asyncrat | 7c1d0a5b8a6a3755887981f854c368b372e0629929f3ded5bf17715ec220423e

Analysis

max time kernel
163s
max time network
154s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20/02/2025, 22:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anarchy Panel 4.7.rar
Size

53.7MB
MD5

1ac099674321f8736ef32e0eed5dbaee
SHA1

d609a36a7687635631380378a8262f66dfd78fb0
SHA256

7c1d0a5b8a6a3755887981f854c368b372e0629929f3ded5bf17715ec220423e
SHA512

3c798e14f584b9629cc9807c01abe56d5bebdc4812a38eb5f7299eb729fa5576b17ef167607211ccf8a19ca05fb8c4799897a2fff584cf5a92499ae730762bd9
SSDEEP

786432:zWgaBwgV+yi4Z6dFTlYG9rLKVp29NRvLbWMMydIWd/inlJWDx+xteKGnYnPJCA+I:CV2ikYUrLY2HJRtIWdYlJC1K+YC5Lmz3

Score

10^/10

asyncrat stealerium stormkitty default collection discovery persistence privilege_escalation rat stealer

Malware Config

Extracted

Family

asyncrat

Botnet

Default

127.0.0.1:3232

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Stealerium
An open source info stealer written in C# first seen in May 2022.
stealer stealerium
Stealerium family
stealerium
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000027cd1-125.dat	family_stormkitty

Stormkitty family
stormkitty

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x0008000000027d6c-117.dat	family_asyncrat

.NET Reactor proctector 1 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral1/memory/4560-48-0x0000000000020000-0x00000000036BE000-memory.dmp	net_reactor

Executes dropped EXE 3 IoCs

pid	Process
4560	Anarchy Panel.exe
4348	Anarchy Panel.exe
2244	Infected.exe

Loads dropped DLL 2 IoCs

pid	Process
4560	Anarchy Panel.exe
4348	Anarchy Panel.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe
Key opened	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe
Key opened	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
36	icanhazip.com
38	ip-api.com

Looks up geolocation information via web service
Uses a legitimate geolocation service to find the infected system's geolocation info.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2652	cmd.exe
2012	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Infected.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Infected.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Internet Explorer\TypedURLs	Anarchy Panel.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 020000000100000000000000ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0 = 5000310000000000515a9195100041646d696e003c0009000400efbe515ad590545acfb52e000000ee0501000000020000000000000000000000000000003c642100410064006d0069006e00000014000000	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0\MRUListEx = ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings	7zFM.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0 = 7800310000000000515ad5901100557365727300640009000400efbe874f7748545acfb52e000000fd0100000000010000000000000000003a0000000000e3ea150055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0 = 6e00310000000000545ae4b51000414e415243487e312e370000540009000400efbe545acfb5545ae4b52e000000af7c020000000b000000000000000000000000000000e4641f0141006e00610072006300680079002000500061006e0065006c00200034002e00370000001a000000	Anarchy Panel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0 = 7e00310000000000545ad1b511004465736b746f7000680009000400efbe515ad590545ad1b52e000000f80501000000020000000000000000003e0000000000d4aa41004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\0\0\NodeSlot = "5"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	Anarchy Panel.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0 = 19002f433a5c000000000000000000000000000000000000000000	Anarchy Panel.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\0\0\0\MRUListEx = 00000000ffffffff	Anarchy Panel.exe
Key created	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	Anarchy Panel.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2036	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
1984	7zFM.exe
1984	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
3796	7zFM.exe
4348	Anarchy Panel.exe
1984	7zFM.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	3796	7zFM.exe
Token: 35	3796	7zFM.exe
Token: SeSecurityPrivilege	3796	7zFM.exe
Token: SeDebugPrivilege	4560	Anarchy Panel.exe
Token: SeDebugPrivilege	4348	Anarchy Panel.exe
Token: SeRestorePrivilege	1984	7zFM.exe
Token: 35	1984	7zFM.exe
Token: SeSecurityPrivilege	1984	7zFM.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
3796	7zFM.exe
3796	7zFM.exe
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe
1984	7zFM.exe
1984	7zFM.exe
1984	7zFM.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4348	Anarchy Panel.exe
4348	Anarchy Panel.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4348	Anarchy Panel.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 4868	2652	cmd.exe	99
PID 2652 wrote to memory of 4868	2652	cmd.exe	99
PID 2652 wrote to memory of 2012	2652	cmd.exe	100
PID 2652 wrote to memory of 2012	2652	cmd.exe	100
PID 2652 wrote to memory of 3132	2652	cmd.exe	101
PID 2652 wrote to memory of 3132	2652	cmd.exe	101
PID 4636 wrote to memory of 920	4636	cmd.exe	104
PID 4636 wrote to memory of 920	4636	cmd.exe	104
PID 4636 wrote to memory of 4912	4636	cmd.exe	105
PID 4636 wrote to memory of 4912	4636	cmd.exe	105
PID 1984 wrote to memory of 2036	1984	7zFM.exe	110
PID 1984 wrote to memory of 2036	1984	7zFM.exe	110

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2501448743-3279416841-701563739-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Infected.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel 4.7.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3796

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4852

C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe
"C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:4560

C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe
"C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4348

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4296

C:\Users\Admin\Desktop\Anarchy Panel 4.7\Infected.exe
"C:\Users\Admin\Desktop\Anarchy Panel 4.7\Infected.exe"
1⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- outlook_office_path
- outlook_win_path
PID:2244
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All
  2⤵
  - System Network Configuration Discovery: Wi-Fi Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:4868
- - C:\Windows\system32\netsh.exe
    netsh wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2012
- - C:\Windows\system32\findstr.exe
    findstr All
    3⤵
    PID:3132
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C chcp 65001 && netsh wlan show networks mode=bssid
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:920
- - C:\Windows\system32\netsh.exe
    netsh wlan show networks mode=bssid
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:4912

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Anarchy Panel 4.7\ClientsFolder\4FC4BAF1B61D68290ECC\StealData\Information about the data.txt
1⤵
PID:4932

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Anarchy Panel 4.7\ClientsFolder\4FC4BAF1B61D68290ECC\StealData\AnarchyData.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO0C7B94A9\OneDrive.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO0C7B94A9\OneDrive.txt

Filesize
25B

MD5
966247eb3ee749e21597d73c4176bd52

SHA1
1e9e63c2872cef8f015d4b888eb9f81b00a35c79

SHA256
8ddfc481b1b6ae30815ecce8a73755862f24b3bb7fdebdbf099e037d53eb082e

SHA512
bd30aec68c070e86e3dec787ed26dd3d6b7d33d83e43cb2d50f9e2cff779fee4c96afbbe170443bd62874073a844beb29a69b10c72c54d7d444a8d86cfd7b5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Costura\C5730A4C0FDD612A5678E51A536CE09E\64\sqlite.interop.dll

Filesize
1.7MB

MD5
56a504a34d2cfbfc7eaa2b68e34af8ad

SHA1
426b48b0f3b691e3bb29f465aed9b936f29fc8cc

SHA256
9309fb2a3f326d0f2cc3f2ab837cfd02e4f8cb6b923b3b2be265591fd38f4961

SHA512
170c3645083d869e2368ee16325d7edaeba2d8f1d3d4a6a1054cfdd8616e03073772eeae30c8f79a93173825f83891e7b0e4fd89ef416808359f715a641747d7

Download Submit
C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_fyvzuhxnbqilp3z0o2ahpywhvhur0bh3\4.7.0.0\ddfbyvh2.newcfg

Filesize
1KB

MD5
495d368baef768dd527dd8b772702c87

SHA1
20ceb83c7076024e0491f169173607aa4a2e3931

SHA256
38f1820a88401c8e117bfeca56a11aa06dc806a175203e86f323dc6fb81fb3cf

SHA512
75770717f4bc7c9bdd13d747fdcd6306c38423b1b5d908b5d7cdf4da1b7bbe722f65bb52e63c61ca6da89981d8f5a99035c1d610a0fdacb706a046520c291d18

Download Submit
C:\Users\Admin\AppData\Local\VyLcvAjyZL9oUxnI4mJV\Anarchy_Panel.exe_Url_fyvzuhxnbqilp3z0o2ahpywhvhur0bh3\4.7.0.0\user.config

Filesize
1KB

MD5
4b01719ab493b81d429c574dbaca15ef

SHA1
719ef1e4e6616a3d8afce09de7f89ddcf186a3a3

SHA256
33ce546b728989bc9ff5dd4c487a87723e5eb7b3953b7cb56e747747411b6c54

SHA512
4d5293d8b58c793bbbe6dedc061cb4fd3e7302771ee91789240ecf80f2f79d08dffc36d148f755107a3d12de6037ab18c57cb42494de80a40d90b64bb04ef234

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Anarchy Panel.exe.config

Filesize
3KB

MD5
3d441f780367944d267e359e4786facd

SHA1
d3a4ba9ffc555bbc66207dfdaf3b2d569371f7b5

SHA256
49648bbe8ec16d572b125fff1f0e7faa19e1e8c315fd2a1055d6206860a960c9

SHA512
5f17ec093cdce3dbe2cb62fec264b3285aabe7352c1d65ec069ffbc8a17a9b684850fe38c1ffd8b0932199c820881d255c8d1e6000cbbe85587c98e88c9acb90

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\ClientsFolder\4FC4BAF1B61D68290ECC\StealData\AnarchyData.zip

Filesize
65KB

MD5
72809a64fcd00954a08d3e3e8a2f2445

SHA1
06dd8e01939029357e4884c89ca41c914d7e08ae

SHA256
1fec8a2a3829edc534b239ef674790ecb78d77a8494a61664d99d348628f7ffe

SHA512
9ddf88a4899fd6a0ff6c9ddfc94d3ac883ec870d248999dcd932b7439068d882ca68996101d5d10b4edf8ddcda26024a93175a3adc51b4832e0a1ad3d92d8259

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\ClientsFolder\4FC4BAF1B61D68290ECC\StealData\Information about the data.txt

Filesize
1KB

MD5
49dec79a995ca1b9ce476b8deb8caf03

SHA1
20525b5a8821079ada1f30ea05b15e870412b61a

SHA256
bed5c4f13a29bcab706827ceb76045fd840fb8f33a7b3d373837727183f02508

SHA512
1bde05f67269770cbc905b05b29c8100aab11a62331de6501ce8d59815fb406c70254f31095a322d449872662769b31d200cd2c43d0d8c48ac5e346fd14e5252

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Infected.exe

Filesize
63KB

MD5
30362181a742fb8bc5612bad13c0a946

SHA1
6befad828f2a58392127f0a1b09e4bdf79414730

SHA256
3435ff129bbca838396c6a381a60525c9009093f2f7b94fee0d2fa39953fbe41

SHA512
36db4f64faf4c087e5c4b11f306f3e96f728961994ceae54cb0b188ba761b2181c61c061516fd6ff47f5644e01daa677d44489178d3efa6ae5eb751e4ac9ae52

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\0guo3zbo66fqoG.dll

Filesize
78KB

MD5
e4ebcf76ff80ef398d3ab77d577f4c08

SHA1
cb9e6b30a63d50ae87610f6855b64abfb25691d2

SHA256
9661b1abc9a3e95e591c49c3838a64a066a2ff3c6de08d8aa7b541c4a75cd8e5

SHA512
8f37cedd987dd14181fdfa861b8a95271868dac21aa9df80bd6daa831ae20f4b4965c8be3e36f32aa220bd37ded11a7568ae237c9c9641bb4fc087f6fe104b01

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\59Zp7paEHDF7luJ.dll

Filesize
4.0MB

MD5
15e3d44d37439f3ac8574ac1c9789ec2

SHA1
bb3ef30e9f4496198f412738579966210ade36e0

SHA256
5db4c26057a05bb75ff7892fb60fd76620fc2228811d913d152a0aa4ec9db7a5

SHA512
ff358c9896792017ff7e91f1dedffd9d75a099c5b852da19599799aeca20b6b269267ff7c12c918a2530fe1a79a12bc8796c4eb3914c97faba3eba27388abde1

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\CjETR6GpGXqM.dll

Filesize
395KB

MD5
b0fc0ba80f8ec9586ff397412c512d9f

SHA1
0f6051b71b715a47be1fa16683201413905629a3

SHA256
13db80a0211ba9bf59a1e43bdb2fffa91de5c7f38bd469c4824b5e06245a0234

SHA512
222a365ae567c6c773ca2b99b82795916839cc5c9ba8eb019bf6713108720c2793303ef6612b64488f4584602cec84c0b48a02fe709db0250bf377d07e002d7d

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\EVa7gBMKoaHmLC.dll

Filesize
170KB

MD5
64a3d908b8a5feff2bccfc67f3a67dbd

SHA1
a17d7e5fa57c99a067cac459cb507b625dac254e

SHA256
6ea1ae7ab496666c0117fc20e704bfb6104b13cfb0408073a09689f863fa64b1

SHA512
66374d720230799bea6ac6cfe3faadc37fd775a49d40c04facae1caf1ec658956bbda54ba75287d7128b19b97971bd933a64469da8e0884225c5a8d8b9423ccc

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\FBSyChwp.dll

Filesize
170KB

MD5
0d41ccfaa8e7ef96248b8270d1a44d08

SHA1
6ee22bdb91d3a18e0b45b6590eb69bc9a0b02326

SHA256
0ea38d0d964815e2b84748a78bd5a829ae01586478e5f17b976f1ae763c8dec3

SHA512
a0f236f6dbeb1763fb1c198616de65b907a3a5edf7ed9435c2ad0b5826d84e9d2f25e96aba4e8b681ef495612cf0e04e929427a92d332164ace89e797bcb0e0e

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\G3nl0mDcABnDuZ.dll

Filesize
177KB

MD5
97b8bec4c47286e333cc2bedacf7338e

SHA1
764bbd0307924b71ca89538b42996208d10c9b91

SHA256
060d467cbeb0a58696287c052f3dd9b3597331b1c812e3e2882d6c232f8511de

SHA512
a40970622a594533349e75fc2022314ba21f05fc82709d6eaba82f4a2bc343c960029ad2825cfc034ce82622722127d149993bff88982f02d6dd6b5b1fb60fbf

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\KNTmoSnG.dll

Filesize
670KB

MD5
738c096a9bc38e21a9aa59ebc356c80d

SHA1
139756ad201a537461a6bb8524a4b89a63b1b1b9

SHA256
300a5551f7be89c5f03c0b70fa7dafb7f84c6394dac68bee95169e985e7786f0

SHA512
294c34f0716861fa67ba571bf7a8614613a1746e9f2935ba0c86eb1897dff858ea1f7fb44f1b6ec87cc709f4933a912dcd3eadd5d0b208c72985aa47e1f214f2

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\PK0TcnqTGFagQTS.dll

Filesize
174KB

MD5
fa90a2aee0d172000257c4faca31237c

SHA1
b317281b4acaaf1d7b7255c5e92887322abae892

SHA256
991fc53fa1aa7b5cd0b6e19dab536873d68e4413fd55b533601a3a2582d38a49

SHA512
b05c0b52e011089258ad31dd23a1f8a0cc8145b202e42e2a9d4fdf892c12d4a7b5843cc7721041295ab796e8bc98747b9e321c4e54bfd1a7c9a02dd2796fc405

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\eMTYbTz0gueNs4.dll

Filesize
1.1MB

MD5
5dfbcfbbf9e2ae7db23e252808699ffb

SHA1
a1d429292fe73aeb5abab10304e1ae8c1262b26d

SHA256
929e5f15e9ceca03c80b2d174283cb25bf47adfe4693f5c01f622416c9f6d03c

SHA512
9ee63080781577e0d818a27d026024f96161bb7b132dc0c130fabbe2d6c3b7758868fff5a4ad68efeb4d08f964e2f69417022751880a443f7f920aa4f40f5c09

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\fzAgyDYa.dll

Filesize
79KB

MD5
a5770798b7a6465f5b5a8c19d7d707ee

SHA1
ca67e9591d2f757cbbfacb55f27aec6485b10ee6

SHA256
f855353a618af8a53504b5188c05d3a09fb1ff85763e0cd15c53dee82d7c6119

SHA512
64da7687e83c6ff4d1c1cdc644ffff53333f745e82f169beb529d55ec5be6f21658d27c6e01744147c00f834978260e86ea627a5f2981f27305afb69a7b467dc

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\mGWHaG2Jn.dll

Filesize
81KB

MD5
8f98206f577160f950d456d1190c8d32

SHA1
defced38fce00775c4616b420fa674d77f946eff

SHA256
2bde0293c982fb6266c683ecaa2c90372d26d9a2786726874a2cfb89dcc68324

SHA512
432c2b6759701754616273633c966332e718dbb10a9a7eab0d7c57ffdc9be95b5e1b16b6e291301ac7aa6d1de48a46d30f08729e45d6634b1849f41c78e92d91

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\mML6WKMqdxjDGA.dll

Filesize
173KB

MD5
e03b206eec8a7efbd1a47909071226e5

SHA1
21163989ea524920e874bc7932adfcd5e94f854e

SHA256
778877431354a9584325dadb663be077f757227eaae8bcad33e4bf26efd6b965

SHA512
831ed74419f1b4c3250fbff20be16ed7058a851d7168a17e8a4dcf284a19412feee42a8c198af34b37571de33a80c48ac855f5d018ea9e2cfdcd846b832155ff

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\oYsKwDG.dll

Filesize
4.8MB

MD5
a718955297276f2349b7644447736e08

SHA1
377388d115b77aff357dcaf92b6aeb6286b1460d

SHA256
54ec206c8fe8ff27b3fb02ef892b8e6bc4b6abfff2fe08f5f57175c64f1d3220

SHA512
a3c2ded0cdc4e62adac92a569d6cd4db0c3647e663700f019a9de27e738eb2672e5cccec19af15633a3cd25a882452ff5ce39c17f67dc3ed6653b9e0ad063641

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Plugins\rNXXgmX25s.dll

Filesize
1.5MB

MD5
050f07b46987eaf152aab521c0112fc4

SHA1
2d2c0943ce9c10ba09b0d5cca54c2a88a1e61e95

SHA256
b93374fdfd9af786ff20597ae0e242b81373984ba5718194f9e57feb231c52cf

SHA512
a27c370e40ec126b6b9f3ab7d603378c2b629ec752aa8fc57a10e3ef58c0b701a5d1b4903a17ba180c4e73e76b54304f0868c474eb60e671562d0deed83a18c8

Download Submit
C:\Users\Admin\Desktop\Anarchy Panel 4.7\Usrs.p12

Filesize
1KB

MD5
290ece3710b655d71e62517d77414208

SHA1
b3d08a6ff99d615cef7be9fa1f21ad470b82410e

SHA256
8c7138c5d3bdf7fac3367dca06e1e28a7d7bc2018c40689bbc044728c755a67e

SHA512
32d4ecb0c4ee0e27660e5294182ec1ed318102902e3889e96d6308d987232209c48f5b4fe74248ed4bba3f672510fa37bbc11db4a8723841932fb766077814be

Download Submit
memory/4348-75-0x00000000200C0000-0x00000000200CA000-memory.dmp

Filesize
40KB

Download
memory/4348-69-0x0000000025180000-0x00000000253F8000-memory.dmp

Filesize
2.5MB

Download
memory/4348-68-0x0000000024EB0000-0x0000000024EC2000-memory.dmp

Filesize
72KB

Download
memory/4348-67-0x0000000025170000-0x0000000025184000-memory.dmp

Filesize
80KB

Download
memory/4348-66-0x0000000024ED0000-0x000000002501E000-memory.dmp

Filesize
1.3MB

Download
memory/4348-65-0x00000000246A0000-0x00000000248F2000-memory.dmp

Filesize
2.3MB

Download
memory/4348-82-0x0000000026070000-0x000000002618E000-memory.dmp

Filesize
1.1MB

Download
memory/4560-60-0x00007FFFE46E0000-0x00007FFFE51A2000-memory.dmp

Filesize
10.8MB

Download
memory/4560-58-0x000000001FBB0000-0x000000001FF70000-memory.dmp

Filesize
3.8MB

Download
memory/4560-59-0x00007FFFE46E3000-0x00007FFFE46E5000-memory.dmp

Filesize
8KB

Download
memory/4560-57-0x000000001F5C0000-0x000000001FBA8000-memory.dmp

Filesize
5.9MB

Download
memory/4560-62-0x00007FFFE46E0000-0x00007FFFE51A2000-memory.dmp

Filesize
10.8MB

Download
memory/4560-56-0x000000001E150000-0x000000001E162000-memory.dmp

Filesize
72KB

Download
memory/4560-50-0x00007FFFE46E0000-0x00007FFFE51A2000-memory.dmp

Filesize
10.8MB

Download
memory/4560-49-0x00007FFFE46E0000-0x00007FFFE51A2000-memory.dmp

Filesize
10.8MB

Download
memory/4560-48-0x0000000000020000-0x00000000036BE000-memory.dmp

Filesize
54.6MB

Download
memory/4560-47-0x00007FFFE46E3000-0x00007FFFE46E5000-memory.dmp

Filesize
8KB

Download