Malware Analysis Report

2025-08-05 16:19

Sample ID 231023-mle15afg7x
Target 341ee831beed0672610cb558fd96a92f4991fccd7e30c52a73932798b6579b4c
SHA256 341ee831beed0672610cb558fd96a92f4991fccd7e30c52a73932798b6579b4c
Tags
formbook g11y rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

341ee831beed0672610cb558fd96a92f4991fccd7e30c52a73932798b6579b4c

Threat Level: Known bad

The file 341ee831beed0672610cb558fd96a92f4991fccd7e30c52a73932798b6579b4c was found to be: Known bad.

Malicious Activity Summary

formbook g11y rat spyware stealer trojan

Formbook

Formbook payload

Checks computer location settings

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of UnmapMainImage

Creates scheduled task(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-23 10:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-23 10:32

Reported

2023-10-23 10:35

Platform

win7-20231020-en

Max time kernel

150s

Max time network

140s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\colorcpl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2196 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2196 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 2196 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2196 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2196 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2196 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2196 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2196 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2196 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2196 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2196 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2196 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1260 wrote to memory of 2524 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\colorcpl.exe
PID 1260 wrote to memory of 2524 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\colorcpl.exe
PID 1260 wrote to memory of 2524 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\colorcpl.exe
PID 1260 wrote to memory of 2524 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\colorcpl.exe
PID 2524 wrote to memory of 3024 N/A C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 3024 N/A C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 3024 N/A C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\cmd.exe
PID 2524 wrote to memory of 3024 N/A C:\Windows\SysWOW64\colorcpl.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe

"C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\idScXbUauEgmY.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\idScXbUauEgmY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3256.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\colorcpl.exe

"C:\Windows\SysWOW64\colorcpl.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.babyshowerco.com udp
US 3.33.130.190:80 www.babyshowerco.com tcp
US 8.8.8.8:53 www.x-y-z.online udp
US 8.8.8.8:53 www.cinelinz.com udp
US 34.94.245.237:80 www.cinelinz.com tcp
US 8.8.8.8:53 www.urupum.site udp

Files

memory/2196-1-0x00000000744E0000-0x0000000074BCE000-memory.dmp

memory/2196-0-0x0000000000900000-0x00000000009AA000-memory.dmp

memory/2196-2-0x0000000004C40000-0x0000000004C80000-memory.dmp

memory/2196-3-0x0000000001DC0000-0x0000000001DDC000-memory.dmp

memory/2196-4-0x00000000008F0000-0x00000000008FC000-memory.dmp

memory/2196-5-0x00000000744E0000-0x0000000074BCE000-memory.dmp

memory/2196-6-0x0000000004C40000-0x0000000004C80000-memory.dmp

memory/2196-7-0x0000000001DE0000-0x0000000001DF0000-memory.dmp

memory/2196-8-0x0000000004F30000-0x0000000004F9E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp3256.tmp

MD5 caa4e40e83f73f2850c1b7c00ab4945d
SHA1 5c488229c34363568e52975606b4457c20d70dae
SHA256 53544c962ee5e26a3bdb2fd8a59c1025e7330dabf43b2a7cc94516340aba8f28
SHA512 4ecf1390054246ba493b93e4a063046934e1baa250b17c838fe9dd13443d07ecec875b0ded8b47915898d496ef0473b477eac439db3d2ada14dc01a2c8c88c3e

memory/2652-16-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2652-18-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2652-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2652-22-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2196-23-0x00000000744E0000-0x0000000074BCE000-memory.dmp

memory/2748-26-0x00000000024F0000-0x0000000002530000-memory.dmp

memory/2748-25-0x000000006E970000-0x000000006EF1B000-memory.dmp

memory/2652-28-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2748-27-0x000000006E970000-0x000000006EF1B000-memory.dmp

memory/2652-29-0x0000000000320000-0x0000000000335000-memory.dmp

memory/2748-31-0x00000000024F0000-0x0000000002530000-memory.dmp

memory/2652-32-0x0000000000800000-0x0000000000B03000-memory.dmp

memory/1260-30-0x0000000006C40000-0x0000000006D8A000-memory.dmp

memory/2748-33-0x000000006E970000-0x000000006EF1B000-memory.dmp

memory/2524-34-0x0000000000050000-0x0000000000068000-memory.dmp

memory/2524-35-0x0000000000050000-0x0000000000068000-memory.dmp

memory/2524-36-0x00000000000A0000-0x00000000000CF000-memory.dmp

memory/2524-37-0x0000000001F20000-0x0000000002223000-memory.dmp

memory/2524-38-0x00000000000A0000-0x00000000000CF000-memory.dmp

memory/2524-40-0x0000000001D90000-0x0000000001E24000-memory.dmp

memory/1260-41-0x0000000004B40000-0x0000000004BE6000-memory.dmp

memory/1260-42-0x0000000004B40000-0x0000000004BE6000-memory.dmp

memory/1260-44-0x0000000004B40000-0x0000000004BE6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-23 10:32

Reported

2023-10-23 10:35

Platform

win10v2004-20231020-en

Max time kernel

150s

Max time network

162s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3811856890-180006922-3689258494-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4532 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4532 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4532 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4532 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 4532 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 4532 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\SysWOW64\schtasks.exe
PID 4532 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4532 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4532 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4532 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4532 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4532 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3228 wrote to memory of 2112 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\svchost.exe
PID 3228 wrote to memory of 2112 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\svchost.exe
PID 3228 wrote to memory of 2112 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\svchost.exe
PID 2112 wrote to memory of 1732 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 1732 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\cmd.exe
PID 2112 wrote to memory of 1732 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe

"C:\Users\Admin\AppData\Local\Temp\ახალი შესყიდვის შეკვეთა pdf.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\idScXbUauEgmY.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\idScXbUauEgmY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp174C.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\SysWOW64\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
US 8.8.8.8:53 www.x-y-z.online udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 www.dreamoney.online udp
US 8.8.8.8:53 www.ovelglove.site udp
US 104.21.12.11:80 www.ovelglove.site tcp
US 8.8.8.8:53 11.12.21.104.in-addr.arpa udp
US 8.8.8.8:53 www.adventurehartford.com udp
US 3.33.130.190:80 www.adventurehartford.com tcp
US 8.8.8.8:53 190.130.33.3.in-addr.arpa udp
US 8.8.8.8:53 193.98.74.40.in-addr.arpa udp

Files

memory/4532-0-0x00000000747F0000-0x0000000074FA0000-memory.dmp

memory/4532-1-0x0000000000EB0000-0x0000000000F5A000-memory.dmp

memory/4532-2-0x0000000005F00000-0x00000000064A4000-memory.dmp

memory/4532-3-0x0000000005950000-0x00000000059E2000-memory.dmp

memory/4532-4-0x00000000058C0000-0x00000000058D0000-memory.dmp

memory/4532-5-0x0000000005B00000-0x0000000005B0A000-memory.dmp

memory/4532-6-0x0000000005C50000-0x0000000005CEC000-memory.dmp

memory/4532-7-0x0000000005BB0000-0x0000000005BCC000-memory.dmp

memory/4532-8-0x0000000005B90000-0x0000000005B9C000-memory.dmp

memory/4532-9-0x00000000747F0000-0x0000000074FA0000-memory.dmp

memory/4532-10-0x00000000058C0000-0x00000000058D0000-memory.dmp

memory/4532-11-0x0000000003370000-0x0000000003380000-memory.dmp

memory/4532-12-0x0000000006AD0000-0x0000000006B3E000-memory.dmp

memory/4452-17-0x0000000000DA0000-0x0000000000DD6000-memory.dmp

memory/4452-18-0x00000000747F0000-0x0000000074FA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmp174C.tmp

MD5 7f803b32133a013d5421934e61d039fe
SHA1 8390d1a901df668a9fee0c732302c7e44f048d77
SHA256 6fe3888d112736409b1ef124405c7b8461b63305680ef415bcc9b902f3e084b7
SHA512 33ad560a69da6edb01e378e5cd1448ccd6303774d7b3edd53d09f89be586837e32815492ad0aa40d50f733d9c92126409fb48f2feb11ae2d08eef4cff7b34ced

memory/4452-22-0x0000000000D90000-0x0000000000DA0000-memory.dmp

memory/4452-21-0x0000000004D70000-0x0000000005398000-memory.dmp

memory/4452-19-0x0000000000D90000-0x0000000000DA0000-memory.dmp

memory/2388-23-0x0000000000400000-0x000000000042F000-memory.dmp

memory/4452-25-0x0000000004A40000-0x0000000004A62000-memory.dmp

memory/4452-27-0x0000000004C60000-0x0000000004CC6000-memory.dmp

memory/4452-28-0x0000000005510000-0x0000000005576000-memory.dmp

memory/4532-26-0x00000000747F0000-0x0000000074FA0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yuggw15j.zlb.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4452-38-0x0000000005580000-0x00000000058D4000-memory.dmp

memory/2388-39-0x0000000001370000-0x00000000016BA000-memory.dmp

memory/2388-41-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2388-42-0x0000000001300000-0x0000000001315000-memory.dmp

memory/3228-44-0x0000000007BE0000-0x0000000007CD5000-memory.dmp

memory/4452-43-0x00000000048A0000-0x00000000048BE000-memory.dmp

memory/4452-45-0x0000000006150000-0x000000000619C000-memory.dmp

memory/4452-46-0x0000000000D90000-0x0000000000DA0000-memory.dmp

memory/4452-47-0x00000000747F0000-0x0000000074FA0000-memory.dmp

memory/4452-60-0x0000000006070000-0x000000000608E000-memory.dmp

memory/4452-50-0x0000000070FE0000-0x000000007102C000-memory.dmp

memory/4452-49-0x000000007F110000-0x000000007F120000-memory.dmp

memory/4452-48-0x00000000060B0000-0x00000000060E2000-memory.dmp

memory/4452-61-0x0000000006D30000-0x0000000006DD3000-memory.dmp

memory/4452-62-0x0000000007460000-0x0000000007ADA000-memory.dmp

memory/4452-63-0x0000000006E20000-0x0000000006E3A000-memory.dmp

memory/4452-64-0x0000000006EB0000-0x0000000006EBA000-memory.dmp

memory/4452-65-0x0000000000D90000-0x0000000000DA0000-memory.dmp

memory/2112-66-0x0000000000FE0000-0x0000000000FEE000-memory.dmp

memory/2112-68-0x0000000000FE0000-0x0000000000FEE000-memory.dmp

memory/4452-69-0x0000000000D90000-0x0000000000DA0000-memory.dmp

memory/2112-70-0x0000000000A90000-0x0000000000ABF000-memory.dmp

memory/4452-71-0x00000000070C0000-0x0000000007156000-memory.dmp

memory/2112-73-0x0000000001600000-0x000000000194A000-memory.dmp

memory/4452-72-0x0000000007040000-0x0000000007051000-memory.dmp

memory/4452-74-0x0000000007070000-0x000000000707E000-memory.dmp

memory/4452-75-0x0000000007080000-0x0000000007094000-memory.dmp

memory/4452-76-0x0000000007180000-0x000000000719A000-memory.dmp

memory/4452-77-0x0000000007160000-0x0000000007168000-memory.dmp

memory/4452-80-0x00000000747F0000-0x0000000074FA0000-memory.dmp

memory/2112-81-0x0000000000A90000-0x0000000000ABF000-memory.dmp

memory/3228-82-0x0000000007BE0000-0x0000000007CD5000-memory.dmp

memory/2112-84-0x0000000001400000-0x0000000001494000-memory.dmp

memory/3228-85-0x0000000007D00000-0x0000000007DA9000-memory.dmp

memory/3228-86-0x0000000007D00000-0x0000000007DA9000-memory.dmp

memory/3228-88-0x0000000007D00000-0x0000000007DA9000-memory.dmp