asyncrat | hxxps://dosya[.]co/yb4em9qkj6dm/AsyncClient[.]exe[.]html

Analysis

max time kernel
69s
max time network
80s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
16/01/2025, 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dosya.co/yb4em9qkj6dm/AsyncClient.exe.html

Score

10^/10

asyncrat default defense_evasion discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

l0cphgzgx.localto.net:1604

l0cphgzgx.localto.net:7404

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
StepClient.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001a00000002ab82-71.dat	family_asyncrat

Executes dropped EXE 7 IoCs

pid	Process
3652	AsyncClient.exe
672	AsyncClient.exe
1432	AsyncClient.exe
2200	AsyncClient.exe
1420	AsyncClient.exe
4600	AsyncClient.exe
3768	AsyncClient.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\AsyncClient.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AsyncClient.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 664222.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\AsyncClient.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2928	msedge.exe
2928	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
4460	msedge.exe
4460	msedge.exe
4668	identity_helper.exe
4668	identity_helper.exe
1088	msedge.exe
1088	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3652	AsyncClient.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe
3068	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2640	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 564	3068	msedge.exe	79
PID 3068 wrote to memory of 564	3068	msedge.exe	79
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2140	3068	msedge.exe	80
PID 3068 wrote to memory of 2928	3068	msedge.exe	81
PID 3068 wrote to memory of 2928	3068	msedge.exe	81
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82
PID 3068 wrote to memory of 2816	3068	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://dosya.co/yb4em9qkj6dm/AsyncClient.exe.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc976d3cb8,0x7ffc976d3cc8,0x7ffc976d3cd8
  2⤵
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,15481175488431728252,11870140213732354219,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,15481175488431728252,11870140213732354219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,15481175488431728252,11870140213732354219,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15481175488431728252,11870140213732354219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15481175488431728252,11870140213732354219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15481175488431728252,11870140213732354219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1936,15481175488431728252,11870140213732354219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1936,15481175488431728252,11870140213732354219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15481175488431728252,11870140213732354219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1936,15481175488431728252,11870140213732354219,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15481175488431728252,11870140213732354219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15481175488431728252,11870140213732354219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15481175488431728252,11870140213732354219,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,15481175488431728252,11870140213732354219,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1936,15481175488431728252,11870140213732354219,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Users\Admin\Downloads\AsyncClient.exe
  "C:\Users\Admin\Downloads\AsyncClient.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3652
- C:\Users\Admin\Downloads\AsyncClient.exe
  "C:\Users\Admin\Downloads\AsyncClient.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3820

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2640

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1948

C:\Users\Admin\Downloads\AsyncClient.exe
"C:\Users\Admin\Downloads\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1432

C:\Users\Admin\Downloads\AsyncClient.exe
"C:\Users\Admin\Downloads\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2200

C:\Users\Admin\Downloads\AsyncClient.exe
"C:\Users\Admin\Downloads\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1420

C:\Users\Admin\Downloads\AsyncClient.exe
"C:\Users\Admin\Downloads\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4600

C:\Users\Admin\Downloads\AsyncClient.exe
"C:\Users\Admin\Downloads\AsyncClient.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AsyncClient.exe.log

Filesize
425B

MD5
bb27934be8860266d478c13f2d65f45e

SHA1
a69a0e171864dcac9ade1b04fc0313e6b4024ccb

SHA256
85ad0d9909461517acf2e24ff116ca350e9b7000b4eefb23aa3647423c9745b4

SHA512
87dd77feac509a25b30c76c119752cc25020cca9c53276c2082aef2a8c75670ef67e1e70024a63d44ae442b64f4bc464aee6691e80c525376bb7421929cfa3bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
bd70b3d57f11239deb9f1d4880062693

SHA1
64bc7d8521c839025bf760e6000f4f7ab06a0080

SHA256
9a06f67d2f50af5de005bd08035e9e16e1c2883c0ceb8bb364cb00457127a239

SHA512
e4c8f6e5e753821453d045a8d3bfb24aa3a051784bb95f8a4f31fc525d3b5e63fcee79ecad821920ca55ac2de48d94e7a291156c2f21bbdb9e775a2ae2b43f2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d07f3ce5077d623b31263c8f8c9b79cd

SHA1
a1c9cf2d7e9cdf0f1a344cc0625df8cbe265d853

SHA256
aa9a9fea1f8022c3bdfbbbac00272d67c8727a306bb21be4561ef831a41842d7

SHA512
e1e536a01e8c759959d8c33f1a629475e550a1b9a73b95f1205bdab542e46591598293451f43780d7a3fc4bf1d1d6eafa9787e9dc11973c307039aa89ea9e4bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c7cdd58b4e997c45f976c07d4a15d9e1

SHA1
ecdbcdd70e75883c3c4fcab9ac14be6b1819ab91

SHA256
bd23c56886d2161508de447e580fc0996e9977100bd22c3279dc129ca1793762

SHA512
a61fb7cb117c7a6c89ac115ee91820d69ce98944e2346a83a727b811a5d3de52cafa9467c7f3fcae777990eef99efd134705f46a358bbb97a33f0880091f06d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0a9e18e129162f6b57d2428d3ba1d679

SHA1
c3b34ee82f052f1a290ff6b3e9934171981816f6

SHA256
c41439bd03b0c31245a0e0ce7013c99aebcd46191e1d856309dce65a0f0ac39d

SHA512
564011a1c74841a38a1d8e200143ea602de23c99aa99da4e62f09cd3129b63e1df0f26efa27a5c73272a459131ff05e56e11bee3f512b10ad34474df8a93411c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d1cef865974e2ec94c93f3bc2b07ee42

SHA1
e9e625d3c2678b5a530e01f04316fc8e7924017b

SHA256
ebde68c71161e0e83d359ea4eab1758bb7deb317a9e2a0a5659569968fcc321b

SHA512
9c0657c4b4d91b59ee3e7993b2d33dad9addc43ad225e97181c9e5ea0da9a550b56d1c81ad8346bb1f132e683454f95ef6adf2ede66d0b3d2421ad4278d2be35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7125f9fd94e27ebf3536100c7007fbe9

SHA1
a67c7c4c9bfa0c01c4be34f529d3d76a1134fb19

SHA256
2165eb5f76c501b0b5770bd98a1006cdb29f61d27740f9f55e2b799bb3c45483

SHA512
eece425d509c1eaf35fe8621f43c55b8c1b5f21484645e37515f2bf719b1fa98cd969a5f374a73a330876d6603bc6aafcae6e2e6e40a98356fdfca6eae5bf2d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7484cb1377f2ea5e1ad62e0d7771a00f

SHA1
1e009ffe4da38aa5ed176ba2b9514067329e6ca6

SHA256
5ef624f8abfee0cab1fe2cd7665cdf7247e3ea66169426d4aef8099c1474bc06

SHA512
8d47ebed998e2ab4e60040f28dced134e20a1d08a89dac582767c1dafead7ec96b8df51e3fd45e108e3aa4141d1206d820d7f6e3939b1170f95345c2326a46c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
f7634b33eb3a1b33fe70a2d3016a4aa6

SHA1
2961320c457fac9a2849423a00fe8982353687e0

SHA256
e69be3546cea365d96842e9ea79b142df5d61ec399f194e6cb464a32f2478137

SHA512
10599214e8c09fbdd9a540fcfed8aa1ecc4ddeba56c967d5b4d5132bf1752506ef9214450f3b09847902705278607454446f9d349eca7b6072f8184a1b088c9f

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1e7dd00b69af4d51fb747a9f42c6cffa

SHA1
496cdb3187d75b73c0cd72c69cd8d42d3b97bca2

SHA256
bc7aec43a9afb0d07ef7e3b84b5d23a907b6baff367ecd4235a15432748f1771

SHA512
d5227d3df5513d7d0d7fb196eef014e54094c5ed8c5d31207b319e12480433f1424d49df759a7a2aefc6a69cef6bf2a0cc45d05660e618dc2ec9a2b082b7b5f7

Download Submit
C:\Users\Admin\Downloads\AsyncClient.exe:Zone.Identifier

Filesize
168B

MD5
9893a7b85b19fe4694d7577d22aaf080

SHA1
a80b4b1e56146f67962dc524c5b6172b7de8fbef

SHA256
4e475b8c9fb15392dc2b3c3e57e18cfb7a870b9232199f1541d87b0f9a3dc9ef

SHA512
d8123b8f1e2129d7fa4f70721f4f64350ccbc57522c0ee3cbe97cd04d0cc2b97667976d8a996511277a9680b5f04da83bfc915c052f7fe40468089f0ef0d9709

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 664222.crdownload

Filesize
45KB

MD5
1f8661b5717c10d581b1747655a03cfc

SHA1
23382132f4f6aae7ad5a6a8f8f2f8bb5dfba14ca

SHA256
2a746bfe6cc7409d820b7efd69997d280c094c53a26a863c9a2a9b3dadc64ea5

SHA512
a3af2cfe5a27919e988459be9113cda8e57d19b9e428ec0db7f70504a930c7f6dd34e888c0b1469e7522e77ada2c8bb38449f5ba1283f2227a70df037c9aaed7

Download Submit
memory/3652-111-0x0000000000130000-0x0000000000142000-memory.dmp

Filesize
72KB

Download
memory/3652-137-0x0000000005070000-0x00000000050D6000-memory.dmp

Filesize
408KB

Download
memory/3652-136-0x00000000055B0000-0x0000000005B56000-memory.dmp

Filesize
5.6MB

Download
memory/3652-135-0x0000000004F60000-0x0000000004FFC000-memory.dmp

Filesize
624KB

Download