938e29dc6df34a5bb9b5bc77a6c6bbd5a110e3fd35286cdb320a3e7d3020fd04a31fb3c5f073c257670bdf776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
8070d3870f82f5f936233e0fa68beacc

SHA1
26f4021df11aed4910329a835c7dcca1f9b5710b

SHA256
aebdc35d8add93f0c5543a9993a7bceec873c74cf056aaf73f5de729122cc88d

SHA512
018e7e80998fce68447a925975f492bffc01d74eb938c10969686f48ae1d3337382de875a6627d0688c5027df7bd43850001bde6a76af1cef75093331fc51b14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f73a8ee93cb62f6ac1bde92c42c7592c

SHA1
aaecdf0f4c241dcd450095263109edc2e14af8fc

SHA256
9c59027ceba57e471a569b82a2a883b0791f6ff74b86c86db9a16f6baa837e98

SHA512
9139027a2072e54aaa038b1f320aa280282514662b62b1625dd1163f3886dcf095b2949b15ee58b792bcafe8a24cbc9fcfbdfa2a2e9e542f5f81dca7ca3d5e79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
48B

MD5
348f202775d7c2dbd65c58fda4002293

SHA1
8f01dd01c250257d67b9c0d1d3c3646edf686d71

SHA256
69536d9380b60fb907c9640ce0d144b57bf4d2e36dcf9faa4567458c0c247735

SHA512
4a6dd05fa603d8ce03bb467ce39181a165fdcb45c258673858ab5a7d02c418422595f7d0520f243732a0f4652fb4f654ed9f48dc36caec812160e476c6ae5d78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5c4e95.TMP

Filesize
48B

MD5
e0faf6f662c8f2b3b4bddbd349539b55

SHA1
0d4c2e5aacd2f9372e45e130479883e01287589c

SHA256
af11bd57d0dc1517e7b126b355c90271ad71a97aa41cf7338b72196cf276fa48

SHA512
94f622440ecfaeac35871dbbd71e8ef11a896235b9a362526f1c0e5c2c875775f810e982d9458990db50522d06a40285a19159132369ee63524c0457458e9416

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13378237525663050

Filesize
4KB

MD5
7c52ba9e9f205dd203eb3a3e695efe22

SHA1
c2cb4d2e5a18357c23352a1bec35c9a1a1e550d7

SHA256
5188d5fcf1dbcb3225abe06108f657fe2ad312127e30cea20437cc16eb8b6e2c

SHA512
97aad6768e3a295c4039d79b4ef331a9d8dc1dcda0ea395c2ab25d2c805bbd6a22e9cafb76cd7b12a5580e213676ce0e2a6c37b6c33fff1d5e2ad40708c7a91d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
93c3224c4f34f2e4263ade8add217726

SHA1
7d05f5a7e17a14a7f75ee0d9481beaa142e36dc7

SHA256
a1f14b39d2843d62f3d426b2848d45b2ba8d26708ddf486722e142e1bb2ef40d

SHA512
e622575655aaf0b48bfd7e974c179436103fffcf38310ce9955e9724ff294a744baf218aa4eddaec8e05b1e71cee47ec31b2a41db0961748d7443a79bc8cbb40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
761b8f3df8ae7dd0a4bf898712246074

SHA1
fe3f5d3fa975ae8d048ee54a58f0087504ef56e2

SHA256
e786093de796dc194a84d57445138cb2fed1ad4b49418ec17d67af93a84aa785

SHA512
8f870e599877a32e0399721f310778103d563bd89de7b44c59dbce7d5911ce80a31c2716152f0f5426ed09a2b9c440e724111afdd689067de5b422e5071dc0f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
1bf7d1ef2c824b8955e8a339b821a1d5

SHA1
f4b72a6f7a512a247f1ed60eb418a9ff31e6760f

SHA256
7d6ef31ba07c36aca7f3258e7f220040fd6f4990e7fb2577d44cdd2d0c021a78

SHA512
8f50218e076ad9f4b1a8a9faed5829fc239cf589d419aaaf25e23458cabf332ddc8d71b1df48540d618c3484e0633b0b1aee05fd1f1625d36079207eb9042fc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d4ebd2be9a263b22ba24e1bd4c654333

SHA1
f2dcc014bd8c942ffd6dabf39814860906e14e20

SHA256
6a06cfb1f627a94a99d64460689a828260a3d6aad2835b720ff4b4c437c1e05a

SHA512
b2771808d7898f832f0e00f13c8d7503184cb814e9c69e882e56a0cd6008ec4b288f1ff06d9a6471a3f1379a24efa6d90b369bf53f84c7c4e8a469521635485f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8ae35c1d1ea1482f9d759591001e1a52

SHA1
04f92c54744b0f7f38939a2a41868c1f5c31c50d

SHA256
2de0ba52808f9541f515bde08a1f7e0ce80f8cdac1cbb5517175110ff8caba00

SHA512
c1f0241f99f7ce32cf8e994d01960d48142371d119b8fdfbeb787876ea046982964bd3c49ce00230e9529c5e3d9422cf55154a52e5e584585d9b024b5badae11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581652.TMP

Filesize
1KB

MD5
7884162357e8ea60c5fb9cc4fef7ab27

SHA1
77050ae0c1525c63a537296de97265a71de07765

SHA256
d810fbab2e0dec1b289e89337d08559853d31016318c901343a5ca1365510d30

SHA512
bc5f9acf7105c1941190679fb15e0587c5c20cad8876c6277ad4daa9b074432ba3f4fc1c0d2b21f5391f31f22123afac0ea5fd00197aba8a1b573992ee3c6335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
19cd1494d38fe210b5182f7b0950a167

SHA1
175f37f4ccf3de05cc25b664ec4d30ec5077e6e3

SHA256
023f238794a06ec4637e3ca51d45ae47de6146e4f5ea932d587ead25149e9602

SHA512
e0bbea9a4ec16d87f8792f73744cdddaddc1b24a86716c67cb971c15cccfa3c33e05ae013261599a413e85c8ca7ec5db9eedcd3e675b093a6c7c70f1049d1146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
f01abafa21924018eed48ffb450e3460

SHA1
266b536f46df60eb602c5475c232a2f460cbbc0a

SHA256
29ed7545db010098df50061c2fbf3bc7c427882c1efc800dcb36949589ef7b7b

SHA512
bb0c5b58bed8ec139f6ba658976505dc5bef8c9015a981d4b281cb6996e2dc0b67a6cfd1d7c5afae95987d87d44f345d20ed968d32d7e2e0dd0c07a5bce7a08e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
297B

MD5
4701757d75ad34886ab6b44fc535a717

SHA1
833611f0f42eabf2a0d84a1664da72125e656612

SHA256
ade2e30f5bc5721d370f278eac6da80bf97d0869815f9f4317f0cc18e7c0cf55

SHA512
d06a6abb740d275481737adeba4676a0c6feeb70f7eb04da65d02e2f01496cc76021eee6a1a5098bcf0a4e0e234c6f43c471638525dc223e9f927f2413aa162a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c62a3af82eff4fdb387ed25c58da3bf1

SHA1
556fca05a7102908b1e663eece27b8d858858c7e

SHA256
c02724980c9a968dab3db6e9b9bd108882fe20127d8df1a8a530ddad36cabfde

SHA512
6c4224715aadecdb3f6f86f5bb92561287b5c9160e33cbdfdd06d0f314929c4d23cfc99edb17d2d2a29e6aae98416eae33a527a60d2957beae6b732e7a68e8c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
aefcff9815afae0ed40bcd756c9a550e

SHA1
0f952b5d15d8de9404dbfd1795f007211dd9b0a7

SHA256
5d90ea2d2bf0db334eaf384c31ce6bc9024cf984ad59ee37de59d3a12152e696

SHA512
97837d7a21dcf488c3380425e5d6b42d8d686283f60fb80601990f924e125115dae7b1a3a8303fde46dacadaea47c7996b74d62e2d57170c84b119874f09dd20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c10cd576bb29c2115b57bbe28486229

SHA1
31ddcab6eb317baf59e9cf8f3053969bc021cf05

SHA256
b3572e7226a54ef471dadc5feb304581501037084a0f1c75e339abd144d66b1e

SHA512
d0f380706a77e90f6f4e46af4768debe4e2ec05131cd46876036ad54d6ddeb643d22e26a1efdb761dc8e877b8819d688906d91908dec20d5368d8506150a2c3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b530b23a71aaab4469c9d23975ada537

SHA1
9b204ba40d69bfeff6cade4b960062e75b80f413

SHA256
dcf69deeb35a6b3753019cab56ff556d5390ab01222b552471f5a1f2b8ecdb28

SHA512
57cf3d4449c0a818ff7d3177e1f6894649d6a369f5de876c481f001e2e318065ef87c2ec0597565c881191970c4a26b656c1b4d8322d2e55c875ee082b32b0ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7cb8d4a451c8a57ca5ea93872525fa7a

SHA1
2484e9b539de1a9f9df3843f60605c4c79e27137

SHA256
e00d9f4e3d9edd45c146fc10481bf6d5151cefc5847e874853311cac106afcc1

SHA512
de02f005998bebbd0aa1dfb9c203f4c308cbbbc6bf88285afa67bf4a3a5f5fdef038a2df5057406650e28e57717c25ae5a095ec39b90942142e5f360861e4a09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
38e0c3135ce1d7e465e0f553ccbe62ab

SHA1
3186ce6d1a30efe87527ec1226cb34d5895fb0b5

SHA256
0a9c123e61876bb3f5bd800c4c66330988abc714633e77d313071a6384580028

SHA512
db61613894c413ef97809b8c8dae49417e193d1994e51f816e97175a7150d9e20ad7b9759734592e95af1b174ab7ffb4bf57ce262f93457e0efa3dfa5a3963b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e1f6ea48cf197ead6829301d8dc11892

SHA1
ebe217dd7c3cc33f319c8c206af820444fd8f09f

SHA256
abbf488ce1244cfd53d5fa2bc617a75bd1806dc1ce0d0adb2421ec76143aaee5

SHA512
6d1d54f76435e5bcdb5c49aa38afae854e52e1ba7adc0889008ff0d2ebffabfbe509db93f7ad1f2092eb749f46e425345d13d1882349793b38eb5c74128fe52f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
6a3a60a3f78299444aacaa89710a64b6

SHA1
2a052bf5cf54f980475085eef459d94c3ce5ef55

SHA256
61597278d681774efd8eb92f5836eb6362975a74cef807ce548e50a7ec38e11f

SHA512
c5d0419869a43d712b29a5a11dc590690b5876d1d95c1f1380c2f773ca0cb07b173474ee16fe66a6af633b04cc84e58924a62f00dcc171b2656d554864bf57a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638343870221005468

Filesize
57B

MD5
3a05eaea94307f8c57bac69c3df64e59

SHA1
9b852b902b72b9d5f7b9158e306e1a2c5f6112c8

SHA256
a8ef112df7dad4b09aaa48c3e53272a2eec139e86590fd80e2b7cbd23d14c09e

SHA512
6080aef2339031fafdcfb00d3179285e09b707a846fd2ea03921467df5930b3f9c629d37400d625a8571b900bc46021047770bac238f6bac544b48fb3d522fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982

Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_id0rl34oxreuuoxkuh1icsh0qae0uc4o\0.5.8.0\user.config

Filesize
439B

MD5
8521aa3937baad8a2a7b5cc5235ff8aa

SHA1
7eb5786b9963c386a8f0e9666c4ad54378401fc6

SHA256
8f64e2ad952c408bc8e12dcc0b0bf16d8778fd6aaa779ee2639ea42e94efdd67

SHA512
bd607e8d3b63e41afa351b9e41b61436f037f306b2be41397cff8b260747a5ba199e6deaefcb39f9f42c88256fcb51f624549756e66e0de34de32bf9d93fccf9

Download Submit
C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_id0rl34oxreuuoxkuh1icsh0qae0uc4o\0.5.8.0\user.config

Filesize
319B

MD5
f71f55112253acc1ef2ecd0a61935970

SHA1
faa9d50656e386e460278d31b1d9247fdd947bb7

SHA256
d1ad588a08c8c0799d7a14509f1e0a7ae04c519102ed9d328a83fe65999e6179

SHA512
761b5c13e39bd4ae21d298084bbe747ae71c383fedf9a51fd5e9723a8b3b4547de459d82bac7f3f8f3bfc11cfb0528a4f1057b51996d7d046583109a53317b44

Download Submit
C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_id0rl34oxreuuoxkuh1icsh0qae0uc4o\0.5.8.0\y0eac52f.newcfg

Filesize
552B

MD5
4998b0db70f48c49bab39aaf5e1cdaf9

SHA1
4b59068442caca5a058dc5202c78530fc059079f

SHA256
3653d52c82c854d233cb3ed7689f99ad2f243ebfdab4391b6a8d7ccc819c7e98

SHA512
4fa6bb929f0caa50899cde8b84bd0cf60f968323ca1b2b811f0dacdaa1f724c666f4717b90a9f32c4e0cd0a4b4045eef5c6e16ca87ee57778b4af3337017afa3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_th3h12au.t23.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
b7a1b4cfbf9944b31ad75d7b17efe7e9

SHA1
7ae2d0d4f581f987513ded0ae85a0f8730947d18

SHA256
8fdbb0ce05579a080257094ff5930a1c4a5b4f44ee6b696d65a9e4179de9240f

SHA512
841334839a65af27c8fa6fd157fe983e87b2431cb3241342c6e50f83826558f34b124d7184ed63620457768c918138995e83cdbde9cbb1204f63bf02a6fe554b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
da8cad23c772efc5896c4f263078fabe

SHA1
fa69a4a2ef63988684e9466acc76299c4980710b

SHA256
827f023cf8af6fbca6bd5059eabdb70ad8fa586767f1b17eba4b7397b189a44f

SHA512
1e4b31fb6f2bd295857bf785569bf3f998696dfb67ce99a60b4fb770be7083c1688b599ab44dc72138b45aa2949df4203b534ab045ffe238f4090697a5581a14

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
4dc541a35a88071ff23d21e350f1cdee

SHA1
2ddc39bb2e464510fefe4ba217598a3cea434f0c

SHA256
05cc594cd1097fc3d8d2f2050a12e088a92261475ba313ee8ded0fa2e4666639

SHA512
46e772be0921d0188835b5b1f8adb48bf0982c998ab5a382df0308b1418922deeb507ccea9273bd8cd4e2cda21f37865a71aec08938682baf780ec202c9e7d4d

Download Submit
C:\Users\Admin\Desktop\AsyncClient.exe

Filesize
45KB

MD5
864c8ebc5289e59ca0d273a2d653a1b8

SHA1
b48be52988a33dd04a3043a53576886e454bb0b3

SHA256
5806cbf433806d05ee696983d702538af28f27bc25906eecf4abe2070e19f44b

SHA512
403516270d958c13eccf4678e5173c86468d628853b058161eb7c6d42f8059ea1c3e516006349cd6e3f2124cb59b189fa2e72803419c4eeb4db5bfdb9557b117

Download Submit
C:\Users\Admin\Desktop\AsyncRAT\ServerCertificate.p12

Filesize
4KB

MD5
c91a2a14efbeb2fc27dc36b619012c2f

SHA1
a8ba56dc3eb062f81082d0b24c3fc5c3ccfba7ef

SHA256
0e164c6ac41f0fcef99cc587c1c05a94753d02f6ed067ff1a54644c1e3a5a699

SHA512
fe48629384e9aeedaadbbbb337204861cd3a90ab4302954b12b12e96b552a7146e08a269678e30a9a16723bcd08967c291c3a4c9d28b9100f1701f116716dd8e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 192976.crdownload

Filesize
6.9MB

MD5
30b1961a9b56972841a3806e716531d7

SHA1
63c6880d936a60fefc43a51715036c93265a4ae5

SHA256
0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c

SHA512
9449065743226bd15699e710b2bab2a5bb44866f2d9a8bd1b3529b7c53d68e5ecba935e36406d1b69e1fb050f50e3321ef91bc61faac9790f6209fec6f930ed0

Download Submit
memory/3272-548-0x0000000007070000-0x000000000708E000-memory.dmp

Filesize
120KB

Download
memory/3272-528-0x0000000006050000-0x00000000065F6000-memory.dmp

Filesize
5.6MB

Download
memory/3272-529-0x0000000005B10000-0x0000000005B76000-memory.dmp

Filesize
408KB

Download
memory/3272-549-0x00000000070B0000-0x00000000070C2000-memory.dmp

Filesize
72KB

Download
memory/3272-526-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/3272-546-0x0000000006DC0000-0x0000000006E36000-memory.dmp

Filesize
472KB

Download
memory/3272-527-0x0000000005A00000-0x0000000005A9C000-memory.dmp

Filesize
624KB

Download
memory/3272-547-0x0000000006D40000-0x0000000006DA2000-memory.dmp

Filesize
392KB

Download
memory/4376-483-0x00000205478F0000-0x0000020547902000-memory.dmp

Filesize
72KB

Download
memory/4376-484-0x00000205481D0000-0x0000020548450000-memory.dmp

Filesize
2.5MB

Download
memory/4376-494-0x0000020544D00000-0x0000020544E26000-memory.dmp

Filesize
1.1MB

Download
memory/4376-482-0x0000020548170000-0x000002054817A000-memory.dmp

Filesize
40KB

Download
memory/4376-481-0x0000020543FA0000-0x00000205441F2000-memory.dmp

Filesize
2.3MB

Download
memory/4376-479-0x0000020529310000-0x000002052997A000-memory.dmp

Filesize
6.4MB

Download
memory/4448-560-0x0000000006E50000-0x0000000006EB8000-memory.dmp

Filesize
416KB

Download
memory/4448-563-0x00000000064B0000-0x0000000006514000-memory.dmp

Filesize
400KB

Download
memory/4448-561-0x0000000006FA0000-0x0000000007032000-memory.dmp

Filesize
584KB

Download
memory/4448-551-0x00000000065F0000-0x0000000006662000-memory.dmp

Filesize
456KB

Download
memory/4448-552-0x0000000006970000-0x0000000006992000-memory.dmp

Filesize
136KB

Download
memory/4448-554-0x00000000069B0000-0x00000000069F4000-memory.dmp

Filesize
272KB

Download
memory/4448-553-0x0000000006950000-0x000000000695A000-memory.dmp

Filesize
40KB

Download
memory/4448-921-0x0000000006350000-0x00000000063B4000-memory.dmp

Filesize
400KB

Download
memory/4448-1629-0x0000000007E30000-0x0000000007E92000-memory.dmp

Filesize
392KB

Download
memory/4448-1025-0x0000000007DB0000-0x0000000007E14000-memory.dmp

Filesize
400KB

Download
memory/4448-935-0x0000000007BA0000-0x0000000007C04000-memory.dmp

Filesize
400KB

Download
memory/4924-1635-0x00000000058E0000-0x0000000005902000-memory.dmp

Filesize
136KB

Download
memory/4924-1634-0x0000000005D80000-0x000000000644A000-memory.dmp

Filesize
6.8MB

Download
memory/4924-1641-0x0000000005980000-0x00000000059E6000-memory.dmp

Filesize
408KB

Download
memory/4924-1646-0x0000000006450000-0x00000000067A7000-memory.dmp

Filesize
3.3MB

Download
memory/4924-1647-0x00000000067F0000-0x000000000680E000-memory.dmp

Filesize
120KB

Download
memory/4924-1648-0x0000000006890000-0x00000000068DC000-memory.dmp

Filesize
304KB

Download
memory/4924-1651-0x0000000006D80000-0x0000000006DA2000-memory.dmp

Filesize
136KB

Download
memory/4924-1650-0x0000000006CF0000-0x0000000006D0A000-memory.dmp

Filesize
104KB

Download
memory/4924-1649-0x0000000007850000-0x00000000078E6000-memory.dmp

Filesize
600KB

Download
memory/4924-1633-0x0000000002E50000-0x0000000002E86000-memory.dmp

Filesize
216KB

Download