asyncrat | cd61b22206c6d49921a64d25afe25f378c5a2a9adb5cbb9bde6b8710a9b69ae2

Analysis

max time kernel
284s
max time network
292s
platform
windows10-2004_x64
resource
win10v2004-20250129-it
resource tags

arch:x64arch:x86image:win10v2004-20250129-itlocale:it-itos:windows10-2004-x64systemwindows
submitted
15/02/2025, 13:04

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

Anarchy Panel.rar
Size

53.7MB
MD5

5dc9c6fd4edbd148791b562f00876187
SHA1

a2505b95d41ce293b2b2301bcb6d182266efd7aa
SHA256

cd61b22206c6d49921a64d25afe25f378c5a2a9adb5cbb9bde6b8710a9b69ae2
SHA512

c786dce92af961aa108222735a96cc3bc5be2d1406f205b5d5d6ebbf1835088fbab8d594259868f303cce50808ab4a52b18732dc6a343379c9b3419572c555fe
SSDEEP

1572864:ptM3JU8MZutgbxMwJimb8+iq7JRCctUvKYo8+:HMJB9wJis8+ieRMKYo8+

Score

10^/10

asyncrat stealerium stormkitty default collection discovery persistence privilege_escalation rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:3232

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001da29-105.dat	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0009000000023c6c-98.dat	family_asyncrat

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/4920-54-0x0000000000530000-0x0000000003BCE000-memory.dmp	net_reactor

Executes dropped EXE 2 IoCs

pid	Process
4920	Anarchy Panel.exe
4896	Infected.exe

Loads dropped DLL 1 IoCs

pid	Process
4920	Anarchy Panel.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe
Key opened	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe
Key opened	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe

Enumerates connected drives 3 TTPs 6 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe
File opened (read-only)	\??\D:	explorer.exe
File opened (read-only)	\??\F:	explorer.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
58	icanhazip.com
60	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2444	cmd.exe
2200	netsh.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Capabilities	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	explorer.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	explorer.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Infected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Infected.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Internet Explorer\TypedURLs	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_HW_fr-FR.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\Recognizers\\Tokens\\MS-1033-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Discrete;Continuous"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Stefan"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR en-US Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{E164F996-FF93-4675-BDD8-6C47AB0B86B1}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\L1036"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Paul"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "804"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Universal Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5248260"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\lsr1041.lxa"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{81218F10-A8AA-44C4-9436-33A42C3852E9}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Katja"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Paul"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "407"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Sie haben %1 als Standardstimme ausgewählt."	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lts Lexicon"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\tn1036.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_it-IT.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\MSTTSLocdeDE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\r1033sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Elsa - Italian (Italy)"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{2984A9DB-5689-43AD-877D-14999A15DD46}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; computer=NativeSupported; address=NativeSupported; currency=NativeSupported; message=NativeSupported; media=NativeSupported; url=NativeSupported; alphanumeric=NativeSupported"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "14766"	SearchApp.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2211717155-842865201-3404093980-1000\{667B055E-D670-4FD9-8238-31774A17BA55}	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "6;18;22"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR de-DE Locale Handler"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Ichiro"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 ^ 0008 1 0009 2 000a ~ 000b : 000c a 000d aw 000e ax 000f ay 0010 b 0011 d 0012 ch 0013 eh 0014 eu 0015 ey 0016 f 0017 g 0018 h 0019 ih 001a iy 001b jh 001c k 001d l 001e m 001f n 0020 ng 0021 oe 0022 oh 0023 ow 0024 oy 0025 p 0026 pf 0027 r 0028 s 0029 sh 002a t 002b ts 002c ue 002d uh 002e uw 002f uy 0030 v 0031 x 0032 y 0033 z 0034 zh 0035"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\L1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - English (United States)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_es-ES.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR Engine (11.0) Text Normalization"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\VoiceActivation_de-DE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\AI043082"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\fr-FR\\VoiceActivation_fr-FR.dat"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 78003100000000003d5a86491100557365727300640009000400efbe874f77484f5aea682e000000c70500000000010000000000000000003a00000000001708260155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Ayumi"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "既定の音声として%1を選びました"	SearchApp.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "40C"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "I 0069 Y 0079 IX 0268 YX 0289 UU 026F U 0075 IH 026A YH 028F UH 028A E 0065 EU 00F8 EX 0258 OX 0275 OU 0264 O 006F AX 0259 EH 025B OE 0153 ER 025C UR 025E AH 028C AO 0254 AE 00E6 AEX 0250 A 0061 AOE 0276 AA 0251 Q 0252 EI 006503610069 AU 00610361028A OI 025403610069 AI 006103610069 IYX 006903610259 UYX 007903610259 EHX 025B03610259 UWX 007503610259 OWX 006F03610259 AOX 025403610259 EN 00650303 AN 00610303 ON 006F0303 OEN 01530303 P 0070 B 0062 M 006D BB 0299 PH 0278 BH 03B2 MF 0271 F 0066 V 0076 VA 028B TH 03B8 DH 00F0 T 0074 D 0064 N 006E RR 0072 DX 027E S 0073 Z 007A LSH 026C LH 026E RA 0279 L 006C SH 0283 ZH 0292 TR 0288 DR 0256 NR 0273 DXR 027D SR 0282 ZR 0290 R 027B LR 026D CT 0063 JD 025F NJ 0272 C 00E7 CJ 029D J 006A LJ 028E W 0077 K 006B G 0067 NG 014B X 0078 GH 0263 GA 0270 GL 029F QT 0071 QD 0262 QN 0274 QQ 0280 QH 03C7 RH 0281 HH 0127 HG 0295 GT 0294 H 0068 WJ 0265 PF 007003610066 TS 007403610073 CH 007403610283 JH 006403610292 JJ 006A0361006A DZ 00640361007A CC 007403610255 JC 006403610291 TSR 007403610282 WH 028D ESH 029C EZH 02A2 ET 02A1 SC 0255 ZC 0291 LT 027A SHX 0267 HZ 0266 PCK 0298 TCK 01C0 NCK 0021 CCK 01C2 LCK 01C1 BIM 0253 DIM 0257 QIM 029B GIM 0260 JIM 0284 S1 02C8 S2 02CC . 002E _\| 007C _\|\| 2016 lng 02D0 hlg 02D1 xsh 02D8 _^ 203F _! 0001 _& 0002 _, 0003 _s 0004 _. 2198 _? 2197 T5 030B T4 0301 T3 0304 T2 0300 T1 030F T- 2193 T+ 2191 vls 030A vcd 032C bvd 0324 cvd 0330 asp 02B0 mrd 0339 lrd 031C adv 031F ret 0331 cen 0308 mcn 033D syl 0329 nsy 032F rho 02DE lla 033C lab 02B7 pal 02B2 vel 02E0 phr 02E4 vph 0334 rai 031D low 031E atr 0318 rtr 0319 den 032A api 033A lam 033B nas 0303 nsr 207F lar 02E1 nar 031A ejc 02BC + 0361 bva 02B1 G2 0261 rte 0320 vsl 0325 NCK3 0297 NCK2 01C3 LCK2 0296 TCK2 0287 JC2 02A5 CC2 02A8 LG 026B DZ2 02A3 TS2 02A6 JH2 02A4 CH2 02A7 SHC 0286 rhz 02B4 QOM 02A0 xst 0306 T= 2192 ERR 025D AXR 025A ZHJ 0293"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\c1036.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\VoiceActivation_HW_ja-JP.dat"	SearchApp.exe

Opens file in notepad (likely ransom note) 4 IoCs

ransomware

pid	Process
4800	NOTEPAD.EXE
1308	NOTEPAD.EXE
5040	NOTEPAD.EXE
4608	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe
4896	Infected.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2556	7zFM.exe
4920	Anarchy Panel.exe
4572	explorer.exe
1568	explorer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2556	7zFM.exe
Token: 35	2556	7zFM.exe
Token: SeSecurityPrivilege	2556	7zFM.exe
Token: SeDebugPrivilege	4920	Anarchy Panel.exe
Token: SeDebugPrivilege	4896	Infected.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4572	explorer.exe
Token: SeCreatePagefilePrivilege	4572	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe
Token: SeCreatePagefilePrivilege	4932	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe
Token: SeCreatePagefilePrivilege	4932	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe
Token: SeCreatePagefilePrivilege	4932	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe
Token: SeCreatePagefilePrivilege	4932	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe
Token: SeCreatePagefilePrivilege	4932	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe
Token: SeCreatePagefilePrivilege	4932	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe
Token: SeCreatePagefilePrivilege	4932	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe
Token: SeCreatePagefilePrivilege	4932	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe
Token: SeCreatePagefilePrivilege	4932	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe
Token: SeCreatePagefilePrivilege	4932	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe
Token: SeCreatePagefilePrivilege	4932	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe
Token: SeCreatePagefilePrivilege	4932	explorer.exe
Token: SeShutdownPrivilege	4932	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2556	7zFM.exe
2556	7zFM.exe
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4920	Anarchy Panel.exe

Suspicious use of SendNotifyMessage 63 IoCs

pid	Process
4920	Anarchy Panel.exe
4920	Anarchy Panel.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4572	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4920	Anarchy Panel.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
4932	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
4920	Anarchy Panel.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe
1568	explorer.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4920	Anarchy Panel.exe
4456	StartMenuExperienceHost.exe
1856	StartMenuExperienceHost.exe
4880	SearchApp.exe
1568	explorer.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 2444	4896	Infected.exe	119
PID 4896 wrote to memory of 2444	4896	Infected.exe	119
PID 2444 wrote to memory of 4272	2444	cmd.exe	121
PID 2444 wrote to memory of 4272	2444	cmd.exe	121
PID 2444 wrote to memory of 2200	2444	cmd.exe	122
PID 2444 wrote to memory of 2200	2444	cmd.exe	122
PID 2444 wrote to memory of 3544	2444	cmd.exe	123
PID 2444 wrote to memory of 3544	2444	cmd.exe	123
PID 4896 wrote to memory of 4728	4896	Infected.exe	124
PID 4896 wrote to memory of 4728	4896	Infected.exe	124
PID 4728 wrote to memory of 4720	4728	cmd.exe	126
PID 4728 wrote to memory of 4720	4728	cmd.exe	126
PID 4728 wrote to memory of 3036	4728	cmd.exe	127
PID 4728 wrote to memory of 3036	4728	cmd.exe	127

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2556

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:676

C:\Users\Admin\Desktop\Anarchy Panel\Anarchy Panel.exe
"C:\Users\Admin\Desktop\Anarchy Panel\Anarchy Panel.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4920

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4624

C:\Users\Admin\Desktop\Anarchy Panel\Infected.exe
"C:\Users\Admin\Desktop\Anarchy Panel\Infected.exe"
1⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4896
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4272
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2200
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:3544
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4728
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4720
- - C:\Windows\system32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:3036

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Anarchy Panel\loginandpassword.txt
1⤵
PID:3800

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_AnarchyData.zip\System\ProductKey.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4800

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_AnarchyData.zip\System\Windows.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1308

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_AnarchyData.zip\System\ScanningNetworks.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:5040

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_AnarchyData.zip\System\Info.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4608

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4572

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:4456

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4932

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1856

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4880

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:3628

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1568

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:4884

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4316

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2100

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:2896

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4160

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:1120

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\7d83aca3ba959afc85fefa125ed4768e\Admin@IEYJLSCD_it-IT\System\Process.txt

Filesize
831B

MD5
631b2b89ffd7a7ab7b8e702abafa6d14

SHA1
8940285a6ff4ecc9a71a56cc0b2d75527c797d31

SHA256
6d79ce20c0073ccf59a7170e48b76fb7ad9e7d48cba86608ecb6a7d6a001c99d

SHA512
f138b778e487ac4e45548ac2cb8bf459354838f3e18b6d6e0e6cc0cd754c6a6d61eb919b6f0453d6389b698836bee521365022a160f32f430028730300c36bcc

Download Submit
C:\Users\Admin\AppData\Local\7d83aca3ba959afc85fefa125ed4768e\Admin@IEYJLSCD_it-IT\System\Process.txt

Filesize
1KB

MD5
aea167badeee095466a86e367a056ee3

SHA1
0641be045c00d40e8689bd07c157b8333d28d9f7

SHA256
24b3a776b1a2b2603b60e5a6914b2c2dfde44409a7f900938f4c2beaf6ece471

SHA512
363714fbcea7a1f6a1d651f5bb31d08bbacc6c3f5f7ffb895ece07ee19c384c07362ce849592e02abed8ccb7e6978db8bfc8c5312de8592ce79dadcfff03117d

Download Submit
C:\Users\Admin\AppData\Local\7d83aca3ba959afc85fefa125ed4768e\Admin@IEYJLSCD_it-IT\System\Process.txt

Filesize
3KB

MD5
de525b6d322bcc1acfe11673e30fdcf1

SHA1
478ebf571c4879d57f3330e74e89ebb3cb5ad441

SHA256
f3e10bccb5fdd9f885a014c247f4c83fe845801c91c224859df1611753abc034

SHA512
c90ea0edc8496c08b03384586bf09c55324f411a4d1043a7d90a9c65e2cd93943c5822999b3dde62a950eedf56be93fb4db393adc189fe638ebf5ca4fdaa0ea5

Download Submit
C:\Users\Admin\AppData\Local\7d83aca3ba959afc85fefa125ed4768e\Admin@IEYJLSCD_it-IT\System\Process.txt

Filesize
4KB

MD5
031531e6f9a8e1f63ed08c77c61ced13

SHA1
497583cface33014ceea6166282698d6c3dae449

SHA256
eeae94fb70cee61fe204d8b18704625b05c831f9e878e30c5f66472380d12fcc

SHA512
9600e1411cda325b325cb1b049da58d2b3d98c679068685d0b4fe982b403c57b5e82e43125df4319ac7965b225e1e6a44c10b6c5b97666e1b5660b7b104521f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133840986601313349.txt

Filesize
75KB

MD5
01c536885b5b84979ebe1de87e9131da

SHA1
4214edcc6da33dcf94dada8fc187f127c2d66ef8

SHA256
643296211d03a0a30930d328c0c7d5e7054cea4f60d25f9d9e7f1b3a3632afcc

SHA512
86160675a0f8f005300faf1ca4162d986561d00e714215abae5cace213e1016e0772f445ca6a72bfdfa6ce662a905b193f98fad0a2d96381c56749208ac194c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_ngizoguis4xqpklht0y4p0amnsr1wb5h\4.7.0.0\user.config

Filesize
1KB

MD5
495d368baef768dd527dd8b772702c87

SHA1
20ceb83c7076024e0491f169173607aa4a2e3931

SHA256
38f1820a88401c8e117bfeca56a11aa06dc806a175203e86f323dc6fb81fb3cf

SHA512
75770717f4bc7c9bdd13d747fdcd6306c38423b1b5d908b5d7cdf4da1b7bbe722f65bb52e63c61ca6da89981d8f5a99035c1d610a0fdacb706a046520c291d18

Download Submit
C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_ngizoguis4xqpklht0y4p0amnsr1wb5h\4.7.0.0\user.config

Filesize
1KB

MD5
4b01719ab493b81d429c574dbaca15ef

SHA1
719ef1e4e6616a3d8afce09de7f89ddcf186a3a3

SHA256
33ce546b728989bc9ff5dd4c487a87723e5eb7b3953b7cb56e747747411b6c54

SHA512
4d5293d8b58c793bbbe6dedc061cb4fd3e7302771ee91789240ecf80f2f79d08dffc36d148f755107a3d12de6037ab18c57cb42494de80a40d90b64bb04ef234

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Anarchy Panel.exe.config

Filesize
3KB

MD5
3d441f780367944d267e359e4786facd

SHA1
d3a4ba9ffc555bbc66207dfdaf3b2d569371f7b5

SHA256
49648bbe8ec16d572b125fff1f0e7faa19e1e8c315fd2a1055d6206860a960c9

SHA512
5f17ec093cdce3dbe2cb62fec264b3285aabe7352c1d65ec069ffbc8a17a9b684850fe38c1ffd8b0932199c820881d255c8d1e6000cbbe85587c98e88c9acb90

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Infected.exe

Filesize
63KB

MD5
64ca5c257f4d056be7b96a9db33f0ebf

SHA1
515b613c389ae1a1abf1f6e27752b6258a71993d

SHA256
a19a10f5758e7f5d2d543089d966c1328814b67b6123ea755da68ae18a78eac6

SHA512
6707f904176449a48fa58b9b05fd1f4024cfb24317366426fee6c5bde54ef2ce288fe6389149f5baaff24c4bc2e9869e8ef040055c887f7ff215f70947bf0064

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\0guo3zbo66fqoG.dll

Filesize
78KB

MD5
e4ebcf76ff80ef398d3ab77d577f4c08

SHA1
cb9e6b30a63d50ae87610f6855b64abfb25691d2

SHA256
9661b1abc9a3e95e591c49c3838a64a066a2ff3c6de08d8aa7b541c4a75cd8e5

SHA512
8f37cedd987dd14181fdfa861b8a95271868dac21aa9df80bd6daa831ae20f4b4965c8be3e36f32aa220bd37ded11a7568ae237c9c9641bb4fc087f6fe104b01

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\59Zp7paEHDF7luJ.dll

Filesize
4.0MB

MD5
15e3d44d37439f3ac8574ac1c9789ec2

SHA1
bb3ef30e9f4496198f412738579966210ade36e0

SHA256
5db4c26057a05bb75ff7892fb60fd76620fc2228811d913d152a0aa4ec9db7a5

SHA512
ff358c9896792017ff7e91f1dedffd9d75a099c5b852da19599799aeca20b6b269267ff7c12c918a2530fe1a79a12bc8796c4eb3914c97faba3eba27388abde1

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\CjETR6GpGXqM.dll

Filesize
395KB

MD5
b0fc0ba80f8ec9586ff397412c512d9f

SHA1
0f6051b71b715a47be1fa16683201413905629a3

SHA256
13db80a0211ba9bf59a1e43bdb2fffa91de5c7f38bd469c4824b5e06245a0234

SHA512
222a365ae567c6c773ca2b99b82795916839cc5c9ba8eb019bf6713108720c2793303ef6612b64488f4584602cec84c0b48a02fe709db0250bf377d07e002d7d

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\EVa7gBMKoaHmLC.dll

Filesize
170KB

MD5
64a3d908b8a5feff2bccfc67f3a67dbd

SHA1
a17d7e5fa57c99a067cac459cb507b625dac254e

SHA256
6ea1ae7ab496666c0117fc20e704bfb6104b13cfb0408073a09689f863fa64b1

SHA512
66374d720230799bea6ac6cfe3faadc37fd775a49d40c04facae1caf1ec658956bbda54ba75287d7128b19b97971bd933a64469da8e0884225c5a8d8b9423ccc

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\FBSyChwp.dll

Filesize
170KB

MD5
0d41ccfaa8e7ef96248b8270d1a44d08

SHA1
6ee22bdb91d3a18e0b45b6590eb69bc9a0b02326

SHA256
0ea38d0d964815e2b84748a78bd5a829ae01586478e5f17b976f1ae763c8dec3

SHA512
a0f236f6dbeb1763fb1c198616de65b907a3a5edf7ed9435c2ad0b5826d84e9d2f25e96aba4e8b681ef495612cf0e04e929427a92d332164ace89e797bcb0e0e

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\G3nl0mDcABnDuZ.dll

Filesize
177KB

MD5
97b8bec4c47286e333cc2bedacf7338e

SHA1
764bbd0307924b71ca89538b42996208d10c9b91

SHA256
060d467cbeb0a58696287c052f3dd9b3597331b1c812e3e2882d6c232f8511de

SHA512
a40970622a594533349e75fc2022314ba21f05fc82709d6eaba82f4a2bc343c960029ad2825cfc034ce82622722127d149993bff88982f02d6dd6b5b1fb60fbf

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\KNTmoSnG.dll

Filesize
670KB

MD5
738c096a9bc38e21a9aa59ebc356c80d

SHA1
139756ad201a537461a6bb8524a4b89a63b1b1b9

SHA256
300a5551f7be89c5f03c0b70fa7dafb7f84c6394dac68bee95169e985e7786f0

SHA512
294c34f0716861fa67ba571bf7a8614613a1746e9f2935ba0c86eb1897dff858ea1f7fb44f1b6ec87cc709f4933a912dcd3eadd5d0b208c72985aa47e1f214f2

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\PK0TcnqTGFagQTS.dll

Filesize
174KB

MD5
fa90a2aee0d172000257c4faca31237c

SHA1
b317281b4acaaf1d7b7255c5e92887322abae892

SHA256
991fc53fa1aa7b5cd0b6e19dab536873d68e4413fd55b533601a3a2582d38a49

SHA512
b05c0b52e011089258ad31dd23a1f8a0cc8145b202e42e2a9d4fdf892c12d4a7b5843cc7721041295ab796e8bc98747b9e321c4e54bfd1a7c9a02dd2796fc405

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\RssCnLKcGRxj.dll

Filesize
181KB

MD5
f6808c4fbbe0275db03b2cc5b4c2bc0d

SHA1
e40b61c64c68f72fc5144f5057d54229babdecf8

SHA256
e204d15f0e7269d364157aaab265a5dfbe7e76c9f6202bf90998f0edd77ca248

SHA512
f077c49f6943d0e40799b3b42d1e11f50dabca48305c36ef2acd3258c990e0e0f982fbb0c27b1243aa15d2ed7b398b70f07dddc9ba76ff032ba74a24c8e08fb4

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\WkUP83aP9CABpi.dll

Filesize
86KB

MD5
8dbfb67c059aa59f7c53e20ef6740363

SHA1
3de96e7f48ee7647f5a7c2efb68cbd914bc78364

SHA256
a74b74f463d567c1f0505bddcd49ed23700f9ab7dcf4b7f46435723258c5a7e2

SHA512
70aed01375416e2be63d676bbdba58c12ba5f50d406d1fe252e7a66b901d32e0705007dbf465193de51663174c1b53bdb980890d8b2e6ce641dd16a200e3440d

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\eMTYbTz0gueNs4.dll

Filesize
1.1MB

MD5
5dfbcfbbf9e2ae7db23e252808699ffb

SHA1
a1d429292fe73aeb5abab10304e1ae8c1262b26d

SHA256
929e5f15e9ceca03c80b2d174283cb25bf47adfe4693f5c01f622416c9f6d03c

SHA512
9ee63080781577e0d818a27d026024f96161bb7b132dc0c130fabbe2d6c3b7758868fff5a4ad68efeb4d08f964e2f69417022751880a443f7f920aa4f40f5c09

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\fzAgyDYa.dll

Filesize
79KB

MD5
a5770798b7a6465f5b5a8c19d7d707ee

SHA1
ca67e9591d2f757cbbfacb55f27aec6485b10ee6

SHA256
f855353a618af8a53504b5188c05d3a09fb1ff85763e0cd15c53dee82d7c6119

SHA512
64da7687e83c6ff4d1c1cdc644ffff53333f745e82f169beb529d55ec5be6f21658d27c6e01744147c00f834978260e86ea627a5f2981f27305afb69a7b467dc

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\mGWHaG2Jn.dll

Filesize
81KB

MD5
8f98206f577160f950d456d1190c8d32

SHA1
defced38fce00775c4616b420fa674d77f946eff

SHA256
2bde0293c982fb6266c683ecaa2c90372d26d9a2786726874a2cfb89dcc68324

SHA512
432c2b6759701754616273633c966332e718dbb10a9a7eab0d7c57ffdc9be95b5e1b16b6e291301ac7aa6d1de48a46d30f08729e45d6634b1849f41c78e92d91

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\mML6WKMqdxjDGA.dll

Filesize
173KB

MD5
e03b206eec8a7efbd1a47909071226e5

SHA1
21163989ea524920e874bc7932adfcd5e94f854e

SHA256
778877431354a9584325dadb663be077f757227eaae8bcad33e4bf26efd6b965

SHA512
831ed74419f1b4c3250fbff20be16ed7058a851d7168a17e8a4dcf284a19412feee42a8c198af34b37571de33a80c48ac855f5d018ea9e2cfdcd846b832155ff

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\oYsKwDG.dll

Filesize
4.8MB

MD5
a718955297276f2349b7644447736e08

SHA1
377388d115b77aff357dcaf92b6aeb6286b1460d

SHA256
54ec206c8fe8ff27b3fb02ef892b8e6bc4b6abfff2fe08f5f57175c64f1d3220

SHA512
a3c2ded0cdc4e62adac92a569d6cd4db0c3647e663700f019a9de27e738eb2672e5cccec19af15633a3cd25a882452ff5ce39c17f67dc3ed6653b9e0ad063641

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\rNXXgmX25s.dll

Filesize
1.5MB

MD5
050f07b46987eaf152aab521c0112fc4

SHA1
2d2c0943ce9c10ba09b0d5cca54c2a88a1e61e95

SHA256
b93374fdfd9af786ff20597ae0e242b81373984ba5718194f9e57feb231c52cf

SHA512
a27c370e40ec126b6b9f3ab7d603378c2b629ec752aa8fc57a10e3ef58c0b701a5d1b4903a17ba180c4e73e76b54304f0868c474eb60e671562d0deed83a18c8

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\sJ88z8tsg5XzK.dll

Filesize
172KB

MD5
b3fa2c3d50057ddd2c9579dc0aef1590

SHA1
88a1f57b9177c95a2e095866574639b09d5f310a

SHA256
6eaf5744b8ec91312e1c6be83d852627e5204b3b64a1932e60e47438d73fb6bf

SHA512
0d1b8288cbc1c206029fe2f9b7366b2f8b49158e4c9643e453111ceb90fd77af903533c64f6ede351755414c9e7daa926704cda6f1953be79e1adc7aff515508

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Plugins\yL9x34D8X3oO2P.dll

Filesize
180KB

MD5
38502e61cc1d39095a12c1883551ad9f

SHA1
135c9cad9e6d54bf66a1cee5c99ba510102623b0

SHA256
0e9733277eac197c4eaf40fb0eada0907388222ef21843488a8e591149768301

SHA512
cd67a63ea954a4db8c8dfadceb2822b447d98c2c43a8f9c6901d0fce3230605a0416395b92caea6ac08348d5f6b0e1cb052b24cf90829602b0a5b0652b8a2600

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\Usrs.p12

Filesize
1KB

MD5
d3329e96031efae033873ab280ee08ec

SHA1
19460f48c4448083a901cdbb3229223cb8f7018f

SHA256
b62e244de4d836e50dd7e5e4fea9371de617403259ac57f75e10f50ebae4e0f8

SHA512
c99f5939d62f24ae572d362a97e81d9ece32d47d43b3e803bc34269263e74c3fb1dd2ca2f40430a21641815915ce3382c93484851e952764f6a16940284d0010

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel\loginandpassword.txt

Filesize
90B

MD5
7ee98887cd3550deb1e601361b5821f2

SHA1
f8b97ee5d34be89446a31ebf87e6dfbceddc5479

SHA256
eccf16f811dabab40436d06dcf15b05d00f084b0dc5911ae1ea23cd08f4ce41f

SHA512
e0d56654c738072b6c3a6c4f2f1173900d5bf9480f82a8784fd8f03f7cf75327dad918f1d68121caedcdde15db7cda89d4c61d28518f2383699e1c963ed5ea38

Download Submit
memory/1568-501-0x00000000041B0000-0x00000000041B1000-memory.dmp

Filesize
4KB

Download
memory/4880-334-0x0000024423380000-0x0000024423480000-memory.dmp

Filesize
1024KB

Download
memory/4880-345-0x0000024424360000-0x0000024424380000-memory.dmp

Filesize
128KB

Download
memory/4880-358-0x0000024424770000-0x0000024424790000-memory.dmp

Filesize
128KB

Download
memory/4880-339-0x00000244243A0000-0x00000244243C0000-memory.dmp

Filesize
128KB

Download
memory/4896-116-0x000000001BDD0000-0x000000001BF58000-memory.dmp

Filesize
1.5MB

Download
memory/4896-324-0x000000001BD50000-0x000000001BD6C000-memory.dmp

Filesize
112KB

Download
memory/4896-115-0x00000000024A0000-0x0000000002516000-memory.dmp

Filesize
472KB

Download
memory/4896-100-0x00000000001A0000-0x00000000001B6000-memory.dmp

Filesize
88KB

Download
memory/4896-117-0x0000000000B80000-0x0000000000B9E000-memory.dmp

Filesize
120KB

Download
memory/4896-122-0x0000000000AF0000-0x0000000000AFA000-memory.dmp

Filesize
40KB

Download
memory/4896-506-0x000000001BD00000-0x000000001BD34000-memory.dmp

Filesize
208KB

Download
memory/4896-503-0x000000001D440000-0x000000001D90C000-memory.dmp

Filesize
4.8MB

Download
memory/4896-502-0x000000001BC50000-0x000000001BD02000-memory.dmp

Filesize
712KB

Download
memory/4896-327-0x000000001BD90000-0x000000001BDC2000-memory.dmp

Filesize
200KB

Download
memory/4896-261-0x000000001BFE0000-0x000000001C020000-memory.dmp

Filesize
256KB

Download
memory/4896-282-0x000000001BBD0000-0x000000001BC4A000-memory.dmp

Filesize
488KB

Download
memory/4920-62-0x000000001E670000-0x000000001E682000-memory.dmp

Filesize
72KB

Download
memory/4920-66-0x00007FF8DA923000-0x00007FF8DA925000-memory.dmp

Filesize
8KB

Download
memory/4920-63-0x000000001ECC0000-0x000000001F2A8000-memory.dmp

Filesize
5.9MB

Download
memory/4920-68-0x00007FF8DA920000-0x00007FF8DB3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4920-64-0x000000001F2B0000-0x000000001F670000-memory.dmp

Filesize
3.8MB

Download
memory/4920-67-0x00007FF8DA920000-0x00007FF8DB3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4920-69-0x00000000230F0000-0x0000000023342000-memory.dmp

Filesize
2.3MB

Download
memory/4920-70-0x0000000023870000-0x00000000239BE000-memory.dmp

Filesize
1.3MB

Download
memory/4920-71-0x0000000023A00000-0x0000000023A14000-memory.dmp

Filesize
80KB

Download
memory/4920-72-0x0000000023BA0000-0x0000000023D2C000-memory.dmp

Filesize
1.5MB

Download
memory/4920-56-0x00007FF8DA920000-0x00007FF8DB3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4920-79-0x0000000021C00000-0x0000000021D1E000-memory.dmp

Filesize
1.1MB

Download
memory/4920-65-0x0000000020C30000-0x0000000020D32000-memory.dmp

Filesize
1.0MB

Download
memory/4920-53-0x00007FF8DA923000-0x00007FF8DA925000-memory.dmp

Filesize
8KB

Download
memory/4920-55-0x00007FF8DA920000-0x00007FF8DB3E1000-memory.dmp

Filesize
10.8MB

Download
memory/4920-54-0x0000000000530000-0x0000000003BCE000-memory.dmp

Filesize
54.6MB

Download
memory/4932-333-0x0000000004DF0000-0x0000000004DF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads