asyncrat | hxxps://workupload[.]com/file/9recfD6V5SM

Analysis

max time kernel
81s
max time network
63s
platform
windows10-2004_x64
resource
win10v2004-20240730-en
resource tags

arch:x64arch:x86image:win10v2004-20240730-enlocale:en-usos:windows10-2004-x64system
submitted
01-08-2024 06:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://workupload.com/file/9recfD6V5SM

Score

10^/10

asyncrat discovery rat

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/2776-213-0x0000000000E40000-0x00000000044DE000-memory.dmp	net_reactor

Executes dropped EXE 4 IoCs

pid	Process
2776	Anarchy Panel.exe
3956	Anarchy Panel.exe
1536	Anarchy Panel.exe
1744	Anarchy Panel.exe

Loads dropped DLL 4 IoCs

pid	Process
2776	Anarchy Panel.exe
3956	Anarchy Panel.exe
1536	Anarchy Panel.exe
1744	Anarchy Panel.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-807826884-2440573969-3755798217-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
436	msedge.exe
436	msedge.exe
3840	msedge.exe
3840	msedge.exe
3852	identity_helper.exe
3852	identity_helper.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
432	msedge.exe
432	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3616	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4668	taskmgr.exe
Token: SeSystemProfilePrivilege	4668	taskmgr.exe
Token: SeCreateGlobalPrivilege	4668	taskmgr.exe
Token: 33	4668	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4668	taskmgr.exe
Token: SeRestorePrivilege	3616	7zFM.exe
Token: 35	3616	7zFM.exe
Token: SeSecurityPrivilege	3616	7zFM.exe
Token: SeDebugPrivilege	2776	Anarchy Panel.exe
Token: SeDebugPrivilege	3956	Anarchy Panel.exe
Token: SeDebugPrivilege	1536	Anarchy Panel.exe
Token: SeDebugPrivilege	1744	Anarchy Panel.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
3840	msedge.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe
4668	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 2068	3840	msedge.exe	85
PID 3840 wrote to memory of 2068	3840	msedge.exe	85
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 1276	3840	msedge.exe	86
PID 3840 wrote to memory of 436	3840	msedge.exe	87
PID 3840 wrote to memory of 436	3840	msedge.exe	87
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88
PID 3840 wrote to memory of 1032	3840	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://workupload.com/file/9recfD6V5SM
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9786c46f8,0x7ff9786c4708,0x7ff9786c4718
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,8414968189901297915,5323233449661560931,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,8414968189901297915,5323233449661560931,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,8414968189901297915,5323233449661560931,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8414968189901297915,5323233449661560931,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8414968189901297915,5323233449661560931,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8414968189901297915,5323233449661560931,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,8414968189901297915,5323233449661560931,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,8414968189901297915,5323233449661560931,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8414968189901297915,5323233449661560931,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4748 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8414968189901297915,5323233449661560931,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8414968189901297915,5323233449661560931,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8414968189901297915,5323233449661560931,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1728 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8414968189901297915,5323233449661560931,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,8414968189901297915,5323233449661560931,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,8414968189901297915,5323233449661560931,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1824 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1476

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4668

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1056

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Anarchy Panel 4.7.7.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3616

C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe
"C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2776

C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe
"C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe
"C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1536

C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe
"C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea9ef805116c4ab90b5800c7cd94ab71

SHA1
eb9c7b8922c8ef79eef1009ab7f530bb57fbbbea

SHA256
bff3e3629de76b8b8dd001c3d8fb986e841c392dfe1982081751b92f5bd567b0

SHA512
8c907d2616ce16cfe08ddeb632f93402e765c5d9430a46e90ab5ea32d4df0a854c6007b19f9b0168254ab7aadf720fed8c68d1a055704db09c1b36c201a9b3b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
347755403306a2694773b0c232d3ab2c

SHA1
94d908aa90533fcaef3f1eb5aa93fee183d5f6ac

SHA256
d43f2dd4ac5b6ba779100eb8b84bc92fc8700bedcd339a801c5260b1bb3ce3bf

SHA512
98f1fb18bc34dfc224132dfa2a2e6a131b280b25fcb516fac3bb66da2a47c7a7061124881de6fa5f65602663dc0ea71357b171a3346bb1514176943438322253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
41b2c9b4f5ab8dcb374809bab74685e4

SHA1
6105c59a3789c069cd2bcb54cae613b798950e28

SHA256
2991969b1a7daf11057cec62c0412055d7e9229dae75a969e4f8e27c4a7b21e3

SHA512
ee24397555cd01f4a84824b2699b98c4ff7998540af6b59bd46d07f2fc9822552b7df44ec7ecc37566a04fac7e055744e69484089992b4994f39e37a28fc5b8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5ca7e90e5b73d88592adefd959348540

SHA1
ecea3002fad04ac6acbde8effa2179a7ff74e53a

SHA256
116d516507648500087fa2ebbc95977cee0b79c0414fccb98d10016ae386ca49

SHA512
2e7492be831def966d6ff002f9da90d3e3d382e877192647cf6b1151f3c2b57c0c59329c29bc57bd3d2038cf39994f438b65279de2aeff40dbc32893fa141ac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e33fd4b532a0afd90b647810d95a315d

SHA1
83c24d562711df070ba10c1340e12d7b55fadd91

SHA256
6de13d5a387c353926d4f37836b3272f1d4f4e0becc6b3fdeb06d00701f29f09

SHA512
1d98c4c3cfaf7733a98278c69cc8e941a1610bcfd9cb25991cc5dcd5b3976edab97f5d0fd198dfdf34813295ddaeeb588a1b2397d173364997835212bb680c19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2862a20394ba963927bab75fe084c239

SHA1
be13e123aed885598bac441c58a599cd5fdc2530

SHA256
1755e2ae86769fad34ea5b22970a57aedc8b041985afb56b2d6c0381612e5b26

SHA512
897ce650fa566400099621d2fcca227b6663ceac8a3a3dd29e48cba56d1b24850466480d13f45a308ed9d5b5ad82fe6280c6fe9eb70116630db99ae7bb99eb82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a7218c68aa0f837ea9c0b3098848d0f5

SHA1
c2d07104f83b874958884745a2b1e49ae7c0db1d

SHA256
8cf1761e25bfbe7c9a3d02d19e643b4f1e809393970e90b912f3d9ab7e73d6c9

SHA512
5c2a5384a29c3a87764e1798447fcf1e8bd01d48e835d431d0d36343e473efdd852a1407705eca21294338f66759b0f888b992425ff63fe0d8ca0656899ff02e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fd490da792ef665c4aee3a513cb5712a

SHA1
d9baf44e9111b7b855b67a0a020af7fa6906d0c1

SHA256
fe28632a62faa6435e285ddb29de76e2b9b55c4a537b6ee635520b481c819e6d

SHA512
1186afc253539c8bea50a49907c3cc78299a88f5de930552c9c3ccfcddc177fc9f8dfed27c757a9a4e4f1536aad90e203dbbe2f2274ee4237b6573c6319433ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe.config

Filesize
3KB

MD5
3d441f780367944d267e359e4786facd

SHA1
d3a4ba9ffc555bbc66207dfdaf3b2d569371f7b5

SHA256
49648bbe8ec16d572b125fff1f0e7faa19e1e8c315fd2a1055d6206860a960c9

SHA512
5f17ec093cdce3dbe2cb62fec264b3285aabe7352c1d65ec069ffbc8a17a9b684850fe38c1ffd8b0932199c820881d255c8d1e6000cbbe85587c98e88c9acb90

Download Submit
C:\Windows\System32\jxpv8r.exe

Filesize
7.2MB

MD5
f6d8913637f1d5d2dc846de70ce02dc5

SHA1
5fc9c6ab334db1f875fbc59a03f5506c478c6c3e

SHA256
4e72ca1baee2c7c0f50a42614d101159a9c653a8d6f7498f7bf9d7026c24c187

SHA512
21217a0a0eca58fc6058101aa69cf30d5dbe419c21fa7a160f44d8ebbcf5f4011203542c8f400a9bb8ee3826706417f2939c402f605817df597b7ff812b43036

Download Submit
memory/2776-222-0x000000001FBA0000-0x000000001FF60000-memory.dmp

Filesize
3.8MB

Download
memory/2776-221-0x000000001F5B0000-0x000000001FB98000-memory.dmp

Filesize
5.9MB

Download
memory/2776-220-0x0000000004D10000-0x0000000004D22000-memory.dmp

Filesize
72KB

Download
memory/2776-213-0x0000000000E40000-0x00000000044DE000-memory.dmp

Filesize
54.6MB

Download
memory/4668-84-0x000001EC13F50000-0x000001EC13F51000-memory.dmp

Filesize
4KB

Download
memory/4668-87-0x000001EC13F50000-0x000001EC13F51000-memory.dmp

Filesize
4KB

Download
memory/4668-88-0x000001EC13F50000-0x000001EC13F51000-memory.dmp

Filesize
4KB

Download
memory/4668-89-0x000001EC13F50000-0x000001EC13F51000-memory.dmp

Filesize
4KB

Download
memory/4668-90-0x000001EC13F50000-0x000001EC13F51000-memory.dmp

Filesize
4KB

Download
memory/4668-86-0x000001EC13F50000-0x000001EC13F51000-memory.dmp

Filesize
4KB

Download
memory/4668-85-0x000001EC13F50000-0x000001EC13F51000-memory.dmp

Filesize
4KB

Download
memory/4668-80-0x000001EC13F50000-0x000001EC13F51000-memory.dmp

Filesize
4KB

Download
memory/4668-79-0x000001EC13F50000-0x000001EC13F51000-memory.dmp

Filesize
4KB

Download
memory/4668-78-0x000001EC13F50000-0x000001EC13F51000-memory.dmp

Filesize
4KB

Download