asyncrat | bf9aa6957a814d551d3ba7f96690ff76c79ff884718b3a0f16ab17b96c2637ff

Analysis

max time kernel
659s
max time network
605s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2023 06:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anarchy Panel 4.7.7z
Size

52.3MB
MD5

40fa4dfb75a2ff3595435c374a5f5e68
SHA1

2086fd6c2f38fb20e87a50cf3ee27dfb68fa3843
SHA256

bf9aa6957a814d551d3ba7f96690ff76c79ff884718b3a0f16ab17b96c2637ff
SHA512

a0655a97428c2a1981015c7b819a207d119b82fe88242f8a0e703adf3eedd386de73412e428dfce1fcedacbbb04ff23775c66e21584f27b5065ed32f510da3de
SSDEEP

1572864:AN5bnkUpaR1Ju0aVJfQF593gMr8okmaHY5q2iSBHxhj3lF:Q5bkxbJOJfnMYoriIRhX

Score

10^/10

asyncrat stormkitty default ransomware rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:3232

Mutex

OΘ1贼يFjgS弗IKXΖdhcVVΖ

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000a00000002318a-532.dat	family_stormkitty

Async RAT payload 21 IoCs

rat

resource	yara_rule
behavioral1/files/0x000a000000023185-177.dat	asyncrat
behavioral1/files/0x000a000000023185-178.dat	asyncrat
behavioral1/memory/3388-181-0x00000000006A0000-0x0000000003D3E000-memory.dmp	asyncrat
behavioral1/files/0x000a000000023185-318.dat	asyncrat
behavioral1/files/0x000a000000023185-329.dat	asyncrat
behavioral1/files/0x000a000000023185-333.dat	asyncrat
behavioral1/files/0x0006000000023291-445.dat	asyncrat
behavioral1/files/0x0006000000023291-446.dat	asyncrat
behavioral1/memory/1648-447-0x0000000000ED0000-0x0000000000EE6000-memory.dmp	asyncrat
behavioral1/files/0x0008000000023259-528.dat	asyncrat
behavioral1/files/0x000b000000023186-529.dat	asyncrat
behavioral1/files/0x000a000000023187-530.dat	asyncrat
behavioral1/files/0x000a000000023188-531.dat	asyncrat
behavioral1/files/0x0008000000023258-536.dat	asyncrat
behavioral1/files/0x0009000000023257-535.dat	asyncrat
behavioral1/files/0x000a000000023256-534.dat	asyncrat
behavioral1/files/0x000900000002318b-533.dat	asyncrat
behavioral1/files/0x0006000000023291-601.dat	asyncrat
behavioral1/files/0x000600000002325c-616.dat	asyncrat
behavioral1/files/0x000600000002325a-617.dat	asyncrat
behavioral1/files/0x000600000002325b-618.dat	asyncrat

Renames multiple (464) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

.NET Reactor proctector 6 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/files/0x000a000000023185-177.dat	net_reactor
behavioral1/files/0x000a000000023185-178.dat	net_reactor
behavioral1/memory/3388-181-0x00000000006A0000-0x0000000003D3E000-memory.dmp	net_reactor
behavioral1/files/0x000a000000023185-318.dat	net_reactor
behavioral1/files/0x000a000000023185-329.dat	net_reactor
behavioral1/files/0x000a000000023185-333.dat	net_reactor

Executes dropped EXE 6 IoCs

pid	Process
3388	Anarchy Panel.exe
4648	Anarchy Panel.exe
2988	Anarchy Panel.exe
2276	Anarchy Panel.exe
1648	Infected.exe
1020	Infected.exe

Loads dropped DLL 4 IoCs

pid	Process
3388	Anarchy Panel.exe
4648	Anarchy Panel.exe
2988	Anarchy Panel.exe
2276	Anarchy Panel.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\about.html	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.flightrecorder.controlpanel.ui_5.5.0.165303.jar	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.renderers.swt_0.12.1.v20140903-1023.jar	Infected.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	Infected.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\hwrlatinlm.dat	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.greychart.ui.ja_5.5.0.165303.jar	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.felix.gogo.runtime_0.10.0.v201209301036.jar	Infected.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	Infected.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\auxpad\auxbase.xml	Infected.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	Infected.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.property_1.4.200.v20140214-0004.jar	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.commands_0.10.2.v20140424-2344.jar	Infected.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.browser_5.5.0.165303.jar	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.batik.util_1.7.0.v201011041433.jar	Infected.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.docs.zh_CN_5.5.0.165303.jar	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rcp.application_5.5.0.165303.jar	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.httpcomponents.httpclient_4.2.6.v201311072007.jar	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\ant-javafx.jar	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\artifacts.xml	Infected.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.nl_ja_4.4.0.v20140623020002.jar	Infected.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar	Infected.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\icudtl.dat	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_zh_4.4.0.v20140623020002.jar	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\1423496926556.profile.gz	Infected.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	Infected.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_de_DE.jar	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar	Infected.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.model.workbench.nl_ja_4.4.0.v20140623020002.jar	Infected.exe
File opened for modification	C:\Program Files\ResumeClear.jpeg	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\THIRDPARTYLICENSEREADME-JAVAFX.txt	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbynet.jar	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.net.nl_ja_4.4.0.v20140623020002.jar	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt_1.1.1.v20140903-0821.jar	Infected.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\license.html	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.databinding.beans.nl_zh_4.4.0.v20140623020002.jar	Infected.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.runtime_3.10.0.v20140318-2214.jar	Infected.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	Infected.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsdeu.xml	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\lib\derbyLocale_it.jar	Infected.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.bindings_0.10.200.v20140424-2042.jar	Infected.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	Infected.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.core.di_1.4.0.v20140414-1837.jar	Infected.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	Infected.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	Infected.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrome.7z	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\THIRDPARTYLICENSEREADME.txt	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\nashorn.jar	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_MoveNoDrop32x32.gif	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.ibm.icu_52.1.0.v201404241930.jar	Infected.exe
File opened for modification	C:\Program Files\UnregisterResume.zip	Infected.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\ko-kr.xml	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\jdwpTransport.h	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\COPYRIGHT	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jaccess.jar	Infected.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\meta-index	Infected.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.apache.lucene.core_3.5.0.v20120725-1805.jar	Infected.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3916	1648	WerFault.exe	128

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
4816	timeout.exe

Modifies registry class 56 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Anarchy Panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Generic"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0\0	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000008cbb63e8a9add901d1baceeba9add901f78298eda9add90114000000	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\0	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "6"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Anarchy Panel.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

pid	Process
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe
1648	Infected.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4648	Anarchy Panel.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeRestorePrivilege	1956	7zG.exe
Token: 35	1956	7zG.exe
Token: SeSecurityPrivilege	1956	7zG.exe
Token: SeSecurityPrivilege	1956	7zG.exe
Token: SeDebugPrivilege	3388	Anarchy Panel.exe
Token: SeDebugPrivilege	4648	Anarchy Panel.exe
Token: SeDebugPrivilege	2988	Anarchy Panel.exe
Token: SeDebugPrivilege	2276	Anarchy Panel.exe
Token: SeDebugPrivilege	1648	Infected.exe
Token: SeDebugPrivilege	1020	Infected.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1956	7zG.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4064	notepad.exe
4648	Anarchy Panel.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
2532	OpenWith.exe
2532	OpenWith.exe
2532	OpenWith.exe
2532	OpenWith.exe
2532	OpenWith.exe
2532	OpenWith.exe
2532	OpenWith.exe
2532	OpenWith.exe
2532	OpenWith.exe
2532	OpenWith.exe
2532	OpenWith.exe
2532	OpenWith.exe
2532	OpenWith.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe
4648	Anarchy Panel.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1020 wrote to memory of 4368	1020	Infected.exe	142
PID 1020 wrote to memory of 4368	1020	Infected.exe	142
PID 4368 wrote to memory of 4816	4368	cmd.exe	144
PID 4368 wrote to memory of 4816	4368	cmd.exe	144

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7.7z"
1⤵
- Modifies registry class
PID:3760

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2532

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1540

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\" -spe -an -ai#7zMap23214:112:7zEvent1806
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1956

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:3388

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
PID:3264

C:\Windows\system32\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Windows\system32\PcaSvc.dll,PcaPatchSdbTask
1⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4648

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4540

C:\Users\Admin\Desktop\Infected.exe
"C:\Users\Admin\Desktop\Infected.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1648
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 1648 -s 640
  2⤵
  - Program crash
  PID:3916

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
- Suspicious use of FindShellTrayWindow
PID:4064

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 1648 -ip 1648
1⤵
PID:4744

C:\Users\Admin\Desktop\Infected.exe
"C:\Users\Admin\Desktop\Infected.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE7CF.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4368
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:4816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.8.0_66\db\bin\NetworkServerControl.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-aj219sj1Uain

Filesize
5KB

MD5
47124b3ef5a971c95fc27709cd7e82b2

SHA1
c8c9ec474a253e7325c1a7e40306806e6c56dbc4

SHA256
6e9d6a5dbce43d2422a2171c4e59407932c70c30afbd82c0100b3babf6dd6333

SHA512
45ff9ab08a1f3d6d48e5616444d949bdf7bbb2278d2a81c9a6ac3fffb4173122b59808f0aeee58e623372a7ebe76036f22475000c04d328dc31ef9e36b814bd4

Download Submit
C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
416add29c67ec212c152d21a1ca666d9

SHA1
24710d2ab2fdb3bb5010916495c80824935ff123

SHA256
f63fab711c816167a22fcd463455070e66c8ddae169192c5999ac28c484272aa

SHA512
34a573f2faf2ffe294f55f159f9d79b64c4339515a39be7e4f3fe98dc7690db3e24e135166626d0253245dc9f732bb736e8490313cce4e758753c09ad9880ef5

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\epl-v10.html

Filesize
12KB

MD5
e6f08768f3d69fa6b3dbe9574fdc6552

SHA1
86548b878742d3dca4fe0e89e70297b6a2fd3d00

SHA256
378dfabe7b67765f8b72c458d37ee5d646c65eff7ed5b38cf3ffbb238973560a

SHA512
247e46ce3b42e5da7ba38f4296f4288a4ff0bb322cc7b78d8edce57e9c79652b2784523bfb869b345f909f2e3d39b68611e95d47cd2382b8a99b781de3f73a8d

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\license.html

Filesize
8KB

MD5
1e16b3a09739b78454f90a91c29fbfe0

SHA1
12f1d49658c8f808ac4182a91b8118741e55beb4

SHA256
109a7f7c84f431708165e55bfb1985fbc67bed4cb638fdc97bd96734308cf101

SHA512
4e7bddc8971d1725a9f38cab4ea9577f1f3a3c13a7a399689c2d6b85ebd4ef5de8f7927ba71dabf38ae3e691197cd879248d7ca869dab2cd17897b85ef41cff0

Download Submit
C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt.ا̘͜ل̬͓͖̘̜̀ͅف̹̙̖͈̣̀و̠͕͖̀ا̛̲ل̸̘̺ف̶̹و͚̖̗̙̝ض̨͇̮͓̠̠ͅى̹̗̯͡ض̢ى̳̬-aj219sj1Uain

Filesize
11KB

MD5
3721091ca750a1f58bbf95e822fc6d1d

SHA1
18c44ac9a74f344fff54f0ab8d7e4468745b7ba6

SHA256
319b12f665a1501c42b4746622680acee64658b0e307cebfb72727593de7ecd2

SHA512
b5544e365f941867548c6750e63444004f533e6f8939cd64ed03566d1ee94e99c68bf71c318969975acf6bf2318bf2641dee099cf58f4aa732df93630da82e80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Anarchy Panel.exe.log

Filesize
1KB

MD5
0d2d3bb478a1aea68cef5fb4a3c04b6c

SHA1
f7cf575e1d84ab9679afbfd0bac221fc30b12f3b

SHA256
fe7ce3cc7179fa700899af212bcee04b201fa837df7bf581b77c11e1fc0d8d50

SHA512
dcda3108adf0e038eabffed9384bd8258e6d46e2e12d94f340a3c74c77a60a8ab2185d51f5aad0c1e5d68e0330cbcdf73758096464fee016b04063a7f64eb7a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe

Filesize
54.6MB

MD5
94bac1a0cc0dbac256f0d3b4c90648c2

SHA1
4abcb8a31881e88322f6a37cbb24a14a80c6eef2

SHA256
50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94

SHA512
30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe

Filesize
54.6MB

MD5
94bac1a0cc0dbac256f0d3b4c90648c2

SHA1
4abcb8a31881e88322f6a37cbb24a14a80c6eef2

SHA256
50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94

SHA512
30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe

Filesize
54.6MB

MD5
94bac1a0cc0dbac256f0d3b4c90648c2

SHA1
4abcb8a31881e88322f6a37cbb24a14a80c6eef2

SHA256
50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94

SHA512
30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe

Filesize
54.6MB

MD5
94bac1a0cc0dbac256f0d3b4c90648c2

SHA1
4abcb8a31881e88322f6a37cbb24a14a80c6eef2

SHA256
50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94

SHA512
30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe

Filesize
54.6MB

MD5
94bac1a0cc0dbac256f0d3b4c90648c2

SHA1
4abcb8a31881e88322f6a37cbb24a14a80c6eef2

SHA256
50c2dba1d961e09cb8df397b71bd3b6a32d0ee6dbe886e7309305dc4ba968f94

SHA512
30ecee38d5d641abaf73e09a23c614cb3b8b84aa1f8ff1818e92c1f2b51bf6841d3e51564aecb5efd01a3d98db88f0938e7dd4ee9c74ca5477785c33c969ffd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Anarchy Panel.exe.config

Filesize
3KB

MD5
3d441f780367944d267e359e4786facd

SHA1
d3a4ba9ffc555bbc66207dfdaf3b2d569371f7b5

SHA256
49648bbe8ec16d572b125fff1f0e7faa19e1e8c315fd2a1055d6206860a960c9

SHA512
5f17ec093cdce3dbe2cb62fec264b3285aabe7352c1d65ec069ffbc8a17a9b684850fe38c1ffd8b0932199c820881d255c8d1e6000cbbe85587c98e88c9acb90

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\0guo3zbo66fqoG.dll

Filesize
78KB

MD5
e4ebcf76ff80ef398d3ab77d577f4c08

SHA1
cb9e6b30a63d50ae87610f6855b64abfb25691d2

SHA256
9661b1abc9a3e95e591c49c3838a64a066a2ff3c6de08d8aa7b541c4a75cd8e5

SHA512
8f37cedd987dd14181fdfa861b8a95271868dac21aa9df80bd6daa831ae20f4b4965c8be3e36f32aa220bd37ded11a7568ae237c9c9641bb4fc087f6fe104b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\59Zp7paEHDF7luJ.dll

Filesize
4.0MB

MD5
15e3d44d37439f3ac8574ac1c9789ec2

SHA1
bb3ef30e9f4496198f412738579966210ade36e0

SHA256
5db4c26057a05bb75ff7892fb60fd76620fc2228811d913d152a0aa4ec9db7a5

SHA512
ff358c9896792017ff7e91f1dedffd9d75a099c5b852da19599799aeca20b6b269267ff7c12c918a2530fe1a79a12bc8796c4eb3914c97faba3eba27388abde1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\CjETR6GpGXqM.dll

Filesize
395KB

MD5
b0fc0ba80f8ec9586ff397412c512d9f

SHA1
0f6051b71b715a47be1fa16683201413905629a3

SHA256
13db80a0211ba9bf59a1e43bdb2fffa91de5c7f38bd469c4824b5e06245a0234

SHA512
222a365ae567c6c773ca2b99b82795916839cc5c9ba8eb019bf6713108720c2793303ef6612b64488f4584602cec84c0b48a02fe709db0250bf377d07e002d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\EVa7gBMKoaHmLC.dll

Filesize
170KB

MD5
64a3d908b8a5feff2bccfc67f3a67dbd

SHA1
a17d7e5fa57c99a067cac459cb507b625dac254e

SHA256
6ea1ae7ab496666c0117fc20e704bfb6104b13cfb0408073a09689f863fa64b1

SHA512
66374d720230799bea6ac6cfe3faadc37fd775a49d40c04facae1caf1ec658956bbda54ba75287d7128b19b97971bd933a64469da8e0884225c5a8d8b9423ccc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\FBSyChwp.dll

Filesize
170KB

MD5
0d41ccfaa8e7ef96248b8270d1a44d08

SHA1
6ee22bdb91d3a18e0b45b6590eb69bc9a0b02326

SHA256
0ea38d0d964815e2b84748a78bd5a829ae01586478e5f17b976f1ae763c8dec3

SHA512
a0f236f6dbeb1763fb1c198616de65b907a3a5edf7ed9435c2ad0b5826d84e9d2f25e96aba4e8b681ef495612cf0e04e929427a92d332164ace89e797bcb0e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\G3nl0mDcABnDuZ.dll

Filesize
177KB

MD5
97b8bec4c47286e333cc2bedacf7338e

SHA1
764bbd0307924b71ca89538b42996208d10c9b91

SHA256
060d467cbeb0a58696287c052f3dd9b3597331b1c812e3e2882d6c232f8511de

SHA512
a40970622a594533349e75fc2022314ba21f05fc82709d6eaba82f4a2bc343c960029ad2825cfc034ce82622722127d149993bff88982f02d6dd6b5b1fb60fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\KNTmoSnG.dll

Filesize
670KB

MD5
738c096a9bc38e21a9aa59ebc356c80d

SHA1
139756ad201a537461a6bb8524a4b89a63b1b1b9

SHA256
300a5551f7be89c5f03c0b70fa7dafb7f84c6394dac68bee95169e985e7786f0

SHA512
294c34f0716861fa67ba571bf7a8614613a1746e9f2935ba0c86eb1897dff858ea1f7fb44f1b6ec87cc709f4933a912dcd3eadd5d0b208c72985aa47e1f214f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\eMTYbTz0gueNs4.dll

Filesize
1.1MB

MD5
5dfbcfbbf9e2ae7db23e252808699ffb

SHA1
a1d429292fe73aeb5abab10304e1ae8c1262b26d

SHA256
929e5f15e9ceca03c80b2d174283cb25bf47adfe4693f5c01f622416c9f6d03c

SHA512
9ee63080781577e0d818a27d026024f96161bb7b132dc0c130fabbe2d6c3b7758868fff5a4ad68efeb4d08f964e2f69417022751880a443f7f920aa4f40f5c09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\fzAgyDYa.dll

Filesize
79KB

MD5
a5770798b7a6465f5b5a8c19d7d707ee

SHA1
ca67e9591d2f757cbbfacb55f27aec6485b10ee6

SHA256
f855353a618af8a53504b5188c05d3a09fb1ff85763e0cd15c53dee82d7c6119

SHA512
64da7687e83c6ff4d1c1cdc644ffff53333f745e82f169beb529d55ec5be6f21658d27c6e01744147c00f834978260e86ea627a5f2981f27305afb69a7b467dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\mGWHaG2Jn.dll

Filesize
81KB

MD5
8f98206f577160f950d456d1190c8d32

SHA1
defced38fce00775c4616b420fa674d77f946eff

SHA256
2bde0293c982fb6266c683ecaa2c90372d26d9a2786726874a2cfb89dcc68324

SHA512
432c2b6759701754616273633c966332e718dbb10a9a7eab0d7c57ffdc9be95b5e1b16b6e291301ac7aa6d1de48a46d30f08729e45d6634b1849f41c78e92d91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\mML6WKMqdxjDGA.dll

Filesize
173KB

MD5
e03b206eec8a7efbd1a47909071226e5

SHA1
21163989ea524920e874bc7932adfcd5e94f854e

SHA256
778877431354a9584325dadb663be077f757227eaae8bcad33e4bf26efd6b965

SHA512
831ed74419f1b4c3250fbff20be16ed7058a851d7168a17e8a4dcf284a19412feee42a8c198af34b37571de33a80c48ac855f5d018ea9e2cfdcd846b832155ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Plugins\oYsKwDG.dll

Filesize
4.8MB

MD5
a718955297276f2349b7644447736e08

SHA1
377388d115b77aff357dcaf92b6aeb6286b1460d

SHA256
54ec206c8fe8ff27b3fb02ef892b8e6bc4b6abfff2fe08f5f57175c64f1d3220

SHA512
a3c2ded0cdc4e62adac92a569d6cd4db0c3647e663700f019a9de27e738eb2672e5cccec19af15633a3cd25a882452ff5ce39c17f67dc3ed6653b9e0ad063641

Download Submit
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7\Usrs.p12

Filesize
1KB

MD5
83abef590217cf3bbe4078562fee8175

SHA1
4505cdb5fe77241417b6110304c9657994fbd36c

SHA256
4e8776d540e3cfc17248abcbe1cb2759dd03c96f4b326bd7f6fae171a41a6eec

SHA512
2218718eb8ab21e60cdea58a4dfbbdf3d5e8b0c3596db906dd957e33e309c074895249c7b5c3ad207997949ba5bb086553116d5b3941e5e15deaaac4ba588d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE7CF.tmp.bat

Filesize
149B

MD5
6cd889d56b279ca45b1f113bcadd498c

SHA1
eca93ea2ba761a335845d9e6cf59437268bd48a5

SHA256
8399ce5ae4e2975898569d7d72f7452841114d6b6b7330467f32d36937b1b157

SHA512
f7d6c71233a6f2b757bffa374e26d08e5eda1f2da8743bbe61126ff61425cc6b76a787e38e7990289cb5331f85cc321c702873766afb8706361e0233cad945d2

Download Submit
C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_ovpbhp5zsdrmidfq3zzyatud1lqqbvfc\4.7.0.0\user.config

Filesize
1KB

MD5
4b01719ab493b81d429c574dbaca15ef

SHA1
719ef1e4e6616a3d8afce09de7f89ddcf186a3a3

SHA256
33ce546b728989bc9ff5dd4c487a87723e5eb7b3953b7cb56e747747411b6c54

SHA512
4d5293d8b58c793bbbe6dedc061cb4fd3e7302771ee91789240ecf80f2f79d08dffc36d148f755107a3d12de6037ab18c57cb42494de80a40d90b64bb04ef234

Download Submit
C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_ovpbhp5zsdrmidfq3zzyatud1lqqbvfc\4.7.0.0\user.config

Filesize
1KB

MD5
495d368baef768dd527dd8b772702c87

SHA1
20ceb83c7076024e0491f169173607aa4a2e3931

SHA256
38f1820a88401c8e117bfeca56a11aa06dc806a175203e86f323dc6fb81fb3cf

SHA512
75770717f4bc7c9bdd13d747fdcd6306c38423b1b5d908b5d7cdf4da1b7bbe722f65bb52e63c61ca6da89981d8f5a99035c1d610a0fdacb706a046520c291d18

Download Submit
C:\Users\Admin\Desktop\Infected.exe

Filesize
63KB

MD5
c73e2075df22ff8a810724b317bedcec

SHA1
c14bac5f0e89d2b1fbfefb5ff76bde0c3f577a7a

SHA256
1ba7079c0e6983cd6ffffd26eca8f7dfeea6b0cd0822bcd7e4bec6296c96291e

SHA512
402b56cc0150849f31244753113bb421ebd4ef2a3596d672efa12449bef401409a9500b9998dfa76bec6b5c921c17172288219d3eee83aab50313783f3fd8bbb

Download Submit
C:\Users\Admin\Desktop\Infected.exe

Filesize
63KB

MD5
c73e2075df22ff8a810724b317bedcec

SHA1
c14bac5f0e89d2b1fbfefb5ff76bde0c3f577a7a

SHA256
1ba7079c0e6983cd6ffffd26eca8f7dfeea6b0cd0822bcd7e4bec6296c96291e

SHA512
402b56cc0150849f31244753113bb421ebd4ef2a3596d672efa12449bef401409a9500b9998dfa76bec6b5c921c17172288219d3eee83aab50313783f3fd8bbb

Download Submit
C:\Users\Admin\Desktop\Infected.exe

Filesize
63KB

MD5
c73e2075df22ff8a810724b317bedcec

SHA1
c14bac5f0e89d2b1fbfefb5ff76bde0c3f577a7a

SHA256
1ba7079c0e6983cd6ffffd26eca8f7dfeea6b0cd0822bcd7e4bec6296c96291e

SHA512
402b56cc0150849f31244753113bb421ebd4ef2a3596d672efa12449bef401409a9500b9998dfa76bec6b5c921c17172288219d3eee83aab50313783f3fd8bbb

Download Submit
memory/1648-448-0x00007FFE2F110000-0x00007FFE2FBD1000-memory.dmp

Filesize
10.8MB

Download
memory/1648-457-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/1648-552-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/1648-550-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/1648-549-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/1648-553-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/1648-551-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/1648-456-0x00007FFE2F110000-0x00007FFE2FBD1000-memory.dmp

Filesize
10.8MB

Download
memory/1648-537-0x000000001CD90000-0x000000001CE06000-memory.dmp

Filesize
472KB

Download
memory/1648-447-0x0000000000ED0000-0x0000000000EE6000-memory.dmp

Filesize
88KB

Download
memory/1648-538-0x000000001CE10000-0x000000001CE2E000-memory.dmp

Filesize
120KB

Download
memory/1648-539-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/1648-540-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/1648-541-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/1648-542-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/1648-543-0x000000001BBC0000-0x000000001BBD0000-memory.dmp

Filesize
64KB

Download
memory/2276-371-0x00007FFE2F110000-0x00007FFE2FBD1000-memory.dmp

Filesize
10.8MB

Download
memory/2276-360-0x000000001EC50000-0x000000001EC60000-memory.dmp

Filesize
64KB

Download
memory/2276-357-0x00007FFE2F110000-0x00007FFE2FBD1000-memory.dmp

Filesize
10.8MB

Download
memory/2276-337-0x00007FFE2F110000-0x00007FFE2FBD1000-memory.dmp

Filesize
10.8MB

Download
memory/2276-358-0x000000001EC50000-0x000000001EC60000-memory.dmp

Filesize
64KB

Download
memory/2276-340-0x000000001EC50000-0x000000001EC60000-memory.dmp

Filesize
64KB

Download
memory/2276-341-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/2276-359-0x000000001EC50000-0x000000001EC60000-memory.dmp

Filesize
64KB

Download
memory/2988-339-0x0000000003F50000-0x0000000003F51000-memory.dmp

Filesize
4KB

Download
memory/2988-366-0x000000001E610000-0x000000001E620000-memory.dmp

Filesize
64KB

Download
memory/2988-367-0x000000001E610000-0x000000001E620000-memory.dmp

Filesize
64KB

Download
memory/2988-369-0x00007FFE2F110000-0x00007FFE2FBD1000-memory.dmp

Filesize
10.8MB

Download
memory/2988-354-0x000000001E610000-0x000000001E620000-memory.dmp

Filesize
64KB

Download
memory/2988-356-0x00007FFE2F110000-0x00007FFE2FBD1000-memory.dmp

Filesize
10.8MB

Download
memory/2988-336-0x00007FFE2F110000-0x00007FFE2FBD1000-memory.dmp

Filesize
10.8MB

Download
memory/2988-353-0x000000001E610000-0x000000001E620000-memory.dmp

Filesize
64KB

Download
memory/3388-192-0x000000001E9F0000-0x000000001EA00000-memory.dmp

Filesize
64KB

Download
memory/3388-512-0x00007FFE2F110000-0x00007FFE2FBD1000-memory.dmp

Filesize
10.8MB

Download
memory/3388-193-0x000000001E9F0000-0x000000001EA00000-memory.dmp

Filesize
64KB

Download
memory/3388-197-0x000000001E9F0000-0x000000001EA00000-memory.dmp

Filesize
64KB

Download
memory/3388-191-0x00007FFE2F110000-0x00007FFE2FBD1000-memory.dmp

Filesize
10.8MB

Download
memory/3388-194-0x000000001E9F0000-0x000000001EA00000-memory.dmp

Filesize
64KB

Download
memory/3388-195-0x000000001E9F0000-0x000000001EA00000-memory.dmp

Filesize
64KB

Download
memory/3388-190-0x000000001E8F0000-0x000000001E902000-memory.dmp

Filesize
72KB

Download
memory/3388-183-0x0000000005D80000-0x0000000005D81000-memory.dmp

Filesize
4KB

Download
memory/3388-182-0x000000001E9F0000-0x000000001EA00000-memory.dmp

Filesize
64KB

Download
memory/3388-196-0x000000001E9F0000-0x000000001EA00000-memory.dmp

Filesize
64KB

Download
memory/3388-181-0x00000000006A0000-0x0000000003D3E000-memory.dmp

Filesize
54.6MB

Download
memory/3388-180-0x00007FFE2F110000-0x00007FFE2FBD1000-memory.dmp

Filesize
10.8MB

Download
memory/4648-455-0x000000002A860000-0x000000002A960000-memory.dmp

Filesize
1024KB

Download
memory/4648-327-0x000000001EC40000-0x000000001EC50000-memory.dmp

Filesize
64KB

Download
memory/4648-326-0x00007FFE2F110000-0x00007FFE2FBD1000-memory.dmp

Filesize
10.8MB

Download
memory/4648-325-0x000000001EC40000-0x000000001EC50000-memory.dmp

Filesize
64KB

Download
memory/4648-321-0x00000000045A0000-0x00000000045A1000-memory.dmp

Filesize
4KB

Download
memory/4648-320-0x000000001EC40000-0x000000001EC50000-memory.dmp

Filesize
64KB

Download
memory/4648-319-0x00007FFE2F110000-0x00007FFE2FBD1000-memory.dmp

Filesize
10.8MB

Download
memory/4648-328-0x000000001EC40000-0x000000001EC50000-memory.dmp

Filesize
64KB

Download
memory/4648-338-0x000000001EC40000-0x000000001EC50000-memory.dmp

Filesize
64KB

Download
memory/4648-344-0x000000001EC40000-0x000000001EC50000-memory.dmp

Filesize
64KB

Download
memory/4648-352-0x000000001EC40000-0x000000001EC50000-memory.dmp

Filesize
64KB

Download
memory/4648-355-0x000000001EC40000-0x000000001EC50000-memory.dmp

Filesize
64KB

Download
memory/4648-463-0x000000002A860000-0x000000002A960000-memory.dmp

Filesize
1024KB

Download
memory/4648-379-0x0000000024110000-0x0000000024122000-memory.dmp

Filesize
72KB

Download
memory/4648-372-0x000000001EC40000-0x000000001EC50000-memory.dmp

Filesize
64KB

Download
memory/4648-373-0x000000001EC40000-0x000000001EC50000-memory.dmp

Filesize
64KB

Download
memory/4648-389-0x000000001EC40000-0x000000001EC50000-memory.dmp

Filesize
64KB

Download
memory/4648-388-0x000000001EC40000-0x000000001EC50000-memory.dmp

Filesize
64KB

Download
memory/4648-385-0x0000000021560000-0x000000002156A000-memory.dmp

Filesize
40KB

Download