asyncrat | bf9aa6957a814d551d3ba7f96690ff76c79ff884718b3a0f16ab17b96c2637ff

Resubmissions

14-08-2024 22:02

240814-1yattssdkl 7

14-08-2024 21:57

240814-1vba7axcqg 10

14-08-2024 21:49

240814-1pk87sxakc 10

Analysis

max time kernel
387s
max time network
314s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 21:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anarchy Panel 4.7.7z
Size

52.3MB
MD5

40fa4dfb75a2ff3595435c374a5f5e68
SHA1

2086fd6c2f38fb20e87a50cf3ee27dfb68fa3843
SHA256

bf9aa6957a814d551d3ba7f96690ff76c79ff884718b3a0f16ab17b96c2637ff
SHA512

a0655a97428c2a1981015c7b819a207d119b82fe88242f8a0e703adf3eedd386de73412e428dfce1fcedacbbb04ff23775c66e21584f27b5065ed32f510da3de
SSDEEP

1572864:AN5bnkUpaR1Ju0aVJfQF593gMr8okmaHY5q2iSBHxhj3lF:Q5bkxbJOJfnMYoriIRhX

Score

10^/10

asyncrat stealerium stormkitty default rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:5050

Attributes

delay
1
install
true
install_file
sex.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Desktop\Plugins\eMTYbTz0gueNs4.dll	family_stormkitty

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Infected.exe	family_asyncrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/3556-199-0x0000000000650000-0x0000000003CEE000-memory.dmp	net_reactor

Executes dropped EXE 1 IoCs

Processes:

Anarchy Panel.exe

pid process

3556 Anarchy Panel.exe
Loads dropped DLL 1 IoCs

Processes:

Anarchy Panel.exe

pid process

3556 Anarchy Panel.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 64 IoCs

Processes:

SearchProtocolHost.exeSearchFilterHost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-182 = "Microsoft PowerPoint Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008887180494eeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-120 = "Microsoft Word 97 - 2003 Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@cryptext.dll,-6148 = "Personal Information Exchange"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000097d0020394eeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-178 = "OpenDocument Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.au	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.asx\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b8c1b0294eeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-12385 = "Favorites Bar"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000008c9b0c0494eeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.pdf\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-180 = "Microsoft PowerPoint 97-2003 Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-10046 = "Internet Shortcut"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000060f4660394eeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9939 = "ADTS Audio"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{F81B1B56-7613-4EE4-BC05-1FAB5DE5C07E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d527d10394eeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\wmphoto.dll,-500 = "Windows Media Photo"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-915 = "XHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9912 = "Windows Media Audio file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rmi\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-2 = "XSL Stylesheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4803 = "VBScript Encoded Script File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b97ae90194eeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe

Modifies registry class 64 IoCs

Processes:

Anarchy Panel.execmd.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\NodeSlot = "7"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Version = "1"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe1100000007393172d7e4da0175bb1e3f94eeda012464e93f94eeda0114000000	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 7e003100000000000e5993ae11004465736b746f7000680009000400efbe025988630e5993ae2e00000072e101000000010000000000000000003e000000000039318e004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202	Anarchy Panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 500031000000000002594a6d100041646d696e003c0009000400efbe025988630e5944ae2e00000068e10100000001000000000000000000000000000000541a8f00410064006d0069006e00000014000000	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "9"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 5e003100000000000e59a1ae10004e4557464f4c7e310000460009000400efbe0e598dae0e59a1ae2e0000007c34020000000700000000000000000000000000000008d14d004e0065007700200066006f006c00640065007200000018000000	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Downloads"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	Anarchy Panel.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

Anarchy Panel.exe

pid	process
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exeAnarchy Panel.exe

pid process

4712 OpenWith.exe
3556 Anarchy Panel.exe

pid	process
4712	OpenWith.exe
3556	Anarchy Panel.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

Processes:

SearchIndexer.exe7zG.exe7zG.exeAnarchy Panel.exe

description	pid	process
Token: 33	3828	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	3828	SearchIndexer.exe
Token: SeRestorePrivilege	5108	7zG.exe
Token: 35	5108	7zG.exe
Token: SeSecurityPrivilege	5108	7zG.exe
Token: SeSecurityPrivilege	5108	7zG.exe
Token: SeRestorePrivilege	2880	7zG.exe
Token: 35	2880	7zG.exe
Token: SeSecurityPrivilege	2880	7zG.exe
Token: SeSecurityPrivilege	2880	7zG.exe
Token: SeDebugPrivilege	3556	Anarchy Panel.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

7zG.exe7zG.exeAnarchy Panel.exe

pid process

5108 7zG.exe
2880 7zG.exe
3556 Anarchy Panel.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Anarchy Panel.exe

pid process

3556 Anarchy Panel.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

OpenWith.exeAnarchy Panel.exe

pid process

4712 OpenWith.exe
3556 Anarchy Panel.exe
3556 Anarchy Panel.exe

pid	process
5108	7zG.exe
2880	7zG.exe
3556	Anarchy Panel.exe

pid	process
4712	OpenWith.exe
3556	Anarchy Panel.exe
3556	Anarchy Panel.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SearchIndexer.exe

description	pid	process	target process
PID 3828 wrote to memory of 3748	3828	SearchIndexer.exe	SearchProtocolHost.exe
PID 3828 wrote to memory of 3748	3828	SearchIndexer.exe	SearchProtocolHost.exe
PID 3828 wrote to memory of 5084	3828	SearchIndexer.exe	SearchFilterHost.exe
PID 3828 wrote to memory of 5084	3828	SearchIndexer.exe	SearchFilterHost.exe
PID 3828 wrote to memory of 3380	3828	SearchIndexer.exe	SearchFilterHost.exe
PID 3828 wrote to memory of 3380	3828	SearchIndexer.exe	SearchFilterHost.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7.7z"
1⤵
- Modifies registry class
PID:4492

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4712

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3828
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:3748
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:5084
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  PID:3380

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap8070:90:7zEvent19640
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5108

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap10040:90:7zEvent10889
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1664

C:\Users\Admin\Desktop\New folder\Anarchy Panel.exe
"C:\Users\Admin\Desktop\New folder\Anarchy Panel.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3556

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_bnuxk2ufgz5ksr2eaerevdto2le1myf0\4.7.0.0\user.config

Filesize
1KB

MD5
d91f8156ad7f9e55002ae66a03f15ffd

SHA1
b55bfecb007d05583fa7104eb1ebeddc835a7924

SHA256
1971a593af28c1ff95979bdb043ef64df7fe6aef71e680eb24d9d74fc508a885

SHA512
0a8972e32f581cf1b0164de7226c8ff009a515b5d4ed96627231bf71661230ca9ac634d9b41bf63877692328ebbe2a49206d0e9834a2b4037329a0723cd46d25

Download Submit
C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_bnuxk2ufgz5ksr2eaerevdto2le1myf0\4.7.0.0\user.config

Filesize
1KB

MD5
f5091e9034963be2755945da4b9b8628

SHA1
ac825ffddfcce760738abebadef7c65d10933b83

SHA256
cbdd7c33fda0379637e47f8251a6297958554747694826980a41208663cd5e9d

SHA512
996140534b183b65eb8008f252497c33512eabc2792a8f7c3eda8c3c5dd37ef01b4253332b0971a377f214d203e60fb0753c30287674300a4aa7f0518b977af4

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel.exe.config

Filesize
3KB

MD5
3d441f780367944d267e359e4786facd

SHA1
d3a4ba9ffc555bbc66207dfdaf3b2d569371f7b5

SHA256
49648bbe8ec16d572b125fff1f0e7faa19e1e8c315fd2a1055d6206860a960c9

SHA512
5f17ec093cdce3dbe2cb62fec264b3285aabe7352c1d65ec069ffbc8a17a9b684850fe38c1ffd8b0932199c820881d255c8d1e6000cbbe85587c98e88c9acb90

Download Submit
C:\Users\Admin\Desktop\New folder\BackupCertificate.zip

Filesize
1KB

MD5
f265c9eeaf0df6214ed3e9224dd3de1b

SHA1
1b4aa8118965732d154080ea3fa58486bc122dbf

SHA256
88858fd1e8e2a24880dbf3a36626fcd11b45afb62e6b384be94752a74946b846

SHA512
509c62624848f8940a4069ec58ca635a649483740b15be71853cecf0d03fb09d3ae38513351063cfdbe8116b453f3a46ced2f405e972b00db54f64263e744e42

Download Submit
C:\Users\Admin\Desktop\New folder\Usrs.p12

Filesize
1KB

MD5
462a67332bf138f7b7ef4ed37148646c

SHA1
1db855254db32f9f7bead03865f753bfa6d5fe00

SHA256
fccb41d2aa0d7f8a1a66d3026194718e0c1b220b0616e13aaea0e64bf993885a

SHA512
e6d9b12e4d06e03f874986b45c0b5289d2970c8601787f18e2126083d9b3633384f5d6adb09fe9b6ecfce847d72de85fd898586ef9674ef08f9862e69bddd9f9

Download Submit
C:\Users\Admin\Desktop\Plugins\0guo3zbo66fqoG.dll

Filesize
78KB

MD5
e4ebcf76ff80ef398d3ab77d577f4c08

SHA1
cb9e6b30a63d50ae87610f6855b64abfb25691d2

SHA256
9661b1abc9a3e95e591c49c3838a64a066a2ff3c6de08d8aa7b541c4a75cd8e5

SHA512
8f37cedd987dd14181fdfa861b8a95271868dac21aa9df80bd6daa831ae20f4b4965c8be3e36f32aa220bd37ded11a7568ae237c9c9641bb4fc087f6fe104b01

Download Submit
C:\Users\Admin\Desktop\Plugins\59Zp7paEHDF7luJ.dll

Filesize
4.0MB

MD5
15e3d44d37439f3ac8574ac1c9789ec2

SHA1
bb3ef30e9f4496198f412738579966210ade36e0

SHA256
5db4c26057a05bb75ff7892fb60fd76620fc2228811d913d152a0aa4ec9db7a5

SHA512
ff358c9896792017ff7e91f1dedffd9d75a099c5b852da19599799aeca20b6b269267ff7c12c918a2530fe1a79a12bc8796c4eb3914c97faba3eba27388abde1

Download Submit
C:\Users\Admin\Desktop\Plugins\CjETR6GpGXqM.dll

Filesize
395KB

MD5
b0fc0ba80f8ec9586ff397412c512d9f

SHA1
0f6051b71b715a47be1fa16683201413905629a3

SHA256
13db80a0211ba9bf59a1e43bdb2fffa91de5c7f38bd469c4824b5e06245a0234

SHA512
222a365ae567c6c773ca2b99b82795916839cc5c9ba8eb019bf6713108720c2793303ef6612b64488f4584602cec84c0b48a02fe709db0250bf377d07e002d7d

Download Submit
C:\Users\Admin\Desktop\Plugins\EVa7gBMKoaHmLC.dll

Filesize
170KB

MD5
64a3d908b8a5feff2bccfc67f3a67dbd

SHA1
a17d7e5fa57c99a067cac459cb507b625dac254e

SHA256
6ea1ae7ab496666c0117fc20e704bfb6104b13cfb0408073a09689f863fa64b1

SHA512
66374d720230799bea6ac6cfe3faadc37fd775a49d40c04facae1caf1ec658956bbda54ba75287d7128b19b97971bd933a64469da8e0884225c5a8d8b9423ccc

Download Submit
C:\Users\Admin\Desktop\Plugins\FBSyChwp.dll

Filesize
170KB

MD5
0d41ccfaa8e7ef96248b8270d1a44d08

SHA1
6ee22bdb91d3a18e0b45b6590eb69bc9a0b02326

SHA256
0ea38d0d964815e2b84748a78bd5a829ae01586478e5f17b976f1ae763c8dec3

SHA512
a0f236f6dbeb1763fb1c198616de65b907a3a5edf7ed9435c2ad0b5826d84e9d2f25e96aba4e8b681ef495612cf0e04e929427a92d332164ace89e797bcb0e0e

Download Submit
C:\Users\Admin\Desktop\Plugins\G3nl0mDcABnDuZ.dll

Filesize
177KB

MD5
97b8bec4c47286e333cc2bedacf7338e

SHA1
764bbd0307924b71ca89538b42996208d10c9b91

SHA256
060d467cbeb0a58696287c052f3dd9b3597331b1c812e3e2882d6c232f8511de

SHA512
a40970622a594533349e75fc2022314ba21f05fc82709d6eaba82f4a2bc343c960029ad2825cfc034ce82622722127d149993bff88982f02d6dd6b5b1fb60fbf

Download Submit
C:\Users\Admin\Desktop\Plugins\KNTmoSnG.dll

Filesize
670KB

MD5
738c096a9bc38e21a9aa59ebc356c80d

SHA1
139756ad201a537461a6bb8524a4b89a63b1b1b9

SHA256
300a5551f7be89c5f03c0b70fa7dafb7f84c6394dac68bee95169e985e7786f0

SHA512
294c34f0716861fa67ba571bf7a8614613a1746e9f2935ba0c86eb1897dff858ea1f7fb44f1b6ec87cc709f4933a912dcd3eadd5d0b208c72985aa47e1f214f2

Download Submit
C:\Users\Admin\Desktop\Plugins\PK0TcnqTGFagQTS.dll

Filesize
174KB

MD5
fa90a2aee0d172000257c4faca31237c

SHA1
b317281b4acaaf1d7b7255c5e92887322abae892

SHA256
991fc53fa1aa7b5cd0b6e19dab536873d68e4413fd55b533601a3a2582d38a49

SHA512
b05c0b52e011089258ad31dd23a1f8a0cc8145b202e42e2a9d4fdf892c12d4a7b5843cc7721041295ab796e8bc98747b9e321c4e54bfd1a7c9a02dd2796fc405

Download Submit
C:\Users\Admin\Desktop\Plugins\RssCnLKcGRxj.dll

Filesize
181KB

MD5
f6808c4fbbe0275db03b2cc5b4c2bc0d

SHA1
e40b61c64c68f72fc5144f5057d54229babdecf8

SHA256
e204d15f0e7269d364157aaab265a5dfbe7e76c9f6202bf90998f0edd77ca248

SHA512
f077c49f6943d0e40799b3b42d1e11f50dabca48305c36ef2acd3258c990e0e0f982fbb0c27b1243aa15d2ed7b398b70f07dddc9ba76ff032ba74a24c8e08fb4

Download Submit
C:\Users\Admin\Desktop\Plugins\WkUP83aP9CABpi.dll

Filesize
86KB

MD5
8dbfb67c059aa59f7c53e20ef6740363

SHA1
3de96e7f48ee7647f5a7c2efb68cbd914bc78364

SHA256
a74b74f463d567c1f0505bddcd49ed23700f9ab7dcf4b7f46435723258c5a7e2

SHA512
70aed01375416e2be63d676bbdba58c12ba5f50d406d1fe252e7a66b901d32e0705007dbf465193de51663174c1b53bdb980890d8b2e6ce641dd16a200e3440d

Download Submit
C:\Users\Admin\Desktop\Plugins\eMTYbTz0gueNs4.dll

Filesize
1.1MB

MD5
5dfbcfbbf9e2ae7db23e252808699ffb

SHA1
a1d429292fe73aeb5abab10304e1ae8c1262b26d

SHA256
929e5f15e9ceca03c80b2d174283cb25bf47adfe4693f5c01f622416c9f6d03c

SHA512
9ee63080781577e0d818a27d026024f96161bb7b132dc0c130fabbe2d6c3b7758868fff5a4ad68efeb4d08f964e2f69417022751880a443f7f920aa4f40f5c09

Download Submit
C:\Users\Admin\Desktop\Plugins\fzAgyDYa.dll

Filesize
79KB

MD5
a5770798b7a6465f5b5a8c19d7d707ee

SHA1
ca67e9591d2f757cbbfacb55f27aec6485b10ee6

SHA256
f855353a618af8a53504b5188c05d3a09fb1ff85763e0cd15c53dee82d7c6119

SHA512
64da7687e83c6ff4d1c1cdc644ffff53333f745e82f169beb529d55ec5be6f21658d27c6e01744147c00f834978260e86ea627a5f2981f27305afb69a7b467dc

Download Submit
C:\Users\Admin\Desktop\Plugins\mGWHaG2Jn.dll

Filesize
81KB

MD5
8f98206f577160f950d456d1190c8d32

SHA1
defced38fce00775c4616b420fa674d77f946eff

SHA256
2bde0293c982fb6266c683ecaa2c90372d26d9a2786726874a2cfb89dcc68324

SHA512
432c2b6759701754616273633c966332e718dbb10a9a7eab0d7c57ffdc9be95b5e1b16b6e291301ac7aa6d1de48a46d30f08729e45d6634b1849f41c78e92d91

Download Submit
C:\Users\Admin\Desktop\Plugins\mML6WKMqdxjDGA.dll

Filesize
173KB

MD5
e03b206eec8a7efbd1a47909071226e5

SHA1
21163989ea524920e874bc7932adfcd5e94f854e

SHA256
778877431354a9584325dadb663be077f757227eaae8bcad33e4bf26efd6b965

SHA512
831ed74419f1b4c3250fbff20be16ed7058a851d7168a17e8a4dcf284a19412feee42a8c198af34b37571de33a80c48ac855f5d018ea9e2cfdcd846b832155ff

Download Submit
C:\Users\Admin\Desktop\Plugins\oYsKwDG.dll

Filesize
4.8MB

MD5
a718955297276f2349b7644447736e08

SHA1
377388d115b77aff357dcaf92b6aeb6286b1460d

SHA256
54ec206c8fe8ff27b3fb02ef892b8e6bc4b6abfff2fe08f5f57175c64f1d3220

SHA512
a3c2ded0cdc4e62adac92a569d6cd4db0c3647e663700f019a9de27e738eb2672e5cccec19af15633a3cd25a882452ff5ce39c17f67dc3ed6653b9e0ad063641

Download Submit
C:\Users\Admin\Desktop\Plugins\rNXXgmX25s.dll

Filesize
1.5MB

MD5
050f07b46987eaf152aab521c0112fc4

SHA1
2d2c0943ce9c10ba09b0d5cca54c2a88a1e61e95

SHA256
b93374fdfd9af786ff20597ae0e242b81373984ba5718194f9e57feb231c52cf

SHA512
a27c370e40ec126b6b9f3ab7d603378c2b629ec752aa8fc57a10e3ef58c0b701a5d1b4903a17ba180c4e73e76b54304f0868c474eb60e671562d0deed83a18c8

Download Submit
C:\Users\Admin\Desktop\Plugins\sJ88z8tsg5XzK.dll

Filesize
172KB

MD5
b3fa2c3d50057ddd2c9579dc0aef1590

SHA1
88a1f57b9177c95a2e095866574639b09d5f310a

SHA256
6eaf5744b8ec91312e1c6be83d852627e5204b3b64a1932e60e47438d73fb6bf

SHA512
0d1b8288cbc1c206029fe2f9b7366b2f8b49158e4c9643e453111ceb90fd77af903533c64f6ede351755414c9e7daa926704cda6f1953be79e1adc7aff515508

Download Submit
C:\Users\Admin\Desktop\Plugins\yL9x34D8X3oO2P.dll

Filesize
180KB

MD5
38502e61cc1d39095a12c1883551ad9f

SHA1
135c9cad9e6d54bf66a1cee5c99ba510102623b0

SHA256
0e9733277eac197c4eaf40fb0eada0907388222ef21843488a8e591149768301

SHA512
cd67a63ea954a4db8c8dfadceb2822b447d98c2c43a8f9c6901d0fce3230605a0416395b92caea6ac08348d5f6b0e1cb052b24cf90829602b0a5b0652b8a2600

Download Submit
C:\Users\Admin\Desktop\Plugins\zVvPGvK64uLS.dll

Filesize
106KB

MD5
a267a675b7243d9152c7b8e3e261d64c

SHA1
9a0277095646e2a773e8a04a7913ce6a56cf05b5

SHA256
9e82bf869638f8118f47f3870b1382401e42912cefcc6a9890489af5bb805c7e

SHA512
0dae32c0c0fbf6918779a5e9699cbef27572458a5cdc7119298abddb6a597a0017fe33af06c02abe0c66f3cd490f6955bd7c65470ed3e31338d28575306c04bb

Download Submit
C:\Users\Admin\Desktop\Plugins\zVvPGvK64uLS1.dll

Filesize
234KB

MD5
4f2fb621cbea3cafb7a041c9b3c115a7

SHA1
137502326e0126f372586d157e51a1416146c3be

SHA256
98eb518c9785f988ab1dc0752e0ef6d23f171134e60187c621795d6877940f99

SHA512
22171b9ecf1fc99b7aaf4e73c4d164cedcb503e83021f36a9cec673ff327f83a6c7568e22a7329cc6fc7ef3d6ff79d5dc6c88a8784e58401b884920c5ba2ac9b

Download Submit
C:\Users\Admin\Downloads\Infected.exe

Filesize
63KB

MD5
030dac582c69164a637028eb76403f6d

SHA1
6e3d3688a5f491dd5f5748f76829bcf4defa83be

SHA256
9b7dac0ab24d49e30a40b5d06d2f587d3c1b4a43169e08814a417ed0a75b4b6e

SHA512
b5fbc1b1fcfacb22bfc6ee7787cc9fcf14b9a7f6dade9416cb7c935766cb010870d069f1a4ab81020ec76e6e56226c6ae428aec1d28c5cf84edd0992fdbeae96

Download Submit
memory/3556-210-0x0000000024590000-0x00000000245A4000-memory.dmp

Filesize
80KB

Download
memory/3556-218-0x0000000024180000-0x000000002418A000-memory.dmp

Filesize
40KB

Download
memory/3556-212-0x00000000246A0000-0x0000000024918000-memory.dmp

Filesize
2.5MB

Download
memory/3556-211-0x0000000024680000-0x0000000024692000-memory.dmp

Filesize
72KB

Download
memory/3556-199-0x0000000000650000-0x0000000003CEE000-memory.dmp

Filesize
54.6MB

Download
memory/3556-209-0x00000000242F0000-0x000000002443E000-memory.dmp

Filesize
1.3MB

Download
memory/3556-208-0x0000000023BF0000-0x0000000023E42000-memory.dmp

Filesize
2.3MB

Download
memory/3556-207-0x00000000201F0000-0x00000000205B0000-memory.dmp

Filesize
3.8MB

Download
memory/3556-228-0x00000000286D0000-0x00000000287EE000-memory.dmp

Filesize
1.1MB

Download
memory/3556-206-0x000000001FC00000-0x00000000201E8000-memory.dmp

Filesize
5.9MB

Download
memory/3556-205-0x000000001E8B0000-0x000000001E8C2000-memory.dmp

Filesize
72KB

Download
memory/3828-0-0x000001D5A2BF0000-0x000001D5A2C00000-memory.dmp

Filesize
64KB

Download
memory/3828-36-0x000001D5A8930000-0x000001D5A8938000-memory.dmp

Filesize
32KB

Download
memory/3828-16-0x000001D5A2E20000-0x000001D5A2E30000-memory.dmp

Filesize
64KB

Download
memory/3828-32-0x000001D5A71E0000-0x000001D5A71E8000-memory.dmp

Filesize
32KB

Download
memory/5084-56-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-53-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-57-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-50-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-51-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-48-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-49-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-46-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-44-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-43-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-42-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-41-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-40-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-55-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-60-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-52-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-59-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-58-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-62-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-63-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-66-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-67-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-65-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-64-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-38-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-47-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-61-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-45-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-54-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download
memory/5084-39-0x000002B86A560000-0x000002B86A570000-memory.dmp

Filesize
64KB

Download