asyncrat | efd21682d800d3dac89b182f18b25efbdb00291cfe4fcb3b05e7c338ec19968e

Analysis

max time kernel
58s
max time network
61s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
26/02/2025, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

grger/Anarchy Panel 4.7/Anarchy Panel.exe
Size

34.0MB
MD5

309d8906e1e32e2a0c1db6310da96d73
SHA1

e6141cbe0a7095260b41553281fc547191398cf4
SHA256

0e3f65457656e1c83c76cf2838bdf6aae294157a4cd7141fdea868b5724a75a2
SHA512

f207dc50cf5aa452b7fd802087b0569b82bef7ac3110e71186b2c4de2a7bd213e0269dc4b4ca1c0aecddd488d7508515716f731a471e79b31b80ef16b3c81e67
SSDEEP

12288:hQXqRba8sXrA1gqWVOmw0dKcaJzkVCp4Lkuc+tSV1pH16oG8HCdIfe+:hQXqsi1OOYdKcoA5kp+S/1JGvdIfl

Score

10^/10

asyncrat default discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

AWS | RxR

Botnet

Default

Nightmare15.strangled.net:6606

Nightmare15.strangled.net:7707

Nightmare15.strangled.net:8808

lastofdr51.mywire.org:6606

lastofdr51.mywire.org:7707

lastofdr51.mywire.org:8808

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
System.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Downloads MZ/PE file 2 IoCs

flow	pid	Process
48	3024	Anarchy Panel.exe
58	5016	GreenField.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/1080-98-0x0000000000A90000-0x000000000412E000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	Service.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation	GreenField.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Service.lnk	Service.exe

Executes dropped EXE 5 IoCs

pid	Process
4404	Service.exe
4840	zxc.exe
5016	GreenField.exe
4304	zxc.exe
2036	PhotoBox.exe

Loads dropped DLL 3 IoCs

pid	Process
4840	zxc.exe
4840	zxc.exe
1080	bb2.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyProgram = "C:\\Users\\Admin\\AppData\\Roaming\\MyAppDownloads\\GreenField.exe"	GreenField.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
47	raw.githubusercontent.com
48	raw.githubusercontent.com
51	pastebin.com
52	pastebin.com
53	pastebin.com
58	raw.githubusercontent.com

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4840 set thread context of 4304	4840	zxc.exe	100

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Anarchy Panel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Service.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GreenField.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zxc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PhotoBox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2832	msedge.exe
2832	msedge.exe
3436	msedge.exe
3436	msedge.exe
3024	Anarchy Panel.exe
3024	Anarchy Panel.exe
2108	identity_helper.exe
2108	identity_helper.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe
1080	bb2.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1080	bb2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	Anarchy Panel.exe
Token: SeDebugPrivilege	4404	Service.exe
Token: SeDebugPrivilege	5016	GreenField.exe
Token: SeDebugPrivilege	1080	bb2.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
1080	bb2.exe
3436	msedge.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
3436	msedge.exe
1080	bb2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 3436	3024	Anarchy Panel.exe	85
PID 3024 wrote to memory of 3436	3024	Anarchy Panel.exe	85
PID 3436 wrote to memory of 3120	3436	msedge.exe	86
PID 3436 wrote to memory of 3120	3436	msedge.exe	86
PID 3024 wrote to memory of 4404	3024	Anarchy Panel.exe	87
PID 3024 wrote to memory of 4404	3024	Anarchy Panel.exe	87
PID 3024 wrote to memory of 4404	3024	Anarchy Panel.exe	87
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2476	3436	msedge.exe	88
PID 3436 wrote to memory of 2832	3436	msedge.exe	89
PID 3436 wrote to memory of 2832	3436	msedge.exe	89
PID 3436 wrote to memory of 4892	3436	msedge.exe	90
PID 3436 wrote to memory of 4892	3436	msedge.exe	90
PID 3436 wrote to memory of 4892	3436	msedge.exe	90
PID 3436 wrote to memory of 4892	3436	msedge.exe	90
PID 3436 wrote to memory of 4892	3436	msedge.exe	90
PID 3436 wrote to memory of 4892	3436	msedge.exe	90
PID 3436 wrote to memory of 4892	3436	msedge.exe	90
PID 3436 wrote to memory of 4892	3436	msedge.exe	90
PID 3436 wrote to memory of 4892	3436	msedge.exe	90
PID 3436 wrote to memory of 4892	3436	msedge.exe	90
PID 3436 wrote to memory of 4892	3436	msedge.exe	90
PID 3436 wrote to memory of 4892	3436	msedge.exe	90
PID 3436 wrote to memory of 4892	3436	msedge.exe	90
PID 3436 wrote to memory of 4892	3436	msedge.exe	90
PID 3436 wrote to memory of 4892	3436	msedge.exe	90

C:\Users\Admin\AppData\Local\Temp\grger\Anarchy Panel 4.7\Anarchy Panel.exe
"C:\Users\Admin\AppData\Local\Temp\grger\Anarchy Panel 4.7\Anarchy Panel.exe"
1⤵
- Downloads MZ/PE file
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/Private_Hacking_Cracking_Tools
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9d7d046f8,0x7ff9d7d04708,0x7ff9d7d04718
    3⤵
    PID:3120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,4110080315206961409,11515318597042190687,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
    3⤵
    PID:2476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,4110080315206961409,11515318597042190687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,4110080315206961409,11515318597042190687,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2136 /prefetch:8
    3⤵
    PID:4892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4110080315206961409,11515318597042190687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4110080315206961409,11515318597042190687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:3432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4110080315206961409,11515318597042190687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
    3⤵
    PID:4728
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4110080315206961409,11515318597042190687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4180 /prefetch:8
    3⤵
    PID:448
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,4110080315206961409,11515318597042190687,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4180 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4110080315206961409,11515318597042190687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
    3⤵
    PID:4940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4110080315206961409,11515318597042190687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
    3⤵
    PID:488
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4110080315206961409,11515318597042190687,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
    3⤵
    PID:5236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,4110080315206961409,11515318597042190687,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
    3⤵
    PID:5244
- C:\Users\Admin\AppData\Roaming\Service.exe
  "C:\Users\Admin\AppData\Roaming\Service.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4404
- - C:\Users\Admin\AppData\Roaming\zxc.exe
    "C:\Users\Admin\AppData\Roaming\zxc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:4840
  - - C:\Users\Admin\AppData\Roaming\zxc.exe
      C:\Users\Admin\AppData\Roaming\zxc.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4304
- C:\Users\Admin\AppData\Roaming\MyAppDownloads\GreenField.exe
  "C:\Users\Admin\AppData\Roaming\MyAppDownloads\GreenField.exe"
  2⤵
  - Downloads MZ/PE file
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- - C:\Users\Admin\AppData\Local\PhotoBox.exe
    "C:\Users\Admin\AppData\Local\PhotoBox.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2036
- C:\Users\Admin\AppData\Local\Temp\grger\Anarchy Panel 4.7\bb2.exe
  "C:\Users\Admin\AppData\Local\Temp\grger\Anarchy Panel 4.7\bb2.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4496

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3628

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:3400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\zxc.exe.log

Filesize
321B

MD5
baf5d1398fdb79e947b60fe51e45397f

SHA1
49e7b8389f47b93509d621b8030b75e96bb577af

SHA256
10c8c7b5fa58f8c6b69f44e92a4e2af111b59fcf4f21a07e04b19e14876ccdf8

SHA512
b2c9ef5581d5eae7c17ae260fe9f52344ed737fa851cb44d1cea58a32359d0ac5d0ca3099c970209bd30a0d4af6e504101f21b7054cf5eca91c0831cf12fb413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
94bd9c36e88be77b106069e32ac8d934

SHA1
32bd157b84cde4eaf93360112d707056fc5b0b86

SHA256
8f49a43a08e2984636b172a777d5b3880e6e82ad25b427fef3f05b7b4f5c5b27

SHA512
7d4933fae6a279cc330fde4ae9425f66478c166684a30cec9c5c3f295289cf83cbdf604b8958f6db64b0a4b1566db102fbcbdcdb6eca008d86d9a9c8b252ff16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25f87986bcd72dd045d9b8618fb48592

SHA1
c2d9b4ec955b8840027ff6fd6c1f636578fef7b5

SHA256
d8b542281740c12609279f2549f85d3c94e6e49a3a2a4b9698c93cca2dce486c

SHA512
0c8a0d1a3b0d4b30773b8519a3d6e63d92973733da818ca9838599a9639e18df18ce31ebf56f46f6bbb7d89d10c726f4d73781e154d115a6068a3be7dd12b314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
5426103f6696da962d0e7a04e59a7c83

SHA1
ac3614a5da04e931d5894e7379031390a18b8b8d

SHA256
4f53999d9c78626923dedd19638152fe201cd6cee8e3dd9650b997e845f3a496

SHA512
81b1176a4e030f76c32be3bf489cfd36947527b0337d6b088e08a3e51e9fc5ff284066553a04acb2d66ad945c3123bebb2c3354790644fcbd492262468e9fc20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4a11b0b3e8277eb09a6d993385d3b264

SHA1
f02998b9aa1f5e904572aef72f9b68887b3550e5

SHA256
4978a576dbd273985269f7e32b4ab6f48e53938c68df0be33162e2302414341f

SHA512
83b9aa0841c92fde93e667d4e02a5694e4aaafbe0f51f9486802d93215b46ae301f422a0386ee5293ced923f3808952666bc72f3693709c35868fc0be2a3a3c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
973301efc1f7edbe8374ff3693b3f7c0

SHA1
bbf2dc35234b2e92e5e110dcc4d8532248ec356b

SHA256
47660efd41a4e7224e71effae67fcb873a4f0e694d09b725fdd4abb601c4aecb

SHA512
90a0d786ee96568a86f13144bf8b4cfc70da7ce9c375251323654e87295584bdcd673c04907161575228fd3bdffaac7bb9ed1e97e013e3fcd06953cba5b0e2e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ce2683e98cc62e7287d45f6cdc870d6a

SHA1
00de0a950266c66c08fdadc9c3d3f903d166cfae

SHA256
eb90d0d22131e75bc6f1afc46dd1dfaebb83dcd4846f21a1c012a4c59dedcf24

SHA512
e86031f4be46c10b9f0f02ea637be98cdce53aedf677d6e484cfd316ca7ac90a352ea51df81debad0b2130ff42a55e74907418321ad635bc9501a094f9c1bba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
949ede84053df859def338fab4694963

SHA1
6dd4f08cd8c2dd23812147be2efd030f3c2f6f77

SHA256
253a75e7323b484e0d30481addc737a9b29d06b0383d2bd12925bc155606205d

SHA512
f9212ff720c0e1efbb63271a93b61a423ab4c36403c5b83bd16ffb39f7483c0d51a6943b308795d5f96ebb618702c1f88f1f93b14150123343c3fc621ab8da1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2472e9e566b56086883df58301f1ca33

SHA1
2c4f98a7597bba289f3d0909f3432bbef807e6b1

SHA256
7a3ab94499a39b49354cfa1fb3ebe10e359f8b6c67b734910cc8c889e54dcca9

SHA512
8cc682d0388adb4553ecd18787cfda6f5949eb7d3c7da2e32c35c2535ee4e170ce57c936fc49192faab058f55c9dd5015f899f6e15167dd0084310713d35531c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a3115b7dc20cbf345fdd6746f6003be2

SHA1
df50ef2f6b8eaf2c587659c6684b021b7ff054f4

SHA256
6ad90d670645e2373119ea7cb735feb0d04d15767330d4cd762ba4c5be3a6694

SHA512
7c7599e035d97fc4a854a3458ddb0792f1780a6d73fa42d20b2a459f922e5d04bb4a50c27797e5e739826b8505d6aaf7954b7696ecba0aa19302e07660299f25

Download Submit
C:\Users\Admin\AppData\Local\PhotoBox.exe

Filesize
659KB

MD5
79d9abdf646c50d31dd5f3903ab0c824

SHA1
a62a3f5531a425f17d8112534ccf69882609e5b6

SHA256
fdf58ed8fdad03cd75410787e5c3c60881dda2614a6f62a2e50b1a4ed4258686

SHA512
23d3fdae5c7d1696b7880bed198001b8f6b457661004402936a68bfc28ec29df2b503dcf969f00846c8b980da9e48b4ed9bd82015a74d5e353e212af64e2bdec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
C:\Users\Admin\AppData\Roaming\ClassLibrary1.dll

Filesize
43KB

MD5
34e361dfc148b474fcff61b398939e38

SHA1
0113e1ede190c4d790f159bb0d860afec078162d

SHA256
981b6fc61a7d7a56fa7f9ff70fb4146ae4639ea027290260f04b5c631d47c277

SHA512
b6acf60b7b70883e64fbbe398461f371b37a16376d2ac797d006081de9bb51e889846d3a0fa4549fd63184ec257c54ad94b3a918127b7ce445afe7eef4f7d8a3

Download Submit
C:\Users\Admin\AppData\Roaming\MyAppDownloads\GreenField.exe

Filesize
11KB

MD5
b1c0d640f28c579d65bac58ba1a84bb4

SHA1
ceed59fd0b054f91a310f4233bc053a718e74475

SHA256
c797733bdb414dbfe5cae129b88fa74e801a1caff00ca4090851fe8b76de4279

SHA512
a3fbfdb15430c677934c550805f11c2b9478593bc5210ca3d23f965bbe83690bdf05dd02e99d70fd929c2b37498ef98855ffb627f6cbd526c688cc12fdc89057

Download Submit
C:\Users\Admin\AppData\Roaming\Service.exe

Filesize
141KB

MD5
af58a1dd81627fd89531266cd9c898a4

SHA1
3d2191c1d99133596cfb42878ce2c56a1eae8609

SHA256
ae3aea0612bf3708a1c3c0514d1a7c5e5ca6648d42fe56517e44494dc004cff2

SHA512
9de6a79be2057cfb0fd454c652d30bfb64e30a0e3f62860b1c46753a880b6090b062707660b98020a581e162df76be30d7b9683ec59ea2d0ce59e6913ae69188

Download Submit
C:\Users\Admin\AppData\Roaming\class.txt

Filesize
84KB

MD5
c05f730e38c3b040dd89cbf9dbf82e79

SHA1
77d2a2b36f4b13392c44ece04cee3883a760f482

SHA256
2623454b67ae5807002c568bb77a1b1a9796cfccfc1b4b000fa5038576038abc

SHA512
bc8eadccdd868bbcb7f25aef56958eace77a429015985effdda3be1ce990b62b0abe8e930d16e1d9913c90e4033cfee3e379de5778cf7437b0cac0c2e3085b1f

Download Submit
C:\Users\Admin\AppData\Roaming\zxc.exe

Filesize
5KB

MD5
81b8a4d2fec16df7d96f3ee708649acc

SHA1
ea74fb369b7c282c6ea32c9f25da64083ddce82e

SHA256
8cc3b2a35835da2b85c736d702a0275dff625ff7fa8be1a1d2391c184270ede8

SHA512
e6fa665de854831affe2b69e19eafb7538e3ff81924abe4cf9de48406f5c1ba8037880d44a03c842d7464a0cae25502d77a421db8d5e1c023ea0ec243b6be065

Download Submit
memory/1080-137-0x000000001F880000-0x000000001FC40000-memory.dmp

Filesize
3.8MB

Download
memory/1080-186-0x0000000023BC0000-0x0000000023BD4000-memory.dmp

Filesize
80KB

Download
memory/1080-185-0x0000000023920000-0x0000000023A6E000-memory.dmp

Filesize
1.3MB

Download
memory/1080-136-0x000000001F290000-0x000000001F878000-memory.dmp

Filesize
5.9MB

Download
memory/1080-135-0x0000000004A20000-0x0000000004A32000-memory.dmp

Filesize
72KB

Download
memory/1080-98-0x0000000000A90000-0x000000000412E000-memory.dmp

Filesize
54.6MB

Download
memory/1080-184-0x0000000021D00000-0x0000000021F52000-memory.dmp

Filesize
2.3MB

Download
memory/2036-112-0x0000000005350000-0x000000000535A000-memory.dmp

Filesize
40KB

Download
memory/2036-110-0x0000000000A00000-0x0000000000AAA000-memory.dmp

Filesize
680KB

Download
memory/2036-111-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/3024-96-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/3024-2-0x0000000002F40000-0x0000000002F70000-memory.dmp

Filesize
192KB

Download
memory/3024-1-0x0000000000CF0000-0x0000000000DAC000-memory.dmp

Filesize
752KB

Download
memory/3024-3-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/3024-4-0x0000000005D10000-0x00000000062B4000-memory.dmp

Filesize
5.6MB

Download
memory/3024-0-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

Filesize
4KB

Download
memory/4304-88-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download
memory/4404-22-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4404-144-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4404-21-0x0000000005510000-0x000000000552E000-memory.dmp

Filesize
120KB

Download
memory/4404-15-0x0000000074BB0000-0x0000000075360000-memory.dmp

Filesize
7.7MB

Download
memory/4404-13-0x0000000004E30000-0x0000000004EA6000-memory.dmp

Filesize
472KB

Download
memory/4404-9-0x00000000005A0000-0x00000000005CA000-memory.dmp

Filesize
168KB

Download
memory/4840-76-0x0000000002AD0000-0x0000000002ADA000-memory.dmp

Filesize
40KB

Download
memory/4840-49-0x0000000005150000-0x0000000005162000-memory.dmp

Filesize
72KB

Download
memory/4840-43-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/5016-67-0x0000000000D20000-0x0000000000D2A000-memory.dmp

Filesize
40KB

Download