asyncrat | hxxps://discord[.]gg/eDYP7Ky3ZX

Analysis

max time kernel
480s
max time network
485s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-01-2025 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://discord.gg/eDYP7Ky3ZX

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

Mutex

OPbk3tlGlGkQ

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0027000000046483-1673.dat	family_asyncrat

Executes dropped EXE 1 IoCs

pid	Process
6028	AsyncClient.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
129	discord.com
187	camo.githubusercontent.com
188	camo.githubusercontent.com
189	camo.githubusercontent.com
14	discord.com
15	discord.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\cd2946c1-c64e-4edc-8d83-2d21368e276a.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250101233615.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4352	ipconfig.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000005ce0d422dd4bdb01b525ab58ea4bdb013d89ad58ea4bdb0114000000	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 50003100000000008b59c184100041646d696e003c0009000400efbe8b594f77215a84bc2e000000f9080400000002000000000000000000000000000000a0ac6700410064006d0069006e00000014000000	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	AsyncRAT.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3829776853-2076861744-2973657197-1000\{F4D5CF65-FB48-40B4-B198-E1B3CCBB5BBD}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\MRUListEx = ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0\NodeSlot = "5"	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 8400310000000000215a12bd1100444f574e4c4f7e3100006c0009000400efbe8b594f77215a12bd2e00000001090400000002000000000000000000420000000000cd04ce0044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 78003100000000008b594f771100557365727300640009000400efbe874f7748215a84bc2e000000fd0100000000010000000000000000003a00000000002131180155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0 = 5a00310000000000215a12bd1000434f4d50494c45440000420009000400efbe215a12bd215a12bd2e000000eb63040000002b0000000000000000000000000000007c97c00043004f004d00500049004c0045004400000018000000	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0\0 = 5a00310000000000215a1cbd10004173796e635241540000420009000400efbe215a12bd215a1cbd2e00000063640400000028000000000000000000000000000000530c25014100730079006e006300520041005400000018000000	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	AsyncRAT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "6"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	AsyncRAT.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\0	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	AsyncRAT.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	AsyncRAT.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	AsyncRAT.exe
Key created	\REGISTRY\USER\S-1-5-21-3829776853-2076861744-2973657197-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	AsyncRAT.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2072	msedge.exe
2072	msedge.exe
1824	msedge.exe
1824	msedge.exe
232	msedge.exe
232	msedge.exe
4512	identity_helper.exe
4512	identity_helper.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
3740	msedge.exe
3740	msedge.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe
6028	AsyncClient.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2032	AsyncRAT.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
688	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 28 IoCs

pid	Process
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: 33	2352	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2352	AUDIODG.EXE
Token: 33	5064	msedge.exe
Token: SeIncBasePriorityPrivilege	5064	msedge.exe
Token: 33	5064	msedge.exe
Token: SeIncBasePriorityPrivilege	5064	msedge.exe
Token: SeDebugPrivilege	6028	AsyncClient.exe
Token: SeDebugPrivilege	2032	AsyncRAT.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe

Suspicious use of SendNotifyMessage 33 IoCs

pid	Process
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
2032	AsyncRAT.exe
2032	AsyncRAT.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2032	AsyncRAT.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 2684	1824	msedge.exe	81
PID 1824 wrote to memory of 2684	1824	msedge.exe	81
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 1580	1824	msedge.exe	82
PID 1824 wrote to memory of 2072	1824	msedge.exe	83
PID 1824 wrote to memory of 2072	1824	msedge.exe	83
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84
PID 1824 wrote to memory of 4608	1824	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://discord.gg/eDYP7Ky3ZX
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff857fc46f8,0x7ff857fc4708,0x7ff857fc4718
  2⤵
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3680 /prefetch:8
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4196 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:5060
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff687aa5460,0x7ff687aa5470,0x7ff687aa5480
    3⤵
    PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6284 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:1736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6856 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1736 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7528 /prefetch:8
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7508 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7196 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,8675461543323420452,15859228641141059118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2644

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x4f8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2352

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6036

C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe
"C:\Users\Admin\Downloads\COMPILED\AsyncRAT\AsyncRAT.exe"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ukkz5ntx\ukkz5ntx.cmdline"
  2⤵
  PID:4300
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8BD.tmp" "c:\Users\Admin\AppData\Local\Temp\ukkz5ntx\CSC73D9371FED314636BD9680D25E95A98.TMP"
    3⤵
    PID:4752

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2244

C:\Users\Admin\Desktop\AsyncClient.exe
"C:\Users\Admin\Desktop\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6028
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2584
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:4352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\med1cljm\med1cljm.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2B0.tmp" "c:\Users\Admin\AppData\Local\Temp\med1cljm\CSCBA33D1F744E34FFD99209F6DE9B91E46.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wd0nizqq\wd0nizqq.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5204
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7686.tmp" "c:\Users\Admin\AppData\Local\Temp\wd0nizqq\CSCAC74BBD3B9D4B71A9E4423D76CEDEC9.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2168

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8978379b8b4dac705f196c82cddb401

SHA1
873169c69e4aaa8c3e1da1c95f3fc6b005f63112

SHA256
83528bc9af5e037e40f14bece26788301e4555a6164b31e6010d93d7d18f0afa

SHA512
2d73194d03ea51d4154ee9556950dee1e666720c4b53fe671cf2e7647889d480c2941757d6b9b4c60a29a6799478450136f4847b0bec5d4b6aa630d9ca856308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c8c74ab5c035388c9f8ca42d04225ed8

SHA1
1bb47394d88b472e3f163c39261a20b7a4aa3dc0

SHA256
ea821d15371cdfef9f4c01c71fbe39f9db7bfd61e6a83e09b14886c5756cd9d9

SHA512
88922af80d561b3cf10963160d245044554f9011e4aec4fd40c740b06e5e87e9bc16ed309e296f549d9244b6cc93f627d6dd010eb2d325b38cbb1d43d8b95157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
137KB

MD5
7209f284854b7ea1e5642c91fd2e43d4

SHA1
4f3e2904428778c247fee4bbf39dfefb45234370

SHA256
1878e1d962faa07f1e785f5be4104bfab3feb6112a66d7bdcae1fe2524e8e4e4

SHA512
fd8f15a12102b842f28da5a2f8d2eacaa0600459c6d0df415ac7e43cea0fdb359cf95bb2193695cf6169eca5157914d584c694514f9498ade833a49da67ce3f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037

Filesize
67KB

MD5
69df804d05f8b29a88278b7d582dd279

SHA1
d9560905612cf656d5dd0e741172fb4cd9c60688

SHA256
b885987a52236f56ce7a5ca18b18533e64f62ab64eb14050ede93c93b5bd5608

SHA512
0ef49eeeeb463da832f7d5b11f6418baa65963de62c00e71d847183e0035be03e63c097103d30329582fe806d246e3c0e3ecab8b2498799abbb21d8b7febdc0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005a

Filesize
97KB

MD5
422ea571762501fb4df38298fbc8c253

SHA1
30ffcc1cb9219aa2e22b17334e941cd76a96dcf3

SHA256
db6bc9db41e91b689b6d82af2370b8ac4f63068c08423561d2626c913d3caf20

SHA512
ee5f3c70f6188a0adfd7ddcb5956f89d260b26e45fdf4f8bf250da20cd61c3b8e0833c02281294f7312ca256249290e38c6036330ba235c31d9af835e87c3f3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000062

Filesize
98KB

MD5
5b0392ad2e4fcfd1fffe5e58c286765b

SHA1
cc11f4f6a49413ea347ebb6c66895a230faa9d04

SHA256
7b5a822ca15078f279ba6d4a0bd55d07ea835fdd1e53fc1782ef52e10b43f0ca

SHA512
a5191947603bfdb3e8602c8a2bd4e3b76e0798f96013555f90bb0bbec0b86d2f900ebe09e19c2bde6042bff5705e82fbcaf58a02a5c969f65ed99504e2a7a595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007c

Filesize
102KB

MD5
fc27ec8e76d28080a899fd13062d1d49

SHA1
1dad1c58da75d8a9142c5d424f7f1d497fe049a5

SHA256
d76c63105429e3f7b84dd5052c6a7bf770c79467a1771047df1e83eaeeb01503

SHA512
62afaf9246bf15cba81f7028823b0cd468ae83f7b8bbfd03d2a5cfa688145bd606bc4d516a4146c4af15f799e60efddb77a011c1045ba2c136ce5848a7c292f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
7b5be6408b6b6618e3a923abb6461034

SHA1
6cbb92ca4ad4997b6c856c05398004570b92cd92

SHA256
f67d5747aa4bd7ba86a8041b10360ec3f7f049ceabd944891e2f681912888ed0

SHA512
a1dd96dd3440954d76e72cf5226be46da06ad746fdac9e1216f3015d868d5cf94865580a066eb82ea808e6758ed77e4a7a6973ecbc85d04feaeaca239d0378e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
198ff6ea271a230cec2e5b6f3507d464

SHA1
05c36c611b10a4f48ac2c4928e58b9f17dbd7f34

SHA256
b410b91eea0bc05cf407e5381f7c16ec321931f4e3398d9fb362e1ea75bdb984

SHA512
2dfc8f70c61598d7561a156fedf97c3aed6a4d09d664d4fd0c6034cebf5bd10faa3a573184604f13269c0c0a23f6fd8e5bbb982703a5052971445684d88293ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
d88d650383d5f180dad4d8f9ebcdbe7a

SHA1
46818dde60eea0089ec943711c64b79cb5f6d0a3

SHA256
f1126f16b200f862e843d33f02af931de22730995b69b92725aa9e385fc511c2

SHA512
488964d05ab041254ac0d47a71810d77ac671a831249f9b1493d74b9de9b67459893d8e2c24c27b8b6f06578935d6afdfd2e2ec513f7ed0d4991669c27069365

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
720B

MD5
03f635c045ccc69b793a4cd57f4301ec

SHA1
bc64b824f762b82470a5afae2e653271759a63f9

SHA256
a02520f3a6b1527d528bbc9ab38e3c06f5675938dd8f6e716f8aa111fab88922

SHA512
1df4b1f718222a90b685b1a7faf1cef3d8a58073993b0a77f6ae75823ef94cff51e55802dd3a347d0ca1f44b56277cc80ac786d08bce61cff46b889fa27ed863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
1d91b78adc29138dd2a0392669f740f7

SHA1
4fe6b073e729f82891a268de2781ae4894069ec0

SHA256
1557076ccf55832cbc04b0b69d7a31b5f45fa97ac114a3fb8d17bbd9d60f8864

SHA512
d791e03928cdde80bcc09ace365c779906b53407efe764d42ab1d416bbe79fd767735856afd830c49e40162f2b3bdc6f83fcf8542fb1b6715dcb1c9462071cb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
bfd0ae581af85029c98c8629c16b81a3

SHA1
eed5ecbadbe62adda58bf009f7a191f6de62aec3

SHA256
a5eb9528652113064550af5997d737e9927984829f0a65e571724bc9a2878232

SHA512
d8f6bd9fab19947010381907e066ba822ca1bfb94c7c4d848f3fb6bdb246792d53549b2593ed3bc6560e1307a3f9a5673acf0be47a5489a3dcf68e51f0d07bb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
836B

MD5
2512e6d9f5c1f4e3561947b0eb637162

SHA1
ac3bfacb1311bda3a9185fab44b52d965906b5fa

SHA256
df5a5d8aa80ebad9dcab1bead7e97fed0aafbd8c615fe9f68bb29ac0b69192ed

SHA512
cf9c5f5eb5918f5746f87033ab7b43891aa0a30c32dd2732a97708f71b0fdd7649ad1e46f26b6a72f6edeaf5bb919b649dec3e1395cda32f40c7879289039a6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
aea02a193a57015b22361c2549150bf2

SHA1
c2680972f9f1e356423021a7d12793444c7c3b28

SHA256
4db7abd37f74ae5d6417fa8ac70ebb14bd16f1d63050f11076bf05d62bfc315e

SHA512
2a95b633034cd40478914861c1d59415d6d4130c2cc82c0568477196d4a6c7698e59ac1a25ff98ee9a6893b0b2656636bdca52cc59fd2a573216f19dbf885fa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
76e09efed42544b3c8f1740a407599f8

SHA1
bb47e14ddc5e3f1ecd4d0bb5ce75ffb15094dc4b

SHA256
1228aa2d05ebeb7b9db5a54c995e1f17b73722dbadf720c5fa36b1c28979e8be

SHA512
8ab66b4b35353c6292fd20d05217b2e56564761a54dfdf163ee22619108dde4ebb7de435870ccb5710773f9112b6234fb160e0f2a3ba039dba61d718189df44e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b6147b044ac2f31dab44e9ec69a0dfae

SHA1
4d2e7559f0c7ca13ff23ba07af81d4b919ac5077

SHA256
5767b45baf3ab55cd503880ca7b717295ab54370ea456a28a4040ff5c6f6ca1c

SHA512
3136d6d58267ae8d138161f879c6c3e3a6d008b331fb542d18d77390a1f16f603c754e38799bb2607d3a4e07bff2b604dae9e65db8336285ab012d26f8a48d9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
dfd8590dde3bbac8be34e4472e053534

SHA1
0e01efb6a8eb8fb6b7279dcfce130198cdf44139

SHA256
fa48602654d67d236f1fd28e3d9efda04d6da470a4947a88c3a1ce0a4f60881d

SHA512
f8b76e700b5537d0b9398702abc825a8c407b7ec5c652332063c07b1b6eb253481adf6b94aee2155741b2c95fadcf189fdfad525553b772782bad4ee5d102867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe586dd8.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e2f0f6c009ef667da8749f403e4b085f

SHA1
3fdb6db7f99d2e9861cb036a39c8921bd0106920

SHA256
a1f66ae331a21bcc94e5ab500635f581986e5d5ff47a7d5b680774a9a27ecc9f

SHA512
fdc1bb62ddd1f9f9c0aade8c97eced739c81f52fcaaa7a125ba3af358a2c94f0aac1ea34edb25d4e09d921fa831ad5eefe641f6d951e81be6ab4c4a85d15e359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5197a149cddd335c18d7c66db6752afe

SHA1
434f5dcef1e885d7c725d85280254cb7c3fe4aa9

SHA256
40d11579e634757038c539be73e119e55e58b764fb8d050526d61e19cc856890

SHA512
c7553624d50fc6c088c23eb1df56e5520ba58b4d577e3c2cf90447a952da03c6f75ee11eeeb2f0bd3be321b4094f57edb26d624f7d27616cea7657719ff5bda7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
37cf6b612e6219bc35f04848cdab63e5

SHA1
2f9ab60eae0cfbbe2bb38b43240a78743843d323

SHA256
c5413227941c5a7f3fb254391ec833afea669c3fca9110ce5806a65dd3418dfe

SHA512
0908c2a08437adc4b38ca7f043f366ea26a8b6f50af3d68b986a93b9f399322d678330379f9c511b5ad0b9231ab6ad1646d70a5223595a5e365f00efbf447a84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8bf588cdb2906f8219b28eae871b8656

SHA1
352e78de9d12e56be2ac891971c1b680c784133c

SHA256
41536c9752e9ce4b773091ca0a4a0d77cdcaac1a0176565e30e28edfa7c98fed

SHA512
7731860886bd5830a312b3bf19ef670345b51159538468a607bd7aee2418b8d4d9ca5b02c194d4a5ce9ebf0379b5002b98dc8409ef509ce00b60c60efba42500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d7b4431c8d31bda7d61780f6e090c7e

SHA1
f8d3c095502b1f1a4b2135293ea1b588692f99d8

SHA256
5d947bbccfa32c9be9e5c971920c70938e724c9be86f4dc73a6ac1af9189e786

SHA512
cd39831de296846005748e30e945c2449c34cb70d36565b5dc6b0204ef7b3d5c8ac31a53daa7d9bd995bdb0e05457355f4d7b85caa255fefc117b1239650e990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6876f0d080ca5d6ff5d5fe0b10b3c604

SHA1
af446af35f8cde2a659f74ae309370fb41381c7a

SHA256
9875be0f329c81c99217fbb4f0dc832c5f54b4b7918cdabd18f165a0ebe001bc

SHA512
ba2d486d552aba7720af8c9fc9737eae6e69514d7fd05ac72feb60a55361c5019236667e6a25cdc4b479c9ca5c038e458b16b02907d5d8d30c651e022e0718ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5b14d602d82cecb0e74f2dd8a204a9d2

SHA1
c9c44c4bee36f1f8664d52cf127c89a04edce706

SHA256
d360617e5162c6e9310e86fe866a1f8f178db27752700a71229d189b33fc06aa

SHA512
42ee3f19d9dc51da0103551bf5c3c6e26ddee5960fba70d8e17f5d7e6ecce317b9d671748b3a704b6583cd93542d87ec367856941a36550fc98a6fa2f4773448

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef28966591a2b02b5fc3e7dde4c52b48

SHA1
213ddd364721bc303ab3202600e54b6be16bd468

SHA256
a3b4477c4a97273b13840e20c419233b05db813c5e9aea50440b54879abbba7a

SHA512
b9fa08a6a9cdd383929d83a618a3f6d89946d1d7e6c8af78cfc04ee87fa8a3c88c3e8cd471767db21645591229ee0546386c1c2a7ae961f27d14a2cdc83a96a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f09cb8f1448b9501115ec7a1f656daba

SHA1
2ae036d8b9cc2a5e188d1fd280995a401a3d08b7

SHA256
81a774ec012d6c404573e42d6cde3f96e1f8bd31dea899cb2c57c717be7c3cea

SHA512
a4d0ca3ae7b16226cea9379a4a5a62625d857452fa194ab8e24d1a77545e8d541837baecb81164345016a4e225610e6982b92e425da4c019285855a5bd68ba58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4ddde6b524b6d8aef7b452da5e98b4d9

SHA1
5d8426be79b9e29cf3c4d22eb00582c005144c8f

SHA256
d9fdba9936ffe878b97f2ad53d3873ccb0fda96ceac24f7bda64da91df27ab5a

SHA512
383a514f3589408a602ab730dc5bc820d8cb7274dee9d065769cdcb02f217e53837ea3c327dd372170752ede32a0841ecf2c22f4b3fe47d6857e4d508d9dc51d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bdc4b4176f5be5a16b2f14674cd42946

SHA1
5b0d815b632c616dba952115cb8d54837f191d94

SHA256
2aec5aeef4c0985ab3efa5b881d33fa0d126dbfd5a10bb36b6e5ad4d28dd75e8

SHA512
6147061293ed4650311173e7e41594044908cfc97106ceb637e308a16dafdd9fc8d60675c7d6a80bc1e4324637e31dac07e4b64a442df7cf746ab2ed05e1f7be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8ce8c191fa4a0bdf9cef140b36d8de73

SHA1
d30671c9907304489391fe582b627da98594ec57

SHA256
f4a251831edaa8dd79083d9acf876b73b38c82434a377753da7203f9dcf90276

SHA512
e9f5d5e0fb16c8fc6c7424b0f8ce0ed7b4f82397c1a0a7b5ce3ac27a2fa64205410b270fc58e48dddc1ca5991ebfbb857fba67662193b5fe0ffb10cf4aba1143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
713a304be612975d4cc72def5cb4ae4f

SHA1
1b438b0c5f8312356fa7a170013da310e9db878f

SHA256
f0fcf3be66122cc15f10ed4847c83a5626c6c0ea2c0d3f99955b57e736c223a1

SHA512
61a6e6018873f9284778b48481aa1f0282bfabdc867e8205d27d515634365bd4627e2d5811498c4a3033265952ed476213a35a570643c8bae050716d4dd7b8d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
671cfbd0275770e681ef4ede37140969

SHA1
ac145dd046e86ab6aff6340664c509c4fd5f1746

SHA256
dfafdb318c177ff96d9b85ed518f229398c3f5161f0ca48ff427516292b9d823

SHA512
d76a8d3a91d1e5e84b35cfa815736c1d0bd7252381f4e540a8d7102385224167b995f698559c95fa18ed3a50e14a58fb0a96bcedb57d4770df50f98c6d331faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
55182d891d98ec9d988cec04bac8752d

SHA1
e18a06e1498ff69c1c2697df7e195cf922a92e01

SHA256
08dc082566b36f693f93e341a5eb4e93a95d5bfed35b952f5ddcf4a5d51e963d

SHA512
35b9bf0c05da26bcebb4e259deca27c84e28521aff5a27af8205624581d1b0a7da6350ee7de0a2329c9cbc1d8cf205c1487638196232cbe794aaa91b0d86d0f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
20c80f860102efb330925792e5d9d7c3

SHA1
4194061352bc2821edf85bb86b4eb0858dff7789

SHA256
a8e9e735bd1f2c3e6748edea2c69c603fe7a4f7429613e9c823cb5120ec56f7b

SHA512
35fe81509413e825d23862e0f3cbdad9ee906d9b4736c1e293c42028970969f9a0c3f5ff11da50f37e8d111bb346b01478000660444b70c9d2b3cc480d95ec56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c90e4f7b4a8253bfc0194617a52a1f28

SHA1
9fdc101388d12422772f705cf1ffcf8563e1000d

SHA256
93a883fd28696b8c33a0e837183cade7b5acb55fa8db4c9f35228e71e2b21587

SHA512
148d1daff9186c163f688b5890617ca5a3a834b0b0d84c2ab9331a65b59828143f12597a9ffa6d4d6c6e83b7fd01c5b1ca3c0c0b50191eaa9c69bfd407b745fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f34ff8f6e3807d4d088fcf224831c29e

SHA1
ba02ebf89c37cc98d06ed541f6adefc51eea7af9

SHA256
2a428a0d5d2df83e61c1e0b8ae8cb944831ad4abee6bea0b8058cfdb183b6ca7

SHA512
2816ea4801dae4ded33d7ebe6c2a2fedcff5a0fb7eb06c2e2fd4754c195ff5b5fba57751092a8bb123939c60b397cfa0b9cac79f54f9673f53e5a3fbcca31ad7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e86c4d7195e93d137af2001e430070a5

SHA1
7ca7e12eb45fda260e86395c508161bb80c23441

SHA256
88f1e9aac62414d662b04d7f6fc5279769022c525520f29e29496e9030ac3211

SHA512
e1a74419593a6c6e691bce2a20361e775be0da4b369442924b316b3572e7c52d5ea725fc342c7cee87fc0be59301cef6b81c26c5541b1fd76afbfe3fe3aadd62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
134b7345c30211e3a71cfc5e1b047a57

SHA1
0264b405cbc46438ae455373b7417f1f2eafd72f

SHA256
7568d91e305d677497d86e6257fefb7cea24140e76aec649e4ac14c7809ffc24

SHA512
ce4a9744bab4b66896043fad8ba7222e9ec867a2a6de706502f93f4d84607b670bd1039ce6daa8b68d1cff3602c083c918ea3779d923a3ba8bdf9844e281f2ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
8c055ec9dddc14b4a46e3162e1fb10a8

SHA1
5e570bbb5942b216b105cfd0c25aecf35655415f

SHA256
97b191da611ee742e36f79cf467832d81798430b35f270ac05ba52abfbd2900d

SHA512
e51d08bac0d0cf80e6035c0dcf9e1e2694dce0ca31477b15fb6d3745d7b095b77021a93be9630a99dcfa17f2a2ea7665f3ba3a9c30cd32635914228c1a5b2053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
28af21bd95f32a103ab3435c0e056ef5

SHA1
f715cb09d2e25521e965aded2a64711926cd9939

SHA256
a598bf52e47ab149ac47887bbf4a45bfa82e09baa7cdb36f86af9cc846ef6ca6

SHA512
3f28cfac3489c5a0c0567f574638a9869cb7a0be72d6003b8b083fdc45629e7fef716fb40149e1b1dbad8f3fcd7c06acee84d5ec89225fc65ef55f61662409ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
47b1eadf86bee555a29feecc44a2bd26

SHA1
2b596d8db0d31b77f4badd2f29247974e7df6d0f

SHA256
3522ae7a33d777b2c31488d1769f67b76983b42f868dde0898758f41337c8495

SHA512
fe2fb0d6507d85ed74b8189c751489c1dba3e772d8b021ccf76fc40d95acbe23bc0417d3ff3043c3a4b146cdd78c3fbe2e97d1c9f262cfec03ac9c6cd8b20f4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
471ffc33c3185b732f283fa042387df7

SHA1
4286ffd6c35cbe5f922453a2177e9d5aca9ba1ec

SHA256
60c3a6d77758e18f7efdd47cdca8e1fcda496ef5447b0177037c3b9d6e39abeb

SHA512
24a2d5bda349ae7687454723beae34a5dbc6de39dbf9a3900a0c5ea6cf5312e489252b8827b83ca32218feaf3a469a0f19e13fe26044d8bc1db2dbab47fca541

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3b96c38ad0cac4169313d6d0375ad331

SHA1
33c8a4056ac711d77564899e17148ddc2bb57460

SHA256
acf91e58fc183709d049c2833eda942b7c69189a1c5b26f0fae4dfc473bdf6dc

SHA512
4653bb4fff61055c199f21608576e70990d01112de13eb72d15ab952fabece330dd244307805c0ee1e2c0c6aa7c41733ef9c4abe020682a53658b7afb9fd630e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
536b80d96cc6a6204cb26e53ad310a52

SHA1
b4dbbae76d71a023ec8b59afe69c1ee821fdd955

SHA256
42272bfc54b39c06eb5c5fd43ba11f1b6ad72d71dd0d5250e1241f36596758b8

SHA512
43e248453a4f43ca9171a775b39b59fcd7938d7b5806e4ea56b9303d7ee06eab3400ac6aa00c0257ebe34f8e1117194a8c48ff82434ba02b06da9f974a7a7676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
5fd58493c60c6ddade4136efddce7cfc

SHA1
45fb65a20530247b8e257aece19efb55ef077d89

SHA256
9e7812df1a4f1df2da4805315fe6e29bcbb8bd307368f5b1b15993910f7c1b7f

SHA512
5cf400f8cdff30437cffdcc0a0bd9565bf2cebb9ae13662a877fb1a87af59b0e8c26f43c80e933a365f693d759641f5ef9b3fbd925e68454568c25d47fc30c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
2f474479cd744a3063dd5a6ec50d7dd7

SHA1
07929939b04cfa0887159b637aaa16e4fca9ec9b

SHA256
f075f54502233ac17b84d21300cd1ccafcc3b479f414c44046ea5bae1773a29c

SHA512
15b420bcb458977b8968deb21010b76211a3e4e6534484ff53dbd6339f03940b3eecabad4ee11fb09decf0592131552f0c113451b6fe3f12943d7bcdd9cb6ad1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
25ebe6fc9a8f782332a3d6362b367907

SHA1
a6223f8d410ed6ffebe9264ae72982e93134fc79

SHA256
7144926f5c34d3fee116f0e2b2a27ea986ab7ed7336d6151861f3e6d1249fca8

SHA512
66c390c6db6b28a8c7f89fe0060fd9d113412f9d21180546c5016d7f0629d62ee07b27cf00031bd2224b60358bafb41f0402dac36dcd69aa0e825ded50b91742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a6286e20dea35bad0d5a5c8b8b3da3af

SHA1
557450141d4ef947add59657c1cda52d096b3c46

SHA256
7e0f5ca64510eb38ba3147e0a62627df447719d07148ad2edff41a8b4e4e71c0

SHA512
ed2acb9a9a31f6b15ad0d29a5e6d12ffac04d17bd136073e215f9f95a986ce911ada29a767063270f71655cf56e343cf554caa45565e470cc71e15f0a8866ff5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
88f1494ed180c4071d438592bf9c90c7

SHA1
a14a02b85b503c3ca13ea1cdc3a93acad68ba86e

SHA256
5893112e3282697ce127c0b663d4e51bdafacec60d1b7e16bafd538f1cc425ba

SHA512
b4b1f0c51390efd0619de54c286fffa9797590aa6e6c590e5c5d3e77418fdaf269660df5db13d1b2662b4dd72a91d460947f411b35a0dcbdb07a47d349dfaf66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
5caca659a804fc528b49d98313cd2875

SHA1
95c9eb121611dcdbe7788cf8c02f777d58be66be

SHA256
b8eca23dac9ea7b76a48ed88e1897b87d164b42071d35ac80e3a53c8d4b47cfe

SHA512
4bcec08616b4cb60e02520ff493f45303862cacc0de0b839893fcf80e3e19bad5d820f02ca6f352793915b5f3fcac8c081134f954391920dec239aa22eadcfcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
33c47d3fe9fda5fbab1589d4ea85e68b

SHA1
7fdfdf37ac4dd2954fe793e39afd3f6d9f4a2043

SHA256
1cc08ea3b8bc2b823d8c19ef316e74090c7c788c795f88513d5009d8262ce29e

SHA512
d75882886475a0c74270e828acaf500b9655107b9efc3094341d33a632eb7e80266f96bf61f50dbd24aafe9f352e57b2b3d8adfbce62518aaddcf96fd7c0d9b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
134643ec4e288aa2682adc018906476c

SHA1
c6557f976f980cd513d9fbd84a9ff27120897b5a

SHA256
c4ba2c0ba8391c3e18485239f8c89790edf563238d1dce494d970bac1b0e170c

SHA512
c07a41ad3274dc829dd9184920ed9126e4954c21f282f458d3c09c899d4a6f2cbea2b51cd55434665e76e0d3d03834d36a227efb69915786839936f5dcf531c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
0879d47a25f6ca259b90a68c5649ccf2

SHA1
2614a15586edc19a5e440ed26afd50f657fa463d

SHA256
18766d94ce68318c0490e86f12c8ee13103d426398a6a349561933823fcb7c2b

SHA512
4cc9f8f9f60b2a005d2d1cca29a21a6579d3c1bbdad0cc3dd1e2e229be5be2508f1b0d5a2b35b4f998beddf7951d26e68b05b77fc326e98dc44f94d032c0aa82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d614cb5b548702982c3819874ceeefab

SHA1
2bc78dbe656c63a4393e82c42c41899c497f0844

SHA256
9603b46ea43c7c1038eaeb646cc19bb1111bab67c8a2ecc7357906a4f82b492c

SHA512
ec19b34f09bbddf0c72737999cf16153e5df7dca712580930761247a788e94575bb7e8e8cec5c538ae26dee0caa6d5cfa58ccaf9852dc1e339414d8cace7e5ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
e5d72d654a2afcccc7d5d5ab5979adae

SHA1
c695230c7fd10d842bdbbcd35d36879f5de2fe5b

SHA256
d84132b747cec93944815b9aafd6ae5f83d46c76616e6dd63a2ef8e5c3ca0b04

SHA512
9c01ced0b34812ace9987d94068110f78c087431623fd5a85aaf72da5f6e73ab1e4a3beb55ed5c660a0c1bf914fa98db0237083bf121458f659da0013db3c635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ab82.TMP

Filesize
370B

MD5
417f6556e820051eea28a8f927174eb5

SHA1
cabfc9c9bbece89d049459de8ae27b0ed6a21d75

SHA256
3e3f65d4030c2c015859e3f441adc50f4ceb4733ce4370f13d4866bf6e76e4ed

SHA512
8db3f38eddde2d2714310aada0b69f5bca4eab87363cd86d284758705a21eeaec12014971210018e305eadeebc54cbc938e44fca7d30638e203447ccd87e3b76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6240ed69d2b2a2208fcabde9af4ac711

SHA1
7a4d0c8e0d6c665698e19e8bd088a26036d7b743

SHA256
5917cb6b6c3bf12e9217368deb7356684ad9de68f7ed9b34477dc539cb66d20e

SHA512
b335bc6e76d307f270eaacfbeb9339b55014122305d221458c5b55c60dd4d3aef1e032fb3364c6fbc3624921725bc20eae262979663902011b4850cce37d9f3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4b6826b5971678e5ad7f19e2d0eb1d54

SHA1
ffa59c01505e2fc40ed6274e2d4d71f95ea1cc4d

SHA256
6ddc002fc324c419d4ef256f067d54eafe91573970ea385b8adaeac919b13ab4

SHA512
d3d12709a6876068a86ceee6558c873e85ecb9fd24c1035b2f9592d5f41a6f792474666b51281f01354b3bdf6d9d9da02532eeb0db341e9e9b40e9deac4af9f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b2b00d32c5ce3c6d0fff81c487ad3a09

SHA1
b61f79fc750723fac1433ac249698a8539b879a6

SHA256
1b9b7c992e767c62c0a5d6d54b46bfe45c2a347850d138a92e14ec6ea23b4046

SHA512
e668ac4abe73e8ce2f7ab12afa104824e7cab9cedfb72b8d6f6dd8526094dc8347e524ccbafa2dfb2c1c0da13cf0bcaa18134313b6bba04afc17c1cf76be83a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8476ede713526439d74f8d3688255781

SHA1
194bb29a52f8f168f1dd1f9838b70c63ef7ab278

SHA256
a64b013975e3fdf1d5bb4454fe4e6d68d9b8566134fb43c643b1d76e6a5d08c1

SHA512
47e6f115c4109b5dc42fa49769f1eb885a1b19ab0bf5ee2cf7caad89e9f4b4775b548f9928319297fa9cbf2ce4f61dd359bce213c94ada5b60484f5f0007000d

Download Submit
C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_rlcfuditezizgbmskmstccdixoxy2jyu\0.5.8.0\user.config

Filesize
319B

MD5
f71f55112253acc1ef2ecd0a61935970

SHA1
faa9d50656e386e460278d31b1d9247fdd947bb7

SHA256
d1ad588a08c8c0799d7a14509f1e0a7ae04c519102ed9d328a83fe65999e6179

SHA512
761b5c13e39bd4ae21d298084bbe747ae71c383fedf9a51fd5e9723a8b3b4547de459d82bac7f3f8f3bfc11cfb0528a4f1057b51996d7d046583109a53317b44

Download Submit
C:\Users\Admin\AppData\Local\Server\AsyncRAT.exe_Url_rlcfuditezizgbmskmstccdixoxy2jyu\0.5.8.0\vsbju14r.newcfg

Filesize
439B

MD5
8521aa3937baad8a2a7b5cc5235ff8aa

SHA1
7eb5786b9963c386a8f0e9666c4ad54378401fc6

SHA256
8f64e2ad952c408bc8e12dcc0b0bf16d8778fd6aaa779ee2639ea42e94efdd67

SHA512
bd607e8d3b63e41afa351b9e41b61436f037f306b2be41397cff8b260747a5ba199e6deaefcb39f9f42c88256fcb51f624549756e66e0de34de32bf9d93fccf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES7686.tmp

Filesize
1KB

MD5
5cf217724e4e944f302ef9e65f0e24d6

SHA1
7228b1171695921002906841f51c2e5d57ac066c

SHA256
4a6537350e84a43c1a905da0354e586aab5085d5281f390796029ba5e432b376

SHA512
e9920f077a92371108758adbed643ab2746baca02923360c77b66d43713dc50c857c892b478611fe19e2fdaa9d600f3b1eea11faff07d57245f1732307774631

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE8BD.tmp

Filesize
1KB

MD5
2415881af10498f0324050e5878faadc

SHA1
c2361a5172bad2f95d8e7150eb6eb84d8bc1cea5

SHA256
2849f52c9456bf2cc6e27ba6d3526b54ab753f2d286bf5e4c8176d50651476bf

SHA512
1c9d1ff6a312a2e9a7a3d325e3a411d5c52bd248ee87406da5db643ff5fa1604af75c1c77e4f14b30868158ad99d77eae8b0df5ad75ea0956c038c690387f0a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF2B0.tmp

Filesize
1KB

MD5
0efca167c3745abff4e846800f4e9073

SHA1
4fc530221c7b37db8e8efa17041be74119b9815b

SHA256
e2f523b0d956a22baec06737ddd953fbd9d6a2a8cadced2d111049b65deb9ee6

SHA512
d1d0c65651afe6043d75e81cd186f8b0ff5a15f680e977f350c4d692ffbf8f7312a725c443415b1435982a84438b6e342a71a1ea9b18eba3b8d175bd219b2c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\med1cljm\med1cljm.exe

Filesize
3KB

MD5
eaf20b8412bc3425b5d9f022b6137623

SHA1
f2fd543c42fef910e884db3c61014a5117088214

SHA256
042ba4870d3936d001fc99ce7c6992222c501595837ab2879fb957b800fea906

SHA512
c79f694a9f39e95b8786a65507064fd83197cc3a9b29af5cc80c111b2eb27f406766ead0bd9ed6f93f16882f749a1330bf5578af3e654a76408fce5a1bff1b08

Download Submit
C:\Users\Admin\AppData\Local\Temp\ukkz5ntx\ukkz5ntx.exe

Filesize
3KB

MD5
190f608e127fa135e62e01be5c033ffe

SHA1
ee0d9d7fa62a4e7456682b2e6a58b2f4c7d7cb5e

SHA256
9931643196351945f295ccbc3ef9d99e970b78df264731e5c60f1a72feea665c

SHA512
14f33a9367ed06a36ef8d79060c0673bb242e99a195e5105af78b8678e3dae77651f27e88ea0d67dc64d06c0492050d0f89e6a37ee9f5dd0f4544258475a4c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\wd0nizqq\wd0nizqq.exe

Filesize
3KB

MD5
73e34a990e5e7fac43b4da320f2ac895

SHA1
690cdb3e170ef12eec98ce26bdd749f5ee70c2b7

SHA256
cc2fd5ac73988eb97ed0e868abc12609ac4e5dc1b631aac56bbf3f0bf1b90e93

SHA512
3142b611a0f5c5ccb016bf04399a7c33475d25b52d974cb29fd543aade95b6adc1790586178a95d3ce17671863d921d511ef9eedb3dc1257920002668913ac5c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
dce01c2b97c935c833cf169acd257dff

SHA1
7c2e155b423fdff6b667c89027bc304f72bcef16

SHA256
39070d3765ccfb5598e648b71caca2733e5d5e88a15cffc5491198ad3007ca3e

SHA512
fa35adafe0014d9c0ca67959a9e5658c419747d397f27b4607efcdcf456dd9017a01c3a9ef978c51a0f1e11fa6028a12fb1fa037490d7c6393fa2b10aa204764

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
60808b80daa07157556cfcf78c80e882

SHA1
085a3bd46b5875579f1056a4e78cdb3d69844b08

SHA256
a236d9f564f2629b31c5912326946cf586becbf223bf2029e97c38e09a6dc278

SHA512
cfdd7200aa13f1a6ee6ab438f39e08a9867b3029279143b33855ee7a315f440bd25846e6dbeb4be13d4eaed2aa34d57ce584d0a0cefb980c68ca80905f15ba1e

Download Submit
C:\Users\Admin\Desktop\AsyncClient.exe

Filesize
45KB

MD5
c59de766aaaec119d7a820d6f8635e22

SHA1
d609a1d9673fd403af63ff7de1db8ca163c6a3f1

SHA256
afd91bc1c689fd2d16fec96a0f7254fc4e546cb8ddce860cbb87c57546a36b39

SHA512
c41f3c65c4081c00d8a49bbd2439ca50bf8c916e96de78b7f1f63e690bc0f2b3e3794a9c3b27ef0218f5cb0e149d66ad2a99070592706959f8c09ca0722be992

Download Submit
C:\Users\Admin\Downloads\COMPILED\AsyncRAT\ServerCertificate.p12

Filesize
4KB

MD5
cf058a88cf6bf024b591cf4d1f359177

SHA1
cb51803cee0307fce18f58bad307dd932e70e42d

SHA256
e2ab65e3083159c817fc04af1dd65b5f56d2642d0cdfcb65d0657781027c81b6

SHA512
1fa3e6db8d7a77fa4a3e94e7d0c2fc32b1f059c141f895ff99ccc028f688cb61b1bd33cbb18b85020db649a639a42d40e3ca1dd10bc950694f95e0e1b5566c3f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 702072.crdownload

Filesize
6.9MB

MD5
30b1961a9b56972841a3806e716531d7

SHA1
63c6880d936a60fefc43a51715036c93265a4ae5

SHA256
0b29711ec115c27f4cd6963b9ea1e4febf15624f1c17d1c018611ee3df8c333c

SHA512
9449065743226bd15699e710b2bab2a5bb44866f2d9a8bd1b3529b7c53d68e5ecba935e36406d1b69e1fb050f50e3321ef91bc61faac9790f6209fec6f930ed0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\med1cljm\CSCBA33D1F744E34FFD99209F6DE9B91E46.TMP

Filesize
1KB

MD5
32389dc1d8910958160eda70d74a6911

SHA1
7480031e6e8708737c70d362b658169818a07ab8

SHA256
3b7293dc6c12e5d138881e192200f177fda78a6bc107967955525e184503e902

SHA512
c8f396efb66b41bc188c43411b55012943806702cd788fe6f05c6caca7b5ff82f191d4f49699fbd0c93ed728f77d075a90a5caef7d833714c7076355b97d9154

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\med1cljm\med1cljm.cmdline

Filesize
334B

MD5
b2b4d65dde1e3e45dea15758e7d34331

SHA1
eacd1058b6046b8bff12fae346fe8de0d700f112

SHA256
9080d62cfd8a8e6c3d71e1898104350c8f8b1ca320a0ad4fc807891586d45192

SHA512
cfe57596d536f650c41cf7bf4d96e4f4f09b1214f5387c0cb4a1ce36e0d5a4e585e4138226d720498c9e45a28726d0202f6ce54b78bfc59fa9a713dfd6745ed3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ukkz5ntx\CSC73D9371FED314636BD9680D25E95A98.TMP

Filesize
1KB

MD5
cd28460a7ee417c7995e0fbc8bf97e46

SHA1
15585725fd36f754fd4fc4b0310ea7ec5d8f6d4a

SHA256
9bd9ab0146bbbdfcb51dcb725fd26184a1c7f76c1c4b54b798100eef90db259d

SHA512
cd0be5860ea07bf6772720cc868845103e10da5e1773def8047a50f61414f45a9d04d13100eeaa37d80356fd4a0821da193858d54bd30dca09b5d4d529c7ae4b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ukkz5ntx\ukkz5ntx.0.cs

Filesize
300B

MD5
a85fa53c112b4e364fa6b963a545325d

SHA1
27543fe26aa3344a677f03d5d892a543f3a7a7a0

SHA256
9048696e1de76c06e31a701b2b5f9a32361c34fb63ab1cca8574330d8152c121

SHA512
7aa25cff8c813440b7dfe1146cbe7a1213bedda48ddb819ae506616c8d97a8377dcd7fbad4b67dfd1bf5f130ba622beb7b2a546ccd18288705806b483fa4282c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ukkz5ntx\ukkz5ntx.cmdline

Filesize
334B

MD5
89735312683c26a62d0f00738ba578b3

SHA1
3128168359de1cae9888f6faf435e12841dbf22c

SHA256
a8fb8b6434940cb0aeb6dd8ee9946690faf2809d9c3d411a9f618d12d21f276e

SHA512
384b9ecda1db856c498a8cb61a80cf14ca559b189ab32099b748af06de57e3fd77b7ae053e22bb668c016686675662fb8d0c0dbd1ca2acd9b0874ebe88c68d21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wd0nizqq\CSCAC74BBD3B9D4B71A9E4423D76CEDEC9.TMP

Filesize
1KB

MD5
b1af3a08b2cd3b23d7bb96b7ac7023e4

SHA1
1102e5b1192cb4e68c0a88454bff85ed5409008b

SHA256
31d5afe4e0ac84a300924ec9e3d6671db73fd2477822cbe22a56e076edb1b83c

SHA512
8f142fcd39fb594f78f7e777f9a05d95a5ae5586ec37b9ee67e5f0dde8a22ff6e8d293a785bccc4007058132e63844e208b29a6194126911fd3008b1b783252b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wd0nizqq\wd0nizqq.0.cs

Filesize
310B

MD5
473de806dea4154fbb994f43c7db7abb

SHA1
a2ee6277000e8ce0f81d2cb81ee9bacae9966464

SHA256
88ead148a3a163c5cc4627451a6df3d91ca36d79239d0a0fc907713128c65282

SHA512
d70d5b8cdbe88246687d553bb6b2a7fb1e7f055f10c405d6d468bd36ab9df1981b7cc38f542b818c45f08a91efb2dceeb3614a7318620286e7743fc125652016

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wd0nizqq\wd0nizqq.cmdline

Filesize
334B

MD5
1697ff750dc54d170da914129e46bd2d

SHA1
7e1a6e69ae514c63426da0fe265499b747cc3ac9

SHA256
e323ad9bd4a4dc8d1d45e1793654f720ac902db6510b3c6cf4c337f259a7d9c2

SHA512
75eb51bbf885037e06ed82785e2fb3fe1a9ee99b6c8b7384cb420d7f064321246fa754d938d0850b6dd4fdffd90042219efd202bc857b3cee10927d0286ca29a

Download Submit
memory/2032-1605-0x000001DC32270000-0x000001DC32282000-memory.dmp

Filesize
72KB

Download
memory/2032-1590-0x000001DC17200000-0x000001DC1786A000-memory.dmp

Filesize
6.4MB

Download
memory/2032-1750-0x000001DC37950000-0x000001DC379A8000-memory.dmp

Filesize
352KB

Download
memory/2032-1636-0x000001DC32C80000-0x000001DC32DA6000-memory.dmp

Filesize
1.1MB

Download
memory/2032-1592-0x000001DC31E30000-0x000001DC32082000-memory.dmp

Filesize
2.3MB

Download
memory/2032-1602-0x000001DC35F50000-0x000001DC35F5A000-memory.dmp

Filesize
40KB

Download
memory/2032-1606-0x000001DC35FB0000-0x000001DC36230000-memory.dmp

Filesize
2.5MB

Download
memory/2032-1763-0x000001DC32B10000-0x000001DC32B18000-memory.dmp

Filesize
32KB

Download
memory/6028-1711-0x0000000007990000-0x0000000007A22000-memory.dmp

Filesize
584KB

Download
memory/6028-1675-0x0000000000130000-0x0000000000142000-memory.dmp

Filesize
72KB

Download
memory/6028-1731-0x0000000006A10000-0x0000000006A74000-memory.dmp

Filesize
400KB

Download
memory/6028-1710-0x00000000066E0000-0x0000000006772000-memory.dmp

Filesize
584KB

Download
memory/6028-1777-0x0000000006E10000-0x0000000006E18000-memory.dmp

Filesize
32KB

Download
memory/6028-1709-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/6028-1708-0x00000000061C0000-0x0000000006228000-memory.dmp

Filesize
416KB

Download
memory/6028-1707-0x0000000006240000-0x00000000062B6000-memory.dmp

Filesize
472KB

Download
memory/6028-1704-0x00000000054D0000-0x0000000005A76000-memory.dmp

Filesize
5.6MB

Download
memory/6028-1705-0x0000000004F90000-0x0000000004FF6000-memory.dmp

Filesize
408KB

Download
memory/6028-1791-0x00000000006F0000-0x00000000006F8000-memory.dmp

Filesize
32KB

Download
memory/6028-1703-0x0000000004E80000-0x0000000004F1C000-memory.dmp

Filesize
624KB

Download