asyncrat | hxxps://mega[.]nz/file/cHtgXRDK#MzCSaqS2U8z4AYQvlj_heJ7V2xhzvzGTeCrfDCWQgO8

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 13:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/cHtgXRDK#MzCSaqS2U8z4AYQvlj_heJ7V2xhzvzGTeCrfDCWQgO8

Score

10^/10

asyncrat stealerium stormkitty zgrat default rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:3232

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Detect ZGRat V1 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5276-242-0x00000000006F0000-0x0000000003D8E000-memory.dmp	family_zgrat_v1

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Plugins\eMTYbTz0gueNs4.dll	family_stormkitty

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Infected.exe	family_asyncrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/5276-242-0x00000000006F0000-0x0000000003D8E000-memory.dmp	net_reactor

Executes dropped EXE 2 IoCs

Processes:

Anarchy Panel.exeInfected.exe

pid process

5276 Anarchy Panel.exe
5748 Infected.exe
Loads dropped DLL 1 IoCs

Processes:

Anarchy Panel.exe

pid process

5276 Anarchy Panel.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
5276	Anarchy Panel.exe
5748	Infected.exe

pid	process
5276	Anarchy Panel.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 41 IoCs

Processes:

Anarchy Panel.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Downloads"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0 = 50003100000000009a58096c100041646d696e003c0009000400efbe9a586964ae58716e2e0000007ae101000000010000000000000000000000000000004eb16500410064006d0069006e00000014000000	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0 = 8400310000000000ae588d6e1100444f574e4c4f7e3100006c0009000400efbe9a586964ae588e6e2e00000082e10100000001000000000000000000420000000000582e5b0044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0 = 78003100000000009a5869641100557365727300640009000400efbe874f7748ae58716e2e000000c70500000000010000000000000000003a00000000005357ee0055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\NodeSlot = "3"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0\MRUListEx = ffffffff	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 19002f433a5c000000000000000000000000000000000000000000	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	Anarchy Panel.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeAnarchy Panel.exemsedge.exeInfected.exe

pid	process
3272	msedge.exe
3272	msedge.exe
1560	msedge.exe
1560	msedge.exe
468	identity_helper.exe
468	identity_helper.exe
5560	msedge.exe
5560	msedge.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
4532	msedge.exe
5748	Infected.exe
5748	Infected.exe
5748	Infected.exe
5748	Infected.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Anarchy Panel.exe

pid process

5276 Anarchy Panel.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1560 msedge.exe
1560 msedge.exe
1560 msedge.exe
1560 msedge.exe
1560 msedge.exe
1560 msedge.exe
1560 msedge.exe

pid	process
5276	Anarchy Panel.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AUDIODG.EXE7zG.exeAnarchy Panel.exeInfected.exe

description	pid	process
Token: 33	4252	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4252	AUDIODG.EXE
Token: SeRestorePrivilege	5780	7zG.exe
Token: 35	5780	7zG.exe
Token: SeSecurityPrivilege	5780	7zG.exe
Token: SeSecurityPrivilege	5780	7zG.exe
Token: SeDebugPrivilege	5276	Anarchy Panel.exe
Token: SeDebugPrivilege	5748	Infected.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

msedge.exe7zG.exeAnarchy Panel.exe

pid	process
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
5780	7zG.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

msedge.exeAnarchy Panel.exe

pid	process
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
1560	msedge.exe
5276	Anarchy Panel.exe
5276	Anarchy Panel.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Anarchy Panel.exe

pid process

5276 Anarchy Panel.exe

pid	process
5276	Anarchy Panel.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1560 wrote to memory of 1020	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 1020	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 548	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 3272	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 3272	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe
PID 1560 wrote to memory of 4900	1560	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/file/cHtgXRDK#MzCSaqS2U8z4AYQvlj_heJ7V2xhzvzGTeCrfDCWQgO8
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6d7e46f8,0x7ffd6d7e4708,0x7ffd6d7e4718
2⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15419634364438189125,9478144231012042373,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
2⤵
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,15419634364438189125,9478144231012042373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,15419634364438189125,9478144231012042373,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
2⤵
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15419634364438189125,9478144231012042373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
2⤵
PID:1852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15419634364438189125,9478144231012042373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
2⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,15419634364438189125,9478144231012042373,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4784 /prefetch:8
2⤵
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,15419634364438189125,9478144231012042373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
2⤵
PID:4036

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,15419634364438189125,9478144231012042373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15419634364438189125,9478144231012042373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
2⤵
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15419634364438189125,9478144231012042373,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
2⤵
PID:2668

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15419634364438189125,9478144231012042373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
2⤵
PID:5288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15419634364438189125,9478144231012042373,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
2⤵
PID:5296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,15419634364438189125,9478144231012042373,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5824 /prefetch:8
2⤵
PID:5540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15419634364438189125,9478144231012042373,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
2⤵
PID:5548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,15419634364438189125,9478144231012042373,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15419634364438189125,9478144231012042373,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2780

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x50c 0x508
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5508

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap22992:94:7zEvent16532
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5780

C:\Users\Admin\Downloads\Anarchy Panel.exe
"C:\Users\Admin\Downloads\Anarchy Panel.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:5276

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2200

C:\Users\Admin\Downloads\Infected.exe
"C:\Users\Admin\Downloads\Infected.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5748

C:\Windows\SYSTEM32\cmd.exe
"cmd"
2⤵
PID:5440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
8cd9bb3c6bd2692615d3efc54f74ed0e

SHA1
21b6d03a410f9a1c532837e20c8199b0bd6b2222

SHA256
6d7d597d6d7ecefbbd2dfc9d7f18809ae29cef70a883e1f1b8e06562ec299594

SHA512
4f9d503b3d2b0eb108d713bae4b34c0b91fd231187843405cf300f1a13466eb81ba0a9730715358536ee77876f07226d2f9cef96f396b13742ceb6135bd2891f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f07509dfca26ce5cccb2269059097dd8

SHA1
4eeccd93cc2182e8d8711ab5e11bb66b93a0e37b

SHA256
33fbff51292ee5fae30195ee4025325a315c37a98417f9b4305350e40e66f9c7

SHA512
4b5ee18c4da8488873e4e8050206aae0e5b1926428aeae9c72adb3398a9d80fa5aedf853c4af626b41535fd46c80eddec9e254ab018695299f2f1059bb7a163b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5123235071a62d20a74ebc2524432a7b

SHA1
414cef7d01c127fd852aa952b0fe688ff211fb69

SHA256
0417a18aa3f03f2fd8d36909825a36b67ad53baf3cacbfd88471d12e9e6d43d2

SHA512
46a30eee3fe0753ee0e535c0f014f92eeda7311a74054aacc9ffa2f12091d374104e8cf668c6cc3e68959c841f6ecaf00f8ba38e282caffd054b993f00cf4d5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f371f5c070bd35eb0cfe7cc6a75bee68

SHA1
1124f6a98de51304bf322d78c7c1e064342d082f

SHA256
e9be4e97aee74d3cf7326acf98a4ace41759a34a8dd81184d2837a3c6e6e7d74

SHA512
62c422dc34ee5584d3b33f0186a819e4ec202ac79f1d978a35269b32e5bf5e747ea6a27a5b282232d648a46ae30e59ee280bd69600c0434b6fda4239b0712c6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
6aadf37ea020ab818d379e6a2834b758

SHA1
0caf015ba3e9339c6274a69253566cecef472bb4

SHA256
117fb049933dada1e0c120dcb4aef625ac3ec9252672181b7beb8549e9d459b8

SHA512
8df9cfda3906fd455aee8e2e0face99aaa4d264dbf42f84b20a04193aabdea985e9ec414b63e675a7b0cc6bf3376b201e92ae86999284a71918ddd7080054d75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57cc29.TMP
Filesize
48B

MD5
85674e426b9f3fe3892e08a6a6811900

SHA1
6a1c0e20321ad13e94f8f1eb9c9120823cde126b

SHA256
d3dcd6a8dd4bbbc3268bb5616ba64beec26ebf6426fa9019abd7283cf95c2808

SHA512
898b904e604c0c42301e192b8974a105b649747dcb5ccef32cdc45adae5c6638dcdef34d2f71cac2fdff3d9069e121737c3c216382f396e30056b501f777cdfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
224f900cb7d1787d10e4d06443aaead0

SHA1
96193af14fdcb3425fc06f84180ba616ac742241

SHA256
5d10354e6aaf9037ce3d9039f8b5cfc237646f6eceee0e9167f729138d4e78bf

SHA512
81ca21484d92fc00e2fc26ae414a487c4f0579b3bc9dd1233723c13ebad51cad372f3330ddf9147ff0456874f2eabee1b90d265ebc73bf879ef4a77bfbc1e456

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll
Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_yec0oguhrfk1brwuomjru23k2fiovwkq\4.7.0.0\user.config
Filesize
1KB

MD5
4b01719ab493b81d429c574dbaca15ef

SHA1
719ef1e4e6616a3d8afce09de7f89ddcf186a3a3

SHA256
33ce546b728989bc9ff5dd4c487a87723e5eb7b3953b7cb56e747747411b6c54

SHA512
4d5293d8b58c793bbbe6dedc061cb4fd3e7302771ee91789240ecf80f2f79d08dffc36d148f755107a3d12de6037ab18c57cb42494de80a40d90b64bb04ef234

Download Submit
C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_yec0oguhrfk1brwuomjru23k2fiovwkq\4.7.0.0\user.config
Filesize
1KB

MD5
712a8adc7e3796c3e89b18065bb8d64d

SHA1
d59cc27c6483285ad6fd1424922abf2ab4f636a5

SHA256
78f5fa573c3eb135abf7224bbd2da0eab9e691810524405bf664c2e7baa3fee2

SHA512
3f1b09e3e56c0ff92afbadb7be9c5019c4c586bec55ccb971e1443489f58bb603875c5ca4b5c4a95e3bbb2e5d025f6257ba87f3961104e6d366725b258379b29

Download Submit
C:\Users\Admin\Downloads\Anarchy Panel.exe.config
Filesize
3KB

MD5
3d441f780367944d267e359e4786facd

SHA1
d3a4ba9ffc555bbc66207dfdaf3b2d569371f7b5

SHA256
49648bbe8ec16d572b125fff1f0e7faa19e1e8c315fd2a1055d6206860a960c9

SHA512
5f17ec093cdce3dbe2cb62fec264b3285aabe7352c1d65ec069ffbc8a17a9b684850fe38c1ffd8b0932199c820881d255c8d1e6000cbbe85587c98e88c9acb90

Download Submit
C:\Users\Admin\Downloads\Infected.exe
Filesize
63KB

MD5
f2176a097c7e63137541ca169962b08b

SHA1
610bd36cb8f10801bcb8c2a86744374a2244400d

SHA256
8db845d3f067ef262d97346d0d114b329acf135714ed1004fc846522b1b021e3

SHA512
86bdf80f578f09d4762db2430062f75aecb269ab53c86958371a22b150dbe95b1fbe1c2bd9b2b010172d0c3bfaaa4a84e1e6f70bb74866f7c629d51da37a51ac

Download Submit
C:\Users\Admin\Downloads\Plugins\0guo3zbo66fqoG.dll
Filesize
78KB

MD5
e4ebcf76ff80ef398d3ab77d577f4c08

SHA1
cb9e6b30a63d50ae87610f6855b64abfb25691d2

SHA256
9661b1abc9a3e95e591c49c3838a64a066a2ff3c6de08d8aa7b541c4a75cd8e5

SHA512
8f37cedd987dd14181fdfa861b8a95271868dac21aa9df80bd6daa831ae20f4b4965c8be3e36f32aa220bd37ded11a7568ae237c9c9641bb4fc087f6fe104b01

Download Submit
C:\Users\Admin\Downloads\Plugins\59Zp7paEHDF7luJ.dll
Filesize
4.0MB

MD5
15e3d44d37439f3ac8574ac1c9789ec2

SHA1
bb3ef30e9f4496198f412738579966210ade36e0

SHA256
5db4c26057a05bb75ff7892fb60fd76620fc2228811d913d152a0aa4ec9db7a5

SHA512
ff358c9896792017ff7e91f1dedffd9d75a099c5b852da19599799aeca20b6b269267ff7c12c918a2530fe1a79a12bc8796c4eb3914c97faba3eba27388abde1

Download Submit
C:\Users\Admin\Downloads\Plugins\CjETR6GpGXqM.dll
Filesize
395KB

MD5
b0fc0ba80f8ec9586ff397412c512d9f

SHA1
0f6051b71b715a47be1fa16683201413905629a3

SHA256
13db80a0211ba9bf59a1e43bdb2fffa91de5c7f38bd469c4824b5e06245a0234

SHA512
222a365ae567c6c773ca2b99b82795916839cc5c9ba8eb019bf6713108720c2793303ef6612b64488f4584602cec84c0b48a02fe709db0250bf377d07e002d7d

Download Submit
C:\Users\Admin\Downloads\Plugins\EVa7gBMKoaHmLC.dll
Filesize
170KB

MD5
64a3d908b8a5feff2bccfc67f3a67dbd

SHA1
a17d7e5fa57c99a067cac459cb507b625dac254e

SHA256
6ea1ae7ab496666c0117fc20e704bfb6104b13cfb0408073a09689f863fa64b1

SHA512
66374d720230799bea6ac6cfe3faadc37fd775a49d40c04facae1caf1ec658956bbda54ba75287d7128b19b97971bd933a64469da8e0884225c5a8d8b9423ccc

Download Submit
C:\Users\Admin\Downloads\Plugins\FBSyChwp.dll
Filesize
170KB

MD5
0d41ccfaa8e7ef96248b8270d1a44d08

SHA1
6ee22bdb91d3a18e0b45b6590eb69bc9a0b02326

SHA256
0ea38d0d964815e2b84748a78bd5a829ae01586478e5f17b976f1ae763c8dec3

SHA512
a0f236f6dbeb1763fb1c198616de65b907a3a5edf7ed9435c2ad0b5826d84e9d2f25e96aba4e8b681ef495612cf0e04e929427a92d332164ace89e797bcb0e0e

Download Submit
C:\Users\Admin\Downloads\Plugins\G3nl0mDcABnDuZ.dll
Filesize
177KB

MD5
97b8bec4c47286e333cc2bedacf7338e

SHA1
764bbd0307924b71ca89538b42996208d10c9b91

SHA256
060d467cbeb0a58696287c052f3dd9b3597331b1c812e3e2882d6c232f8511de

SHA512
a40970622a594533349e75fc2022314ba21f05fc82709d6eaba82f4a2bc343c960029ad2825cfc034ce82622722127d149993bff88982f02d6dd6b5b1fb60fbf

Download Submit
C:\Users\Admin\Downloads\Plugins\KNTmoSnG.dll
Filesize
670KB

MD5
738c096a9bc38e21a9aa59ebc356c80d

SHA1
139756ad201a537461a6bb8524a4b89a63b1b1b9

SHA256
300a5551f7be89c5f03c0b70fa7dafb7f84c6394dac68bee95169e985e7786f0

SHA512
294c34f0716861fa67ba571bf7a8614613a1746e9f2935ba0c86eb1897dff858ea1f7fb44f1b6ec87cc709f4933a912dcd3eadd5d0b208c72985aa47e1f214f2

Download Submit
C:\Users\Admin\Downloads\Plugins\PK0TcnqTGFagQTS.dll
Filesize
174KB

MD5
fa90a2aee0d172000257c4faca31237c

SHA1
b317281b4acaaf1d7b7255c5e92887322abae892

SHA256
991fc53fa1aa7b5cd0b6e19dab536873d68e4413fd55b533601a3a2582d38a49

SHA512
b05c0b52e011089258ad31dd23a1f8a0cc8145b202e42e2a9d4fdf892c12d4a7b5843cc7721041295ab796e8bc98747b9e321c4e54bfd1a7c9a02dd2796fc405

Download Submit
C:\Users\Admin\Downloads\Plugins\RssCnLKcGRxj.dll
Filesize
181KB

MD5
f6808c4fbbe0275db03b2cc5b4c2bc0d

SHA1
e40b61c64c68f72fc5144f5057d54229babdecf8

SHA256
e204d15f0e7269d364157aaab265a5dfbe7e76c9f6202bf90998f0edd77ca248

SHA512
f077c49f6943d0e40799b3b42d1e11f50dabca48305c36ef2acd3258c990e0e0f982fbb0c27b1243aa15d2ed7b398b70f07dddc9ba76ff032ba74a24c8e08fb4

Download Submit
C:\Users\Admin\Downloads\Plugins\eMTYbTz0gueNs4.dll
Filesize
1.1MB

MD5
5dfbcfbbf9e2ae7db23e252808699ffb

SHA1
a1d429292fe73aeb5abab10304e1ae8c1262b26d

SHA256
929e5f15e9ceca03c80b2d174283cb25bf47adfe4693f5c01f622416c9f6d03c

SHA512
9ee63080781577e0d818a27d026024f96161bb7b132dc0c130fabbe2d6c3b7758868fff5a4ad68efeb4d08f964e2f69417022751880a443f7f920aa4f40f5c09

Download Submit
C:\Users\Admin\Downloads\Plugins\fzAgyDYa.dll
Filesize
79KB

MD5
a5770798b7a6465f5b5a8c19d7d707ee

SHA1
ca67e9591d2f757cbbfacb55f27aec6485b10ee6

SHA256
f855353a618af8a53504b5188c05d3a09fb1ff85763e0cd15c53dee82d7c6119

SHA512
64da7687e83c6ff4d1c1cdc644ffff53333f745e82f169beb529d55ec5be6f21658d27c6e01744147c00f834978260e86ea627a5f2981f27305afb69a7b467dc

Download Submit
C:\Users\Admin\Downloads\Plugins\mGWHaG2Jn.dll
Filesize
81KB

MD5
8f98206f577160f950d456d1190c8d32

SHA1
defced38fce00775c4616b420fa674d77f946eff

SHA256
2bde0293c982fb6266c683ecaa2c90372d26d9a2786726874a2cfb89dcc68324

SHA512
432c2b6759701754616273633c966332e718dbb10a9a7eab0d7c57ffdc9be95b5e1b16b6e291301ac7aa6d1de48a46d30f08729e45d6634b1849f41c78e92d91

Download Submit
C:\Users\Admin\Downloads\Plugins\mML6WKMqdxjDGA.dll
Filesize
173KB

MD5
e03b206eec8a7efbd1a47909071226e5

SHA1
21163989ea524920e874bc7932adfcd5e94f854e

SHA256
778877431354a9584325dadb663be077f757227eaae8bcad33e4bf26efd6b965

SHA512
831ed74419f1b4c3250fbff20be16ed7058a851d7168a17e8a4dcf284a19412feee42a8c198af34b37571de33a80c48ac855f5d018ea9e2cfdcd846b832155ff

Download Submit
C:\Users\Admin\Downloads\Plugins\oYsKwDG.dll
Filesize
4.8MB

MD5
a718955297276f2349b7644447736e08

SHA1
377388d115b77aff357dcaf92b6aeb6286b1460d

SHA256
54ec206c8fe8ff27b3fb02ef892b8e6bc4b6abfff2fe08f5f57175c64f1d3220

SHA512
a3c2ded0cdc4e62adac92a569d6cd4db0c3647e663700f019a9de27e738eb2672e5cccec19af15633a3cd25a882452ff5ce39c17f67dc3ed6653b9e0ad063641

Download Submit
C:\Users\Admin\Downloads\Plugins\rNXXgmX25s.dll
Filesize
1.5MB

MD5
050f07b46987eaf152aab521c0112fc4

SHA1
2d2c0943ce9c10ba09b0d5cca54c2a88a1e61e95

SHA256
b93374fdfd9af786ff20597ae0e242b81373984ba5718194f9e57feb231c52cf

SHA512
a27c370e40ec126b6b9f3ab7d603378c2b629ec752aa8fc57a10e3ef58c0b701a5d1b4903a17ba180c4e73e76b54304f0868c474eb60e671562d0deed83a18c8

Download Submit
C:\Users\Admin\Downloads\Usrs.p12
Filesize
1KB

MD5
df57bf616cfdc524b3091e2831745993

SHA1
e7bac2e9e172f46b7a3117a7ccfa1a9432d2d978

SHA256
1e9f607cfda104a3fd8788828a2ae326c56fd0846c6371ed4996f29003d8f5e2

SHA512
27a371b1b32598d20443a5e25e6b3ea81480cadf94c889db030203cdc02a88ab158352e6090f2f2507e845af6ee362fce783429c96ae8bac1e4ab7ebbf1216ca

Download Submit
\??\pipe\LOCAL\crashpad_1560_AQTIGGGMXHNMPUPE
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5276-265-0x0000000023B50000-0x0000000023B62000-memory.dmp

Filesize
72KB

Download
memory/5276-272-0x000000001FA40000-0x000000001FA4A000-memory.dmp

Filesize
40KB

Download
memory/5276-261-0x0000000023900000-0x0000000023A4E000-memory.dmp

Filesize
1.3MB

Download
memory/5276-262-0x0000000023BA0000-0x0000000023BB4000-memory.dmp

Filesize
80KB

Download
memory/5276-266-0x0000000024A90000-0x0000000024D08000-memory.dmp

Filesize
2.5MB

Download
memory/5276-259-0x000000001F4F0000-0x000000001F8B0000-memory.dmp

Filesize
3.8MB

Download
memory/5276-249-0x000000001EF00000-0x000000001F4E8000-memory.dmp

Filesize
5.9MB

Download
memory/5276-304-0x0000000027440000-0x000000002755E000-memory.dmp

Filesize
1.1MB

Download
memory/5276-248-0x0000000005E40000-0x0000000005E52000-memory.dmp

Filesize
72KB

Download
memory/5276-242-0x00000000006F0000-0x0000000003D8E000-memory.dmp

Filesize
54.6MB

Download
memory/5276-260-0x00000000232B0000-0x0000000023502000-memory.dmp

Filesize
2.3MB

Download
memory/5748-338-0x0000000000550000-0x0000000000566000-memory.dmp

Filesize
88KB

Download
memory/5748-355-0x000000001B240000-0x000000001B2B6000-memory.dmp

Filesize
472KB

Download
memory/5748-356-0x00000000027E0000-0x0000000002814000-memory.dmp

Filesize
208KB

Download
memory/5748-357-0x00000000027B0000-0x00000000027CE000-memory.dmp

Filesize
120KB

Download
memory/5748-362-0x0000000002840000-0x000000000285A000-memory.dmp

Filesize
104KB

Download