96530315fa4e725f9f1cadf145b84119a53911944bcd4f92e2b577d30c5f98bb

Analysis

max time kernel
209s
max time network
217s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2023 07:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anarchy.exe.xml
Size

530B
MD5

c7a4606f8f222fc96e1e6b08c093794b
SHA1

2700b3727ab01d93e75e1e12f308dcaeb1d37dba
SHA256

32d656a69b19be98ae050512a4d0f49ebe21b6f7bb9c50130b7e952ea4f5239b
SHA512

7516375b47536a51ede8079d25760e0142ac93077326b6cc033fd6cb1676b65aec7edb3f702922506f2b6b18992cd219be01e7adbf70c6d13404adceb410472b

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 59 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000da57136504b1be4386a89708edbe2ab9000000000200000000001066000000010000200000002af89c06d4403150a43aba7d99279150214cad15f66595e1f511c5e69c5c047c000000000e800000000200002000000011e9930f7c5c74a32204fdf10db5e2a2ea2e58d8fc0ca1f413634c542769ba5e20000000258b800663bef48d5da4a3c367b9d6fcf01836eebeb3465fd389ca658e4796d6400000006ec554b1d29b884d280ed82bc3154b5763891c48c1f9c81cf9ec7399e67e45fceb477bc3e4e3c24e17b3560147fd21cadc611491618ed106b9cbd05e7e8364aa	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31014185"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1184566207"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{91A8ECE1-A91C-11ED-B696-72E07057041D} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000da57136504b1be4386a89708edbe2ab900000000020000000000106600000001000020000000440f0d295d0b3e4d83702861cabe4cf7e84203277b35e8b83331a1eddda19fa7000000000e8000000002000020000000afb8299f4f0d7959aaa97bef66e5003e522aec8cadad2835c913862859a2d5ec20000000a0a5b8a999828b99b24386a0742b71077a2c61db6c1d25661c50f8850138f18c40000000d7aa5e8e770493a60b841f8d4e7c3b14619aa4edb666c6daafac50cb19bb322ac55c4ba9968946ee593354a8c3000b1f4c6977252b99285c1af18e891cfb52d7	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b03ca946293dd901	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382782494"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7142ED0F-A91C-11ED-B696-72E07057041D} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31014185"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000da57136504b1be4386a89708edbe2ab90000000002000000000010660000000100002000000099b00c0f1eb61ddafbc394b183e96a5863a7ee72f99de8bff871dcf8039dd655000000000e8000000002000020000000dae27b2f868069b3597cdf4ab4ef7ff0c023ad8353bfec68baa73fc739f328732000000054ce9873ee45cf4c75a6a7037074564b1919e6dd686c764ddcc553bd5b299134400000002997dfc89fb49ad1b184d8759485e99c73ae08dece2b7d4571ab01ffc9305c7b1626533dff790b79c7b9d242b14f9b7ef86f67d66f04f67aa2ab81f9acb40fdc	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a05fbf63293dd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 804fbc46293dd901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1184566207"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	mspaint.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4036	mspaint.exe
4036	mspaint.exe
3452	msedge.exe
3452	msedge.exe
2040	msedge.exe
2040	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4276	iexplore.exe
1620	iexplore.exe
2040	msedge.exe
2040	msedge.exe
2040	msedge.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4276	iexplore.exe
4276	iexplore.exe
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE
1640	IEXPLORE.EXE
4036	mspaint.exe
1724	OpenWith.exe
1620	iexplore.exe
1620	iexplore.exe
2188	IEXPLORE.EXE
2188	IEXPLORE.EXE
2188	IEXPLORE.EXE
2188	IEXPLORE.EXE
2188	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 4276	2536	MSOXMLED.EXE	77
PID 2536 wrote to memory of 4276	2536	MSOXMLED.EXE	77
PID 4276 wrote to memory of 1640	4276	iexplore.exe	79
PID 4276 wrote to memory of 1640	4276	iexplore.exe	79
PID 4276 wrote to memory of 1640	4276	iexplore.exe	79
PID 1620 wrote to memory of 2188	1620	iexplore.exe	88
PID 1620 wrote to memory of 2188	1620	iexplore.exe	88
PID 1620 wrote to memory of 2188	1620	iexplore.exe	88
PID 2040 wrote to memory of 4220	2040	msedge.exe	98
PID 2040 wrote to memory of 4220	2040	msedge.exe	98
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 4036	2040	msedge.exe	102
PID 2040 wrote to memory of 3452	2040	msedge.exe	103
PID 2040 wrote to memory of 3452	2040	msedge.exe	103
PID 2040 wrote to memory of 3512	2040	msedge.exe	105
PID 2040 wrote to memory of 3512	2040	msedge.exe	105
PID 2040 wrote to memory of 3512	2040	msedge.exe	105
PID 2040 wrote to memory of 3512	2040	msedge.exe	105
PID 2040 wrote to memory of 3512	2040	msedge.exe	105
PID 2040 wrote to memory of 3512	2040	msedge.exe	105
PID 2040 wrote to memory of 3512	2040	msedge.exe	105
PID 2040 wrote to memory of 3512	2040	msedge.exe	105
PID 2040 wrote to memory of 3512	2040	msedge.exe	105
PID 2040 wrote to memory of 3512	2040	msedge.exe	105
PID 2040 wrote to memory of 3512	2040	msedge.exe	105
PID 2040 wrote to memory of 3512	2040	msedge.exe	105

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Anarchy.exe.xml"
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Anarchy.exe.xml
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4276
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4276 CREDAT:17410 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1640

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\SyncSelect.jfif" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4036

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3272

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1724

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1620 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\RemoveLock.mhtml
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffa04e446f8,0x7ffa04e44708,0x7ffa04e44718
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,2646903139268461929,5754860909364657707,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,2646903139268461929,5754860909364657707,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,2646903139268461929,5754860909364657707,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2646903139268461929,5754860909364657707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2646903139268461929,5754860909364657707,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2646903139268461929,5754860909364657707,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,2646903139268461929,5754860909364657707,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
1KB

MD5
b1c9a5e36db157c425cc6d9a8813a548

SHA1
6c68f998843724c68198afcd1d56bf1dc69b5d54

SHA256
c950a63d980f0d05eff25e4ca462586d1fb153d55f71d5343354037d61c9c2e7

SHA512
c2b569d0c504d58d3af8b3652db79d37112401f21b44f7abcdbde08cf13f367ff60443cc91910d636ba64f2aa7af6c313d318ebd6186dc1d7cb0e8a427560558

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442

Filesize
446B

MD5
e348305c0cf9d0c2817dae48600aec9e

SHA1
0d7ac1991dfb5c38e9ce828902e8e057a68fcc67

SHA256
6590d90bf062220d7df750d2cbea946c0adcf24f668cb065c9263ba3bee13dfe

SHA512
c2d4f75879740ebf6a64001a9152ae2ed67848dbf98cc1269a375b5b348415e0a19dcffaecfabf5a91009e46afa64ec730d65685a69ce1902f354ca9d377ee7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
434B

MD5
7e461a476519193ef79b5d6ef46b2058

SHA1
1c2f6378b5667738237bed31151a72914cac2424

SHA256
d78b430bc60c0ba4b5ed85d34f66a1b50b90df9870372ca53cde1d419bc8a068

SHA512
17ceb0c75e059984053c8acf180ded0befc5d7e3e634e7be2559846a98d8ecd5a112664928dcfc0fb7bd3bc6f4ed814765db646eead395befefcd4a9d4933890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{7142ED0F-A91C-11ED-B696-72E07057041D}.dat

Filesize
5KB

MD5
d0ab502054e9fc5e7a22ff51a70fcd83

SHA1
75547953ef46e682ab6a7eea1d8d7e02ab3b9004

SHA256
4f6b7af0ac5923ac001f38e620787efa2540254cc37143d6e250566923e8ff37

SHA512
454aedbd22c8eee9d043c7c2a65ba4c8dde3648ddd3f2086a5f1965c9979bf25cf09cd8a5b93e9a7c9a45f1b0b7e5f2e1a72d01cc7093d1024091b4f14441c1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{EDF16A44-1A73-11ED-B68F-5EFCFBDDCDC6}.dat

Filesize
5KB

MD5
acd4b6175a561f45d47744f818040ce3

SHA1
1c587d1da2cc29760444e7039ac1209b75c9eb77

SHA256
b33b24ee689393a5a00d26e7dcdb981fff6283bf2997dee298f031476fe58263

SHA512
e58b811287d4407310a02b42dc8e44976ff3152e972b95c07e26bb6fd4878083d5497356f2e0de997c8cd4a87d35c5a98f3efaf3769a042af381ed6337476e6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{891E9CEE-A91C-11ED-B696-72E07057041D}.dat

Filesize
4KB

MD5
97982d7cc526833945082177d24c16cb

SHA1
d59b0cf7a4f01291e116a530fcf45e5aec77cd4d

SHA256
41ac522268aea46d8e26abe181be9c25b20891e14659341e00036ce9248269c1

SHA512
c431a441b2641c5ef004f48d14512964d1aef6e52499e4767632b16ecea5c2d996cd3021be100297c224405e233b8e9f6d64c3c74f31f336e26fcb4f1b3cd8ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

Filesize
5KB

MD5
03bdbacc70c77853b7ba219d7327efa3

SHA1
9cd98cf3f99e5b876b4a416a00ebf29ace2a662b

SHA256
e715295ab8cd5d9f0f082c54b20782f1cbe9c46baf6ba4d1517426f270786385

SHA512
02de797703d01837df64dae17fc457a4774a15e130900f08c5e6324e3fb6ce15090cda42ed42c36c83b0197e8d20c8598297eeef85bae325a4b095df4a6617ff

Download Submit
memory/2536-139-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/2536-137-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/2536-133-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/2536-140-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/2536-132-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/2536-134-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/2536-135-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/2536-136-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/2536-138-0x00007FF9E3F10000-0x00007FF9E3F20000-memory.dmp

Filesize
64KB

Download
memory/3272-143-0x00000209E7A60000-0x00000209E7A70000-memory.dmp

Filesize
64KB

Download
memory/3272-142-0x00000209E7190000-0x00000209E71A0000-memory.dmp

Filesize
64KB

Download