Analysis Overview
SHA256
f31297dbb9f3aa6a6331c0d70ccfa89bc89b6a5e0a0b6eefb8078204d9bdf94a
Threat Level: Known bad
The file Anarchy Panel 4.7.7z was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Asyncrat family
Async RAT payload
Stealerium family
StormKitty payload
Stormkitty family
Loads dropped DLL
.NET Reactor proctector
Enumerates physical storage devices
Program crash
Unsigned PE
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-10 01:20
Signatures
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Asyncrat family
Stealerium family
StormKitty payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Stormkitty family
.NET Reactor proctector
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral14
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win10v2004-20230831-en
Max time kernel
136s
Max time network
147s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FBSyChwp.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.132.60.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win7-20230831-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\RssCnLKcGRxj.dll,#1
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win7-20230831-en
Max time kernel
120s
Max time network
130s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
.NET Reactor proctector
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"
Network
Files
memory/2240-0-0x000007FEF5F20000-0x000007FEF690C000-memory.dmp
memory/2240-1-0x0000000000100000-0x000000000379E000-memory.dmp
memory/2240-2-0x000000001E850000-0x000000001E8D0000-memory.dmp
memory/2240-3-0x00000000038E0000-0x00000000038E1000-memory.dmp
\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll
| Hash | Value |
|---|---|
| MD5 | 56a504a34d2cfbfc7eaa2b68e34af8ad |
| SHA1 | 426b48b0f3b691e3bb29f465aed9b936f29fc8cc |
| SHA256 | 9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961 |
| SHA512 | 170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7 |
memory/2240-8-0x000000001EF30000-0x000000001F518000-memory.dmp
memory/2240-9-0x000000001F760000-0x000000001FB20000-memory.dmp
memory/2240-10-0x000000001E850000-0x000000001E8D0000-memory.dmp
memory/2240-11-0x000007FEF5F20000-0x000007FEF690C000-memory.dmp
memory/2240-12-0x000000001E850000-0x000000001E8D0000-memory.dmp
memory/2240-13-0x000000001E850000-0x000000001E8D0000-memory.dmp
memory/2240-14-0x000000001E850000-0x000000001E8D0000-memory.dmp
memory/2240-15-0x000000001E850000-0x000000001E8D0000-memory.dmp
memory/2240-16-0x000000001E850000-0x000000001E8D0000-memory.dmp
memory/2240-17-0x000000001E850000-0x000000001E8D0000-memory.dmp
memory/2240-18-0x000000001E850000-0x000000001E8D0000-memory.dmp
memory/2240-19-0x000000001E850000-0x000000001E8D0000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:23
Platform
win10v2004-20230831-en
Max time kernel
61s
Max time network
74s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\59Zp7paEHDF7luJ.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.132.60.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.121.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win10v2004-20230831-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\WkUP83aP9CABpi.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.132.60.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.3.248.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral26
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win10v2004-20230831-en
Max time kernel
138s
Max time network
157s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\svchost.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\eMTYbTz0gueNs4.dll,#1
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.179.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.65.42.20.in-addr.arpa | udp |
Files
memory/3996-0-0x000001E7A3340000-0x000001E7A3350000-memory.dmp
memory/3996-16-0x000001E7A3440000-0x000001E7A3450000-memory.dmp
memory/3996-32-0x000001E7AB9C0000-0x000001E7AB9C1000-memory.dmp
memory/3996-33-0x000001E7AB9F0000-0x000001E7AB9F1000-memory.dmp
memory/3996-34-0x000001E7AB9F0000-0x000001E7AB9F1000-memory.dmp
memory/3996-35-0x000001E7AB9F0000-0x000001E7AB9F1000-memory.dmp
memory/3996-36-0x000001E7AB9F0000-0x000001E7AB9F1000-memory.dmp
memory/3996-37-0x000001E7AB9F0000-0x000001E7AB9F1000-memory.dmp
memory/3996-38-0x000001E7AB9F0000-0x000001E7AB9F1000-memory.dmp
memory/3996-39-0x000001E7AB9F0000-0x000001E7AB9F1000-memory.dmp
memory/3996-40-0x000001E7AB9F0000-0x000001E7AB9F1000-memory.dmp
memory/3996-41-0x000001E7AB9F0000-0x000001E7AB9F1000-memory.dmp
memory/3996-42-0x000001E7AB9F0000-0x000001E7AB9F1000-memory.dmp
memory/3996-43-0x000001E7AB610000-0x000001E7AB611000-memory.dmp
memory/3996-44-0x000001E7AB600000-0x000001E7AB601000-memory.dmp
memory/3996-46-0x000001E7AB610000-0x000001E7AB611000-memory.dmp
memory/3996-49-0x000001E7AB600000-0x000001E7AB601000-memory.dmp
memory/3996-52-0x000001E7AB540000-0x000001E7AB541000-memory.dmp
memory/3996-64-0x000001E7AB740000-0x000001E7AB741000-memory.dmp
memory/3996-66-0x000001E7AB750000-0x000001E7AB751000-memory.dmp
memory/3996-67-0x000001E7AB750000-0x000001E7AB751000-memory.dmp
memory/3996-68-0x000001E7AB860000-0x000001E7AB861000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:23
Platform
win10v2004-20230831-en
Max time kernel
107s
Max time network
90s
Command Line
Signatures
AsyncRat
Async RAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
.NET Reactor proctector
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000\Software\Microsoft\Internet Explorer\TypedURLs | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 4e003100000000002a57c20a100054656d7000003a0009000400efbe1f5755a02a57c60a2e000000a6e10100000001000000000000000000000000000000436d0f01540065006d007000000014000000 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic" | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000001f5755a01100557365727300640009000400efbe874f77481f57adad2e000000c70500000000010000000000000000003a00000000006be7e80055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000001f5756ad100041646d696e003c0009000400efbe1f5755a01f57adad2e00000087e101000000010000000000000000000000000000007e8eeb00410064006d0069006e00000014000000 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 50003100000000001f57b4ad10004c6f63616c003c0009000400efbe1f5755a01f57b4ad2e000000a5e1010000000100000000000000000000000000000001891e014c006f00630061006c00000014000000 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1" | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000001f5755a012004170704461746100400009000400efbe1f5755a01f57adad2e00000092e10100000001000000000000000000000000000000b172d3004100700070004400610074006100000016000000 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-4078585466-1563564224-3678410669-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"
C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.132.60.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.121.18.2.in-addr.arpa | udp |
Files
memory/4140-0-0x00007FF8AFEC0000-0x00007FF8B0981000-memory.dmp
memory/4140-1-0x0000000000230000-0x00000000038CE000-memory.dmp
memory/4140-2-0x000000001E490000-0x000000001E4A0000-memory.dmp
memory/4140-3-0x0000000003E70000-0x0000000003E71000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll
| Hash | Value |
|---|---|
| MD5 | 56a504a34d2cfbfc7eaa2b68e34af8ad |
| SHA1 | 426b48b0f3b691e3bb29f465aed9b936f29fc8cc |
| SHA256 | 9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961 |
| SHA512 | 170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7 |
memory/4140-9-0x0000000005AB0000-0x0000000005AC2000-memory.dmp
memory/4140-10-0x000000001E490000-0x000000001E4A0000-memory.dmp
memory/4140-11-0x000000001E490000-0x000000001E4A0000-memory.dmp
memory/4140-12-0x00007FF8AFEC0000-0x00007FF8B0981000-memory.dmp
memory/4140-13-0x000000001E490000-0x000000001E4A0000-memory.dmp
memory/4140-14-0x000000001E490000-0x000000001E4A0000-memory.dmp
memory/4140-15-0x000000001E490000-0x000000001E4A0000-memory.dmp
memory/4140-16-0x000000001E490000-0x000000001E4A0000-memory.dmp
memory/4140-17-0x000000001E490000-0x000000001E4A0000-memory.dmp
memory/4140-18-0x000000001E490000-0x000000001E4A0000-memory.dmp
memory/4140-19-0x000000001E490000-0x000000001E4A0000-memory.dmp
memory/4140-20-0x000000001E490000-0x000000001E4A0000-memory.dmp
memory/4140-21-0x00000000246D0000-0x00000000246E2000-memory.dmp
memory/4140-27-0x000000001E590000-0x000000001E59A000-memory.dmp
memory/4140-30-0x000000001E490000-0x000000001E4A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Usrs.p12
| Hash | Value |
|---|---|
| MD5 | a8c14c0204e1da23da92b294f1544dcc |
| SHA1 | ad1a58ba88d0c70ef2dfed5507abddb6498402ce |
| SHA256 | 99f819a393672435766e0d345180408592b114a62d5989b6066d1da686c10598 |
| SHA512 | 6547854b22e4fc89582780e961adf694328040e636acff2b3d6c88fbd6bf551389b18914c8182d6c8ed7c92183e3b48cf6ac270c0305b3fa23c36ab23f64485f |
C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_bhennukkrj4ap4ybumzdxwrmvm3shh42\4.7.0.0\user.config
| Hash | Value |
|---|---|
| MD5 | 4b01719ab493b81d429c574dbaca15ef |
| SHA1 | 719ef1e4e6616a3d8afce09de7f89ddcf186a3a3 |
| SHA256 | 33ce546b728989bc9ff5dd4c487a87723e5eb7b3953b7cb56e747747411b6c54 |
| SHA512 | 4d5293d8b58c793bbbe6dedc061cb4fd3e7302771ee91789240ecf80f2f79d08dffc36d148f755107a3d12de6037ab18c57cb42494de80a40d90b64bb04ef234 |
C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_bhennukkrj4ap4ybumzdxwrmvm3shh42\4.7.0.0\user.config
| Hash | Value |
|---|---|
| MD5 | 495d368baef768dd527dd8b772702c87 |
| SHA1 | 20ceb83c7076024e0491f169173607aa4a2e3931 |
| SHA256 | 38f1820a88401c8e117bfeca56a11aa06dc806a175203e86f323dc6fb81fb3cf |
| SHA512 | 75770717f4bc7c9bdd13d747fdcd6306c38423b1b5d908b5d7cdf4da1b7bbe722f65bb52e63c61ca6da89981d8f5a99035c1d610a0fdacb706a046520c291d18 |
Analysis: behavioral7
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:22
Platform
win7-20230831-en
Max time kernel
23s
Max time network
18s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\59Zp7paEHDF7luJ.dll,#1
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win7-20230831-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\FBSyChwp.dll,#1
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win7-20230831-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\PK0TcnqTGFagQTS.dll,#1
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win7-20230831-en
Max time kernel
122s
Max time network
132s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\mML6WKMqdxjDGA.dll,#1
Network
Files
Analysis: behavioral27
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win7-20230831-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\fzAgyDYa.dll,#1
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win10v2004-20230831-en
Max time kernel
150s
Max time network
170s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\mGWHaG2Jn.dll,#1
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 114.132.60.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.57.101.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:22
Platform
win10v2004-20230831-en
Max time kernel
35s
Max time network
49s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE |
Processes
C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE
"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe.xml"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 408 -p 4156 -ip 4156
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4156 -s 448
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 125.132.60.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
Files
memory/4156-1-0x00007FFF9E810000-0x00007FFF9EA05000-memory.dmp
memory/4156-0-0x00007FFF5E890000-0x00007FFF5E8A0000-memory.dmp
memory/4156-2-0x00007FFF9E810000-0x00007FFF9EA05000-memory.dmp
memory/4156-3-0x00007FFF9C270000-0x00007FFF9C539000-memory.dmp
memory/4156-4-0x00007FFF5E890000-0x00007FFF5E8A0000-memory.dmp
memory/4156-5-0x00007FFF9E810000-0x00007FFF9EA05000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:22
Platform
win7-20230831-en
Max time kernel
38s
Max time network
19s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\0guo3zbo66fqoG.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:22
Platform
win10v2004-20230831-en
Max time kernel
31s
Max time network
45s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\0guo3zbo66fqoG.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.121.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win7-20230831-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\EVa7gBMKoaHmLC.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win10v2004-20230831-en
Max time kernel
146s
Max time network
156s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\G3nl0mDcABnDuZ.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.113.26.67.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.21.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win10v2004-20230831-en
Max time kernel
138s
Max time network
149s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\CjETR6GpGXqM.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.132.60.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win7-20230831-en
Max time kernel
119s
Max time network
132s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\G3nl0mDcABnDuZ.dll,#1
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win7-20230831-en
Max time kernel
120s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\KNTmoSnG.dll,#1
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win10v2004-20230831-en
Max time kernel
139s
Max time network
159s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\KNTmoSnG.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.132.60.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.179.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral25
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win7-20230831-en
Max time kernel
122s
Max time network
129s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\eMTYbTz0gueNs4.dll,#1
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win10v2004-20230831-en
Max time kernel
139s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\mML6WKMqdxjDGA.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.179.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win7-20230831-en
Max time kernel
136s
Max time network
136s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6AF9A701-4F78-11EE-B3E2-7EFDAE50F694} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000ea3dc2a7c0fe4d49bd6e8f3e7e71513f00000000020000000000106600000001000020000000ee2e8b1b8e885df9f5bb3b79c2f458f0ab553d36fb5d678487f5f4bea655e253000000000e80000000020000200000009a7c7e594025214f5e7e2607b1478777de627bd0649f06a0de8d495dfbaaf774200000007d46c4ea33230d2c60508d8abc4a85d58efd75800f8680b5d3149693ea06c46240000000af7dcc48395f295f1466d2aad6864992aa399175cdf473c2617c18d76340431570d5fd76cda01b20674ad834f2197ac17202d11b59fb343ac63d3adb63b29386 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 103a0e4085e3d901 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value not captured in this copy of the report) | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-686452656-3203474025-4140627569-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "400470778" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe.xml"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2728 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
Analysis: behavioral28
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win10v2004-20230831-en
Max time kernel
140s
Max time network
154s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\fzAgyDYa.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 54.120.234.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.73.50.20.in-addr.arpa | udp |
Files
Analysis: behavioral29
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win7-20230831-en
Max time kernel
119s
Max time network
126s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\mGWHaG2Jn.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:23
Platform
win7-20230831-en
Max time kernel
41s
Max time network
20s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\CjETR6GpGXqM.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win10v2004-20230831-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\EVa7gBMKoaHmLC.dll,#1
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win10v2004-20230831-en
Max time kernel
138s
Max time network
147s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\PK0TcnqTGFagQTS.dll,#1
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win10v2004-20230831-en
Max time kernel
133s
Max time network
147s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\RssCnLKcGRxj.dll,#1
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2023-09-10 01:19
Reported
2023-09-10 01:24
Platform
win7-20230831-en
Max time kernel
117s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Plugins\WkUP83aP9CABpi.dll,#1