Malware Analysis Report

2024-10-10 10:16

Sample ID 230518-3ey4eseb49
Target Anarchy RAT v4.4 Cracked.zip.tmox7ti.partial
SHA256 96530315fa4e725f9f1cadf145b84119a53911944bcd4f92e2b577d30c5f98bb
Tags
agilenet rat identifier asyncrat arrowrat evasion themida trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V6)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1, behavioral8, behavioral10, behavioral25, behavioral23, behavioral27, behavioral28, behavioral6, behavioral7, behavioral11, behavioral15, behavioral32, behavioral9, behavioral13, behavioral14, behavioral19, behavioral22, behavioral26, behavioral2, behavioral5, behavioral16, behavioral20, behavioral29, behavioral30, behavioral4, behavioral17, behavioral18, behavioral24, behavioral21, behavioral31, behavioral3, behavioral12 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
10/10

SHA256

96530315fa4e725f9f1cadf145b84119a53911944bcd4f92e2b577d30c5f98bb

Threat Level: Known bad

The file Anarchy RAT v4.4 Cracked.zip.tmox7ti.partial was found to be: Known bad.

Malicious Activity Summary

agilenet rat identifier asyncrat arrowrat evasion themida trojan

Contains code to disable Windows Defender

ArrowRat

Arrowrat family

Async RAT payload

Asyncrat family

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Obfuscated with Agile.Net obfuscator

Loads dropped DLL

Themida packer

Checks whether UAC is enabled

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-05-18 23:26

Signatures

Arrowrat family

arrowrat

Async RAT payload

rat
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Asyncrat family

asyncrat

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win7-20230220-en

Max time kernel

106s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Anarchy.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{40C3AE61-F5E4-11ED-AE95-CEF47884BE6D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0f0bc1ff189d901 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "391224596" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000dbb59ddc676e394a83d3f942d26f43ca00000000020000000000106600000001000020000000d99aabafae5ada034aa43f902485ea7eb077fdff8c1b60f5d8b6e0eb98fd2823000000000e80000000020000200000006f8fe27f0d31c167c37f2252a1c8809a449fff31d2302aa3b51fc5b87561d1812000000095e562d8518d0a8c24f8aec2a480ac5507df1f39e8be92ec216cf887e66987d140000000c3349cab49902dd22bc7d8fe448794d54cb6267fdfe62422a92c3727e60010d2f7548f10f7d4b841b008e8067ab4186b742cf6ca97eb2be0d4fbb76b88462b7d | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (data) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Anarchy.exe

"C:\Users\Admin\AppData\Local\Temp\Anarchy.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=Anarchy.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1724 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 b5fcc55cffd66f38d548e8b63206c5e6
SHA1 79db08ababfa33a4f644fa8fe337195b5aba44c7
SHA256 7730df1165195dd5bb6b40d6e519b4ce07aceb03601a77bca6535d31698d4ca1
SHA512 aaa17175e90dbca04f0fa753084731313e70119fef7d408b41ff4170116ab24eaee0bd05dca2cc43464b1ee920819e5ce6f6e750d97e3c4fc605f01e7ff9c649

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e59c1f8fcec1f42155cf4b6138b9e5c2
SHA1 ef9db5ca7cd54ae006732cd3d08bb456eaece6ff
SHA256 388fa99c9af69020b56a722c5f31752eb4707773b9af135657620678b150c5fa
SHA512 d602d8ebeeb0dfc11755d7f3ac55b68d50715fd47096fc475e29818b453a233e4498bdac43ea431ae032f57a094f81d0c5a91a3858a5b36bdb89d0aa736f8f20

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8ba12a37a3383332299204601ffb8a95
SHA1 0d04b8ee36bcd95af81e5d768465f24c619bddfb
SHA256 ceba3e630353812a20cc6538c56750e35e1c1ca25845d081ce8cd4f9110a07b1
SHA512 32c38d4e8b3ee67bb2c06263e3bfa53e2882d4905589b452637eccf2699c1a4fb32718da108b7f568a9e6a5b18e463b3524660bc18d0cf277a0d2af3608fec69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ae23cde246434b65ccdcb656b073389
SHA1 f38015e17c2a91b5eb49e94dc772e8998a7d0f28
SHA256 67199c14cb9d8098f39128988b5a960cd6295f9d34eaa7f72c350efa832cbff9
SHA512 94434bdeb3cdc9d0b10122fc4c9e8325149faeb5a7c346bbd6bf3074913e9420e1720c63b8e83b08981ba61089fc710895a6d5b8f866b37299c6ac3465de67f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a7edb82e04ff914f86a09599e61c240d
SHA1 f8daba981605831c33082443167c8949218b0aab
SHA256 ccf7a0f9d9dbb9ed0130acb87d90d18796cac139c25a36280dde64d22ed0e019
SHA512 c9d687a600c6b6029b8a5f7580e8d7288c3b12537bd973fb34a52ee1c753d7700920ab0823fada9f9d0d2441b662564c54e17d4934db74e05244476c0dc19f10

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8d76a47872b8974eca52b2a505348ad2
SHA1 2efd2d079a8150dc95fd7704b90afcdb9c05b6c1
SHA256 bcdba6abb5a3367210fef6138f3e0f35bdd9e69825a75f5d993065e7f5557509
SHA512 deda943642520ce03b5f3fd75c34266af1d81fad5a8b2d8a45f3271407dfdf0dc4aa58b44308f26a1c1375137fdc993ed61930bc352f283f19473b400077b988

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 610d7265093b9758263788990de5f0de
SHA1 5fc4ea116c3035679a9972f88126444e557325ff
SHA256 89bb85af11bcc5f44bca8d80fd8d25c16dd7b9d1a8007e2826347df3e725c5f3
SHA512 03ce6ad124be056a5109ed4d22d81f787b5811d0511d59a8e06e39f896a04e2ffc98ab830d1a39031763f61ddc54584ea96a7ae497499a523570715c68f9726d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f58e2534e33701ac590ec0f81706a8c
SHA1 d8ad7ac55220f03afea7f608fa584814eb89d761
SHA256 8f44b35d6ec6dc96bb5b0ff00aa3d3828afd25650c96f9d306835b01244e83a5
SHA512 b8420fc5ce869c91315111fd93fb980dc57bcc3b23dd8152bb3b146ab07f5511bae4df5fa4cd58fae61072003d4d2c9d69cdb6cd8561db571ce361312dcbfa37

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 614dea2feb52b28e19f62f3b9845bcdc
SHA1 78e55632ffc46c9aca5317823cf01fa7aa5530c1
SHA256 20c8e432038c6f1d361385f66f03dbb229799570cc574e6be2e8abd6edfed726
SHA512 5cee00d7754970f81a0f32aebdc05663c8746157d96b63d5fa69cfbcbe3704ca20dc57bee5e0e7142e0446db9a558ccf4459eb99b7e33c8a1f8ae77a9999fc48

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\5YDIR1WM.txt

MD5 d9182e9fa13ac65d49e4732ddadbc9ee
SHA1 9d0cf520c292e3582283ee07366b95dd7402572b
SHA256 04f9212087af618127438178ca4dd000f1f25d20becdfa0db9084e2eb0c8d36c
SHA512 f9f60dc32702738bbacfb81ec8d40f78fb14b807649b73ff6a9f66d2084422f74cf62a75bf6ada820baec3ce54d38d69b993ba9970de0dfeb9ede8ac3ffc5bf5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T210ZMR0\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral8

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\59Zp7paEHDF7luJ.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\59Zp7paEHDF7luJ.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 131.17.126.40.in-addr.arpa | udp
US | 20.189.173.4:443 | | tcp
US | 8.8.8.8:53 | 76.38.195.152.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 8.8.8.8:53 | 44.8.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win10v2004-20230220-en

Max time kernel

138s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Plugins\9Ood5SWkbwPn.exe"

Signatures

ArrowRat

rat arrowrat

Processes

C:\Users\Admin\AppData\Local\Temp\Plugins\9Ood5SWkbwPn.exe

"C:\Users\Admin\AppData\Local\Temp\Plugins\9Ood5SWkbwPn.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | 142.145.190.20.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 131.253.33.203:80 | | tcp
US | 8.8.8.8:53 | 132.17.126.40.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 141.145.190.20.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp

Files

memory/824-133-0x000001CF19DE0000-0x000001CF19E08000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win7-20230220-en

Max time kernel

27s

Max time network

32s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\RssCnLKcGRxj.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\RssCnLKcGRxj.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win7-20230220-en

Max time kernel

25s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Recovery.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Recovery.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win7-20230220-en

Max time kernel

26s

Max time network

31s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\WkUP83aP9CABpi.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\WkUP83aP9CABpi.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win10v2004-20230221-en

Max time kernel

134s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\WkUP83aP9CABpi.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\WkUP83aP9CABpi.dll,#1

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 40.125.122.176:443 | | tcp
US | 20.189.173.3:443 | | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 40.125.122.176:443 | | tcp
US | 40.125.122.176:443 | | tcp
US | 209.197.3.8:80 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 40.125.122.176:443 | | tcp
US | 40.125.122.176:443 | | tcp
US | 40.125.122.176:443 | | tcp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win10v2004-20230220-en

Max time kernel

74s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\0guo3zbo66fqoG.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\0guo3zbo66fqoG.dll,#1

Network

Country | Destination | Domain | Proto
US | 117.18.232.240:80 | | tcp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 52.152.110.14:443 | | tcp
IE | 13.69.239.74:443 | | tcp
US | 117.18.232.240:80 | | tcp
US | 117.18.232.240:80 | | tcp
US | 40.125.122.151:443 | | tcp
US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 131.253.33.203:80 | | tcp
US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win7-20230220-en

Max time kernel

29s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\59Zp7paEHDF7luJ.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\59Zp7paEHDF7luJ.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win7-20230220-en

Max time kernel

30s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\EVa7gBMKoaHmLC.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\EVa7gBMKoaHmLC.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win7-20230220-en

Max time kernel

26s

Max time network

32s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\G3nl0mDcABnDuZ.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\G3nl0mDcABnDuZ.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win10v2004-20230220-en

Max time kernel

156s

Max time network

177s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\mML6WKMqdxjDGA.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\mML6WKMqdxjDGA.dll,#1

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | | tcp
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 93.184.220.29:80 | | tcp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 117.18.237.29:80 | | tcp
US | 40.125.122.176:443 | | tcp
US | 20.42.73.26:443 | | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 40.125.122.176:443 | | tcp
NL | 173.223.113.164:443 | | tcp
NL | 20.123.141.233:443 | | tcp
US | 40.125.122.176:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 40.125.122.176:443 | | tcp
US | 40.125.122.176:443 | | tcp
US | 40.125.122.176:443 | | tcp
US | 8.8.8.8:53 | 73.254.224.20.in-addr.arpa | udp
US | 40.125.122.176:443 | | tcp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win7-20230220-en

Max time kernel

30s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Plugins\9Ood5SWkbwPn.exe"

Signatures

ArrowRat

rat arrowrat

Processes

C:\Users\Admin\AppData\Local\Temp\Plugins\9Ood5SWkbwPn.exe

"C:\Users\Admin\AppData\Local\Temp\Plugins\9Ood5SWkbwPn.exe"

Network

N/A

Files

memory/1520-54-0x0000000000A00000-0x0000000000A28000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win7-20230220-en

Max time kernel

26s

Max time network

30s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FBSyChwp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FBSyChwp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win10v2004-20230221-en

Max time kernel

135s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FBSyChwp.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FBSyChwp.dll,#1

Network

Country | Destination | Domain | Proto
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
US | 52.182.143.210:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp
US | 209.197.3.8:80 | | tcp
NL | 173.223.113.164:443 | | tcp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 52.242.101.226:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 204.79.197.203:80 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp
US | 52.242.101.226:443 | | tcp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win7-20230220-en

Max time kernel

30s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\KNTmoSnG.AnarHs.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\KNTmoSnG.AnarHs.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\PK0TcnqTGFagQTS.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\PK0TcnqTGFagQTS.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 84.150.43.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 40.125.122.176:443 | | tcp
US | 40.125.122.176:443 | | tcp
US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp
NL | 173.223.113.164:443 | | tcp
NL | 173.223.113.131:80 | | tcp
US | 131.253.33.203:80 | | tcp
US | 40.125.122.176:443 | | tcp
US | 40.125.122.176:443 | | tcp
NL | 8.238.20.126:80 | | tcp
US | 40.125.122.176:443 | | tcp
US | 40.125.122.176:443 | | tcp

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win10v2004-20230220-en

Max time kernel

86s

Max time network

90s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\RssCnLKcGRxj.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\RssCnLKcGRxj.dll,#1

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 20.189.173.12:443 | | tcp
US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp
US | 93.184.220.29:80 | | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win10v2004-20230220-en

Max time kernel

142s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Anarchy.exe"

Signatures

Contains code to disable Windows Defender

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Anarchy.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Anarchy.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Anarchy.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Anarchy.exe | N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Anarchy.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Anarchy.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\system32\WerFault.exe C:\Users\Admin\AppData\Local\Temp\Anarchy.exe
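The registry indicators above are the usual pre-flight checks of a packed .NET loader: the ACPI\DSDT\VBOX__ lookup only succeeds on a VirtualBox guest, the BIOS version strings fingerprint the machine, and EnableLUA tells the sample whether a UAC prompt would get in the way. The script below is an added example, not the sandbox's signature logic or the sample's code: it replays registry events in the form the report lists them and scores each process, weighting the hypervisor-specific ACPI lookup far above the BIOS and UAC reads, which legitimate installers and updaters perform as well. The events are constructed from the rows above plus a benign iexplore.exe control; the patterns, weights and the non-VirtualBox OEM identifiers are assumptions.

```python
"""Score a process's registry activity for anti-analysis checks.

Added example, not part of the sandbox report or the sample's code. The
events below are constructed from the indicator rows the report lists for
Anarchy.exe plus one benign control; the path patterns and weights are
assumptions, not the sandbox's signature definitions.
"""
import re

# (pattern on the registry path as the sandbox logs it, weight). The ACPI table
# lookup is the decisive signal: VBOX__ is the OEM identifier seen in the report,
# the other identifiers are an assumed list of hypervisor strings that anti-VM
# code commonly probes for. BIOS version and EnableLUA reads are weak on their
# own because legitimate software queries them too.
ANTI_ANALYSIS_PATTERNS = {
    "anti_vm_acpi": (
        re.compile(r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT)\\(?:VBOX__|VMWARE|QEMU|BOCHS)", re.I),
        4,
    ),
    "bios_fingerprint": (
        re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\(?:System|Video)BiosVersion$", re.I),
        1,
    ),
    "uac_check": (
        re.compile(r"\\Policies\\System\\EnableLUA$", re.I),
        1,
    ),
}

FLAG_THRESHOLD = 4  # the strong signal alone, or several weak ones, trips the verdict


def score_registry_events(events, threshold=FLAG_THRESHOLD):
    """events: iterable of (operation, registry_path, process) tuples in the
    order the sandbox reports them. Returns a dict keyed by process with the
    accumulated score, the matched categories and a flagged verdict; processes
    with no matches are kept at score 0 so the benign baseline stays visible."""
    results = {}
    for _operation, path, process in events:
        entry = results.setdefault(process, {"score": 0, "categories": set(), "flagged": False})
        for name, (pattern, weight) in ANTI_ANALYSIS_PATTERNS.items():
            if pattern.search(path):
                entry["score"] += weight
                entry["categories"].add(name)
    for entry in results.values():
        entry["flagged"] = entry["score"] >= threshold
    return results


ANARCHY = r"C:\Users\Admin\AppData\Local\Temp\Anarchy.exe"
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"

# Constructed from the signature rows in the report; the iexplore.exe row is a
# benign control with an invented SID.
SAMPLE_EVENTS = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", ANARCHY),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion", ANARCHY),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion", ANARCHY),
    ("Key value queried", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", ANARCHY),
    ("Set value (str)", r"\REGISTRY\USER\S-1-5-21-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen", IEXPLORE),
]

if __name__ == "__main__":
    for process, result in score_registry_events(SAMPLE_EVENTS).items():
        print(f"{process}: score={result['score']} flagged={result['flagged']} "
              f"categories={sorted(result['categories'])}")
```

Removing only the ACPI event from the sample leaves Anarchy.exe below the threshold, which is the intended behaviour: two BIOS reads and a UAC check describe most setup programs, and a rule that fires on them alone will drown the analyst in false positives.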

Processes

C:\Users\Admin\AppData\Local\Temp\Anarchy.exe

"C:\Users\Admin\AppData\Local\Temp\Anarchy.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 448 -p 4668 -ip 4668

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 4668 -s 976

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 134.121.24.20.in-addr.arpa udp
US 8.8.8.8:53 42.220.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 14.103.197.20.in-addr.arpa udp
US 8.8.8.8:53 177.17.30.184.in-addr.arpa udp
US 8.8.8.8:53 254.132.255.8.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 229.78.74.40.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4668-133-0x00000219CDFB0000-0x00000219CF576000-memory.dmp

memory/4668-134-0x00000219D1260000-0x00000219D1270000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\f43b5528-ae0b-4a5f-b092-3abdd9d556d3\AgileDotNetRT64.dll

MD5 e3bd88b3c3e9b33dfa72c814f8826cff
SHA1 6d220c9eb7ee695f2b9dec261941bed59cac15e4
SHA256 28e9458a43e5d86a341590eaa83d0da18c29fce81f2383d84bda484e049a1796
SHA512 fcb7e384b5bda0f810c4b6190a991bd066eedfc8fc97af9837cda1ba480385c8bc09bd703c1029f9d8d8a3eea3dbc03af97b014b4713a4ceea6ad6ae85b3b6e9

memory/4668-142-0x00007FFCD4160000-0x00007FFCD49BF000-memory.dmp

memory/4668-141-0x00007FFCD4160000-0x00007FFCD49BF000-memory.dmp

memory/4668-143-0x00007FFCD6CF0000-0x00007FFCD6E3E000-memory.dmp

memory/4668-144-0x00007FFCD4160000-0x00007FFCD49BF000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win7-20230220-en

Max time kernel

27s

Max time network

31s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\0guo3zbo66fqoG.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\0guo3zbo66fqoG.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\G3nl0mDcABnDuZ.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\G3nl0mDcABnDuZ.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 177.17.30.184.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 14.103.197.20.in-addr.arpa udp
US 8.8.8.8:53 42.220.44.20.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 209.197.3.8:80 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win10v2004-20230220-en

Max time kernel

143s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\KNTmoSnG.AnarHs.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\KNTmoSnG.AnarHs.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 14.103.197.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 20.189.173.4:443 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 117.18.237.29:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
IE 20.54.89.15:443 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win7-20230220-en

Max time kernel

23s

Max time network

35s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\fzAgyDYa.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\fzAgyDYa.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\fzAgyDYa.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\fzAgyDYa.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 20.189.173.6:443 tcp
US 52.152.110.14:443 tcp
US 209.197.3.8:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 8.8.8.8:53 44.8.109.52.in-addr.arpa udp
US 52.152.110.14:443 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
NL 84.53.175.11:80 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win10v2004-20230220-en

Max time kernel

136s

Max time network

154s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Anarchy.exe.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00647153e089d901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b0000000002000000000010660000000100002000000089c3c2d54aaef84d0a157faa860f7b749712ddf1277478031e8b0c49d3784eba000000000e8000000002000020000000eb45a94faf2009588715278d477e3ee710866c056b0ee99e8c57c6e86b277a6e2000000055dd62a18dc92c859100543d22cc7f2d5f93e294b624c69a77b895dfe5adc35a40000000bd7c5ac28a32623d57bbddc63b7da1e54134d7223ced4e60ef441813232fa3a4fccf5a63a9757d3c11e5e577f3a8fe3ec7b30e3258bf945cf93f7d1efce71516 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{7BD1686A-F5D3-11ED-8FFF-62EB0CDC8974} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31033824" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1354010729" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1353854054" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31033824" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1385729220" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "391217395" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31033824" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000010d3bb75b0ea114e9ca1233a5a090b7b00000000020000000000106600000001000020000000820349a7db470c4ab916523df07fa54857c3fd6188c04aba54926b88d5a6d3ab000000000e8000000002000020000000176e098fbed043ab733540b99533fb4544f24db6289513f8be22454b7f4668c3200000009cf0f9129a1d0bc6095286985a27082f7e89e5b076298be6aba33766cc7ebe7a40000000e63a8156248bad03af44fc05cd657b1b9a7dac5997b96c93f23c2b448b229ba4af7d416cf5f5b454304e376254d320cdbe346316fae0938502dedfe52d9ee00e C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e02c8253e089d901 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Anarchy.exe.xml"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\Anarchy.exe.xml

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2216 CREDAT:17410 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 20.42.65.89:443 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 200.232.18.117.in-addr.arpa udp
NL 8.238.20.126:80 tcp
NL 8.238.177.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
NL 8.238.177.126:80 tcp
NL 8.238.177.126:80 tcp
US 40.125.122.176:443 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp

Files

memory/1356-133-0x00007FF843670000-0x00007FF843680000-memory.dmp

memory/1356-134-0x00007FF843670000-0x00007FF843680000-memory.dmp

memory/1356-135-0x00007FF843670000-0x00007FF843680000-memory.dmp

memory/1356-136-0x00007FF843670000-0x00007FF843680000-memory.dmp

memory/1356-137-0x00007FF843670000-0x00007FF843680000-memory.dmp

memory/1356-138-0x00007FF843670000-0x00007FF843680000-memory.dmp

memory/1356-139-0x00007FF843670000-0x00007FF843680000-memory.dmp

memory/1356-140-0x00007FF843670000-0x00007FF843680000-memory.dmp

memory/1356-141-0x00007FF843670000-0x00007FF843680000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 0fed02082c0164242c1982417797401f
SHA1 c98e9032eb11d5ac902279db92d70228b5521944
SHA256 1b74b0641f03370601feeee0395348c3a7386c0266ca4a360d2a7b87b8208519
SHA512 ef0e2b3be2038037a18e66793cf24ab38c41c352eeaa833963906f971d1909fd6452f131f70cfea3a3cccfc51100a0ca621002dbccd4d2bdb8bb28e8f6b32e0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 144335f0965ff761e7a2defeed1a8a59
SHA1 6ec775e40f66b2c8520f2a39967a6cb1ef2321d3
SHA256 b96e3e4f61804f99f9924fd096b6e77445ed82675da23ad1c77c692a43e3b041
SHA512 f308b81d72b48875b1f22d994bf9f6f43999807983b667143abe572d041831c3dd1a14e50a25036799bde787a615bb8a0d9fa3fc3420c0b48c11e1c90f133d5d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\39K1WZBJ\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral17

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win7-20230220-en

Max time kernel

24s

Max time network

32s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\K8oCBS3ThnW0WP.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\K8oCBS3ThnW0WP.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win10v2004-20230220-en

Max time kernel

154s

Max time network

170s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\K8oCBS3ThnW0WP.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\K8oCBS3ThnW0WP.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 13.89.179.8:443 tcp
US 40.125.122.176:443 tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
NL 8.238.21.254:80 tcp
NL 8.238.21.254:80 tcp
NL 8.238.21.254:80 tcp
NL 8.238.21.254:80 tcp
US 40.125.122.176:443 tcp
NL 173.223.113.164:443 tcp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 40.125.122.176:443 tcp
NL 173.223.113.131:80 tcp
US 131.253.33.203:80 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp
US 40.125.122.176:443 tcp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win10v2004-20230220-en

Max time kernel

162s

Max time network

165s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Recovery.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\Recovery.dll,#1

Network

Country Destination Domain Proto
US 52.242.101.226:443 tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 2.36.159.162.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 42.220.44.20.in-addr.arpa udp
US 13.89.178.27:443 tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 73.254.224.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 14.103.197.20.in-addr.arpa udp
US 8.8.8.8:53 177.17.30.184.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 99.113.223.173.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 250.255.255.239.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 126.179.238.8.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 42.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win7-20230220-en

Max time kernel

29s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\PK0TcnqTGFagQTS.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\PK0TcnqTGFagQTS.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win7-20230220-en

Max time kernel

26s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\mML6WKMqdxjDGA.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\mML6WKMqdxjDGA.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win7-20230220-en

Max time kernel

118s

Max time network

155s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Anarchy.exe.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 203d8b20f189d901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "391224609" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000743fd071976334797e6012501984d1f000000000200000000001066000000010000200000001044f245238129e02d38f09886d06ce5edd80f2ad876d710ae1c6526143b872f000000000e8000000002000020000000a4f905cbb784b10084367495f25e5fbae58566ea8aee4229bd7532f446df74d3200000004aa94b626233068b3dad16e884036f0e06bc7050a204a49e578116b76528b5e940000000e8c355f9bfc14295bfd1b1c11ac071bf38ba5848a901ed28b1606ebe81d74653b0afb629f8f3e1615bcc8b3e2f55ffb33622d99aeaa9df5336bddac697cbf00a C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{48841E01-F5E4-11ED-8202-6E0AA2656971} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2961826002-3968192592-354541192-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1356 wrote to memory of 1868 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1868 wrote to memory of 524 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 524 wrote to memory of 1988 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Anarchy.exe.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:524 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab9E83.tmp

C:\Users\Admin\AppData\Local\Temp\Cab9F53.tmp

C:\Users\Admin\AppData\Local\Temp\Tar9FA4.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CQVA38KB.txt

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGZY45B8\suggestions[1].en-US

Analysis: behavioral12

Detonation Overview

Submitted

2023-05-18 23:26

Reported

2023-05-18 23:29

Platform

win10v2004-20230220-en

Max time kernel

134s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\EVa7gBMKoaHmLC.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\EVa7gBMKoaHmLC.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 163.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 52.152.110.14:443 tcp
NL 13.69.109.131:443 tcp
US 13.107.4.50:80 tcp
NL 173.223.113.164:443 tcp
US 93.184.220.29:80 tcp

Files

N/A